Pitchbook

Pitchbook is a data_enrichment vendor with a VRS of 80, flagged for 5 BTI codes including session recording (C07), consent bypass (C09), and fingerprinting (C10). The financial data platform deploys visitor intelligence while delivering market research and deal data, creating moderate signal corruption (25) but severe cost attribution exposure (90) and full legal tail risk (100).

15 IOCs | 87 detections | 5% pre-consent | 85 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Pitchbook discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

87 detections across 85 sites | 5% pre-consent activity
MEDIUM

Pre-Consent Activity

Pitchbook was observed loading and executing before user consent was obtained on 5% of sites where it was detected.

GDPR, ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Unknown

Observed Behavior

Requires claims extraction via CDT

Customer Impact

What This Means For You

Investment and research teams face three core risks: (1) Research behavior analytics become distorted by platform over-crediting, making usage value calculations unreliable for renewal decisions. (2) Detailed deal research patterns reveal investment thesis, competitive analysis, and market focus to Pitchbook infrastructure—intelligence that could inform vendor strategy or competitive positioning. (3) Legal exposure from consent bypass and session recording creates GDPR/CCPA liability that compliance teams cannot fully mitigate while maintaining platform access.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Pitchbook

  • Require data processing addendum with explicit research query retention limits
  • Demand consent framework integration that blocks tracking until user acceptance
  • Implement query data minimization to exclude deal-sensitive information from logs
  • Configure analytics to separate platform usage from competitive intelligence gathering
  • Establish retention limits for search history and behavioral profiles

If You're Evaluating Pitchbook

  • Request technical documentation on tracking initialization and consent detection
  • Verify whether research query data is used for product development or market intelligence
  • Test session recording scope to understand what research activity is captured
  • Review data flows to third-party analytics and enrichment platforms
  • Assess fingerprinting techniques and cross-session identity resolution mechanisms

Negotiation Leverage

  • Pitchbook deploys session recording and consent bypass that captures all research behavior—demand explicit DPA terms covering query data processing and regulatory liability protection
  • Research patterns reveal deal pipeline, investment thesis, and competitive analysis—negotiate contractual limits on secondary use of behavioral data for vendor intelligence
  • Platform tracking creates GDPR/CCPA exposure that compliance cannot fully remediate—require technical controls for consent enforcement and data deletion
  • Usage analytics may distort platform value assessment for renewals—establish baseline measurement methodology for research productivity
  • Legal tail risk of 100% reflects tracking necessity for platform analytics—evaluate whether data value justifies privacy exposure or negotiate enhanced privacy controls

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Pitchbook can detect privacy analysis tools and alter tracking behavior during security assessments, masking production data collection scope.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Research velocity, query patterns, and content consumption behavior create persistent user profiles for usage analytics.

BTI-C07 Session Recording

Full session replay

Impact: Session capture records all research queries, data views, and navigation patterns for profile refinement and usage analysis.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Tracking begins before consent capture, processing user research behavior regardless of privacy preferences.

BTI-C10 Fingerprinting

Device identification

Impact: Device and browser fingerprinting creates persistent identifiers for user recognition across research sessions.

IOC Manifest

10 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *pitchbook.com/20.*.js* (Tracking script)
  • TRACK: *pitchbook.com/442.*.js* (Tracking script)
  • TRACK: pitchbook.com/20.8452b4873a00cce21301.js (Auto-extracted from scan)
  • TRACK: pitchbook.com/442.012c2b667dc242ba3352.js (Auto-extracted from scan)

Ecosystem

Ecosystem & Supply Chain

Pitchbook integrates with CRM systems (Salesforce), deal management platforms, and financial research tools. The vendor may consume user identity data from enterprise authentication while generating behavioral intelligence about research patterns. Integration architecture creates data flows where detailed search queries and content consumption patterns flow to vendor analytics infrastructure.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

15 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details