All Vendors
dsp

Octave

Demand-side platform with pre-consent behavioral tracking and advertising pixel deployment.

25 IOCs27 detections15% pre-consent25 sites
70
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Octave discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

27 detections across 25 sites15% pre-consent activity
MEDIUM

Pre-Consent Activity

Octave was observed loading and executing before user consent was obtained on 15% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

disclosure

MEDIUM
They Claim

Pending claims extraction

Observed Behavior

Broker score (25) and Counselor score (55) indicate bid stream data sharing and consent violations. Privacy policy likely lacks specific disclosure of advertising ecosystem participants.

Customer Impact

What This Means For You

Removing Octave disrupts programmatic advertising campaigns and display ad targeting. Marketing loses retargeting capabilities and conversion attribution for display channels. However, retention creates risk: GDPR complaints for unlawful processing, ePrivacy enforcement for non-compliant cookies, revenue loss when browsers block third-party tracking used by Octave.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Octave

  • Gate all Octave pixels behind explicit consent for advertising cookies
  • Audit Data Processing Agreement for bid stream data sharing disclosures
  • Confirm Octave complies with IAB Transparency & Consent Framework
  • Review privacy policy for adequate disclosure of programmatic advertising data flows

If You're Evaluating Octave

  • Require consent before any Octave scripts load
  • Demand contractual limits on bid stream participant data access
  • Assess first-party advertising alternatives to reduce third-party tracking dependence
  • Consider contextual advertising without behavioral targeting to eliminate consent friction

Negotiation Leverage

  • Octave contract permits sharing visitor data with bid stream participants - demand exhaustive partner list and purpose limitations
  • Behavioral profiles persist in partner systems beyond Octave control - negotiate contractual liability for downstream violations
  • Confirm Octave honors browser-based tracking opt-outs (GPC, DNT) and consent withdrawal requests
  • Request evidence of IAB TCF compliance and consent string validation before pixel activation
Runtime Detections

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C09Consent Bypass

Ignoring CMP signals

IOC Manifest

IOC Manifest

19 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*octave.com/cdn-cgi/scripts/*/cloudflare-static/email-decode.js*
Tracking script
TRACK
*octave.com/splash/js/sites-runtime.*.js*
Tracking script
EXFIL
*octave.com/splash/data/*-84e2-422a-b861-*/_index.json*
Data collection endpoint
TRACK
octave.com/splash/js/sites-runtime.852f2d4eed531581e82d6b86a6df5e3436a5b1caf523f223a3615b18436b4019.js
Auto-extracted from scan
TRACK
octave.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Octave connects to ad exchanges, supply-side platforms, and data management platforms. Visitor data flows through real-time bidding infrastructure where multiple participants receive behavioral signals. Often deployed with header bidding wrappers that amplify pre-consent exposure.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

25 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details