Using BTI Codes
How to reference BTI codes in contracts, compliance reports, vendor assessments, and internal communications.
Legal & Compliance
Reference BTI codes in DPAs, vendor contracts, and compliance reports. Each code maps to specific regulatory obligations.
Security Teams
Use BTI codes for vendor risk assessments, incident response, and third-party security reviews. Each code has MITRE ATT&CK mappings.
Procurement & Marketing Ops
Evaluate new vendors before deployment. Use BTI codes as acceptance criteria in RFPs and vendor questionnaires.
Citation Format
BTI-[C|X][NN] — [Code Name]
BTI-C01 (Defeat Device), BTI-X04 (Marketing Mismatch)
BTI-[YYYY]-[NNNN] — [Vendor Name]
BTI-2025-0001 (RB2B), BTI-2025-0003 (ZoomInfo)
deployblackout.com/bti/codes/C01
deployblackout.com/bti/BTI-2025-0001
Contract & DPA Templates
“Vendor warrants that its software, scripts, and data collection practices do not exhibit behaviors classified under the BLACKOUT Threat Intelligence (BTI) framework, including but not limited to BTI-C01 (Defeat Device), BTI-C09 (Consent Bypass), BTI-C14 (Identity Resolution), and BTI-C03 (Storage Exfiltration).”
“Vendor must confirm that no active BTI advisories exist for their product. If advisories exist, vendor must provide a written response addressing each finding. Reference: deployblackout.com/bti”
“Client may terminate this agreement without penalty if Vendor's product receives a BTI advisory with a BTSS score of 7.0 or above (HIGH or CRITICAL severity).”
Vendor Assessment Questions
Use these questions during vendor evaluation. Each maps to specific BTI codes.
Does your script behave differently when it detects automated browsers, compliance scanners, or security tools?
Does your product read, access, or transmit first-party cookies, localStorage data, or form inputs to external endpoints?
Does your script load additional third-party code that is not disclosed in your documentation?
Does your product capture keystroke patterns, mouse movements, or other behavioral biometric data?
Does your product execute data collection before consent management platform (CMP) initialization?
Does your product use canvas fingerprinting, WebGL rendering, or audio context for device identification?
Does your product resolve anonymous visitors to identified individuals using IP-to-company mapping or email hash matching?
Does your privacy policy list ALL third parties who receive data collected by your product?
Can you provide your SOC 2 Type II report, DPA, and subprocessor list without NDA or access restrictions?
Communication Templates
Subject: BTI Advisory [ID] — Request for Response
---
We have identified your product as exhibiting behaviors documented in BTI Advisory [ID] (BTSS [score], [severity level]).
The specific behaviors include [BTI-C code] ([code name]). Full technical details and evidence are available at: deployblackout.com/bti/[advisory-id]
We are requesting a formal response within 30 days addressing the documented findings.
Subject: Vendor Risk Alert — [Vendor Name]
---
A BTI advisory has been published for [Vendor Name] with a severity score of [BTSS] ([severity level]).
Key findings: [BTI-C/X codes triggered]. This affects our [legal/security/revenue] posture because [specific impact].
Recommended action: [immediate/short-term/for legal]. Full advisory: deployblackout.com/bti/[advisory-id]
BTSS Scale
Blackout Threat Severity Score. Same 0-10 scale as CVSS. Per-advisory severity.
| Score | Level | Meaning |
|---|---|---|
| 9.0 — 10.0 | CRITICAL | Active evasion, defeat devices, data theft at scale |
| 7.0 — 8.9 | HIGH | Significant data exposure, consent violations, identity resolution |
| 4.0 — 6.9 | MEDIUM | Undisclosed behaviors, scope creep, policy mismatches |
| 0.1 — 3.9 | LOW | Minor discrepancies, documentation gaps, low-risk patterns |
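
For teams that track BTI references across contracts and vendor reviews, the following added example (not part of the BTI framework or any BLACKOUT tooling) pulls well-formed citations out of free text using the Citation Format above, builds their reference paths, and maps a BTSS score to its level and to the 7.0 termination threshold. The digit widths, rounding to one decimal place, and all function names are assumptions; the sample text is constructed.

```python
import re

# Patterns follow the page's Citation Format. Digit widths (NN = 2, YYYY/NNNN = 4)
# are assumed from the placeholders; malformed references are ignored.
CODE_RE = re.compile(r"\bBTI-([CX])(\d{2})\b")
ADVISORY_RE = re.compile(r"\bBTI-(\d{4})-(\d{4})\b")
BASE = "deployblackout.com/bti"

# Bands copied from the BTSS Scale table: (lower bound, upper bound, level).
BANDS = [(9.0, 10.0, "CRITICAL"), (7.0, 8.9, "HIGH"),
         (4.0, 6.9, "MEDIUM"), (0.1, 3.9, "LOW")]

# Constructed sample: contract wording with valid and malformed references.
SAMPLE = ("Vendor warrants no behaviors under BTI-C01 (Defeat Device) or "
          "BTI-C09 (Consent Bypass). See advisory BTI-2025-0001. "
          "BTI-C01 is cited twice; BTI-C1 and BTI-25-1 are malformed.")

def extract_citations(text):
    """Return unique BTI references in text, sorted by id, with reference paths."""
    found = {}
    for m in CODE_RE.finditer(text):
        found[m.group(0)] = {"id": m.group(0), "kind": "code",
                             "url": f"{BASE}/codes/{m.group(1)}{m.group(2)}"}
    for m in ADVISORY_RE.finditer(text):
        found[m.group(0)] = {"id": m.group(0), "kind": "advisory",
                             "url": f"{BASE}/{m.group(0)}"}
    return [found[key] for key in sorted(found)]

def btss_level(score):
    """Map a BTSS score to its level; None if it falls outside the table (e.g. 0.0)."""
    rounded = round(float(score), 1)  # assumption: one decimal place, as in CVSS
    for low, high, level in BANDS:
        if low <= rounded <= high:
            return level
    return None

def termination_triggered(score):
    """True when the score meets the template clause: 7.0 or above (HIGH or CRITICAL)."""
    return btss_level(score) in ("HIGH", "CRITICAL")

if __name__ == "__main__":
    for ref in extract_citations(SAMPLE):
        print(ref["kind"], ref["id"], ref["url"])
    for s in (9.4, 7.0, 6.9, 0.0):
        print(s, btss_level(s), termination_triggered(s))
```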