FOR CISO // SECURITY ENGINEERING // APPSEC

Your CRM is an attack surface.

The vendor your marketing team approved can read your CEO's emails, your deal strategy, your competitive positioning, and your pricing decisions. Through OAuth scopes you never audited.

Unexplained access surface
6sense → Salesforce

▸ OAuth scopes granted

  • + contacts.read
  • + accounts.read
  • + deals.read
  • + pipeline.read
  • + activities.read
  • + emails.read

▸ Documented product requirement

emails.read · NONE FOUND

▸ Records accessible

8,400

logged email activities · 18-month integration

Persistence: HIGH · Auditable
How we map this
01 // PRODUCT FUNCTIONALITY TEST

For every scope a vendor holds: what feature requires it?

The methodology asks one question of every OAuth scope. The delta between scopes requested and scopes justified by documented features is the unexplained access surface.

contacts.read

Often justified

Vendor needs to sync contacts for their core product to function. Defensible.

accounts.read

Sometimes justified

ABM tools have a documented need for account-level data. Audit per-vendor.

deals.read · pipeline.read

Rarely justified

What intent-data product requires knowing your deal values and close dates?

emails.read · activities.read

Almost never justified

What non-CRM vendor requires read access to internal email threads?

We don't claim the vendor is misusing the data. We show what they CAN access, what their docs say they NEED, and the gap. You draw the conclusion.

02 // SCOPE AUDIT

Run the test. Get the gap.

BLACKOUT://SCOPE/AUDIT · 6 GRANTED · 2 JUSTIFIED
$ blackout audit --vendor 6sense --crm salesforce
contacts.read     Sync contacts for ABM scoring            JUSTIFIED
accounts.read     Account enrichment for intent matching   JUSTIFIED
deals.read        NONE FOUND in product documentation      UNEXPLAINED
pipeline.read     NONE FOUND in product documentation      UNEXPLAINED
activities.read   NONE FOUND in product documentation      UNEXPLAINED
emails.read       NONE FOUND in product documentation      UNEXPLAINED

● Unexplained access surface · 4 of 6 scopes

Records accessible: 14,232 contacts · 340 active deals · ~8,400 logged email activities. Last vendor API pull: 2026-04-27 09:14 UTC. Integration age: 18 months. Data persistence risk: HIGH.

Vendor: 6sense → Salesforce · 18 months active · Unexplained access: 4 scopes
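The product functionality test and the scope audit above reduce to one computation: granted scopes minus scopes a documented feature justifies. The block below is an added example written for this page, not Blackout's code; the vendor name, the granted-scope list and the per-vendor justification map are constructed inputs, and the sensitivity ranking used to order findings is an assumption of the example.

```python
"""Added example (not the product's code): compute the unexplained OAuth
access surface for one vendor integration.

Inputs are constructed for illustration: the scopes the CRM reports as
granted to the vendor's connected app, and the scopes the vendor's own
product documentation justifies (one documented feature per scope).
"""
from dataclasses import dataclass

# Constructed: scopes the CRM reports as granted to the vendor app.
GRANTED_SCOPES = ["contacts.read", "accounts.read", "deals.read",
                  "pipeline.read", "activities.read", "emails.read"]

# Constructed, per vendor: scope -> documented feature that needs it.
# Anything absent here is reported as "NONE FOUND in product documentation".
DOCUMENTED_REQUIREMENTS = {
    "contacts.read": "Sync contacts for ABM scoring",
    "accounts.read": "Account enrichment for intent matching",
}

# Assumed ranking so the most sensitive unexplained scopes sort first.
SENSITIVITY = {"emails.read": 4, "activities.read": 3, "deals.read": 2,
               "pipeline.read": 2, "accounts.read": 1, "contacts.read": 1}


@dataclass(frozen=True)
class ScopeFinding:
    scope: str
    justification: str  # documented feature needing the scope, "" if none

    @property
    def status(self) -> str:
        return "JUSTIFIED" if self.justification else "UNEXPLAINED"


def audit_scopes(granted, documented):
    """One finding per distinct granted scope, most sensitive first.

    A scope that is documented but not granted is simply absent from the
    output: the audit measures held access, not requested access.
    """
    findings = [ScopeFinding(s, documented.get(s, ""))
                for s in dict.fromkeys(granted)]  # dedupe, keep order
    findings.sort(key=lambda f: (-SENSITIVITY.get(f.scope, 0), f.scope))
    return findings


def unexplained_surface(findings):
    """The delta: granted scopes with no documented product requirement."""
    return [f.scope for f in findings if f.status == "UNEXPLAINED"]


def render_report(vendor, crm, findings):
    """Plain-text report in the same shape as the audit listing above."""
    gap = unexplained_surface(findings)
    lines = [f"{vendor} -> {crm} · {len(findings)} GRANTED · "
             f"{len(findings) - len(gap)} JUSTIFIED"]
    for f in findings:
        why = f.justification or "NONE FOUND in product documentation"
        lines.append(f"{f.scope:<16} {why:<40} {f.status}")
    lines.append(f"Unexplained access surface · {len(gap)} of {len(findings)} scopes")
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_scopes(GRANTED_SCOPES, DOCUMENTED_REQUIREMENTS)
    print(render_report("example-vendor", "example-crm", result))
```

The justification map is the part that has to be built per vendor from their published documentation; the code only makes the gap explicit and keeps the most sensitive scopes at the top of the report.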
03 // EXPOSURE CATEGORIES

Six things a vendor with email scope can already see.

All email and activity objects are the same object type in the CRM. The vendor's API pull retrieving email activity retrieves all email activity. No filter for “only the ones relevant to our product.”

Internal deal strategy

Competitive positioning, pricing decisions, discount willingness, deal risk notes.

Deal record fields, activity notes, email threads logged to CRM.

Executive communications

CEO and C-suite correspondence flowing through CRM-connected email.

Email activity sync, activity logging.

Org structure

Who talks to whom, how often, about which accounts.

Communication-pattern analysis from activity data.

Hiring & contraction signals

New users appearing or disappearing, account reassignment patterns.

CRM user activity, account-ownership changes.

Competitive intelligence

Which competitors are tracked, where you're losing, why.

Account fields, competitive tags, lost-deal reasons.

Recruitment & expansion

Expansion plans, new market entry, geographic growth.

New deal stages for new product lines, career-page traffic patterns.

04 // CLIENT-SIDE SUPPLY CHAIN

The other attack surface. In your browser.

Your DPA covers the vendor you signed with. It doesn't cover the vendors they load at runtime, or the vendors those vendors load.

The methodology calls this undisclosed-subprocessor amplification. Each layer adds exposure your team cannot assess, audit, or consent to.

BLACKOUT://SUPPLY-CHAIN/TRACE · UNDISCLOSED
Your GTM → loads → Meta Pixel [disclosed]
Meta Pixel → loads → FullStory [undisclosed]
FullStory → loads → RB2B [defeat device]
RB2B → exfil → AWS us-west-2 [PII payload]

Your contract bound 1 of 4 nodes. The other 3 sit outside your governance perimeter.

Depth: 4 hops · 3 undisclosed · Not in DPA
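The trace above is a loader graph: who loaded what, walked from your own tag container, with each node checked against the subprocessors your DPA actually names. The block below is an added example written for this page, not Blackout's tooling. The HAR excerpt and hostnames are constructed, the DPA list is constructed, and the layout of Chrome DevTools' non-standard per-entry "_initiator" field (a "parser" initiator with a "url", or a "script" initiator with a "stack" of "callFrames") is an assumption about that export; it is not part of the HAR 1.2 specification.

```python
"""Added example (not the product's code): build the client-side loader
chain from a HAR capture and mark each hop as disclosed or undisclosed.
"""
import json
from collections import deque
from urllib.parse import urlsplit

# Constructed minimal HAR excerpt. The "_initiator" layout is an assumption
# about Chrome DevTools' export; hostnames are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://tagmanager.example/gtm.js"},
     "_initiator": {"type": "parser", "url": "https://www.example/"}},
    {"request": {"url": "https://pixel-a.example/events.js"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "https://tagmanager.example/gtm.js"}]}}},
    {"request": {"url": "https://session-replay.example/record.js"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "https://pixel-a.example/events.js"}]}}},
    {"request": {"url": "https://identity-resolver.example/id.js"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "https://session-replay.example/record.js"}]}}},
    {"request": {"url": "https://collector.example/ingest"},
     "_initiator": {"type": "script", "stack": {"callFrames": [
         {"url": "https://identity-resolver.example/id.js"}]}}},
]}})

ROOT = "tagmanager.example"       # your own tag container (hop 0)
DISCLOSED = {"pixel-a.example"}   # constructed: vendors named in the DPA


def initiator_url(entry):
    """URL of the resource that caused this request, or None if unknown."""
    init = entry.get("_initiator") or {}
    if init.get("type") == "parser":
        return init.get("url")
    frames = (init.get("stack") or {}).get("callFrames") or []
    return frames[0].get("url") if frames else None


def edges_from_har(har_text):
    """Set of (loader_host, loaded_host) edges; same-host loads are dropped."""
    edges = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        src = initiator_url(entry)
        if not src:
            continue
        loader = urlsplit(src).hostname
        loaded = urlsplit(entry["request"]["url"]).hostname
        if loader and loaded and loader != loaded:
            edges.add((loader, loaded))
    return edges


def build_dag(edges):
    """Adjacency list: loader host -> sorted list of hosts it loads."""
    children = {}
    for loader, loaded in sorted(edges):
        children.setdefault(loader, []).append(loaded)
    return children


def trace(children, root, disclosed):
    """Breadth-first walk from root; (host, depth, status) per third party.

    The seen-set keeps a cycle (A loads B loads A) from looping forever.
    """
    seen, out, queue = {root}, [], deque([(root, 0)])
    while queue:
        host, depth = queue.popleft()
        for child in children.get(host, []):
            if child in seen:
                continue
            seen.add(child)
            status = "disclosed" if child in disclosed else "undisclosed"
            out.append((child, depth + 1, status))
            queue.append((child, depth + 1))
    return out


def coverage(nodes):
    """(max depth, disclosed count, undisclosed count) for the trace."""
    depth = max((d for _, d, _ in nodes), default=0)
    disclosed = sum(1 for _, _, s in nodes if s == "disclosed")
    return depth, disclosed, len(nodes) - disclosed


if __name__ == "__main__":
    nodes = trace(build_dag(edges_from_har(SAMPLE_HAR)), ROOT, DISCLOSED)
    for host, depth, status in nodes:
        print(f"hop {depth}: {host} [{status}]")
    print("depth, disclosed, undisclosed:", coverage(nodes))
```

Only the first call frame is used as the loader, which attributes a script to its nearest caller; a request made by a trusted library on behalf of an undisclosed script will show up one hop short, so treat the depth as a lower bound.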
05 // THE ENGINEERING EXPORT

The artifact your AppSec already knows how to read.

Findings ship as a forensic package. Same evidence chain your team already uses for incident response. SBOM-style dependency tree, auth-scope inventory, payload hashes.

▸ engineering-evidence-package.zip

SHA-256 chain of custody · ISO-8601 timestamps · HAR + payload hashes

01_oauth_scope_inventory.json   Per-vendor OAuth scopes vs. documented product requirement
02_supply_chain_dag.json        Full client-side dependency tree with disclosure status per node
03_payload_intel.json           Decoded vendor payloads with PII identification
04_pre_consent_evidence.json    Scripts firing before consent banner load
05_defeat_device_scan.json      Anti-audit code patterns identified in vendor scripts
06_evidence_har/                Raw HAR captures with hash-verified manifest

Format ready for SOC tooling ingest or manual triage · One-click export
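A hash-verified manifest is what lets the receiving AppSec or IR team prove the package they triage is the package that was captured. The block below is an added example of how such a manifest is built and checked; it is not the product's export code, and the file names it writes into a temporary directory are constructed sample content. Its one design assumption is that the manifest's own SHA-256 is stored inside the manifest so that edits to the file list are detectable.

```python
"""Added example (not the product's code): build and verify a SHA-256
manifest with ISO-8601 timestamps over an evidence directory.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large HAR captures are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the manifest digest is reproducible regardless of
    # key order or whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _relative_names(root: Path):
    return {str(p.relative_to(root)).replace("\\", "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Hash every file under root and stamp the UTC collection time."""
    files = {name: {"sha256": sha256_file(p), "bytes": p.stat().st_size}
             for name, p in _relative_names(root).items()}
    body = {"collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "files": files}
    # Digest over the body binds the file list itself; editing an entry to
    # hide a modified file changes this value.
    return {**body, "manifest_sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return problems: manifest digest mismatch, modified, missing, unlisted."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(body)).hexdigest() != manifest.get("manifest_sha256"):
        problems.append("manifest: digest mismatch")
    present = _relative_names(root)
    for name, meta in manifest["files"].items():
        path = root / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != meta["sha256"]:
            problems.append(f"modified: {name}")
    for name in sorted(set(present) - set(manifest["files"])):
        problems.append(f"unlisted: {name}")
    return problems


def self_check():
    """Build a constructed package, verify it, tamper, and verify again.

    Returns (problems when clean, problems after tampering, problems when
    the manifest entry was forged to match the tampered file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "01_oauth_scope_inventory.json").write_text('{"scopes": []}')
        (root / "06_evidence_har").mkdir()
        capture = root / "06_evidence_har" / "capture.har"
        capture.write_text('{"log": {"entries": []}}')
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        capture.write_text("tampered")           # modify captured evidence
        (root / "stray.txt").write_text("x")     # add an unlisted file
        tampered = verify_manifest(root, manifest)
        forged = json.loads(json.dumps(manifest))
        forged["files"]["06_evidence_har/capture.har"]["sha256"] = sha256_file(capture)
        return clean, tampered, verify_manifest(root, forged)


if __name__ == "__main__":
    for label, problems in zip(("clean", "tampered", "forged"), self_check()):
        print(label, problems or "OK")
```

The embedded digest only shows that the manifest changed after it was built; it does not say who built it. For custody between teams the manifest digest itself still needs to be signed or recorded out of band (a ticket, a signed email, a timestamping service), otherwise whoever edits the files can also recompute the manifest.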

Map the gap. Close the gap.

Run a scan. Get your full client-side dependency tree and OAuth scope audit in 60 seconds. No agent install. No code change.

▸ Free · No signup · No credit card · 600+ vendor signatures