diff --git a/docs/informal-preso/0-intro-banana/d4-introduction.pdf b/docs/informal-preso/0-intro-banana/d4-introduction.pdf
index 70780fd..05b844d 100644
Binary files a/docs/informal-preso/0-intro-banana/d4-introduction.pdf and b/docs/informal-preso/0-intro-banana/d4-introduction.pdf differ
diff --git a/docs/informal-preso/0-intro-banana/d4-introduction.tex b/docs/informal-preso/0-intro-banana/d4-introduction.tex
index 6a3d209..1459604 100644
--- a/docs/informal-preso/0-intro-banana/d4-introduction.tex
+++ b/docs/informal-preso/0-intro-banana/d4-introduction.tex
@@ -104,6 +104,30 @@
 \includegraphics[scale=0.18]{d4-2.png}
 \end{frame}
+\begin{frame}
+ \frametitle{D4 client example : A passive SSL fingerprinter}
+
+ History of links between:
+ \begin{itemize}
+ \item x509 certificates (And therefore their fields)
+ \item Ports
+ \item IP address
+ \item Client (ja3)
+ \item Server (ja3s)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{D4 client example : A passive SSL fingerprinter}
+ CSIRT's rationale for collecting TLS handshakes:
+ \begin{itemize}
+ \item Pivot on additional data points
+ \item Find owners of IP addresses
+ \item Detect usage of CIDR blocks
+ \item Detect vulnerable systems
+ \item Detect compromised services
+ \end{itemize}
+\end{frame}
 \begin{frame}
 \frametitle{D4 client example : A passive SSL fingerprinter}