
Cometly

Cometly is an AI-powered marketing attribution vendor that deploys client-side pixels and server-side tracking to map the full customer journey from ad click to CRM close, syncing enriched conversion data back to ad platforms to optimize algorithmic targeting.

8 IOCs · Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Cometly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior (2 gaps, both pending runtime verification)

Gap 1 · MEDIUM · pending
They claim: Server-side tracking bypasses privacy limitations
Observed behavior: Awaiting scanner verification of pixel behavior, data endpoints, and cookie patterns at runtime

Gap 2 · MEDIUM · pending
They claim: 300+ integrations
Observed behavior: Scope of data sharing across the integration ecosystem needs direct observation

Customer Impact

What This Means For You

Organizations deploying Cometly face three key risks:

1. Data leakage to competitors: by sharing enriched conversion data with ad platforms via CAPI, organizations are training algorithms that also serve their competitors, effectively subsidizing competitive intelligence.
2. Measurement lock-in: once ad platform algorithms are optimized on Cometly's conversion signals, removing Cometly degrades ad performance, creating an artificial dependency.
3. Compliance liability: server-side tracking that circumvents user privacy preferences creates regulatory exposure that falls on the data controller, not on the vendor. Note that "bypasses privacy limitations" is the vendor's own claim; whether the pixel actually fires for visitors who declined consent is still pending scanner verification.

The promise of "better attribution" comes at the cost of sharing first-party business intelligence with the largest advertising platforms.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Cometly

  • Audit exactly what data the Cometly Pixel collects at runtime, including all behavioral events, identifiers, and metadata captured before and after consent.
  • Map the complete data flow from Cometly to each connected ad platform via CAPI to understand what customer and business data is being shared externally.
  • Evaluate whether server-side tracking circumvents user consent preferences and assess compliance implications under applicable privacy regulations.
  • Request a data inventory of all information Cometly retains, how long it is retained, and what happens to data upon contract termination.
  • Establish independent measurement benchmarks to validate Cometly's attribution claims against directly observed conversion data.

Negotiation Leverage

  • Leverage: Cometly's core value depends on CAPI integration with ad platforms — ask exactly what data fields are transmitted to Meta, Google, and TikTok, and whether customers can selectively restrict what is shared. The server-side tracking capability is a compliance liability transfer; negotiate for indemnification covering regulatory actions arising from Cometly's tracking methodology.
  • Key questions: What specific data is sent to ad platforms via CAPI? Can customers restrict revenue and deal-stage data from being shared? Does server-side tracking operate on visitors who have declined tracking consent? What data does Cometly retain independently of ad platform integrations?
  • Contractual protections: Require granular control over what data flows to which ad platforms. Include data deletion upon termination with third-party certification. Negotiate for the right to audit CAPI payloads. Ensure the DPA covers server-side tracking as a distinct processing activity with its own lawful basis requirements.
Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Cometly's CAPI integration creates a measurement-optimization feedback loop: attribution data feeds ad platform algorithms, which then produce the conversions Cometly measures. This circular dependency means attribution accuracy cannot be validated from inside the loop; only a measurement source independent of both Cometly and the ad platforms can check it. Marketing teams may believe they are getting objective measurement when they are actually receiving a self-reinforcing narrative.

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C10 Fingerprinting

Device identification

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest

8 INDICATORS

Indicators of compromise across 4 categories (scripts, domains, cookies, and network endpoints). The entries shown below are the publicly listed subset; the full 8-indicator manifest is among the evidence artifacts. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *p.cometly.com/script.js* (tracking script; glob pattern, matches any URL containing this host and path)
  • TRACK: p.cometly.com/script.js (auto-extracted from scan; exact host and path)
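The manifest above is only useful once it is turned into something that runs against your own traffic and your own policy. The following is an added example (not code from Cometly or BLACKOUT) that does the three things the page suggests for an IOC manifest and also covers the first recommended action, auditing what fires before consent: it matches a HAR capture against the published indicator and records whether each hit carried a consent cookie, it emits a Pi-hole-style hostname list, and it checks whether an existing Content-Security-Policy would already permit scripts from the IOC host. The HAR fragment is constructed (one request to the published indicator, one to an unrelated host as a negative case), and the consent cookie name `cmp_consent` and the CSP strings are assumptions, not values observed on the page.

```python
"""Turn a published IOC manifest into checks a practitioner can run.

Added example, not Cometly's or BLACKOUT's code. The HAR below is
constructed; the consent cookie name and CSP strings are assumptions.
"""
import fnmatch
import json
from urllib.parse import urlsplit

# IOC manifest entries as listed on the page: (category, pattern, note).
# A pattern wrapped in '*' is a glob matched against host+path; a bare
# entry is an exact host+path.
IOC_MANIFEST = [
    ("TRACK", "*p.cometly.com/script.js*", "Tracking script"),
    ("TRACK", "p.cometly.com/script.js", "Auto-extracted from scan"),
]

CONSENT_COOKIE = "cmp_consent"  # assumed CMP cookie name, not from the page


def _host_path(url):
    """Reduce a URL to host+path so scheme-less IOC patterns can be compared."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.netloc.lower() + parts.path


def ioc_match(url):
    """Return the first matching IOC tuple for a request URL, else None."""
    target = _host_path(url)
    for entry in IOC_MANIFEST:
        pattern = entry[1]
        hit = fnmatch.fnmatchcase(target, pattern) if "*" in pattern else target == pattern
        if hit:
            return entry
    return None


def ioc_hosts():
    """Distinct hostnames in the manifest, the unit a DNS blocklist works on."""
    return sorted({p.strip("*").split("/", 1)[0] for _, p, _ in IOC_MANIFEST})


def pihole_blocklist():
    """One hostname per line, the plain domain-list format Pi-hole accepts."""
    return "\n".join(ioc_hosts()) + "\n"


def csp_permits_host(policy, host):
    """True if the policy's script-src (or default-src fallback) would load
    scripts from `host`. CSP is an allow-list, so the remediation is to make
    sure the IOC host is not allowed, explicitly or via a broad source."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    for src in sources:
        src = src.lower()
        if src in ("*", "https:", "http:"):
            return True  # scheme-only or wildcard source allows any host
        src_host = urlsplit(src if "://" in src else "//" + src).netloc
        if src_host == host:
            return True
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
    return False


def audit_har(har_text):
    """List IOC hits in a HAR with timing and whether the request carried the
    consent cookie, i.e. whether it fired before the CMP recorded a choice."""
    har = json.loads(har_text)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        ioc = ioc_match(req["url"])
        if ioc is None:
            continue
        cookies = {c["name"]: c["value"] for c in req.get("cookies", [])}
        hits.append({
            "url": req["url"],
            "category": ioc[0],
            "started": entry["startedDateTime"],
            "consent_cookie": cookies.get(CONSENT_COOKIE),
            "before_consent": CONSENT_COOKIE not in cookies,
        })
    return hits


# Constructed HAR fragment, not a real capture.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2024-01-01T00:00:00.000Z",
     "request": {"method": "GET",
                 "url": "https://p.cometly.com/script.js?site=example",
                 "cookies": []}},
    {"startedDateTime": "2024-01-01T00:00:02.000Z",
     "request": {"method": "GET", "url": "https://cdn.example.org/app.js",
                 "cookies": [{"name": CONSENT_COOKIE, "value": "granted"}]}},
]}})

if __name__ == "__main__":
    for hit in audit_har(SAMPLE_HAR):
        print(hit)
    print(pihole_blocklist(), end="")
    print(csp_permits_host("script-src 'self' https:", "p.cometly.com"))
```

Run it against the HAR capture from the evidence tier instead of `SAMPLE_HAR` to get the actual pre-consent hit list, and feed your site's real `Content-Security-Policy` header to `csp_permits_host`: a policy that allows `https:` or `*.cometly.com` already permits the tracking script, which is the more common finding than a missing deny entry.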

Ecosystem & Supply Chain

Cometly sits at the center of a data supply chain connecting customer websites, CRM systems, and advertising platforms. The platform ingests behavioral data via its pixel, enriches it with CRM conversion data from Salesforce, HubSpot, and other systems, then exports this combined dataset to Meta, Google, TikTok, and other ad networks via Conversion APIs. With 300+ integrations spanning analytics warehouses, email platforms, and ad networks, Cometly ensures attribution data propagates across the entire marketing technology stack. This creates a scenario where sensitive business data — conversion rates, deal values, customer journey patterns — flows through Cometly to multiple third parties, each with their own data retention and usage policies.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

8 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details