ProspectDesk

ProspectDesk fires its full de-anonymization stack before consent on 67% of observed deployments — resolving your anonymous visitors to identifiable individuals before they have any opportunity to object.

25 IOCs · 3 detections · 67% pre-consent · 3 sites

Vendor Risk Score: 85

How This Briefing Works

This report opens with key findings, then maps the gaps between what ProspectDesk discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 detections across 3 sites · 67% pre-consent activity

CRITICAL

Pre-Consent Activity

ProspectDesk was observed loading and executing before user consent was obtained on 67% of sites where it was detected.

GDPR · ePrivacy

HIGH

Pending Analysis

5 BTI behavioral codes detected across 3 deployments. Full claims extraction required for gap analysis.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap
1 HIGH

Pending Analysis

HIGH
They Claim

Claims analysis pending

Observed Behavior

5 BTI behavioral codes detected across 3 deployments. Full claims extraction required for gap analysis.

Customer Impact

What This Means For You

If ProspectDesk is deployed on your site, your anonymous visitors are being covertly identified and resolved to named individuals — and on 67% of observed deployments, this happens before any consent is collected. You are operating a de-anonymization service on your website that most of your visitors do not know about and did not agree to. The 5 external domains mean your visitor data is flowing to identity graph infrastructure beyond ProspectDesk, expanding your data processor chain and GDPR Article 28 obligations. If a visitor exercises their right to access under GDPR Article 15, you will need to account for the identification and profiling that ProspectDesk performed — including data held by their identity graph partners. The regulatory risk is not theoretical: de-anonymization vendors are precisely the category that EU data protection authorities have signaled as enforcement priorities.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use ProspectDesk

  • Immediately verify whether ProspectDesk fires before your CMP consent gate — the 67% pre-consent rate suggests it likely does on your deployment
  • Conduct a DPIA (Data Protection Impact Assessment) for ProspectDesk — de-anonymization at scale triggers mandatory DPIA requirements under GDPR Article 35
  • Map all 5 domains and identify which third-party identity graph partners process your visitor data
  • Review your privacy policy for adequate disclosure of covert visitor identification

If You're Evaluating ProspectDesk

  • Require ProspectDesk to provide complete documentation of their identity resolution methodology and all sub-processors
  • Demand proof of consent-gated deployment configuration before any procurement commitment
  • Assess whether the sales intelligence value justifies the regulatory exposure of operating a deanon tool
  • Compare ProspectDesk against alternatives that provide company-level identification without individual PII resolution

Negotiation Leverage

  • 67% pre-consent firing rate on a de-anonymization tool creates immediate GDPR exposure — demand contractual guarantee of consent-gated loading with penalties for violation
  • 5 domains for visitor identification means your data flows to undisclosed identity graph partners — require complete sub-processor disclosure and restrict onward transfers
  • De-anonymization is a high-priority enforcement category for EU regulators — negotiate full indemnification for regulatory penalties arising from ProspectDesk's default deployment behavior
  • Identity resolution + persistence + fingerprinting = permanent visitor surveillance record — negotiate strict data retention limits and deletion obligations
  • 5 BTI behavioral codes on 3 deployments shows consistent pattern — use as evidence to negotiate enhanced audit rights and compliance reporting requirements

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

Impact: Evasion infrastructure may cause ProspectDesk to behave differently during compliance audits than in production, masking the true scope of visitor identification during privacy assessments.

BTI-C09: Consent Bypass

Ignoring CMP signals

Impact: 67% pre-consent rate on a de-anonymization tool means visitors are being identified before they consent. Under GDPR, processing personal data for identification purposes requires explicit consent or legitimate interest with a balancing test that de-anonymization is unlikely to survive.

BTI-C10: Fingerprinting

Device identification

Impact: Device fingerprinting as part of a deanon stack creates persistent identification that visitors cannot prevent or undo. Combined with identity resolution, fingerprinting ensures that even privacy-conscious visitors using cookie blockers are still identified.

BTI-C13: Persistence Mechanisms

Long-lived identifiers

Impact: Long-lived identifiers ensure ProspectDesk maintains visitor profiles across sessions. For a de-anonymization platform, persistence means once a visitor is identified, that identification follows them indefinitely — creating a permanent surveillance record tied to your domain.

BTI-C14: Identity Resolution

PII deanonymization

Impact: PII deanonymization is ProspectDesk's core product. Every anonymous visitor to your site is a target for resolution to a named individual. Under GDPR, this constitutes processing of personal data that requires a lawful basis — a basis that is extremely difficult to establish for covert visitor identification.

IOC Manifest

25 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *tag.prospectdesk.ai/ldc.js* (Tracking script)
  • TRACK: *pdtag.cloud.prospectdesk.ai/ldc.js* (Tracking script)
  • TRACK: *norden.prospectdesk.ai/tag.js* (Tracking script)
  • TRACK: *norden.prospectdesk.ai/device.js* (Tracking script)
  • TRACK: tag.prospectdesk.ai (Tracking script)
  • TRACK: tag.prospectdesk.ai/ldc.js (Auto-extracted from scan)
  • TRACK: pdtag.cloud.prospectdesk.ai/ldc.js (Auto-extracted from scan)
  • TRACK: norden.prospectdesk.ai/tag.js (Auto-extracted from scan)
  • TRACK: norden.prospectdesk.ai/device.min.js (Auto-extracted from scan)
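
An added example, not code from BLACKOUT or ProspectDesk: one way to turn the indicators listed above into a check of your own site's HAR capture for matching requests sent before consent. The consent timestamp (`CONSENT_AT`), the sample HAR entries and the function names are assumptions constructed for illustration.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Indicators copied from the manifest above (exact duplicates collapsed).
INDICATORS = [
    "*tag.prospectdesk.ai/ldc.js*",
    "*pdtag.cloud.prospectdesk.ai/ldc.js*",
    "*norden.prospectdesk.ai/tag.js*",
    "*norden.prospectdesk.ai/device.js*",
    "norden.prospectdesk.ai/device.min.js",
    "tag.prospectdesk.ai",
]

def _ts(value):  # HAR timestamps are ISO 8601; normalise "Z" for older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def matches_indicator(url):
    """Return the first indicator matching the URL's host + path, else None."""
    parts = urlsplit(url)
    target = (parts.hostname or "") + parts.path  # query string is ignored
    for ind in INDICATORS:
        pattern = ind if "*" in ind else ind + "*"  # bare entries act as prefixes
        if fnmatchcase(target, pattern):
            return ind
    return None

def pre_consent_hits(har, consent_time):
    """Return (startedDateTime, url, indicator) for matches sent before consent."""
    cutoff = _ts(consent_time)
    hits = []
    for entry in har["log"]["entries"]:
        started, url = entry["startedDateTime"], entry["request"]["url"]
        ind = matches_indicator(url)
        if ind and _ts(started) < cutoff:
            hits.append((started, url, ind))
    return sorted(hits)

# Constructed sample HAR (not captured traffic); example.com is a placeholder.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2024-05-01T10:00:00.120Z", "request": {"url": "https://example.com/"}},
    {"startedDateTime": "2024-05-01T10:00:00.480Z", "request": {"url": "https://tag.prospectdesk.ai/ldc.js?id=demo"}},
    {"startedDateTime": "2024-05-01T10:00:00.910Z", "request": {"url": "https://norden.prospectdesk.ai/device.min.js"}},
    {"startedDateTime": "2024-05-01T10:00:09.300Z", "request": {"url": "https://norden.prospectdesk.ai/tag.js"}},
    {"startedDateTime": "2024-05-01T10:00:01.000Z", "request": {"url": "https://example.com/?ref=tag.prospectdesk.ai"}},
]}}
CONSENT_AT = "2024-05-01T10:00:05.000Z"  # assumption: when the tester clicked "accept"

if __name__ == "__main__":
    print(*pre_consent_hits(SAMPLE_HAR, CONSENT_AT), sep="\n")
```

Matching on host and path rather than the full URL keeps a first-party request that merely mentions a listed host in its query string from being counted as a hit.
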
Ecosystem

Ecosystem & Supply Chain

ProspectDesk operates in the visitor de-anonymization space alongside competitors like RB2B, Clearbit Reveal, and Leadfeeder. The 5 detected domains serving a relatively small vendor suggest integration with external identity graph providers — ProspectDesk likely does not maintain its own identity resolution infrastructure but relies on partners to match fingerprints and behavioral signals to PII. This means your visitor data flows through at least two layers of third-party processing. The platform integrates with CRM and sales engagement tools, feeding identified visitor profiles directly into outbound sales workflows.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

25 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details