Industry Expert Blogs

BLACKBOX AI is an AI-powered coding assistant designed to enhance developer productivity by offering features such as code generation, code search, and code completion across multiple programming languages. It integrates seamlessly with popular development environments like Visual Studio Code and provides tools for tasks including autocompletion, natural language to code conversion, and code extraction from various sources.
The platform employs a multi-model architecture, integrating several advanced large language models (LLMs) to deliver comprehensive coding assistance. These include GPT-4o, Claude 3.5 Sonnet, Gemini Pro, LLaMA 3.1, DeepSeek R1 and more .

Network Traffic Analysis

The ATI team in Keysight has analyzed the network traffic of Blackbox AI and found some interesting insights, which can be helpful for other researchers, optimize performance and ensure secure usage. This was done utilzing a HAR captures of a web session. Blackbox AI operates with standard web protocols, relying on secure TLS encryption for communication.

Overall Analysis

We have performed extensive user interactions with the Blackbox AI web application. The captured traffic was completely TLS encrypted. We have further analyzed the traffic based on host names.

Figure 1: Request-Response count per host

In the figure above we can observe the maximum number of request-response was seen by www.blackbox.ai followed by www.useblackbox.io. The first host has been observed as the main host responsible for handling core dynamic functionalities such as user authentication and session management. While the latter is for telemetry and analytics, logging events, and user interactions.

 

Figure 2: Cumulative payload per host

The diagram above shows that the host www.blabkbox.ai has the maximum cumulative payload followed by api-iam.intercom.io. The rest of the hosts are creating smaller network footprints.

Analyzing Endpoints

By examining the HAR file, we gain a detailed view of the HTTP requests and responses between the client and Blackbox AI's servers. This analysis focuses on critical endpoints and their roles in the platform's functionality.

Session Authentication

Endpoint: /api/auth/session

• Method: GET
• 

• Purpose: Checks or retrieves the current user session and related authentication status.
• Request Headers:
• Accept: application/json
• Content-Type: application/json
• Origin: https://www.blackbox.ai (Ensures requests originate from BLACKBOX AI’s platform)
• Response Status: 200 OK (active session or session data returned)
• Response Body: JSON object containing user session status, expiry, and authentication details

 

This endpoint is essential for maintaining secure access to Blackbox AI, allowing the platform to verify and manage user sessions and authentication status.

Query Execution

Endpoint: /api/chat

• Method: POST

 

• Purpose: Processes user queries and returns AI-generated responses.
• Request Headers:
• Content-Type: application/json
• Accept: application/json
• Origin: https://www.blackbox.ai (Ensures requests originate from BLACKBOX AI’s platform)
• Request Payload: JSON object with the user's query and session details.
• Response Status: 200 OK (successful query processing)

 This endpoint is central to Blackbox AI's functionality, enabling dynamic interactions between users and the AI model.

 Source Verification

Endpoint: /api/check-sources

• Method: POST

 

• Purpose: Validates the origin of the provided input or context for generating responses or citations.
  Request Headers:
• Content-Type: application/json
• Accept: application/json
• Origin: https://www.blackbox.ai (Ensures requests originate from BLACKBOX AI’s platform)
• Request Payload: Contains the query type and the user's input
• Response Status: 200 OK (source check completed)
• Response Body: JSON object with source metadata or validation results

 This endpoint ensures the integrity of AI responses by validating the origin and credibility of the user's input, reinforcing trust in generated outputs.

 Telemetry Logging

Endpoint: /tlm

• Method: POST

 

• Purpose: Logs user behavior or system diagnostics to help improve product performance and stability.
  Request Headers:
• Content-Type: application/json
• Accept: */*
• Origin: https://www.blackbox.ai (Ensures requests originate from BLACKBOX AI’s platform)
• Request Payload: The request payload contains a JSON object logging a user event with its type, timestamp, and specific details like the action performed and its duration.
• Response Status: 200 OK (telemetry event accepted)
• Response Body: Confirmation message or status log

 

This endpoint supports platform reliability and user experience optimization by capturing detailed telemetry data on user behavior and system performance.

NOTE: While BLACKBOX AI can be useful, it is a prohibited tool by many companies and government entities. Policy and technical systems must be in place to prevent usage, and it is vital to confirm this via test using BreakingPoint. These tests help validate the security measures and help organizations prevent accidental or malicious use of the platform.

Blackbox AI Traffic Simulation in Keysight ATI

At Keysight Technologies Application and Threat Intelligence (ATI), since we always try to deliver the hot trending application, we have published the network traffic related to Blackbox AI in ATI-2025-07 StrikePack which simulates the HAR collected from the Blackbox AI web application as of April 2025 including different user actions like performing text-based queries, uploading multimedia files, refining search results, managing saved searches. Here all the HTTP transactions are replayed in HTTP/2 over TLS1.3.

 

Figure 3: Blackbox AI Apr25 HAR Replay HTTP/2 over TLS1.3 Superflow in BPS

The Blabkbox AI application and its 4 new Superflows as shown below:

 

Figure 4: Blackbox AI App and its Superflows in BPS

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing BreakingPoint Customers to test their currently deployed security control's ability to detect or block such attacks.