Foundry ABM

Registered California data broker running 20+ ad and analytics trackers pre-consent. Operates KickFire IP-to-company identity resolution on every visitor while claiming GDPR compliance with a consent mechanism that never appears.

72 IOCs · Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Foundry ABM discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 critical disclosure gaps
CRITICAL

Consent Bypass

SourcePoint CMP determines GDPR does not apply and renders zero consent UI. All 20+ third-party trackers fire on page load without any consent mechanism presented to visitors.

GDPR Art 5(3) · ePrivacy Directive Art 5(3) · PECR Reg 6

CRITICAL

Undisclosed Data Sharing

20+ specific ad networks, analytics services, and retargeting platforms receive visitor data on every page load. None are named in the privacy policy as specific recipients.

GDPR Art 13 · GDPR Art 28 · CCPA 1798.100

CRITICAL

Identity Resolution Without Consent

KickFire (Foundry-owned) performs IP-to-company identity resolution on every visitor, linking IP addresses to company identities without explicit consent. This is individual-level identification masquerading as aggregate B2B research.

GDPR Art 6 · GDPR Art 14 · ePrivacy Directive Art 5(3)

HIGH

Session Replay Without Disclosure

Microsoft Clarity session replay is active, recording mouse movements, clicks, scrolls, and form interactions. This captures behavioral biometric data without specific disclosure.

GDPR Art 9 · ePrivacy Directive Art 5(3)

HIGH

CNAME Cloaking

SourcePoint CMP is hosted on cmpv2.foundryco.com, a first-party subdomain CNAME-cloaked to disguise third-party consent management infrastructure as first-party.

ePrivacy Directive Art 5(3) · CNIL CNAME cloaking guidance
Disclosure Gaps

Claims vs. Observed Behavior

6 gaps: 3 CRIT · 2 HIGH · 1 MED
Classified: BTI-X02 · BTI-X05 · BTI-X08

Undisclosed Data Sharing

GDPR Art 13 · GDPR Art 28 · CCPA 1798.100
CRITICAL

They Claim

Privacy policy states data shared with business partners and sponsors

Observed Behavior

20+ specific ad networks, analytics services, and retargeting platforms receive visitor data on every page load. None are named in the privacy policy as specific recipients.

CDT MCP network analysis: Google Ads (AW-325207805, AW-933723986), Meta Pixel (1215706755128807), LinkedIn Insight (pid:4249626), Bing UET (ti:187120442), Reddit Pixel, The Trade Desk, Microsoft Clarity, SalesLoft, KickFire, WordPress Stats all fire pre-consent.

Session Replay Without Disclosure

GDPR Art 9 · ePrivacy Directive Art 5(3)
HIGH

They Claim

No mention of session recording in privacy policy

Observed Behavior

Microsoft Clarity session replay is active, recording mouse movements, clicks, scrolls, and form interactions. This captures behavioral biometric data without specific disclosure.

CDT MCP: scripts.clarity.ms loaded via GTM, n.clarity.ms/collect POST requests observed, _clck and _clsk cookies set.

CNAME Cloaking

ePrivacy Directive Art 5(3) · CNIL CNAME cloaking guidance
HIGH

They Claim

Cookie policy references use of third-party cookies

Observed Behavior

SourcePoint CMP is hosted on cmpv2.foundryco.com, a first-party subdomain CNAME-cloaked to disguise third-party consent management infrastructure as first-party.

CDT MCP network analysis: cmpv2.foundryco.com serves SourcePoint CMP JavaScript and configuration data. This makes the third-party CMP appear as first-party infrastructure.

Data Broker Registration

CCPA 1798.99.80 · California Delete Act SB 362
MEDIUM

They Claim

CCPA page discloses: Foundry is registered as a data broker

Observed Behavior

Confirmed registered data broker selling personal data via cookies for personalized advertising, while simultaneously positioning as a trusted B2B content and research platform.

CCPA page verbatim: Foundry may sell your personal data, including information collected by cookies, with third parties for the purpose of personalized advertising.

Customer Impact

What This Means For You

If Foundry intent data or ABM products are deployed on your site, you are exposed to an intent data provider that is a registered California data broker and explicitly sells personal data collected via cookies. Under GDPR Art 5(3) and Art 28, you as the site operator bear liability for any Foundry scripts or tracking deployed on your property, including KickFire IP-to-company resolution that identifies visitors without consent. Foundry's own site demonstrates that their technology stack fires 20+ third-party trackers pre-consent with no consent mechanism presented. Their GDPR compliance claim is contradicted by a CMP configured to bypass consent entirely. CIPA class actions for similar pre-consent tracking patterns have settled in the $5-50M range. As a data broker, any data flowing through Foundry infrastructure is subject to the California Delete Act (SB 362) requirements.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Foundry ABM

  • Audit your deployment to confirm whether KickFire or other Foundry scripts fire before consent is obtained on your properties
  • Request a complete list of all data recipients who receive visitor data collected through Foundry integrations on your sites
  • Add contract clause requiring Foundry to honor consent signals (GPC, TCF) before processing any visitor data from your properties
  • Implement server-side integration for any Foundry intent data feeds to eliminate client-side script execution and associated supply chain risk
  • Review your GDPR Art 28 data processing agreement to ensure it covers all observed third-party data flows, including the 20+ ad/analytics vendors Foundry loads on its own infrastructure
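
One way to run the first audit step above against a HAR capture from your own property, as an added example that is not part of the original briefing or any vendor tooling: it flags requests to the KickFire and Clarity hosts named in this report, and the `_clck`/`_clsk` cookies, that start before consent. The `consent_at` timestamp, the function names and the sample HAR are assumptions constructed for illustration.

```python
from datetime import datetime
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Host/path globs built from hosts this briefing names (KickFire, Clarity).
WATCHLIST = ["kf.tag.foundryco.com/*", "scripts.clarity.ms/*", "n.clarity.ms/collect*"]
WATCH_COOKIES = {"_clck", "_clsk"}  # Clarity cookie names cited in the briefing

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pre_consent_hits(har, consent_at=None):
    """Return watchlisted requests or cookies seen before consent_at.

    consent_at is the ISO time the tester accepted the banner (assumption of
    this example); None means no banner appeared, so every hit is pre-consent.
    """
    cutoff = _ts(consent_at) if consent_at else None
    hits = []
    for entry in har["log"]["entries"]:
        if cutoff is not None and _ts(entry["startedDateTime"]) >= cutoff:
            continue  # request started after consent was given
        req = entry["request"]
        url = urlsplit(req["url"])
        target = (url.hostname or "") + url.path
        matched = next((p for p in WATCHLIST if fnmatch(target, p)), None)
        seen = req.get("cookies", []) + entry.get("response", {}).get("cookies", [])
        cookies = sorted({c["name"] for c in seen if c["name"] in WATCH_COOKIES})
        if matched or cookies:
            hits.append({"url": target, "method": req["method"],
                         "pattern": matched, "cookies": cookies})
    return hits

# Constructed sample HAR (not taken from the evidence capture).
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-01-01T10:00:00.100Z",
     "request": {"method": "GET", "url": "https://example-customer.test/"}},
    {"startedDateTime": "2025-01-01T10:00:00.400Z",
     "request": {"method": "GET", "url": "https://kf.tag.foundryco.com/tag.js"}},
    {"startedDateTime": "2025-01-01T10:00:01.200Z",
     "request": {"method": "POST", "url": "https://n.clarity.ms/collect",
                 "cookies": [{"name": "_clck", "value": "constructed"}]}},
    {"startedDateTime": "2025-01-01T10:00:09.000Z",
     "request": {"method": "GET", "url": "https://scripts.clarity.ms/sample.js"}},
]}}

if __name__ == "__main__":
    for hit in pre_consent_hits(SAMPLE_HAR, consent_at="2025-01-01T10:00:05Z"):
        print(hit)
```

An empty result only shows that nothing on the watchlist fired in that one capture; repeat it with a fresh browser profile and from each jurisdiction you serve.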

If You're Evaluating Foundry ABM

  • Require Foundry to disclose all third-party vendors loaded by their technology stack before signing
  • Negotiate explicit data broker liability indemnification given Foundry's registered data broker status under CCPA
  • Request documentation of how KickFire IP-to-company resolution handles consent requirements across jurisdictions
  • Compare intent data quality against TechTarget, Bombora, or G2 who do not operate as registered data brokers
  • Require right-to-audit clause allowing independent verification of consent compliance on your deployment

Negotiation Leverage

  • Data broker liability: Foundry is a registered California data broker that admits selling personal data via cookies. Any contract should include full indemnification for regulatory actions arising from Foundry's data broker activities on your properties.
  • Consent compliance SLA: Investigation found zero consent UI rendered and 20+ trackers firing pre-consent on Foundry's own site. Require contractual guarantee that all Foundry technology respects consent signals on your deployment, with liquidated damages for violations.
  • Third-party disclosure: Foundry's privacy policy does not name the 20+ specific ad networks and analytics platforms receiving visitor data. Require complete vendor disclosure and 30-day advance notice before adding new data recipients.
  • KickFire transparency: Foundry's IP-to-company identity resolution technology identifies visitors without explicit consent. Require documentation of legal basis for this processing and contractual limitation on downstream use of identification data.
  • Vertical integration conflict: Foundry controls the content network, the intent data platform, and the identity resolution technology. Require independent audit rights to verify that intent signals are not inflated by Foundry's control of the measurement environment.
IOC Manifest

72 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Foundry operates a vertically integrated content-to-data pipeline. Their editorial brands (CIO, Computerworld, InfoWorld, CSO, PCWorld, Macworld, TechHive, NetworkWorld) generate 28M+ monthly visitors whose behavior feeds Foundry's intent data products. KickFire, acquired by IDG, provides the IP-to-company identity resolution layer. On their own site, Foundry loads everything through Google Tag Manager, which triggers Google Analytics (GA4 + Universal), Google Ads remarketing, Meta Pixel, LinkedIn Insight, Bing UET, Reddit Pixel, The Trade Desk, HubSpot (CRM + analytics + forms + chat), SalesLoft, Microsoft Clarity session replay, and WordPress Stats. The SourcePoint CMP is CNAME-cloaked to cmpv2.foundryco.com. Dead references to tribl.io and kf.tag.foundryco.com suggest recently deprecated integrations.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

72 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details