Pendo

Pendo is a product analytics and in-app guidance platform that tracks user behavior within applications, capturing page views, click events, and feature usage to drive product decisions and deliver targeted in-app experiences.

103 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Pendo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap (status: pending)

MEDIUM
They Claim: Requires scanner verification of runtime behavior
Observed Behavior: Analysis based on Pendo documentation, help center articles, and privacy policy

Customer Impact

What This Means For You

Organizations using Pendo should recognize that the platform operates within authenticated application contexts where users are performing real work with real data. Unlike website analytics that tracks anonymous browsing, Pendo tracks identified users performing specific actions within business applications. The DOM injection capability for in-app guides creates a supply chain risk: if Pendo's infrastructure is compromised, attackers could inject content into trusted application interfaces that users have no reason to distrust. The 2025 expansion into session replay means existing Pendo deployments may now be recording more data than originally authorized in privacy impact assessments. Organizations should re-evaluate their Pendo data processing scope in light of these expanded capabilities.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Pendo

  • Re-evaluate Pendo's data collection scope following the 2025 session replay and web analytics feature additions to ensure privacy impact assessments are current.
  • Configure Do Not Process (DNP) rules for sensitive user segments and application contexts where behavioral tracking is inappropriate.
  • Audit in-app guide targeting rules to ensure behavioral segments are not exposing sensitive data in guide targeting logic.
  • Implement Content Security Policy headers that account for Pendo's DOM injection requirements while limiting the scope of injected content.
  • Review Pendo's data retention policies and configure appropriate limits for behavioral data, session recordings, and survey responses separately.
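The Content Security Policy action above names no concrete policy. The following is an added example, not code from this briefing or from Pendo: it builds a policy that admits the Pendo agent only from the two hosts the IOC manifest on this page names (cdn.pendo.io for pendo.js, app.pendo.io for guide data) and checks constructed request URLs against it with a simplified host-source matcher. The page origin app.example.com, the policy itself, and the assumption that Pendo needs no directives beyond script-src and connect-src are mine; if a guide injects images or styles, img-src or style-src entries would also be needed, and Pendo's documentation is the authority on that.

```python
"""Build and check a Content Security Policy that scopes the Pendo agent.

Added example, not Pendo's or the briefing's code. Hosts come from the
manifest on this page; directive names are standard CSP. Whether Pendo
needs further directives is an assumption to verify against Pendo's docs.
"""
from urllib.parse import urlsplit

# Constructed policy: first-party by default, the Pendo script only from its
# CDN, Pendo network calls only to the two hosts named in the manifest.
PENDO_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.pendo.io"],
    "connect-src": ["'self'", "https://app.pendo.io", "https://cdn.pendo.io"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
}


def render_policy(policy: dict) -> str:
    """Serialize the directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def _host_source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP host-source match on scheme, host ('*.' wildcard) and port.

    Paths, nonces, hashes and 'strict-dynamic' are deliberately not modelled.
    """
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if source.endswith(":") and "/" not in source:  # scheme-only, e.g. "https:"
        return u.scheme == source[:-1]
    # A bare host-source has no scheme; treat it as matching any scheme here.
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = u.hostname or ""
    if s.hostname and s.hostname.startswith("*."):
        if not host.endswith(s.hostname[1:]):  # "*.pendo.io" -> ".pendo.io"
            return False
    elif s.hostname != host:
        return False
    if s.port and s.port != u.port:
        return False
    return True


def is_allowed(policy: dict, directive: str, url: str,
               page_origin: str = "https://app.example.com") -> bool:
    """True if `url` may be loaded under `directive` (falls back to default-src)."""
    sources = policy.get(directive, policy.get("default-src", ["'none'"]))
    return any(_host_source_matches(src, url, page_origin) for src in sources)


if __name__ == "__main__":
    print("Content-Security-Policy:", render_policy(PENDO_CSP))
    # Constructed URLs, modelled on the manifest entries above.
    checks = [
        ("script-src", "https://cdn.pendo.io/agent/static/50ff22c7-59c1-450a-68d3-f097e9eaa74c/pendo.js"),
        ("script-src", "https://app.pendo.io/data/guide.js/50ff22c7-59c1-450a-68d3-f097e9eaa74c"),
        ("connect-src", "https://app.pendo.io/data/guide.js/50ff22c7-59c1-450a-68d3-f097e9eaa74c"),
        ("img-src", "https://cdn.pendo.io/some-image.png"),
    ]
    for directive, url in checks:
        print(f"{directive:12} {'ALLOW' if is_allowed(PENDO_CSP, directive, url) else 'BLOCK'} {url}")
```

What this policy does and does not buy: it bounds where script and data may come from, so a typo-squatted or attacker-controlled host cannot be pulled in, but CSP cannot constrain what a script loaded from an allowed host writes into the DOM. The supply-chain risk the briefing describes (compromised Pendo infrastructure injecting guide content) is therefore reduced to the allowed hosts rather than eliminated; subresource integrity is not applicable to a script whose content changes per build, so monitoring the delivered pendo.js for unexpected changes is the complementary control.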

Negotiation Leverage

Leverage: Pendo's rapid feature expansion in 2025 (session replay, web analytics, agent analytics) means the data collection scope is growing faster than most organizations' privacy assessments can keep up with. Use this to negotiate feature-specific data processing terms rather than blanket platform access.

Key questions:
  • Are session replay features enabled by default or opt-in per customer?
  • Can DOM injection (in-app guides) be restricted to specific pages or user segments?
  • What data does Pendo collect about guide interactions beyond what is visible in the dashboard?
  • Does Pendo use customer behavioral data for product benchmarking or AI model training?

Protections to require:
  • Feature-level data processing agreements that cover analytics, session replay, in-app guides, and surveys separately.
  • Contractual notification before new data collection features are enabled.
  • Right to audit DOM injection scope.
  • Prohibition on using behavioral data for cross-customer benchmarking without explicit authorization.
  • Data deletion SLA covering all data types.


IOC Manifest

103 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK  *www.pendo.io/_next/static/chunks/*-*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/app/%5Blocale%5D/not-found-*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/app/%5Blocale%5D/page-*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/main-app-*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/app/%5Blocale%5D/layout-*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/*.*.js*  Tracking script
TRACK  *www.pendo.io/_next/static/chunks/webpack-*.js*  Tracking script
TRACK  *www.pendo.io/_vercel/speed-insights/script.js*  Tracking script
TRACK  *www.pendo.io/_vercel/insights/script.js*  Tracking script
TRACK  *cdn.pendo.io/agent/static/*-59c1-450a-68d3-*/pendo.js*  Tracking script
EXFIL  *app.pendo.io/data/guide.js/*-59c1-450a-68d3-**  Data collection endpoint
TRACK  www.pendo.io/_next/static/chunks/webpack-c1f26e1261fc483b.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/4bd1b696-f785427dddbba9fb.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/1255-2e45eb1ae1342caa.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/main-app-5eb0d9c55a395822.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/app/%5Blocale%5D/layout-0d12885be7b689f3.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/c16f53c3-b3b18c3a302e625f.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/1356-46359ec6cbc65fc4.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/3529-8676a383620f19b7.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/7459-2b6a85d8da4f607d.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/app/%5Blocale%5D/not-found-96a0a6fc42809f43.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/3298-539473f746f76548.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/4674-ebb30eb47229e007.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/app/%5Blocale%5D/page-1941d473db8c13a8.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/c15bf2b0-1894ff94ed039d0f.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/7605-68b17966a6a92e96.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/2190.f720e31b7c320533.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/f58c171e.b76db2e8181857c2.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/5664.8e1bdb296346bd43.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/9212.e59acda18de5a0ca.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/7624-97fec5a2499ac961.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/2147.e9b7fce074e77c1f.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/5580.1a6f51d43f6f3539.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/4529.794f035773619065.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/2619-38012e79151e370a.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/6270.51474eb81726492b.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/4587.320ca4505234a59f.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/5987.7286be62fc5e6a96.js  Auto-extracted from scan
TRACK  www.pendo.io/_next/static/chunks/7469.693951823f8ca41d.js  Auto-extracted from scan
TRACK  www.pendo.io/_vercel/speed-insights/script.js  Auto-extracted from scan
TRACK  www.pendo.io/_vercel/insights/script.js  Auto-extracted from scan
TRACK  cdn.pendo.io/agent/static/50ff22c7-59c1-450a-68d3-f097e9eaa74c/pendo.js  Auto-extracted from scan
EXFIL  app.pendo.io/data/guide.js/50ff22c7-59c1-450a-68d3-f097e9eaa74c  Auto-extracted from scan
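The manifest is offered for detection rules and Pi-hole blocklists but the page does not show how its wildcard entries are meant to be applied. The following is an added example, not code from this briefing or from BLACKOUT: it loads a representative subset of the indicators above (wildcard entries, where `*` matches any run of characters, and exact auto-extracted URLs), classifies request URLs from a constructed proxy log by the most severe matching category, and derives the deduplicated host list a blocklist would need. The log lines, the `METHOD URL` format and the severity ordering (EXFIL above TRACK) are my assumptions.

```python
"""Turn the IOC manifest into URL detection logic and a domain blocklist.

Added example, not part of the briefing. Indicators are copied from the
manifest on this page (a subset); the request log below is constructed.
"""
import fnmatch
import re

# (category, indicator) pairs from the manifest. "*" is a wildcard; entries
# without "*" are exact URLs (scheme omitted) auto-extracted from the scan.
MANIFEST = [
    ("TRACK", "*www.pendo.io/_next/static/chunks/*-*.js*"),
    ("TRACK", "*www.pendo.io/_next/static/chunks/*.*.js*"),
    ("TRACK", "*www.pendo.io/_vercel/speed-insights/script.js*"),
    ("TRACK", "*www.pendo.io/_vercel/insights/script.js*"),
    ("TRACK", "*cdn.pendo.io/agent/static/*-59c1-450a-68d3-*/pendo.js*"),
    ("EXFIL", "*app.pendo.io/data/guide.js/*-59c1-450a-68d3-**"),
    ("TRACK", "cdn.pendo.io/agent/static/50ff22c7-59c1-450a-68d3-f097e9eaa74c/pendo.js"),
    ("EXFIL", "app.pendo.io/data/guide.js/50ff22c7-59c1-450a-68d3-f097e9eaa74c"),
]

# Assumed severity ordering: a data collection endpoint outranks a tracker.
SEVERITY = {"EXFIL": 2, "TRACK": 1}

# fnmatch.translate turns each glob into an anchored regex; "*" crosses "/".
RULES = [(cat, ind, re.compile(fnmatch.translate(ind), re.IGNORECASE))
         for cat, ind in MANIFEST]


def _strip_scheme(url: str) -> str:
    """Indicators omit the scheme, so compare against 'host/path?query' only."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


def match_url(url: str):
    """Return every (category, indicator) whose pattern matches the URL."""
    target = _strip_scheme(url)
    return [(cat, ind) for cat, ind, rx in RULES if rx.match(target)]


def classify_url(url: str):
    """Return the most severe matching category, or None if nothing matches."""
    hits = match_url(url)
    if not hits:
        return None
    return max((cat for cat, _ in hits), key=SEVERITY.__getitem__)


def blocklist_domains(manifest=MANIFEST):
    """Hosts named by the indicators, deduplicated, for a domain blocklist."""
    hosts = set()
    for _, ind in manifest:
        host = ind.lstrip("*").split("/", 1)[0]
        if host and "*" not in host:  # a wildcard inside the host is not a domain
            hosts.add(host.lower())
    return sorted(hosts)


def scan_log(lines):
    """Classify each 'METHOD URL' line; return (category, method, url) hits."""
    findings = []
    for line in lines:
        method, url = line.split(" ", 1)
        category = classify_url(url)
        if category:
            findings.append((category, method, url))
    return findings


# Constructed proxy log: one first-party request and three Pendo requests.
SAMPLE_LOG = [
    "GET https://app.example.com/dashboard",
    "GET https://cdn.pendo.io/agent/static/50ff22c7-59c1-450a-68d3-f097e9eaa74c/pendo.js",
    "POST https://app.pendo.io/data/guide.js/50ff22c7-59c1-450a-68d3-f097e9eaa74c",
    "GET https://www.pendo.io/_vercel/insights/script.js",
]

if __name__ == "__main__":
    for category, method, url in scan_log(SAMPLE_LOG):
        print(f"{category:5} {method:4} {url}")
    print("blocklist:", *blocklist_domains())
```

Two details matter when applying this to real traffic: the scheme is stripped before matching because the manifest entries carry none, and query strings are left in place, which is why an exact indicator can miss a request that the corresponding wildcard entry still catches (the EXFIL endpoint called with parameters is the case to check). The host list is the right input for a DNS-level blocklist, but blocking cdn.pendo.io at DNS also breaks the in-app guides your own application may depend on, so the URL-level rules are the ones to use for alerting rather than blocking.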

Ecosystem & Supply Chain

Pendo integrates with CRM systems (Salesforce, HubSpot), marketing automation platforms, data warehouses, business intelligence tools, and product management systems (Jira, Productboard). The platform's segment-based targeting means behavioral data is used to determine which users see specific in-app content. Pendo's API enables export of usage analytics and behavioral data. The multi-tenant SaaS architecture means customer data is logically segregated but hosted on shared infrastructure. Pendo is typically accessed by product management, customer success, marketing, and UX teams. The platform's feedback and NPS data may also be shared with executive leadership and customer-facing teams.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

103 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details