PostHog

PostHog is an analytics vendor with a VRS of 80, flagged for 6 BTI codes including session recording (C07), consent bypass (C09), and persistence mechanisms (C13). The open-source product analytics platform deploys comprehensive behavioral tracking while claiming developer-friendly privacy controls, creating moderate signal corruption (25) but maximal cost attribution exposure (100) and full legal tail risk (100).

151 IOCs · 31 detections · 65% pre-consent · 18 sites
Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what PostHog discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

31 detections across 18 sites, 65% pre-consent activity

CRITICAL: Pre-Consent Activity

PostHog was observed loading and executing before user consent was obtained on 65% of sites where it was detected.

GDPR, ePrivacy

Disclosure Gaps: Claims vs. Observed Behavior

1 gap (pending)

They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact: What This Means For You

Product and engineering teams face three core risks: (1) Product analytics distort feature value assessment by misattributing usage patterns, making development prioritization decisions unreliable. (2) Detailed usage behavior reveals product strategy and development priorities to PostHog infrastructure; even self-hosted deployments send telemetry that exposes roadmap intelligence. (3) Legal exposure from session recording and consent bypass creates GDPR/CCPA liability that privacy teams cannot mitigate while maintaining analytics functionality.

Recommended Actions: What To Do About It

Role-specific actions based on observed behavior

If You Use PostHog

  • Require data processing addendum covering both application data and platform telemetry
  • Demand consent framework integration that blocks recording until user acceptance
  • Implement session replay exclusions for sensitive user interactions and PII
  • Configure analytics to minimize product intelligence exposure in telemetry
  • Establish retention limits for session recordings and behavioral profiles

If You're Evaluating PostHog

  • Test self-hosted deployment to verify what telemetry still flows to PostHog infrastructure
  • Review consent mechanism to confirm tracking respects opt-out immediately
  • Assess session recording scope and data access controls for replay storage
  • Verify whether product usage data influences PostHog product development or competitive analysis
  • Request documentation on persistence mechanisms and cross-session tracking logic

Negotiation Leverage

  • PostHog deploys session recording and consent bypass that captures complete product usage—demand explicit DPA terms covering both application analytics and platform telemetry
  • Self-hosted deployment still sends usage telemetry that reveals product strategy—negotiate telemetry opt-out or transparency into what data flows to vendor infrastructure
  • Session recordings capture sensitive user interactions including form inputs—require recording scope limits and data retention boundaries
  • Product analytics may distort feature value assessment for development prioritization—establish baseline measurement methodology and validate attribution logic
  • Legal tail risk of 100% contradicts developer-friendly positioning—evaluate whether open-source benefits provide meaningful privacy advantage over proprietary alternatives

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: PostHog can detect analytics blocking tools and alter tracking behavior during privacy assessments, masking production data collection.

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Interaction patterns, rage clicks, and navigation behavior create detailed user profiles for product analytics.

BTI-C07: Session Recording

Full session replay

Impact: Full session replay captures all user interactions including form inputs, navigation, and feature usage for product analysis.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: Analytics and recording can initialize before consent capture, processing user behavior regardless of privacy preferences.

BTI-C10: Fingerprinting

Device identification

Impact: Device and browser fingerprinting creates persistent user identifiers for cross-session analytics.

BTI-C13: Persistence Mechanisms

Long-lived identifiers

Impact: Multiple storage mechanisms ensure analytics continuity and profile persistence across sessions and cookie deletion.

IOC Manifest

145 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
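One way to put the manifest's glob-style indicators to work is to replay a HAR capture against them and flag PostHog requests that started before the consent click, which is the check the evaluation list above asks for ("confirm tracking respects opt-out immediately"). This is an added example, not BLACKOUT's or PostHog's tooling; the HAR fragment and the consent timestamp are constructed, and only a handful of the manifest's patterns are embedded.

```python
import fnmatch
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

# Glob-style indicators copied from the manifest above (load the full list the same way).
POSTHOG_IOCS = [
    "*internal-c.posthog.com/static/array.js*",
    "*internal-c.posthog.com/static/posthog-recorder.js*",
    "*posthog.com/*-*.js*",
    "cdn.posthog.com",
]

def matching_ioc(url: str) -> Optional[str]:
    """Return the first manifest pattern the URL matches, else None."""
    parts = urlsplit(url)
    target = parts.netloc + parts.path  # scheme and query string are not part of the IOC
    for pattern in POSTHOG_IOCS:
        if "/" in pattern or "*" in pattern:  # path or glob indicator
            if fnmatch.fnmatchcase(target, pattern):
                return pattern
        elif parts.netloc == pattern:  # bare host indicator
            return pattern
    return None

def parse_ts(iso: str) -> datetime:
    """Parse a HAR startedDateTime ('Z' rewritten for older Pythons)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def pre_consent_hits(har: dict, consent_at: Optional[datetime]) -> list:
    """PostHog requests started before consent_at; None means consent was never
    given during the capture, so every matching request is pre-consent."""
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        pattern = matching_ioc(url)
        if pattern and (consent_at is None
                        or parse_ts(entry["startedDateTime"]) < consent_at):
            hits.append({"url": url, "ioc": pattern})
    return hits

# Constructed HAR fragment (not a capture from the page); consent is assumed at 12:00:05.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-01-01T12:00:01Z",
     "request": {"url": "https://internal-c.posthog.com/static/array.js"}},
    {"startedDateTime": "2024-01-01T12:00:02Z",
     "request": {"url": "https://example.com/app.css"}},
    {"startedDateTime": "2024-01-01T12:00:09Z",
     "request": {"url": "https://internal-c.posthog.com/static/posthog-recorder.js?v=1"}},
]}}
```

Calling `pre_consent_hits(SAMPLE_HAR, parse_ts("2024-01-01T12:00:05Z"))` flags only the array.js load; passing `None` for the consent time flags both PostHog requests.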

Ecosystem & Supply Chain

PostHog integrates with feature flag systems, A/B testing platforms, and product development tools. Even self-hosted deployments may send usage telemetry to PostHog infrastructure for product analytics and billing. Integration architecture creates data flows where product usage patterns and development priorities flow to vendor analytics, potentially informing competitive intelligence or product roadmap decisions.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

151 detection signatures across scripts, domains, cookies, and network endpoints