How This Briefing Works
This dossier opens with key findings, then maps the gap between what PathFactory discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 7 sites
vendor fires before consent
Briefing
PathFactory operates as a content intelligence platform that tracks prospect engagement across multi-touch journeys. The vendor uses tag manager capabilities to instrument behavioral tracking throughout content consumption sessions, capturing granular interaction data that feeds predictive scoring models. Deployment patterns reveal session recording, device fingerprinting, and consent bypass mechanisms that operate independently of website consent frameworks.
What This Means For You
Revenue teams face three core risks: (1) Marketing attribution becomes distorted by over-crediting content touches, making CAC calculations unreliable and potentially shifting budget toward ineffective content programs. (2) Detailed prospect research behavior becomes visible to PathFactory, revealing which competitors you evaluate and what objections concern you most—intelligence that feeds vendor competitive analysis. (3) Legal exposure from consent bypass and session recording creates GDPR/CCPA liability that DPOs cannot fully mitigate without removing the vendor.
Risk Channel Breakdown
PathFactory tracks content engagement velocity and consumption patterns that feed into intent scoring models (25% signal corruption). These behavioral signals can distort attribution by over-crediting content touches while missing actual decision triggers.
The platform captures detailed visitor journey data that reveals prospect research behavior and competitive evaluation patterns (90% CAC subsidization). This intelligence enables competitors and vendors to optimize targeting against your pipeline.
Expands attack surface
Tag manager deployment with session recording and consent bypass creates full GDPR/CCPA exposure (100% legal tail risk). The vendor processes detailed behavioral data without transparent consent controls, leaving deploying organizations liable for regulatory violations.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Container/loader (neutral)
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed PathFactory's public claims against observed runtime behavior and identified 1 contradiction.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
oktopost, qualified, googletagmanager…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →