QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
advertising
Mountain

Mountain

CTV advertising platform with $226M revenue deploying 52 third-party vendors on mountain.com — 23 fire pre-consent including identity resolution (Demandbase, LiveRamp, Contactout) and advertising pixels (Criteo, Meta, LinkedIn, Reddit). Discloses 22 subprocessors while significantly more operate at runtime. No SOC2 certification.

94 IOCs observed29 detections28% pre-consent17 sites
90
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Mountain discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
29

across 17 sites

Pre-Consent Rate
28%

vendor fires before consent

Disclosure Gaps
4

1 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X05BTI-X08
Summary

Briefing

MNTN (formerly SteelHouse) is a publicly traded Connected TV advertising platform (NYSE: MNTN) headquartered in Austin, TX with $226M revenue. The company provides performance TV advertising software enabling brands to run measurable CTV campaigns. Analysis reveals significant disclosure gaps: their own website deploys 52 third-party vendors including 23 that load pre-consent, while their subprocessor list discloses only 22 partners. Identity resolution vendors (Demandbase, LiveRamp, Contactout) and major advertising platforms (Criteo, Meta, LinkedIn, Reddit) are observed but not fully disclosed. As a CTV advertising platform handling advertiser data, MNTN's compliance claims (GDPR/CCPA referenced in Terms) contrast with their website's pre-consent tracking practices.

Customer Impact

What This Means For You

If MNTN (formerly SteelHouse) handles your CTV advertising, their platform connects advertiser audience data to a programmatic ecosystem where 52 third-party vendors operate on their corporate site — 23 firing before consent. Under GDPR Art 28, you must verify subprocessor chains, but MNTN discloses 22 partners while significantly more are detected at runtime. Identity resolution vendors (Demandbase, LiveRamp, Contactout) on mountain.com mean your advertiser data and campaign strategies flow through infrastructure shared with deanonymization services. MNTN does not hold SOC2 certification, leaving you without independent verification of security controls for a platform handling campaign data and creative assets through their QuickFrame acquisition.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

MNTN corrupts measurement through participation in identity resolution networks (LiveRamp, Demandbase) that enable cross-platform tracking. As a CTV advertising platform, they have visibility into advertiser campaign performance data which could be leveraged for competitive intelligence. Their Verified Visits attribution methodology relies on device graph matching that introduces measurement uncertainty.

Broker
Control Collapse
100

As a CTV advertising platform with LiveRamp and Demandbase integrations, MNTN has access to advertiser audience data and campaign performance signals. The bidstream data from programmatic CTV ads reveals demand patterns. Their acquisition of QuickFrame means advertiser creative assets and campaign strategies flow through their platform.

Reaper
Safety Collapse
0

MNTN's extensive third-party vendor deployment (52 observed) creates significant attack surface. Pre-consent loading of 23 vendors including identity resolution and behavioral tracking exposes site visitors. The company's SOC2 certification is not yet achieved (working on Type I as of Jan 2025), creating compliance risk for enterprise customers.

Counselor
Legitimacy Collapse
100

MNTN references GDPR/CCPA compliance in Terms & Conditions while their own website loads 23 vendors pre-consent. The gap between disclosed subprocessors (22) and observed vendors (52) creates material consent liability. No GPC support despite being in advertising technology where consent signals are increasingly required.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07
Session Recording

Full session replay

BTI-C08
Cross-Domain Sync

Identity stitching

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

BTI-C13
Persistence Mechanisms

Long-lived identifiers

BTI-C14
Identity Resolution

PII deanonymization

BTI-C15
Tag Manager

Container/loader (neutral)

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

4
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

4
Gaps Observed
1 HIGH2 MEDIUM1 LOW

BLACKOUT analyzed Mountain's public claims against observed runtime behavior and identified 4 contradictions.

BTI-X01BTI-X02BTI-X05BTI-X08
Featured Gap
Pre-Consent Tracking
HIGH
They Claim

"GDPR/CCPA compliance referenced in Terms & Conditions"

BLACKOUT Observed

23 tracking vendors load pre-consent on mountain.com including identity resolution (Demandbase, Contactout) and advertising pixels (MetaPixel, LinkedIn, Criteo)

3 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
10

5 for current users · 5 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 22, observed 22

Commonly Paired With
10

googletagmanager, googleanalytics4, doubleclick

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: mountainFirst Seen: 2025-12-25Last Updated: 2026-05-21