How This Briefing Works
This report opens with key findings, then maps the gaps between what PathFactory discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
PathFactory was observed loading and executing before user consent was obtained on 75% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Unknown”
Requires claims extraction via CDT
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use PathFactory
- →Demand data processing addendum with explicit session recording disclosure
- →Require consent framework integration that blocks tag firing until user acceptance
- →Implement CSP headers to prevent tag injection without security review
- →Configure content analytics to exclude PII and competitive research signals
- →Establish data retention limits for behavioral profiles
If You're Evaluating PathFactory
- →Request technical documentation on consent detection mechanisms
- →Verify whether session recordings are processed in EU for GDPR deployments
- →Test tag behavior in pre-consent state to confirm no data collection occurs
- →Review visitor identity resolution logic for fingerprinting techniques
- →Assess data flows to vendor analytics infrastructure and third-party enrichment
Negotiation Leverage
- →PathFactory deploys 6 high-risk tracking techniques including session recording and consent bypass—demand full technical disclosure of data collection scope and explicit DPA terms covering regulatory liability
- →The platform captures detailed competitive research behavior that reveals your evaluation process to vendor analytics—negotiate contractual limits on secondary use of engagement data for vendor intelligence
- →Tag manager architecture allows runtime tracking modifications without your security review—require change control processes and tag injection approval workflows
- →Content intelligence creates attribution distortion that may shift marketing spend toward ineffective programs—establish baseline measurement methodology and verify attribution logic before deployment
- →Legal tail risk from consent bypass is 100% and cannot be fully mitigated through configuration—evaluate whether content intelligence value justifies regulatory exposure or consider privacy-respecting alternatives
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: PathFactory can detect analysis environments and alter tracking behavior during security assessments, masking full data collection scope.
Keystroke/mouse tracking
Impact: Content interaction patterns (scroll velocity, read time, navigation paths) create persistent visitor profiles across sessions.
Full session replay
Impact: Full session replay capability captures all visitor interactions during content consumption, including form fills and page navigation.
Ignoring CMP signals
Impact: Tag manager architecture allows tracking initialization before consent capture, processing visitor data regardless of preferences.
Device identification
Impact: Device and browser fingerprinting creates persistent identifiers for visitor recognition across content sessions.
Container/loader (neutral)
Impact: Dynamic tag injection capability allows runtime modification of tracking scope without code changes or security review.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
120 detection signatures across scripts, domains, cookies, and network endpoints