How This Briefing Works
This dossier opens with key findings, then maps the gap between what ABMatic discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 2 sites
vendor fires before consent
Briefing
ABMatic deploys full-spectrum visitor surveillance: session recording, behavioral biometrics, cross-domain identity resolution, and persistent tracking infrastructure. Executes all capabilities pre-consent. Represents worst-case GTM threat profile combining GDPR Article 9 violations (behavioral data as special category), CCPA biometric disclosure failures, and documented consent bypass.
What This Means For You
For security teams: Session recordings capture authentication flows and sensitive form data, creating breach notification obligations if ABMatic storage is compromised. For legal: Every recorded session is a GDPR data subject access request requiring video reconstruction with PII redaction. For marketing: Complete behavioral profiles sold to competitors at 10-100x markup over your visitor acquisition cost. For sales: Behavioral intent signals leak to competitors before your team can act.
Risk Channel Breakdown
Distorts attribution data
ABMatic sells complete behavioral profiles to intent data platforms. Every mouse movement, keystroke, and session recording feeds competitor intelligence. Your visitor acquisition cost subsidizes competitors targeting the same accounts with your behavioral insights.
Expands attack surface
Session recording and behavioral biometrics without explicit consent create maximum regulatory exposure. GDPR Article 9 treats behavioral patterns as special category data. CCPA requires biometric disclosure in privacy policy. ePrivacy Directive prohibits pre-consent execution. Tag manager deployment extends liability to site operator as joint controller.
Threat Indicators
Runtime-observed (BTI-C)
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Long-lived identifiers
PII deanonymization
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed ABMatic's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 3 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 0, observed 1
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →