
Instantly

Instantly operates a dual identity: a sales engagement SaaS marketed to cold email users, and an undisclosed data brokerage that sells personal information across advertising networks. Its own website deploys undisclosed visitor identification (RB2B, Leadsy.ai), implied consent that auto-grants all tracking, a server-side tagging proxy that disguises third-party tracking as first-party, and an active cookie sync ring feeding data to Beeswax DSP -- all while its cookie notice omits seven observed third parties.

13 IOCs · 1 detection · 1 site

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Instantly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site · 4 critical disclosure gaps
CRITICAL

Cookiebot configured with implied consent (method:implied, stamp:-1). All 48 marketing cookies, 17 statistics cookies, and identity resolution scripts fire automatically for non-EEA visitors without any consent interaction. No consent banner shown.

GDPR Art. 6 · ePrivacy Directive · CCPA · CPRA · TDPSA · CPA
CRITICAL

Seven active third-party services are completely omitted from the cookie notice: Leadsy.ai (visitor identification), RB2B (visitor de-anonymization), Cometly (attribution tracking with fingerprinting), Trovo-tag (cookie sync proxy), Plausible (analytics), ProfitWell (subscription analytics), PartnerStack (affiliate tracking).

GDPR Art. 13 · GDPR Art. 14 · ePrivacy Directive Art. 5(3) · CCPA 1798.100
CRITICAL

No evidence of GPC signal processing in network traffic or the GTM dataLayer. navigator.globalPrivacyControl returned undefined in the scanning browser, which also means the scan itself was not asserting the signal; before relying on this finding, repeat the request with Sec-GPC: 1 (and the navigator flag set to true) and confirm that the marketing consent state does not change. Either way, Cookiebot's implied-consent configuration auto-grants every category, so any GPC state is overridden.

CCPA/CPRA GPC Requirements · CPA · CTDPA · VCDPA
HIGH

No Content-Security-Policy header or meta tag. Only 4 of 33 external scripts carry a Subresource Integrity (SRI) attribute; the remaining 29 load without integrity verification, so a compromise of any one of those script origins (or of the path to it) yields arbitrary script execution in the instantly.ai origin. No Referrer-Policy meta tag either.

GDPR Art. 32 · SOC 2 CC6.1
HIGH

Cometly sends POST with device fingerprint hash, browser metadata, OS, language, and Facebook pixel ID (fbp) to t.cometlytrack.com with CORS wildcard (access-control-allow-origin: *). Cross-domain tracking via domainOverrides linking instantly.ai to app.instantly.ai. This is behavioral profiling, not a necessary cookie.

ePrivacy Directive · GDPR Art. 6(1)(a) · CCPA
Disclosure Gaps

Claims vs. Observed Behavior

8 gaps (4 critical, 4 high)

Classified: BTI-X02, BTI-X03, BTI-X04, BTI-X05, BTI-X06, BTI-X07, BTI-X08, BTI-X09, BTI-X10, BTI-X12, BTI-X13

Undisclosed Gap

CRITICAL
GDPR Art. 6 · ePrivacy Directive · CCPA · CPRA · TDPSA · CPA
They Claim

Cookie notice states: The law states that we can store cookies on your device if they are strictly necessary. For all other types we need your permission

Observed Behavior

Cookiebot configured with implied consent (method:implied, stamp:-1). All 48 marketing cookies, 17 statistics cookies, and identity resolution scripts fire automatically for non-EEA visitors without any consent interaction. No consent banner shown.
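An added example (not code from Instantly, Cookiebot or BLACKOUT) of the check behind this finding: it walks a captured GTM dataLayer for Google consent-mode commands and compares them with the CMP's own consent record. The dataLayer entries are constructed; the consent object's `method`/`stamp` fields are assumed to follow the Cookiebot shape the scan quotes (method "implied", stamp -1 meaning no recorded consent).

```javascript
// Added example (not Instantly's or BLACKOUT's code): audit a captured GTM
// dataLayer and a Cookiebot-style consent object for grants that happened
// without a user interaction. The dataLayer entries and the consent objects
// below are constructed to mirror the "method:implied, stamp:-1" finding.

// Non-essential Google consent-mode storage types. A compliant default denies
// all of these until the visitor acts.
const NON_ESSENTIAL = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
];

// gtag('consent', ...) pushes its `arguments` object onto the dataLayer, so an
// entry may be an array or an array-like object; normalise both.
function asConsentCommand(entry) {
  const parts = Array.isArray(entry) ? entry : Array.from(entry || []);
  return parts[0] === 'consent' ? { action: parts[1], types: parts[2] || {} } : null;
}

// Findings a CMP audit cares about:
//  - defaultsDenied: a 'default' command denied every non-essential type
//  - grantedWithoutInteraction: types granted by an 'update' although the CMP
//    holds no explicit consent record (assumed Cookiebot shape: method
//    "explicit" plus a real stamp; "implied" / stamp -1 means no record)
function auditConsent(dataLayer, cmp) {
  const explicit = cmp.method === 'explicit' && cmp.stamp !== -1;
  const findings = { method: cmp.method, defaultsDenied: true, grantedWithoutInteraction: [] };
  let sawDefault = false;
  for (const entry of dataLayer) {
    const cmd = asConsentCommand(entry);
    if (!cmd) continue;
    if (cmd.action === 'default') {
      sawDefault = true;
      for (const t of NON_ESSENTIAL) if (cmd.types[t] !== 'denied') findings.defaultsDenied = false;
    }
    if (cmd.action === 'update' && !explicit) {
      for (const t of NON_ESSENTIAL) {
        if (cmd.types[t] === 'granted' && !findings.grantedWithoutInteraction.includes(t)) {
          findings.grantedWithoutInteraction.push(t);
        }
      }
    }
  }
  if (!sawDefault) findings.defaultsDenied = false;
  findings.compliant = findings.defaultsDenied && findings.grantedWithoutInteraction.length === 0;
  return findings;
}

// Constructed sample of an implied-consent deployment: a denying 'default' is
// followed immediately by an 'update' that grants everything, and the CMP
// never recorded a consent stamp.
const impliedDataLayer = [
  ['consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' }],
  ['consent', 'update',  { ad_storage: 'granted', ad_user_data: 'granted', ad_personalization: 'granted', analytics_storage: 'granted' }],
  { event: 'gtm.js' },
];
const impliedCmp = { method: 'implied', stamp: -1 };

// Constructed sample of a compliant flow: same commands, but the 'update' only
// arrives once the CMP holds an explicit consent record.
const explicitDataLayer = [
  ['consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' }],
  ['consent', 'update',  { ad_storage: 'granted', ad_user_data: 'granted', ad_personalization: 'granted', analytics_storage: 'granted' }],
];
const explicitCmp = { method: 'explicit', stamp: 1718000000 };

console.log('implied :', auditConsent(impliedDataLayer, impliedCmp));
console.log('explicit:', auditConsent(explicitDataLayer, explicitCmp));
```

In a live page the same function can be pasted into the console as `auditConsent(window.dataLayer, window.Cookiebot.consent)` (the `Cookiebot.consent` object is an assumption about the CMP's exposed state); run it before touching the banner, because the point is what was granted with no interaction at all.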

Undisclosed Gap

CRITICAL
GDPR Art. 13 · GDPR Art. 14 · ePrivacy Directive Art. 5(3) · CCPA 1798.100
They Claim

Cookie notice lists specific third-party providers with links to their privacy policies

Observed Behavior

Seven active third-party services are completely omitted from the cookie notice: Leadsy.ai (visitor identification), RB2B (visitor de-anonymization), Cometly (attribution tracking with fingerprinting), Trovo-tag (cookie sync proxy), Plausible (analytics), ProfitWell (subscription analytics), PartnerStack (affiliate tracking).

Undisclosed Gap

CRITICAL
CCPA/CPRA GPC Requirements · CPA · CTDPA · VCDPA
They Claim

Privacy policy claims: If our website detects that your browser is transmitting an opt-out preference signal such as the GPC signal we will opt that browser out

Observed Behavior

No evidence of GPC signal processing in network traffic or the GTM dataLayer. navigator.globalPrivacyControl returned undefined in the scanning browser, which also means the scan itself was not asserting the signal; before relying on this finding, repeat the request with Sec-GPC: 1 (and the navigator flag set to true) and confirm that the marketing consent state does not change. Either way, Cookiebot's implied-consent configuration auto-grants every category, so any GPC state is overridden.
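An added example (not Instantly's code) of both halves of a GPC check: a request handler that actually honours the signal, and the probe a buyer can run against any site that claims to opt out GPC browsers. The request and response objects are minimal stand-ins for Express-style ones, and the "ignoring" handler reproduces the behaviour the scan observed.

```javascript
// Added example (not Instantly's code): honouring GPC, and probing whether a
// site does. Request/response objects are minimal stand-ins, constructed here.

// Categories a CPRA "do not sell or share" opt-out must switch off.
// Strictly necessary storage is untouched.
const SALE_OR_SHARE = ['ad_storage', 'ad_user_data', 'ad_personalization'];

// GPC is asserted either by the Sec-GPC: 1 request header or, client-side,
// by navigator.globalPrivacyControl === true. Anything else (including an
// undefined navigator flag) means the browser did NOT send the signal.
function gpcAsserted({ headers = {}, navigatorGpc } = {}) {
  const h = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return String(h) === '1' || navigatorGpc === true;
}

// Apply the opt-out to a consent state; returns a new object.
function applyGpc(consent, asserted) {
  if (!asserted) return { ...consent };
  const out = { ...consent, gpc_opt_out: true };
  for (const c of SALE_OR_SHARE) out[c] = 'denied';
  return out;
}

// A handler that honours GPC. The default consent shape mirrors an
// implied-consent deployment (everything granted) so the difference is visible.
function honouringHandler(req) {
  const defaults = { ad_storage: 'granted', ad_user_data: 'granted', ad_personalization: 'granted', analytics_storage: 'granted' };
  return { consent: applyGpc(defaults, gpcAsserted(req)) };
}

// A handler that ignores the signal: the behaviour this page reports.
function ignoringHandler(_req) {
  return { consent: { ad_storage: 'granted', ad_user_data: 'granted', ad_personalization: 'granted', analytics_storage: 'granted' } };
}

// Probe: issue the same request with and without GPC and diff the resulting
// consent state. A site that honours GPC must deny every sale/share category
// on the GPC request; "no difference" is the finding on this page.
function probeGpc(handler) {
  const base = { headers: { 'user-agent': 'probe/1.0' }, navigatorGpc: undefined };
  const withGpc = { headers: { ...base.headers, 'sec-gpc': '1' }, navigatorGpc: true };
  const without = handler(base).consent;
  const signalled = handler(withGpc).consent;
  const stillGranted = SALE_OR_SHARE.filter((c) => signalled[c] !== 'denied');
  return {
    honoured: stillGranted.length === 0,
    stillGranted,
    changed: SALE_OR_SHARE.some((c) => without[c] !== signalled[c]),
  };
}

console.log('honouring:', probeGpc(honouringHandler));
console.log('ignoring :', probeGpc(ignoringHandler));
```

Against a real site the probe is the same diff done by hand: fetch the page once normally and once with a `Sec-GPC: 1` header (or a browser with GPC enabled), then compare the CMP's consent cookie and the dataLayer consent state between the two. If they are identical, the privacy-policy sentence quoted above is not implemented.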

Undisclosed Gap

CRITICAL
GDPR Art. 6 · GDPR Art. 13 · CCPA 1798.140(v) · State biometric/surveillance laws
They Claim

Cookie notice does not disclose visitor identification or de-anonymization services

Observed Behavior

RB2B is loaded and active (window.reb2b.loaded=true). Leadsy.ai tag.js loads and makes POST request to wvbknd.leadsy.ai/v1/website-visitors/test. Trovo-tag deploys hidden 1x1 iframe with 3 cookie sync pixels feeding data to Beeswax DSP, remarketstats.com, and usbrowserspeed.com.

Undisclosed Gap

HIGH
GDPR Art. 32 · SOC 2 CC6.1
They Claim

Privacy policy section 9 claims security measures including encryption, firewall protections, and access controls

Observed Behavior

No Content-Security-Policy header or meta tag. Only 4 of 33 external scripts carry a Subresource Integrity (SRI) attribute; the remaining 29 load without integrity verification, so a compromise of any one of those script origins (or of the path to it) yields arbitrary script execution in the instantly.ai origin. No Referrer-Policy meta tag either.

Undisclosed Gap

HIGH
ePrivacy Directive · GDPR Art. 6(1)(a) · CCPA
They Claim

Cookie notice categorizes Cometly cookietest as necessary and ctCartToken as unclassified

Observed Behavior

Cometly sends POST with device fingerprint hash, browser metadata, OS, language, and Facebook pixel ID (fbp) to t.cometlytrack.com with CORS wildcard (access-control-allow-origin: *). Cross-domain tracking via domainOverrides linking instantly.ai to app.instantly.ai. This is behavioral profiling, not a necessary cookie.

Undisclosed Gap

HIGH
ePrivacy Directive Art. 5(3) · GDPR Art. 5(1)(a) transparency
They Claim

Not disclosed: server-side tagging proxy architecture

Observed Behavior

Google Cloud Run instance (server-side-tagging-maafcqllza-uc.a.run.app) acts as a server-side tagging (SST) proxy for GA4, receiving the full payload (client ID, page URL, user agent, screen resolution, geolocation). It sets the first-party cookie FPAU on the instantly.ai domain, so third-party tracking appears first-party and survives browser third-party cookie restrictions.

Undisclosed Gap

HIGH
CCPA/CPRA · TDPSA · CPA · CTDPA
They Claim

We may provide you with cookie management options such as through a banner visible on our landing page

Observed Behavior

No cookie banner is visible on the landing page for US visitors. Cookiebot is loaded but configured for implied consent with all categories auto-granted. Cookie banner only shown to EEA/UK visitors per cookie notice.

Customer Impact

What This Means For You

Organizations using Instantly for sales engagement are unknowingly feeding their prospect data into a company that operates as a data broker, selling identifiers and behavioral inferences to advertising networks and data compilers. The implied consent architecture means any website embedding Instantly tracking pixels inherits the consent liability -- visitors are tracked without meaningful consent, creating GDPR, CCPA, and state privacy law exposure for the customer, not just Instantly. The undisclosed visitor identification services (RB2B, Leadsy.ai) mean that even casual visitors to Instantly customer websites may be de-anonymized and their personal information entered into data broker databases without any disclosure or consent. The 5,229 CCPA opt-out requests processed in 2025 demonstrate that consumers are actively discovering and objecting to this data collection, creating growing regulatory and reputational risk for organizations in the Instantly ecosystem.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Instantly

  • Audit all Instantly pixel/script deployments on your properties for pre-consent loading
  • Verify your CMP blocks Instantly tracking before consent is granted
  • Request Instantly DPA and confirm data processing scope excludes data brokerage activities
  • Review Instantly subprocessor list for undisclosed third parties (Leadsy, RB2B, Trovo-tag)
  • Confirm Instantly email warmup service data handling -- privacy policy states warmup participants personal information is shared with other participants

If You're Evaluating Instantly

  • Require contractual prohibition on Instantly using your customer data for their data brokerage operations
  • Assess whether Instantly server-side tagging proxy affects your first-party data integrity
  • Request proof of GPC signal processing implementation
  • Evaluate alternative sales engagement platforms without data broker dual-purpose business model
  • Conduct independent scan of your sites to verify Instantly script behavior matches contractual terms

Negotiation Leverage

  • Instantly self-identifies as a data broker under CCPA, confirmed by 5,229 opt-out requests processed in 2025 -- require contractual separation of SaaS and data brokerage activities
  • Cookie notice omits 7 observed third-party services including visitor de-anonymization tools (RB2B, Leadsy.ai) -- demand updated disclosure or contractual indemnification
  • Cookiebot is deployed with implied consent auto-granting all tracking for non-EEA visitors -- this creates consent liability that flows to customers embedding Instantly scripts
  • Server-side tagging proxy on Google Cloud Run sets first-party cookies on behalf of Google Analytics -- this is an undisclosed consent bypass technique that violates transparency requirements
  • Privacy policy states email warmup participants personal information including name and email is shared with other warmup participants -- assess whether this creates data leakage risk for your organization
  • Legal entity is Foo Monk LLC (Wyoming) -- assess the counterparty risk of contracting with a Wyoming LLC that operates data brokerage services at scale
  • Require SRI implementation on all scripts and CSP headers as baseline security before deployment on your properties
Runtime Detections

9 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C02 Credential Interception

Form data interception

Impact: Pre-consent tracking: All 48 marketing cookies, session replay scripts (Hotjar, Clarity), and identity resolution services fire before any consent interaction. Cookiebot auto-grants consent.

BTI-C03 Storage Exfiltration

Cookie/localStorage reading

Impact: Cross-domain tracking: Cometly configured with domainOverrides for app.instantly.ai, enabling cross-domain attribution between marketing site and product. Comet token embedded in all signup/login URLs.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Cookie syncing: Active 4-party sync ring -- LinkedIn syncs 6 cookies through redirect chain, Trovo-tag syncs with Beeswax DSP and usbrowserspeed.com via hidden iframe pixels.

BTI-C07 Session Recording

Full session replay

Impact: Session replay: Hotjar (ID 3590486) and Microsoft Clarity (ttk54e8weh) both active, recording user interactions including clicks, scrolls, and mouse movements.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Behavioral profiling: 48 declared marketing cookies from Google, Meta, LinkedIn, Twitter/X, Reddit, Bing, and Beeswax build comprehensive behavioral profiles across advertising networks.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Identity resolution: RB2B (loaded and active) and Leadsy.ai (with Trovo-tag proxy) perform visitor de-anonymization. Neither is disclosed in cookie notice or privacy policy.

BTI-C10 Fingerprinting

Device identification

Impact: Data brokering: CCPA disclosures confirm selling identifiers, protected characteristics, employment info, and inferences. 5,229 opt-out requests in 2025 indicate scale of operation.

BTI-C14 Identity Resolution

PII deanonymization

Impact: Consent manipulation: Cookiebot configured with implied consent auto-granting all categories. GTM dataLayer pushes consent update granting all storage types without user interaction.

BTI-C19 Client-Side Manipulation

Site tampering (MITB)

Impact: Server-side tracking: Google Cloud Run proxy (server-side-tagging-maafcqllza-uc.a.run.app) sets first-party FPAU cookie, making third-party tracking appear as first-party to bypass browser restrictions.

IOC Manifest

13 INDICATORS

Indicators of compromise across 4 categories; the 4 shown here are all TRACK, the other 9 are in the full manifest listed under Evidence Artifacts. Use for detection rules, CSP policies, or Pi-hole blocklists.

Caveat before deploying these: all four paths sit under /cdn-cgi/challenge-platform/, which is Cloudflare's bot-management JavaScript-detection endpoint served by the CDN in front of instantly.ai, not a script Instantly itself ships. The same paths appear on every Cloudflare-fronted site, so they do not identify Instantly specifically, and blocking them can cause Cloudflare to challenge or block the browser.

  • TRACK  *instantly.ai/cdn-cgi/challenge-platform/scripts/jsd/main.js*  (tracking script, wildcard pattern)
  • TRACK  *instantly.ai/cdn-cgi/challenge-platform/h/b/scripts/jsd/*/main.js*  (tracking script, wildcard pattern)
  • TRACK  instantly.ai/cdn-cgi/challenge-platform/scripts/jsd/main.js  (auto-extracted from scan)
  • TRACK  instantly.ai/cdn-cgi/challenge-platform/h/b/scripts/jsd/7f3d2ee44814/main.js  (auto-extracted from scan)
Ecosystem

Ecosystem & Supply Chain

Instantly operates at the intersection of sales engagement, data brokerage, and advertising technology. Its marketing site deploys a dense stack of 20+ third-party services spanning analytics (GA4, Plausible), session replay (Hotjar, Clarity), advertising (Meta Pixel, LinkedIn Insight, Twitter/X, Reddit, Bing), identity resolution (RB2B, Leadsy.ai/Trovo-tag), A/B testing (VWO), attribution (Cometly), payments (Stripe), chat (Intercom), and affiliate tracking (PartnerStack/Rewardful). The data flows through a server-side tagging proxy on Google Cloud Run that disguises third-party tracking as first-party. A cookie sync ring connects LinkedIn, Beeswax DSP, usbrowserspeed.com, and remarketstats.com, enabling cross-platform identity matching. The platform runs on Webflow for its marketing site with Cloudflare CDN, while the product lives on app.instantly.ai with n8n.instantly.ai handling automation workflows.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

13 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details