Emarsys

Emarsys deploys persistent JavaScript tracking via its Web Extend SDK (scarab-v2.js served from cdn.scarabresearch.com) that captures granular behavioral data including page views, product interactions, cart events, and purchase history in real time. As an SAP-owned platform, collected data flows into the broader SAP Customer Data ecosystem. The SDK initializes a ScarabQueue object that fires tracking commands on every page load, building comprehensive behavioral profiles used to power its Predict recommendation engine and omnichannel campaign targeting.

89 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Emarsys discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

Gap 1: severity HIGH, status pending
They Claim: Web Extend SDK pre-consent loading behavior
Observed Behavior: Awaiting scanner verification of scarab-v2.js initialization timing relative to consent signals

Gap 2: severity MEDIUM, status pending
They Claim: SAP ecosystem data flow mapping
Observed Behavior: Third-party data enrichment flows through SAP Customer Data Platform integrations require runtime confirmation

Gap 3: severity MEDIUM, status pending
They Claim: Cookie persistence and cross-domain tracking
Observed Behavior: Cookie mechanisms and cross-domain behavioral linking need forensic analysis

Customer Impact

What This Means For You

If Emarsys is deployed on a website you rely on for business, your behavioral data — including browsing patterns, product interest signals, and purchase behavior — is being captured in real time and processed through SAP's data infrastructure. This data powers recommendation algorithms and campaign targeting that you have no visibility into or control over. Your competitive intelligence (what products you research, what you purchase, when you buy) becomes fuel for an engagement optimization engine that serves the website operator's interests, not yours. The SAP ecosystem integration means your behavioral profile may be enriched with data from other SAP-connected touchpoints.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Emarsys

  • Audit whether Emarsys Web Extend (scarab-v2.js / scarabresearch.com) loads before consent is granted on sites you interact with
  • Review data processing agreements to understand how behavioral data flows through SAP's Customer Data Platform integrations
  • Assess whether the 100+ partner ecosystem creates unacceptable data sharing exposure for your organization
  • Monitor for cross-domain tracking between SAP-connected properties that may link your behavioral profiles
  • Request disclosure of all third-party data enrichment partners that receive your interaction data

Negotiation Leverage

  • Emarsys is a mature SAP-owned platform with enterprise-grade capabilities, but the depth of behavioral data collection and breadth of the SAP ecosystem create significant data flow complexity. Key leverage points: (1) Pre-consent loading patterns — if Web Extend fires before consent, this is a regulatory liability for the deploying site. (2) SAP ecosystem data flows — demand clarity on exactly which SAP products and third-party partners receive behavioral data. (3) The scarabresearch.com CDN domain is a legacy artifact that obscures the SAP/Emarsys relationship in network traffic, making informed consent more difficult for end users.
IOC Manifest

89 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Emarsys operates within the SAP Customer Experience portfolio, with direct integrations to SAP Customer Data Platform, SAP Customer Data Cloud, SAP Commerce Cloud, and SAP S/4HANA. The partner ecosystem includes 100+ technology partners across data integration, data enrichment, analytics, loyalty, and e-commerce categories. Common co-deployments include Segment, Google Analytics, Facebook Ads, and various e-commerce platforms. The Web Extend SDK is frequently deployed via Google Tag Manager, adding another data intermediary to the collection chain.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

89 detection signatures across scripts, domains, cookies, and network endpoints
