Replay & artifacts
Step through a completed trajectory in the web app or via API. Read command output, state transitions, and targets per step.
Every completed trajectory carries enough state to be replayed step by step — the command the sampler or agent ran, the output it produced, the target it was aimed at, and the before/after state that resulted. Replay is the primary surface for understanding what actually happened inside a trajectory.
In the web app
Section titled “In the web app”Open Worlds → Trajectories, pick a completed trajectory, and select the Steps tab. The replay inspector splits into two panes:
- Step list (left) — numbered steps with a short title, source badge, command name, and a failure indicator for steps that errored.
- Step detail (right) — the full contents of the selected step, plus previous/next navigation.
Each step detail shows:
| Field | Meaning |
|---|---|
| Outcome | Success or failure badge for the step |
| Source | Which pipeline produced the step (algorithmic sampler or agent run) |
| Command name | The action the sampler or agent invoked |
| Technique type | Categorization when available (e.g. credential access, lateral movement) |
| Target summary | Human-readable description — e.g. “Enumerate DC01” or “alice → MemberOf → Domain Admins” |
| Command output | Full command text, stdout, stderr, and failure reason |
| State before / state after | Snapshots of attacker-visible state on either side of the step |
| Temporal | Step-level timing metadata, when available |
| Details | Any step-specific structured data the sampler emitted |
The Steps tab is always present on a trajectory. If the replay endpoint can’t fetch artifacts — typically because the Worlds backend sandbox that produced the trajectory has been reaped — the tab shows a “Replay unavailable” state instead of steps.
From the API
Section titled “From the API”Fetch the normalized replay payload directly:
GET /org/{org}/ws/{workspace}/worlds/trajectories/{trajectory-id}/replayThe response reconstructs steps from stored artifacts into the same shape the app renders. See Trajectory reference — replay payload for the full field list.
The replay endpoint has three sources (source_format):
atif— normalized from a stored ATIF trajectory file.worlds— reconstructed from the Worlds backend trajectory record.raw— backend passthrough when the structured formats aren’t available.
The app-rendered view is identical across sources; the field tells you where the data came from if you’re debugging a discrepancy.
Artifacts
Section titled “Artifacts”Trajectory records carry artifact_refs — pointers to stored payloads the control
plane doesn’t keep inline. For algorithmic trajectories this is typically the step
record and the published training dataset. For agent-mode trajectories it also includes
the native agent messages.
Artifacts are paths in the artifact store, not inline JSON. The replay endpoint dereferences what it needs; direct access is available via the standard workspace artifact download surface.
Credential redaction in summaries
Section titled “Credential redaction in summaries”Trajectory summaries strip credential secrets before leaving the control plane.
initial_state.credentials keeps username and domain so you can see which identity
was used; password and hash are never included. This applies to every summary
endpoint — replay steps themselves may contain tool output that the sampler or agent
discovered, which is intentional.
What’s next
Section titled “What’s next”- Trajectory job lifecycle and waiting: Jobs & lifecycle
- Full replay payload shape: Trajectory reference