How This Briefing Works
This report opens with key findings, then maps the gaps between what Chartbeat discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
2 gaps
pending
LOW
They Claim
“Cookieless mode available”
Observed Behavior
Awaiting scanner verification to confirm default cookie behavior and actual data transmission patterns
pending
LOW
They Claim
“No third-party cookies or fingerprinting”
Observed Behavior
Awaiting runtime validation of JavaScript payload behavior
Customer Impact
What This Means For You
For organizations with Chartbeat deployed on their properties, the revenue risk is low. Chartbeat's focused analytics scope means it is unlikely to trigger regulatory enforcement or create material compliance gaps under GDPR or CCPA, particularly when operated in cookieless mode. The primary operational consideration is vendor dependency — Chartbeat's JavaScript executes on every page load, meaning any outage or compromise of their CDN affects site performance. Organizations in heavily regulated industries should verify that Chartbeat's data processing agreement covers their specific jurisdictional requirements.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Chartbeat
- →- Verify whether Chartbeat is configured in cookie mode or cookieless mode on your properties - Review Chartbeat's Data Processing Agreement for alignment with your privacy obligations - Audit the Chartbeat JavaScript tag to confirm it matches the expected version and behavior - Consider cookieless mode if operating in jurisdictions with strict consent requirements - Monitor Chartbeat's Datastream API usage to ensure engagement data is not being piped to unintended destinations
Negotiation Leverage
- →Chartbeat's leverage position is moderate — it dominates real-time editorial analytics for publishers but faces increasing competition from privacy-first alternatives. Key negotiation questions: (1) Is cookieless mode the default or opt-in? If opt-in, what percentage of customers use it? (2) What data retention periods apply to visitor engagement records? (3) Does Chartbeat aggregate or benchmark visitor data across publisher clients? (4) What subprocessors handle data, and in which jurisdictions? Protective measures: Require contractual commitment to cookieless mode if that is your configuration, include data deletion clauses upon contract termination, and ensure the DPA explicitly prohibits cross-client data aggregation.
Runtime Detections
Runtime Detections
2 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
Impact: Chartbeat's real-time editorial analytics create a measurement dependency for publishers. While the data collection is narrowly scoped to content engagement, the depth of behavioral telemetry (scroll depth, active reading time, recirculation) means editorial strategy becomes dependent on Chartbeat's measurement accuracy.
BTI-C10Fingerprinting
Device identification
IOC Manifest
IOC Manifest
228 INDICATORS
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*chartbeat.com/wp-content/themes/child-chartbeat/scripts/cb-scripts.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/script-modules/block-library/navigation/view.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/script-modules/interactivity/index.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/colab-alert//js/main.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/carousel-block/blocks/vendor/slick/init.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/carousel-block/blocks/vendor/slick/slick.js*
Tracking script
TRACK
*static2.chartbeat.com/js/chartbeatpreprod.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/embedpress/assets/js/lazy-load.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/blob.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/embedpress/assets/js/gallery-justify.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/vendor/react.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/vendor/react-jsx-runtime.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/deprecated.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/autop.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/block-serialization-default-parser.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/element.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/priority-queue.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/keycodes.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/is-shallow-equal.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/escape-html.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/compose.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/vendor/wp-polyfill.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/redux-routine.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor-common.js*
Tracking script
EXFIL
*chartbeat.com/wp-includes/js/dist/private-apis.js*
Data collection endpoint
TRACK
*chartbeat.com/wp-includes/js/dist/warning.js*
Tracking script
TRACK
*chartbeat.com/wp-content/themes/child-chartbeat/scripts/custom-scripts.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout1/fca-ept-layout1.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout2/fca-ept-layout2.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/dom-ready.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/dom.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/rich-text.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/shortcode.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/html-entities.js*
Tracking script
EXFIL
*chartbeat.com/wp-includes/js/dist/data.js*
Data collection endpoint
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-sidebar.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/a11y.js*
Tracking script
TRACK
*chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-toolbar.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/vendor/react-dom.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/dist/blocks.js*
Tracking script
TRACK
*chartbeat.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
chartbeat.com/wp-content/plugins/colab-alert//js/main.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/themes/child-chartbeat/scripts/cb-scripts.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/script-modules/block-library/navigation/view.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/script-modules/interactivity/index.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/carousel-block/blocks/vendor/slick/slick.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/carousel-block/blocks/vendor/slick/init.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/embedpress/assets/js/gallery-justify.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/embedpress/assets/js/lazy-load.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/vendor/react.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/vendor/react-jsx-runtime.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/autop.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/vendor/wp-polyfill.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/blob.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/block-serialization-default-parser.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/deprecated.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/dom.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/vendor/react-dom.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/escape-html.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/element.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/is-shallow-equal.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/keycodes.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/priority-queue.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/compose.min.js
Auto-extracted from scan
EXFIL
chartbeat.com/wp-includes/js/dist/private-apis.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/redux-routine.min.js
Auto-extracted from scan
EXFIL
chartbeat.com/wp-includes/js/dist/data.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/html-entities.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/dom-ready.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/a11y.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/rich-text.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/shortcode.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/warning.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/dist/blocks.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor-common.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-sidebar.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-toolbar.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout1/fca-ept-layout1.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout2/fca-ept-layout2.min.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-content/themes/child-chartbeat/scripts/custom-scripts.js
Auto-extracted from scan
TRACK
static2.chartbeat.com/js/chartbeatpreprod.js
Auto-extracted from scan
TRACK
chartbeat.com/wp-includes/js/wp-emoji-release.min.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Chartbeat operates primarily within the digital publishing ecosystem. It integrates with major CMS platforms and offers a Datastream API for piping analytics data into external systems. Chartbeat does not share visitor data with advertising networks or data brokers. The platform's data stays within the publisher-Chartbeat relationship unless the publisher explicitly exports it via API. Chartbeat is a cloud-only service with no self-hosted option — all data is processed on Chartbeat's infrastructure.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
228 detection signatures across scripts, domains, cookies, and network endpoints