Every number we publish survives a CFO.
The methodology is published. The inputs are transparent. The assumptions are named. The customer can override any variable. Transparency is the moat. Vendors hide how they use your data. Blackout shows how we calculate its cost.
Every number must survive a CFO's scrutiny.
We quantify what's quantifiable.
Per-vendor revenue at risk, calculable from contract value, data classes, and observable behavior.
We estimate what's estimable.
Campaign effectiveness degradation. Renewal asymmetry. Bands with confidence intervals.
We reveal what can only be shown.
OAuth access to internal email. The finding is the number. No estimate needed.
We never inflate.
Every variable has a discount built in. Caps everywhere. Ranges instead of point estimates.
Revenue risk decomposes into four independent tracks.
Competitive Signal Leakage
“We're funding our competitors”
Campaign Effectiveness Degradation
“That's why CAC keeps climbing”
Corporate Intelligence Exposure
“They can read WHAT?”
Regulatory & Legal Tail Risk
“Our DPA says X. Runtime shows Y.”
▸ The Collapse Engine describes WHY revenue degrades. The methodology calculates HOW MUCH.
Three variables. One per-vendor result.
▸ Core equation · per vendor
DAV
Data Access Value
What the data this vendor can access is actually worth, anchored to the customer's own contract value.
Contract value × data contribution ratio. Or, fallback: records × published reference rates.
CEF
Competitive Exposure Factor
What percentage of this vendor's data access creates competitive advantage for your rivals.
Shared model (binary) × competitor overlap × relevance multiplier. Capped at 60%.
EC
Exfiltration Confidence
How confident we are that this vendor is actually extracting and using this data versus merely having theoretical access.
Confirmed (90–100%) → Probable (60–80%) → Possible (20–40%) → Not Observed (0%).
▸ Worked example
6sense on a $40M ARR B2B SaaS company
50K monthly visitors · Salesforce integration · $85K/yr contract
▸ Step 1 · DAV (Data Access Value)
Visitor identity: 50K/month × $0.25/record
CRM contacts: 8,200 × $1.50/record/month
Pipeline / deals: 340 active × $5.00/record/month
▸ Step 2 · CEF (Competitive Exposure Factor)
Shared intent graph: YES
Competitor overlap: 4 of 8 known competitors = 50%
Relevance multiplier: 3×
Raw: 150% → capped at 60%
▸ Step 3 · EC (Exfiltration Confidence)
Browser identity: Confirmed (95%)
CRM pull: Probable (70%)
Blended (DAV-weighted): 80%
▸ Result
$318,000 × 0.60 × 0.80 = $152,640 / year
$130K – $175K
estimated annual revenue at risk from 6sense
Range reflects EC confidence band. Customer overrides will tighten the estimate further.
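The worked example above, carried through in Python as an added illustration (not Blackout's code). Annualising the monthly figures by 12 and mapping visitor identity to "Browser identity" and both CRM classes to "CRM pull" are assumptions made here; the ×12 is what reproduces the page's $318,000.

```python
from dataclasses import dataclass

CEF_CAP = 0.60  # page: CEF is capped at 60%


@dataclass
class DataClass:
    name: str
    records: int          # records per month
    monthly_rate: float   # $ per record per month (rates from the worked example)
    ec: float             # exfiltration confidence for this class, 0.0-1.0

    @property
    def annual_value(self) -> float:
        # Assumption: monthly figures are annualised x12 (this matches $318,000).
        return self.records * self.monthly_rate * 12


def dav(classes):
    """Data Access Value via the records x reference-rate fallback."""
    return sum(c.annual_value for c in classes)


def cef(shared_model, overlap, relevance):
    """Shared model (binary) x competitor overlap x relevance, capped."""
    raw = (1.0 if shared_model else 0.0) * overlap * relevance
    return min(raw, CEF_CAP)


def blended_ec(classes):
    """DAV-weighted mean of per-class confidence."""
    total = dav(classes)
    if total == 0:
        return 0.0
    return sum(c.annual_value * c.ec for c in classes) / total


def revenue_at_risk(dav_value, cef_value, ec_value):
    if not 0.0 <= ec_value <= 1.0:
        raise ValueError("EC must be between 0 and 1")
    return round(dav_value * min(cef_value, CEF_CAP) * ec_value, 2)


# Inputs from the 6sense worked example; the EC-per-class mapping is assumed.
SIXSENSE = [
    DataClass("visitor identity", 50_000, 0.25, 0.95),  # browser identity
    DataClass("CRM contacts", 8_200, 1.50, 0.70),       # CRM pull
    DataClass("pipeline / deals", 340, 5.00, 0.70),     # CRM pull
]

if __name__ == "__main__":
    d, c, e = dav(SIXSENSE), cef(True, 0.50, 3.0), blended_ec(SIXSENSE)
    print(f"DAV ${d:,.0f}  CEF {c:.2f}  EC (weighted) {e:.3f}")
    print(f"at risk, page's 80% EC: ${revenue_at_risk(d, c, 0.80):,.0f}")
```

Under the assumed mapping the weighted blend comes to about 0.82; the page reports it as 80%, and that figure is the one passed in to reproduce $152,640.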
The other three tracks. Different math, same rigor.
Track 02 · Campaign Effectiveness Degradation
Your forecast is built on signal you can't trust.
Vendor scripts manufacture identity events your analytics ingests as real. The same vendors take credit for the pipeline they helped fabricate. Channel mix, attribution model, and CAC calculation read off corrupted data.
▸ At-risk campaign spend
Campaign Spend (vendor-flagged accounts) × Signal Compromise Ratio
If 30% of a vendor's signal derives from pooled customer data, 30% of campaign spend targeting that vendor's surfaced accounts is built on compromised signal.
Track 03 · Corporate Intelligence Exposure
They can read your CEO's emails.
Vendor access to executive correspondence, deal strategy notes, competitive positioning, and pricing decisions through CRM integrations approved for “product functionality.” Not calculable. Either they have access or they don't.
▸ The Product Functionality Test
For every OAuth scope a vendor holds: what specific, documented product feature requires this data class?
Delta between scopes requested and scopes justified by documented features = the unexplained access surface. The customer draws the conclusion.
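One way to run the Product Functionality Test over a vendor's grant, as an added example (not Blackout's code). The Google scope strings are real; the feature catalogue, the granted set and the scope-to-data-class mapping are constructed sample data for a hypothetical vendor.

```python
CONTACTS = "https://www.googleapis.com/auth/contacts.readonly"
CALENDAR = "https://www.googleapis.com/auth/calendar.readonly"
GMAIL = "https://www.googleapis.com/auth/gmail.readonly"

# Constructed: data class each scope exposes (assumed mapping).
DATA_CLASS = {CONTACTS: "contacts", CALENDAR: "calendar", GMAIL: "email"}

# Constructed: features from a hypothetical vendor's documentation and the
# scopes that documentation says each feature needs.
DOCUMENTED_FEATURES = {
    "contact sync": {CONTACTS},
    "meeting scheduler": {CALENDAR, CONTACTS},
}

# Constructed: scopes the vendor's OAuth grant actually holds.
GRANTED = {CONTACTS, CALENDAR, GMAIL}


def functionality_test(granted, features, data_class):
    """Split granted scopes into justified and unexplained."""
    justified = {}
    for feature, needed in sorted(features.items()):
        for scope in needed & granted:
            justified.setdefault(scope, []).append(feature)
    # Granted scopes that no documented feature accounts for.
    unexplained = [
        (scope, data_class.get(scope, "unclassified"))
        for scope in sorted(granted - set(justified))
    ]
    # Documented needs the grant does not cover (a stale doc or a broken feature).
    not_granted = {
        f: sorted(n - granted) for f, n in features.items() if n - granted
    }
    return {
        "justified": justified,
        "unexplained": unexplained,
        "not_granted": not_granted,
    }


if __name__ == "__main__":
    report = functionality_test(GRANTED, DOCUMENTED_FEATURES, DATA_CLASS)
    for scope, features in sorted(report["justified"].items()):
        print(f"justified    {scope}  <- {', '.join(features)}")
    for scope, cls in report["unexplained"]:
        print(f"unexplained  {scope}  (data class: {cls})")
```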
Track 04 · Regulatory & Legal Tail Risk
Your DPA says X. Runtime shows Y.
The measurable gap between governance artifacts (DPAs, privacy policies, consent mechanisms, subprocessor disclosures) and what actually happens at runtime. Surface name in product: Regulatory Touchpoints.
▸ Posture
We observe behavior and cite the regulations or statutes that address that behavior pattern. We do not assert violations, applicability, or liability.
Blackout provides the evidence. Counsel provides the assessment.
The number tightens as you connect more.
Layer 01
Scan-only estimate
Wide range
Vendor count, VIDB behavioral profiles, public competitive overlap
$180K–$340K annual exposure
Layer 02
OAuth-enriched
Tighter range
+ actual OAuth scopes, CRM object counts, API pull frequency
$130K–$175K from 6sense
Layer 03
Contract-enriched
Narrow bands
+ contract values, stated terms, subprocessor disclosures
$42K subsidization on $85K spend
Layer 04
Enforcement-verified
Measured, not estimated
+ actual exfiltration events observed and blocked by the diode
4,218 events blocked. $95K verified savings.
▸ Customer override principle · every input is editable · numbers become collaborative
Every cap is a discount on the number.
Every variable carries a discount
EC confidence levels: 0% – 100%, never above observed evidence
CEF capped at 60%
No competitive-exposure factor exceeds 0.60, regardless of inputs
Time multipliers capped at 1.5×
Integration age longer than 24 months never multiplies above 1.5×
Cross-vendor correlation capped at 1.3×
Aggregate stack risk never multiplies above 1.3×
Ranges replace point estimates
Wherever confidence is below Confirmed, output is a band
The methodology is honest about its limits.
We do not claim vendors are "selling" specific customer data. We show what they can access, what their products require, and the gap.
We do not claim precise dollar losses. We show estimated exposure ranges with published methodology.
We do not claim attribution fraud without direct evidence. We identify the conditions that make circular attribution possible.
We do not assign intent. A vendor with unexplained OAuth scopes may have legitimate reasons we haven't identified.
We do not provide legal advice. Regulatory exposure ceilings use published penalty structures applied to observed evidence.
We do not claim DPA discrepancies constitute violations. We show the delta. The legal determination is your counsel's.
See your number. Then verify it.
Run a scan. Get a Layer 1 estimate in 60 seconds. Connect your CRM and contracts to tighten the band. Override anything you disagree with.
▸ Methodology v0.2 · 2026-04-22 · Conservative by design