FORENSIC STANDARDS
REPRODUCIBLE

HOW BLACKOUT INVESTIGATES VENDOR BEHAVIOR.

Every BTI advisory is the output of a forensic process. Observable runtime behavior, captured under reproducible conditions, scored with documented criteria.

Every claim is reproducible. Every finding is verifiable. No anonymous sources.

//WHO_WE_PROTECT

WHO THIS PROTECTS

Blackout exists to protect companies running vendor code on their sites—not the vendors themselves.

We do not notify vendors before publication. We do not provide remediation windows. We do not help vendors fix intentional behavior.

If a vendor wants vulnerability disclosure, they can hire a penetration tester. Blackout documents what vendors do on purpose.

//SECURITY_FRAMEWORKS_FLIPPED

Blackout borrows the toolkit of security research—forensic evidence, severity scoring, advisories—but serves the opposite constituency.

Traditional Security | Blackout
Protects software vendors from exploits | Protects companies from vendor exploitation
Vendors are clients | Vendors are subjects of observation
Vulnerabilities are bugs to fix | 'Vulnerabilities' are features working as designed
Disclosure helps vendors patch | Disclosure warns the market
Severity = risk to vendor | Severity = risk to vendor's customers

//THE_BTI_FRAMEWORK

THE BTI FRAMEWORK

BTI (Blackout Threat Intelligence) is a purpose-built taxonomy for vendor runtime behavior. It follows the CVE/CVSS pattern used in security: codes describe the class of behavior, advisories document specific instances, the score rates severity.

Industry Standard | BTI Equivalent | What it is
CWE-79 | BTI-C09 | A code — the class of behavior (e.g. consent bypass)
CVE-2024-12345 | BTI-2025-0001 | An advisory — a specific vendor finding citing one or more codes
CVSS 9.2 | BTSS 9.2 | A score — severity of that advisory (0–10)

BTI CODES

The vocabulary. 30 codes total — 16 BTI-C codes (observable runtime behaviors) and 14 BTI-X codes (contextual claims-vs-reality).

BTI-C09 = pre-consent capture
BTI-X04 = marketing mismatch

BTI ADVISORY

A specific vendor finding. Cites one or more BTI codes, carries technical evidence, ships with a BTSS severity score.

BTI-2025-0001 = RB2B
BTI-2025-0002 = ZoomInfo

BTSS SCORE

Blackout Threat Severity Score. Per-advisory severity on a 0–10 scale, same as CVSS. Computed from exploitability, data sensitivity, prevalence, detection difficulty.

9.0+ Critical · 7.0+ High
4.0+ Medium · <4.0 Low

//WHERE_IT_COSTS_YOU

WHERE IT COSTS YOU

Every finding maps to four revenue impact channels. This is not a compliance exercise—it’s a revenue threat assessment.

CAC Subsidization

Visitor data captured on a site can flow into data broker networks and identity graphs, eventually surfacing in competitor prospecting tools. The original company paid to acquire the traffic; competitors pay pennies to intercept the lead.

Signal Corruption

Overlapping tracking mechanisms corrupt attribution data. Multiple sources claim credit for single conversions. Pipeline metrics diverge from reality. Marketing decisions get made on numbers that can't be trusted.

Legal Tail Risk

Pre-consent data collection, undisclosed data sharing, and consent signal violations create regulatory exposure. Class actions and regulatory fines can exceed entire annual marketing budgets. Liability sits with the site owner, not the vendor.

GTM Attack Surface

Third-party scripts execute with full privileges on every page load. Dangerous code patterns, external dependencies, and data interception turn marketing infrastructure into attack vectors. One compromised dependency compromises the entire site.

//FORENSIC_STANDARDS

REPRODUCIBILITY

Every finding can be independently verified. We provide the exact conditions, tools, and steps needed to reproduce our results.

CHAIN OF CUSTODY

All evidence is cryptographically hashed and timestamped. Forensic packages include SHA256 hashes for integrity verification.

ADVERSARIAL TESTING

We actively seek to disprove our findings. Only claims that survive rigorous counter-testing are published.

//INVESTIGATION_PROCESS
01

Network Traffic Capture

We capture all network requests from a clean browser profile using Chrome DevTools Protocol. HAR files preserve the complete request/response cycle with precise timing data.

Tools: Chrome DevTools, mitmproxy, Wireshark
02

Script Deobfuscation

Third-party scripts are extracted and deobfuscated to reveal their true behavior. We document every data collection mechanism and transmission endpoint.

Tools: AST parsing, de4js, manual analysis
03

Timeline Reconstruction

We establish precise timing of events: when scripts load, when data is captured, when consent banners appear. This reveals the liability gap—unauthorized collection that occurs before consent.

Tools: Performance.timing, Resource Timing API, Network timestamps
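
An added example (not Blackout's own tooling) of the timing comparison described in this step: given a HAR capture and the moment the visitor interacted with the consent banner, it lists the third-party requests that started earlier. The HAR excerpt, the hostnames, the separately recorded consent timestamp and the function names are assumptions made for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed HAR excerpt (not captured data); hosts use the reserved .example TLD.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-01-01T12:00:00.000Z",
     "request": {"method": "GET", "url": "https://shop.example/"}},
    {"startedDateTime": "2025-01-01T12:00:00.420Z",
     "request": {"method": "GET", "url": "https://cdn.shop.example/app.js"}},
    {"startedDateTime": "2025-01-01T12:00:00.910Z",
     "request": {"method": "POST", "url": "https://collect.tracker.example/v1/id",
                 "postData": {"mimeType": "application/json", "text": "{}"}}},
    {"startedDateTime": "2025-01-01T12:00:06.300Z",
     "request": {"method": "GET", "url": "https://pixel.ads.example/p.gif?u=1"}},
]}}

def parse_ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_third_party(host, first_party):
    # Simplification: suffix match on the site's domain, no public-suffix list.
    return not (host == first_party or host.endswith("." + first_party))

def pre_consent_requests(har, first_party, consent_at=None):
    """Third-party requests that started before consent was given.

    consent_at=None models a visitor who never touched the banner, so every
    third-party request in the capture counts as pre-consent.
    """
    entries = sorted(har["log"]["entries"],
                     key=lambda e: parse_ts(e["startedDateTime"]))
    if not entries:
        return []
    page_start = parse_ts(entries[0]["startedDateTime"])
    consent = parse_ts(consent_at) if consent_at else None
    findings = []
    for entry in entries:
        started = parse_ts(entry["startedDateTime"])
        url = urlsplit(entry["request"]["url"])
        host = url.hostname or ""
        if is_third_party(host, first_party) and (consent is None or started < consent):
            findings.append({
                "offset_ms": round((started - page_start).total_seconds() * 1000),
                "host": host,
                "method": entry["request"]["method"],
                "sends_data": bool(url.query or entry["request"].get("postData")),
            })
    return findings
```
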
04

Payload Analysis

All transmitted data is decoded, documented, and categorized. We identify PII, behavioral data, device fingerprints, and third-party enrichment calls.

Tools: Email hashes, IP, User-Agent, Canvas fingerprints, WebGL
05

Evidence Packaging

Findings are compiled into forensic evidence packs with chain-of-custody hashes. Packages include HAR files, deobfuscated source, screenshots, and timeline data.

Tools: ZIP with SHA256 manifest, PDF report, JSON timeline
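
An added example (not Blackout's packaging code) of the hashing described under CHAIN OF CUSTODY and in this step: it zips artifacts with a SHA-256 manifest and re-verifies the pack later. The manifest file name and layout, the artifact names and the `tamper` helper are assumptions; the page does not specify the pack format.

```python
import hashlib, io, json, zipfile
from datetime import datetime, timezone

MANIFEST = "manifest.json"  # assumed name; the page does not give the layout
# Constructed artifacts standing in for a real capture.
SAMPLE_ARTIFACTS = {"capture.har": b'{"log": {"entries": []}}', "timeline.json": b"[]"}

def build_pack(artifacts):
    """Zip the artifacts (name -> bytes) together with a SHA-256 manifest."""
    manifest = {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": {n: hashlib.sha256(d).hexdigest() for n, d in sorted(artifacts.items())},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in artifacts.items():
            z.writestr(name, data)
        z.writestr(MANIFEST, json.dumps(manifest, indent=2))
    return buf.getvalue()

def verify_pack(pack_bytes):
    """Return integrity problems; an empty list means every hash matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as z:
        names = set(z.namelist()) - {MANIFEST}
        expected = json.loads(z.read(MANIFEST))["sha256"]
        for name, digest in expected.items():
            if name not in names:
                problems.append(f"missing: {name}")
            elif hashlib.sha256(z.read(name)).hexdigest() != digest:
                problems.append(f"modified: {name}")
        problems += [f"unlisted: {n}" for n in sorted(names - set(expected))]
    return problems

def manifest_digest(pack_bytes):
    """SHA-256 of the manifest itself, to be recorded outside the pack."""
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as z:
        return hashlib.sha256(z.read(MANIFEST)).hexdigest()

def tamper(pack_bytes, name, new_data):
    """Demo helper: rewrite one member while keeping the original manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pack_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()
```

A manifest stored inside the pack only catches changes by someone who leaves the manifest alone; the value from `manifest_digest` has to be signed or timestamped outside the pack for the hashes to support a custody claim.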
//FROM_SIGNAL_TO_EXPLOIT_CHAIN

FROM SIGNAL TO EXPLOIT CHAIN

Detection alone does not guarantee escalation. A finding becomes a BTI advisory when there is a demonstrable exploit path and consequence.

01

DETECTION

What we observed: pixels, cookies, network endpoints, script behavior, obfuscation patterns.

Maps to:

BTI-C codes

02

DECEPTION

What vendors claim vs. what they do: privacy promises contradicted by runtime behavior, undisclosed data flows.

Maps to:

BTI-X codes

03

COST

The revenue consequence: CAC subsidization, signal corruption, legal exposure, attack surface expansion.

Maps to:

Revenue impact channels + BTSS severity

This is why we're not a "security rating." Security ratings give you 10,000 yellow warnings. We give you a focused list of what's exploitable now, with the evidence chain to prove it.

//PRINCIPLES

No Anonymous Sources

We don't publish claims based on unnamed insiders or leaked documents without independent technical verification.

No Speculation

Findings are limited to what we can technically demonstrate. We don't infer intent or speculate on business motivations.

No Pay-for-Play

Vendors cannot pay to influence findings, delay publication, or have investigations removed.

SEE IT IN ACTION

Review our published investigations to see this methodology applied to real-world cases.