fraud_detection

Sardine.ai

Fraud prevention platform with behavioral biometrics and session recording. Its maximum CAC subsidization score indicates that fraud signal sharing creates competitive intelligence leakage.

10 IOCs, 1 detection, 1 site

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Sardine.ai discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

1 detection across 1 site

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending / UNKNOWN

They Claim: Unknown

Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

Every legitimate transaction you approve trains the Sardine fraud models that also protect your competitors. Your customer behavior patterns become shared intelligence. Meanwhile, privacy-conscious customers may be flagged as risky due to fingerprinting resistance, causing you to reject revenue. A perfect CAC subsidization score means competitors get your fraud prevention insights without your false positive costs.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Sardine.ai

  • Audit false positive rates for privacy tool users - verify fraud detection is not systematically rejecting legitimate privacy-conscious customers
  • Request fraud model training opt-out - your transaction data should not optimize competitor fraud prevention
  • Verify PCI-DSS scope - session recording at checkout may expand compliance requirements
  • Implement explicit consent for behavioral biometrics or accept GDPR Article 9 violations

If You're Evaluating Sardine.ai

  • First-party fraud scoring without cross-merchant data sharing
  • Rule-based fraud prevention without behavioral biometrics
  • On-premise fraud detection with complete data isolation

Negotiation Leverage

  • Perfect CAC subsidization (100) means your fraud intelligence trains competitor models - demand data segregation or pricing discount
  • Behavioral biometrics require GDPR Article 9 consent - audit consent mechanism for lawful basis
  • Cross-merchant fraud network creates privacy violations - DPA must address regulatory liability
  • False positives from privacy tool users create revenue rejection - demand transparency on blocking rates
  • Fraud prevention value derives from shared intelligence - pricing should reflect your data contribution
Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01: Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

Impact: Mouse dynamics and typing patterns are biometric identifiers under GDPR Article 9, requiring explicit consent and heightened security controls.

BTI-C07: Session Recording

Full session replay

Impact: Recording checkout sessions may capture payment credentials, creating PCI-DSS scope expansion and GDPR Article 32 violations.

BTI-C08: Cross-Domain Sync

Identity stitching

Impact: Fraud scoring across merchant sites creates cross-site tracking without user knowledge, violating ePrivacy Directive and GDPR Article 21.

BTI-C10: Fingerprinting

Device identification

IOC Manifest

8 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK: cdn.sardine.ai (Tracking script)

Ecosystem

Ecosystem & Supply Chain

Integrates with payment processors (Stripe, Adyen) and e-commerce platforms. Shares fraud signals across its merchant network. Requires JavaScript SDK deployment at checkout.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

10 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details