diff --git a/Service-Bus.md b/Service-Bus.md index 22aab9b..bab1abc 100644 --- a/Service-Bus.md +++ b/Service-Bus.md @@ -159,6 +159,8 @@ Current topic families: | `attacker.observed` | Correlator | first sighting; consumed by `decnet enrich` as a wake signal | | `attacker.scored` | Profiler | post-enrichment score update; also wakes `decnet enrich` | | `attacker.intel.enriched` | `decnet enrich` | `{attacker_ip, aggregate_verdict, providers}` after a threat-intel pass; webhook → SIEM | +| `attacker.fingerprinted` | Prober | `{attacker_ip, port, jarm_hash\|hassh_server\|tcpfp_hash, ...}` — fires on every successful active probe result. Distinct from `attacker.observed` (correlator first-sight); a fingerprint is additional evidence about an already-observed attacker. | +| `attacker.fingerprint_rotated` | Prober (via `decnet.correlation.fingerprint_rotation`) | `{attacker_uuid, attacker_ip, port, probe_type, old_hash, new_hash, rotation_count, ts}` — fires only when a probe produces a *different* hash than the last persisted hash for the same `(attacker_uuid, port, probe_type)` triple. Carries both old and new hash so consumers don't have to join. Indicates infrastructure churn / VPS rotation / banner rewrite / cert swap. Consumers: dashboard, forensics, attribution clustering. | | `identity.formed` | _reserved (clusterer)_ | `{identity_uuid, observation_uuids: [...], confidence, first_seen_at}` — clusterer creates a new identity from one or more observations | | `identity.observation.linked` | _reserved (clusterer)_ | `{identity_uuid, observation_uuid, confidence_after}` — observation attached / re-attached to an identity | | `identity.merged` | _reserved (clusterer)_ | `{winner_uuid, loser_uuid, observation_uuids: [...], confidence_after}` — two identities collapsed; subscribers re-key cached references to the winner |
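Review bot: the payload documented in the new `attacker.fingerprinted` row has no `attacker_uuid`, `probe_type` or `ts`, although the `attacker.fingerprint_rotated` row added directly below it is keyed on the `(attacker_uuid, port, probe_type)` triple. As written, a consumer can only tell the probe type by checking which of `jarm_hash`, `hassh_server` or `tcpfp_hash` is present, and can only relate the two events through `attacker_ip` and `port`. Consider adding the same key fields to `attacker.fingerprinted` and replacing the trailing `...` with the full field list, as the other rows in this table do. In the `attacker.fingerprint_rotated` row, three behaviours are left open and each deserves a short statement: whether the first probe for a triple, when there is no persisted hash yet, is silent; whether `rotation_count` is counted per triple or per attacker; and whether a rotating probe also emits `attacker.fingerprinted`, which "fires on every successful active probe result" implies but does not say.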