The most underrated source of information in security research is the client. Every JavaScript app, every mobile binary, every desktop installer ships the protocol it speaks. Most companies treat the client as documentation. We treat it as the server's schema, disclosed in advance.
The view changes how recon works, what agents are good for, and what counts as an interesting first day on a new target.
What is actually in the bundle
A modern web client carries the full surface of the API it consumes. Endpoint URLs. Request shapes. Response shapes. Error codes. The conditions under which each call gets made. The minifier doesn't hide any of it. The minifier renames variables. The structure of the calls survives.
A modern mobile binary carries more. The same surface, plus the auth scheme, plus the keys the client thought were safe to embed because they were scoped, plus the feature flags that were going to ship next quarter, plus the dev menu somebody forgot to compile out.
A desktop installer is the same story with worse hygiene. Electron apps ship Chromium DevTools that someone, somewhere, left enabled on a port the OS will happily expose if a tab on a random page asks nicely.
None of this is hidden. All of it is on every customer's machine. The cost of obtaining it is the cost of clicking "save as."
Why the practice is rarer than it should be
Reading bundles is unglamorous. It is slow, largely manual even with good tooling, and most of what you find is noise. Most security tooling has never been good at it because the patterns aren't grep-able. Scanners look at the surface a client exposes to the server. Almost none look at the surface the server exposes to the client.
The practice gets dismissed because it doesn't pay on a first pass. You don't read a bundle and find a vulnerability. You read a bundle and find the map. The map is what makes the next two weeks of work tractable.
This is the part agents have changed for us.
Where agents actually help
Frontier models are very good at reading minified code. They aren't going to find your bugs. They are going to take a four-megabyte bundle and reconstruct, with high fidelity, the API contract the bundle expects.
Routes. Type shapes. Auth flow. Error vocabulary. The names the client uses for things, which are usually the names the server uses for things, which are usually the names the internal documentation uses for things. You can't search the company's internal wiki. You can search a clean reconstruction of it that the client just gave you.
Our agents reconstruct the surface in hours. We then spend weeks doing the part the model can't, which is asking what should be there that isn't, what shouldn't be there that is, and what shape of operation the client never exercises but the schema allows. That third category is most of what we file.
What this changes about defense
A defender reading this might conclude that the answer is to ship less. That is correct, and almost nobody does it.
The right principle is that the client should ship exactly what the client needs to render. Not the admin routes. Not the staff-only flags. Not the experimental endpoints behind a feature gate. Not the GraphQL types the consumer schema doesn't reference. Every byte of API surface in your bundle that isn't reachable from the UI you actually ship is a free piece of intelligence handed to anyone who downloads the page.
The number of teams that audit their bundle against the surface their UI actually exercises is approximately zero. We have not yet reviewed a non-trivial product where the two matched. The delta is always interesting. The delta is often where the chain starts.
The honest one-liner
We don't write blog posts about what's in a specific bundle. That isn't the value. The value is that, on a new target, we have a complete API contract before we send a single non-bundle-fetching request. The probes we send next are the ones we already know the server expects. The probes after that are the ones the server doesn't expect but the schema doesn't prohibit.
The client is the server, viewed from a distance. The teams that internalize this build differently. The teams that don't keep paying us to read their bundles for them.