Showing 6 of 6 advisories
BTSS 9.5 | BTI-2025-0025 | PUBLISHED | CRITICAL

TrenDemon

TrenDemon is an ABM (Account-Based Marketing) content personalization platform. Critical findings include: (1) 6 eval() functions executing arbitrary JavaScript from CTA parameters enabling customer-level RCE, (2) polyfill.io supply chain vulnerability loading from COMPROMISED domain (June 2024), (3) 760-day cookie retention violating GDPR/ICO guidelines, (4) Cross-vendor Marketo cookie harvesting, (5) Base64 URL obfuscation to evade privacy tools.

#eval-vulnerability #arbitrary-code-execution #cross-vendor-cookie-harvesting #extreme-cookie-lifetime #base64-obfuscation
BTSS 9.2 | BTI-2025-0001 | ACTIVE | CRITICAL

RB2B

RB2B's JavaScript contains defeat device logic that detects compliance scanners, security tools, and automated browsers, then disables tracking functionality to appear compliant during audits while maintaining full surveillance for real users.

#defeat-device #bot-detection #evasion #critical #rb2b
2025-11-09
BTSS 9.2 | BTI-2025-0023 | PUBLISHED | CRITICAL

6sense

A SINGLE PAGE LOAD on 6sense.com triggers an extraordinary surveillance cascade: 13 hosts syncing cookies, 17 hash exfiltrations, PII deanonymization (name + phone), a CMP defeat device harvesting pre-consent data, and TrenDemon SDK with eval()-based arbitrary code execution loading from the compromised polyfill.io domain.

## SUPPLY CHAIN COMPROMISE: polyfill.io on Privacy Policy Page

TrenDemon SDK (loaded on 6sense.com) includes a dependency on polyfill.io/v3/polyfill.min.js. This domain was acquired by Chinese company Funnull in February 2024 and subsequently used to inject malicious code into websites. **This script loads while users read 6sense's privacy policy** - the page that should inform them of data practices instead exposes them to a known compromised CDN.

6sense deploys Ketch CMP (documented in BTI-2025-0022 as a consent defeat device) which harvests Marketo tracking cookies from visitors and transmits them to ketchcdn.com. This creates undisclosed cross-vendor identity aggregation where visiting 6sense's Trust Center ironically results in marketing cookie exfiltration.

The researcher was identified by name ("Ronin") and geolocated to state level (Alabama) while researching 6sense's privacy practices.

This is not a collection of separate issues - it's a coordinated surveillance architecture deployed by a company that sells "privacy-compliant intent data."

#cross-vendor-aggregation #cookie-harvesting #cmp-violation #subprocessor-misrepresentation #pii-deanonymization
2025-12-03
BTSS 8.2 | BTI-2025-0004 | INVESTIGATING | HIGH

CoPilot AI

CoPilot AI's website deploys 34+ third-party data processors while its GDPR-citing privacy policy discloses only 9 (26% disclosure rate). The pre-consent tracking stack includes browser fingerprinting, 3 IP deanonymization services, 14+ data broker cookie syncs, and 2 undisclosed session recorders. They use a server-side GTM proxy to obscure tracking origins. Their white-label offering multiplies proliferation risk.

#undisclosed-processors #pre-consent #fingerprinting #cookie-sync #session-recording
2025-11-28
BTSS 8.1 | BTI-2025-0002 | INVESTIGATING | HIGH

ZoomInfo

ZoomInfo's FormComplete product captures email addresses from form fields before users click submit, including data populated by browser autofill. The script monitors input field changes and immediately transmits emails to ZoomInfo servers for validation, without any user submission action.

#pre-submit-capture #form-grabbing #autofill #high #zoominfo
2025-11-25
BTSS 7.8 | BTI-2025-0003 | INVESTIGATING | HIGH

IdentityMatrix

IdentityMatrix's tracking script contains an extractHems() function that scans all browser storage (cookies, localStorage, sessionStorage) looking for email addresses and email hashes. Found values are transmitted for cross-reference against identity graphs for visitor de-anonymization.

#hem-extraction #storage-scanning #identity-resolution #high #identitymatrix
2025-11-25
BTSS SEVERITY SCALE

CRITICAL: BTSS 9.0-10.0
HIGH: BTSS 7.0-8.9
MEDIUM: BTSS 4.0-6.9
LOW: BTSS 0.1-3.9

BTSS (Blackout Threat Severity Score) measures the severity of a specific finding on the same 0-10 scale as CVSS. Each advisory has its own BTSS based on the behaviors documented.