All Vendors
dsp

Pulsepoint

Pulsepoint is a dsp vendor with a VRS of 80, flagged for 4 BTI codes including cross-domain sync (C08), consent bypass (C09), and identity resolution (C14). The demand-side platform deploys visitor tracking across programmatic inventory for healthcare and pharmacy advertising, creating moderate signal corruption (15) but maximal cost attribution exposure (100) and moderate legal tail risk (55).

10 IOCs32 detections6% pre-consent30 sites
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Pulsepoint discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

32 detections across 30 sites6% pre-consent activity
MEDIUM

Pre-Consent Activity

Pulsepoint was observed loading and executing before user consent was obtained on 6% of sites where it was detected.

GDPRePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN
They Claim

Unknown

Observed Behavior

Requires claims extraction via CDT

Customer Impact

What This Means For You

Healthcare advertisers and publishers face three core risks: (1) Audience attribution becomes distorted by health intent misclassification, making pharma campaign effectiveness measurement unreliable. (2) Health-related behavioral data flows through Pulsepoint infrastructure, potentially exposing patient condition research and treatment evaluation patterns. (3) Legal exposure from health data processing creates GDPR/CCPA liability with potential HIPAA considerations if behavioral signals correlate to medical conditions.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Pulsepoint

  • Require data processing addendum with explicit health data processing disclosure and HIPAA assessment
  • Demand consent framework integration that blocks health-related tracking until user acceptance
  • Implement audience targeting minimization to avoid condition-specific behavioral profiling
  • Configure campaign delivery to prioritize contextual over behavioral targeting for pharma ads
  • Establish strict retention limits for health-related visitor profiles

If You're Evaluating Pulsepoint

  • Assess whether behavioral health signals create HIPAA protected health information (PHI) obligations
  • Verify geographic data processing boundaries for health data under GDPR
  • Review identity resolution in health context and cross-site medical condition inference
  • Test consent mechanism to verify health tracking respects opt-out preferences
  • Request legal opinion on health data processing regulatory compliance across jurisdictions

Negotiation Leverage

  • Pulsepoint processes health-related behavioral data across programmatic ecosystem—demand legal assessment of HIPAA applicability and explicit liability protection for health data violations
  • Cross-domain identity resolution in healthcare context creates elevated privacy risk—negotiate contractual limits on health condition inference and medical behavior profiling
  • Health audience targeting may distort pharma campaign attribution—establish baseline measurement methodology that separates contextual from behavioral performance
  • Identity resolution links health research behavior to individuals across sites—require transparency into matching techniques and enhanced data deletion for medical signals
  • Legal tail risk of 55% reflects healthcare data sensitivity—evaluate whether programmatic pharma targeting value justifies health privacy exposure or consider contextual-only alternatives
Runtime Detections

Runtime Detections

4 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

Impact: Health content interaction patterns create behavioral profiles indicating medical conditions or healthcare needs for targeting.

BTI-C08Cross-Domain Sync

Identity stitching

Impact: Identity synchronization across health-related publisher properties enables patient journey tracking throughout healthcare ecosystem.

BTI-C09Consent Bypass

Ignoring CMP signals

Impact: DSP infrastructure processes health-related behavioral data regardless of consent state, collecting medical signals before permission.

BTI-C14Identity Resolution

PII deanonymization

Impact: Cross-site identity matching creates unified profiles linking health conditions, symptoms, and treatment research to individuals.

IOC Manifest

IOC Manifest

7 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

Pulsepoint integrates with healthcare publisher ad servers, pharmacy sites, and medical information platforms. The vendor operates across health-focused inventory where visitor behavior may indicate medical conditions or treatment needs. Integration architecture creates data flows where health-related browsing patterns flow to DSP infrastructure for pharma campaign targeting.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

10 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details