Mutiny

Claims to use "de-identified and aggregated" data while deploying 39 third-party vendors including aggressive identity resolution (6sense, Clearbit, IDVisitors, Vector) with 66.7% pre-consent loading. Discloses 6 infrastructure subprocessors while concealing 30+ marketing and tracking vendors.

99 IOCs · 21 detections · 67% pre-consent · 13 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Mutiny discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

21 detections across 13 sites · 67% pre-consent activity · 1 critical disclosure gap

CRITICAL

Subprocessor Disclosure

39 vendors detected on mutinyhq.com including identity resolution, advertising, and session recording

GDPR Article 28 · GDPR Article 13/14

CRITICAL

Pre-Consent Activity

Mutiny was observed loading and executing before user consent was obtained on 67% of sites where it was detected.

GDPR · ePrivacy

HIGH

Pre-Consent Tracking

66.7% of detected tracking loads before consent

GDPR Article 6 · CCPA 1798.100

HIGH

Data Minimization

Identity resolution vendors perform PII enrichment

GDPR Article 5(1)(c) · CCPA 1798.100

HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT · 2 HIGH · 1 MED

Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X08, BTI-X09

Subprocessor Disclosure

GDPR Article 28 · GDPR Article 13/14 · CRITICAL

They Claim

6 infrastructure vendors listed in subprocessor disclosure

Observed Behavior

39 vendors detected on mutinyhq.com including identity resolution, advertising, and session recording

Scan data shows 6sense, Clearbit, Hotjar, HubSpot, MetaPixel, GoogleAds, LinkedInAds, Segment, Vector and 30+ others not in subprocessor list

Data Minimization

GDPR Article 5(1)(c) · CCPA 1798.100 · HIGH

They Claim

De-identified and aggregated information

Observed Behavior

Identity resolution vendors perform PII enrichment

6sense, Clearbit, IDVisitors, Vector all perform person/company identification from anonymous visitors

GPC/DNT

CCPA GPC requirement · MEDIUM

They Claim

Policy states they do NOT honor DNT signals

Observed Behavior

Explicit non-compliance with browser privacy signals

Privacy policy quote: we do respond to or honor DNT signals

Customer Impact

What This Means For You

If Mutiny personalizes your B2B website, their platform deploys 39 third-party vendors while disclosing only 6 infrastructure providers. Under GDPR Art 28, this 30+ vendor disclosure gap means your data processing records are materially incomplete. Identity resolution services (6sense, Clearbit, IDVisitors, Vector) on mutinyhq.com mean visitors to Mutiny's site — including your prospects evaluating the platform — are being deanonymized by four separate identity vendors. The 66.7% pre-consent rate means two-thirds of tracking fires before consent, creating GDPR Art 7 liability. Mutiny's privacy policy claim of "de-identified and aggregated" data is contradicted by four identity resolution vendors that specifically perform individual-level identification.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Mutiny

  • Audit your privacy policy to disclose all 39+ vendors Mutiny loads — your current disclosure likely covers only 6 infrastructure providers
  • Implement consent gating before Mutiny script loads — 66.7% pre-consent rate on their own site indicates their code may not respect your CMP by default
  • Update your GDPR Article 30 records to include identity resolution vendors (6sense, Clearbit, IDVisitors, Vector) processing your visitor data
  • Consider the GDPR Art 28 liability of 30+ undisclosed data recipients processing data from your property
  • Monitor network requests from Mutiny's script on your site to verify no undisclosed identity resolution calls

If You're Evaluating Mutiny

  • Request SOC2 report — none found publicly, which is a significant gap for a vendor with access to your website and visitor data
  • Demand full vendor disclosure before contract — 39 detected versus 6 disclosed is one of the largest gaps we observe
  • Ask for reconciliation of 'de-identified and aggregated' data claims versus 4 identity resolution vendors performing individual identification
  • Negotiate contractual indemnification for the subprocessor disclosure gap and pre-consent tracking liability
  • Compare against alternatives with transparent subprocessor lists and demonstrable consent-first architecture

Negotiation Leverage

  • Subprocessor disclosure: 6 infrastructure vendors disclosed versus 39 detected including 4 identity resolution services. Require complete enumeration of all third-party vendors with 30-day advance notice before additions.
  • De-identification verification: Privacy policy claims 'de-identified and aggregated' data while deploying 6sense, Clearbit, IDVisitors, and Vector for individual identification. Require written reconciliation and contractual specification of what identification capabilities are active.
  • Pre-consent SLA: 66.7% pre-consent rate. Require contractual guarantee that Mutiny's personalization script loads only after consent on your property with zero pre-consent activity.
  • Security certification: No SOC2 found publicly. Require SOC2 Type II as a contract condition given Mutiny's access to your website visitor data and personalization logic.
  • Identity resolution scope: Require contractual limitation on what identification granularity Mutiny applies to your visitors — company-level versus individual-level — with right to audit.

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

97 INDICATORS

Indicators of compromise across 6 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Mutiny operates as an ABM website personalization layer. It is typically loaded via GTM or direct script injection on customer websites. Mutiny in turn loads multiple identity resolution vendors (6sense, Clearbit) to enrich visitor profiles. The supply chain is: Customer Website -> Mutiny -> Identity Resolution (6sense/Clearbit/Vector) -> Data Brokers. Mutiny is backed by Sequoia, Tiger Global, and Insight Partners with $72M in funding. Their customer base includes Snowflake, Qualtrics, Amplitude, and Veracode - enterprise companies whose visitors are exposed to this undisclosed tracking.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

99 detection signatures across scripts, domains, cookies, and network endpoints
