We introduced per-connection features based on JA3/JA4 TLS fingerprinting. By computing the JA4 hash from the full TLS ClientHello (including cipher suites, extensions, ALPN, and elliptic curves), we can now detect VPN client software that attempts to masquerade as a standard web browser.