Pardot | Vendor Intelligence

How This Briefing Works

This report opens with key findings, then maps the gaps between what Pardot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

12 detections across 9 sites50% pre-consent activity

CRITICAL

Pre-Consent Activity

Pardot was observed loading and executing before user consent was obtained on 50% of sites where it was detected.

GDPRePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

disclosure

HIGH

They Claim

“Pending claims extraction”

Observed Behavior

Broker score (40) and Counselor score (65) indicate Salesforce ecosystem data sharing and consent violations. Privacy policy likely lacks specific disclosure of identity resolution and AppExchange partner access.

Customer Impact

What This Means For You

Marketing loses lead scoring, behavioral nurture triggers, and campaign attribution if Pardot tracking is gated. Sales visibility into prospect engagement disappears. Marketing automation workflows break without visitor behavior signals. However, retention creates exposure: regulatory complaints for pre-consent identity linking, GDPR Article 6 violations for behavioral processing without lawful basis, potential data breach if Salesforce ecosystem is compromised containing visitor behavioral profiles.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Pardot

→Implement consent gate before Pardot tracking scripts load
→Audit Salesforce ecosystem integrations for visitor data access and sharing
→Review Data Processing Agreement for behavioral data retention in Salesforce
→Confirm privacy policy discloses Pardot identity resolution and behavioral scoring

If You're Evaluating Pardot

→Defer Pardot scripts until post-consent confirmation
→Require Salesforce documentation on AppExchange partner data access controls
→Assess progressive profiling alternatives that reduce pre-consent tracking dependence
→Consider whether behavioral scoring can operate on consented data only

Negotiation Leverage

→Pardot/Salesforce contract permits AppExchange partner access to behavioral data - demand exhaustive integration audit and access controls
→Behavioral scoring models may persist visitor profiles indefinitely in Salesforce - negotiate retention limits aligned to sales cycle
→Confirm Pardot honors consent withdrawal and purges visitor behavioral data from Salesforce ecosystem
→Request disclosure of all Salesforce ecosystem integrations that process Pardot visitor data

Runtime Detections

2 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

8 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK

pi.pardot.com

Tracking script

Ecosystem

Ecosystem & Supply Chain

Pardot integrates deeply with Salesforce CRM, Sales Cloud, and marketing automation workflows. Behavioral scoring data flows through Salesforce ecosystem where AppExchange partners and custom integrations may access visitor intelligence. Often deployed with complementary tracking vendors that benefit from Salesforce identity graphs.

Loaded By (3)

Adara Googletagmanager Sojern

Commonly Deployed With

Linkedinads Googletagmanager Googleanalytics4 Doubleclick Clarity Bing Ads Onetrust Metapixel Factors Ai

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

11 detection signatures across scripts, domains, cookies, and network endpoints