How This Briefing Works
This report opens with key findings, then maps the gaps between what MoEngage discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Disclosure Gaps
Claims vs. Observed Behavior
3 gaps
consent
HIGH
They Claim
“GDPR and CCPA compliance claimed”
Observed Behavior
SDK-level data collection depth and anonymous-to-identified profile merging need runtime verification — awaiting scanner verification
data_sovereignty
MEDIUM
They Claim
“Data processor role”
Observed Behavior
Depth of behavioral data collected (location, device IDs, cross-channel events) may constitute independent controllership under GDPR — awaiting legal analysis
consent
HIGH
They Claim
“Geofencing consent model”
Observed Behavior
Physical location tracking consent requirements may not align with app-level permission grants — awaiting scanner verification of consent flow timing
Customer Impact
What This Means For You
Organizations deploying MoEngage's SDK grant it deep access to mobile application runtime, user behavioral data, device identifiers, and potentially physical location. The AI-driven optimization (Sherpa) creates attribution dependency — marketing teams rely on MoEngage's measurement of campaign effectiveness without independent verification. The Unified Identity feature means all historical anonymous behavioral data becomes linked to identified users, creating data records that grow in sensitivity over time. For regulated industries (healthcare, finance, government), the SDK-level data collection and geofencing capabilities may conflict with data minimization requirements. Switching costs are significant because MoEngage becomes embedded in the mobile application codebase, requiring SDK removal, push notification re-architecture, and engagement workflow migration — a multi-sprint engineering effort.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for MoEngage
- →- Audit SDK permissions: Review exactly what data the MoEngage SDK collects from your mobile application, including device identifiers, location, and behavioral events. - Verify consent flow timing: Confirm that MoEngage's anonymous-to-identified profile merging respects consent boundaries and does not retroactively attach pre-consent data to identified users. - Evaluate geofencing exposure: If geofencing is enabled, assess whether location data collection and physical tracking align with your privacy commitments and user expectations. - Test AI attribution claims: Cross-reference MoEngage Sherpa's campaign optimization metrics against independent analytics to identify potential attribution inflation. - Review data residency: Confirm where MoEngage processes and stores your customer data, particularly if operating under GDPR while MoEngage is headquartered in India.
Negotiation Leverage
- →MoEngage's leverage is SDK-level integration — removing it requires mobile app engineering effort, not just a tag manager change. Counter-leverage: the mobile engagement market is highly competitive (Braze, CleverTap, Airship all offer comparable capabilities), giving you credible migration alternatives. Press MoEngage on data processor vs. controller status — if they process data for AI model training or cross-client optimization, they may be acting as an independent controller, which changes your liability exposure. Demand transparent reporting on Sherpa AI decisions — if they cannot explain why the AI selected specific audiences or timing, the attribution claims are unfalsifiable. India's DPDP Act compliance requirements give additional leverage: request contractual guarantees on data localization and processing jurisdiction.
IOC Manifest
IOC Manifest
155 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/accordion-home.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/script-home-pagespeed.js*
Tracking script
TRACK
*www.moengage.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/ua-parser.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/gsap.js*
Tracking script
TRACK
*cdn.moengage.com/release/dc_1/versions/2/moe_webSdk.min.latest.js*
Tracking script
TRACK
*cdn.moengage.com/release/dc_1/versions/2/moe_webSdk_webp.min.latest.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/MorphSVGPlugin.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/ScrollTrigger.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/SplitText.js*
Tracking script
TRACK
*www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/DrawSVGPlugin.js*
Tracking script
TRACK
*ok.moengage.com/ping*
Tracking script
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/script-home-pagespeed.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/accordion-home.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-includes/js/wp-emoji-release.min.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/gsap.min.js
Auto-extracted from scan
TRACK
cdn.moengage.com/release/dc_1/versions/2/moe_webSdk.min.latest.js
Auto-extracted from scan
TRACK
cdn.moengage.com/release/dc_1/versions/2/moe_webSdk_webp.min.latest.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/ua-parser.min.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/SplitText.min.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/MorphSVGPlugin.min.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/DrawSVGPlugin.min.js
Auto-extracted from scan
TRACK
www.moengage.com/wp-content/themes/moengagewp/assets/js/v2/ScrollTrigger.min.js
Auto-extracted from scan
TRACK
ok.moengage.com/ping
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
MoEngage integrates with major mobile attribution platforms (Adjust, Branch, AppsFlyer), customer data platforms (Segment, RudderStack), and analytics tools. The platform is available through AWS Marketplace and connects with Shopify, Salesforce, and other CRM systems. MoEngage competes with Braze, CleverTap, and Airship in the mobile engagement space, with particular strength in South Asian and Southeast Asian markets. The company's India headquarters positions it within India's growing martech ecosystem, though this also means customer data may be processed under India's Digital Personal Data Protection Act (DPDP) rather than solely under GDPR. MoEngage's SDK is embedded in thousands of mobile applications, creating a network effect where behavioral data patterns inform the AI engine's optimization across the entire client base.
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
155 detection signatures across scripts, domains, cookies, and network endpoints