FIELD TRANSMISSION

THIS IS NOT A PLATFORM LAUNCH. THIS IS A WARNING.

SECTION 01

THE PROBLEM

GTM Is an Unmonitored Threat Surface

Every B2B website runs dozens of marketing and sales tools. HubSpot, 6sense, Clearbit, LinkedIn, Apollo, Demandbase, Drift. They're in your tag manager. They're in your CRM. They're in your enrichment pipeline.

Nobody audits them. Nobody monitors what data leaves. Nobody verifies that the "consent" banner actually blocks anything. Security teams don't touch it. Privacy teams don't understand it. Legal trusts vendor contracts.

Meanwhile, these vendors are building shadow profiles of your visitors, syncing cookies across ad networks, and selling access to behavioral data you don't even know exists.

Pre-Consent Tracking

Identity enrichment APIs fire before the consent banner loads. Company intelligence is captured before a visitor can say "no."

Cookie Sync Networks

Visitor IDs are shared across 10+ domains via redirect chains. Your "first-party" data is actually third-party intelligence.

Defeat Devices

Some vendors ship code that detects audits and changes behavior. Compliance checks pass. Real visitors get tracked.

Why SOC 2 Doesn't Save You

Your vendors wave SOC 2 Type II reports. Your procurement team checks the box. Everyone feels secure.

But SOC 2 verifies that controls exist—not that vendors behave correctly at runtime. An auditor reviews policies and access logs. They don't instrument a browser and watch what happens when real JavaScript executes.

The defeat device we discovered in RB2B proves the gap: the script detects compliance scanners and serves different code. The SOC 2 audit passes. Real users get surveilled.

SOC 2 was built for a world where vendors wanted to comply. We built BLACKOUT for a world where they don't.

SECTION 02

WHAT BLACKOUT IS

BLACKOUT is an outside-in GTM pentest platform. We scan your site like an adversary would. No agents. No credentials. No access to your CRM. Just what the browser sees—and what it sends.

01

GTM Stack Scanner

Automated browser-based scans that capture every script, network request, and cookie. HAR forensics extract identity payloads and consent timing.

02

BTI Database

83+ vendor threat profiles. Detection signatures, risk scores, data practices, evasion techniques. Updated from field investigations.

03

BLK Controls Framework

35+ technical controls mapped to real violations. Pre-consent tracking, identity leaks, cookie sync chains. Evidence-based, not checkbox-based.
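
An added example, not BLACKOUT's own code: a minimal Python version of the consent-timing check described above, listing third-party requests in a HAR capture that started before consent was recorded. The entry fields are standard HAR 1.2; the function name, the `consent_at` timestamp, the suffix-based first-party test and the sample capture with its `.example` hosts are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

def _ts(value):
    # HAR 1.2 timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _is_third_party(host, first_party):
    # Simplification: plain suffix match, no public-suffix-list lookup.
    host = (host or "").lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))

def pre_consent_requests(har, first_party, consent_at=None):
    # consent_at: ISO time the scan accepted the banner (assumed to be recorded
    # by the scanner). None means consent was never given, so everything counts.
    cutoff = _ts(consent_at) if consent_at else None
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        if not _is_third_party(host, first_party.lower()):
            continue
        if cutoff is not None and _ts(entry["startedDateTime"]) >= cutoff:
            continue
        findings.append({
            "host": host,
            "started": entry["startedDateTime"],
            "sent_cookies": [c["name"] for c in req.get("cookies", [])],
            "set_cookies": [c["name"] for c in entry.get("response", {}).get("cookies", [])],
            "has_body": bool(req.get("postData", {}).get("text")),
        })
    return findings

# Constructed sample capture; hosts under .example are placeholders, not real vendors.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-05-01T12:00:00.100Z",
     "request": {"url": "https://www.shop.example/", "cookies": []}},
    {"startedDateTime": "2024-05-01T12:00:00.450Z",
     "request": {"url": "https://enrich.vendor-a.example/v1/identify?page=/pricing",
                 "cookies": [{"name": "vid", "value": "abc"}]},
     "response": {"cookies": [{"name": "sync_id", "value": "xyz"}]}},
    {"startedDateTime": "2024-05-01T12:00:03.000Z",
     "request": {"url": "https://px.vendor-b.example/collect", "cookies": [],
                 "postData": {"text": "{\"e\":\"pageview\"}"}}},
]}}
CONSENT_AT = "2024-05-01T12:00:02.000Z"  # constructed: when the banner was accepted
```

Run against a capture taken without ever interacting with the banner (`consent_at=None`), any finding at all is evidence that the banner is not blocking that vendor.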

SECTION 03

WHERE WE ARE NOW

FIELD LAB STATUS

Operational, Not Polished

BLACKOUT is a working field lab. The scanner runs. The database is live. The Command Center produces real intel. But we're not pretending this is a shrink-wrapped SaaS product.

We're publishing findings, building in public, and iterating based on what we discover in the field. If you want a polished enterprise demo, come back in 6 months. If you want to see what we're finding right now, you're in the right place.

Scanner Operational
Browser-based GTM stack scanner with HAR capture and forensic extraction.

BTI Database Live
83+ vendor profiles with detection signatures and risk scoring.

Command Center Active
AI-powered analysis with evidence-grounded threat briefings.

Auth & Multi-Tenant (WIP)
User accounts, team workspaces, and persistent scan history.

SECTION 04

THE ROADMAP

PHASE 01 // NOW

Prove the Threat Model

Run scans. Publish findings. Build the BTI database with real evidence from real sites. Establish that GTM stacks are a legitimate threat surface that security teams ignore.

Scanner, BTI Database, Field Research

PHASE 02 // NEXT

Productize the Capability

Auth, workspaces, continuous monitoring. Turn field research into a repeatable service that security and privacy teams can use to audit their own stacks.

User Auth, Workspaces, Scheduled Scans, Alerting

PHASE 03 // HORIZON

Scale the Intel Network

Crowdsourced vendor intelligence. Real-time threat feeds. Community-contributed signatures. Make GTM security a discipline, not a one-off audit.

Threat Feeds, Intel Sharing, Integrations
