Semrush

Semrush is an SEO and competitive intelligence vendor that harvests clickstream data from over 200 million internet users via browser extensions, ISP partnerships, and third-party panel providers, then repackages that browsing behavior as traffic analytics available to any paying subscriber — including your competitors.

135 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Semrush discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

Gap 1 (pending, UNKNOWN)
They Claim: Awaiting scanner verification
Observed Behavior: Runtime behavior of Semrush tracking scripts on customer websites has not yet been observed via BLACKOUT scanner

Gap 2 (pending, UNKNOWN)
They Claim: Extension encryption status
Observed Behavior: Browser extension data transmission patterns require direct forensic analysis to confirm current encryption status and data payloads

Customer Impact

What This Means For You

Organizations face continuous competitive intelligence exposure through Semrush's traffic analytics. Competitors can monitor your website traffic trends, identify your highest-traffic pages, analyze your traffic source mix, and benchmark your performance — updated regularly. For B2B companies with longer sales cycles, this means competitors can detect marketing campaigns, product launches, and strategic pivots by observing traffic pattern changes. The risk is amplified if your own employees use Semrush extensions, as their browsing patterns (including visits to internal tools, staging environments, and partner portals) may be captured and contributed to the clickstream panel.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Semrush

  • Audit and remove Semrush browser extensions (Semrush Rank, PI Rank) from all corporate-managed browsers and endpoint policies.
  • Evaluate whether your organization's ISP agreements permit clickstream data resale to third parties, and negotiate opt-out provisions where possible.
  • Implement browser extension allowlisting policies to prevent employees from installing unvetted extensions that may feed clickstream panels.
  • Monitor what competitive intelligence about your organization is visible through Semrush's Traffic Analytics tool to understand your current exposure level.
  • Consider the competitive intelligence asymmetry: if you subscribe to Semrush, your competitors likely do too, and your traffic data flows in both directions.

Negotiation Leverage

  • Leverage: Semrush's reliance on clickstream data from browser extensions and ISP partnerships creates regulatory exposure under GDPR, CCPA, and emerging privacy legislation. The February 2026 finding that affiliated extensions transmitted data over unencrypted HTTP is a material security concern. If your organization uses Semrush products, request contractual guarantees that your employees' browsing data collected via extensions is excluded from the traffic analytics dataset sold to other subscribers.
  • Key questions for Semrush: (1) Can you guarantee our employees' browsing data from your extensions is not included in traffic estimates visible to other subscribers? (2) What encryption standards are currently applied to all extension-collected data in transit? (3) Which ISP and clickstream panel partners contribute data to your Traffic Analytics product? (4) What is the data retention period for raw clickstream data?
  • Protections: Include data exclusion clauses in enterprise agreements. Require notification if Semrush's data collection practices change. Establish the right to audit what data about your organization's web properties is available through their platform.
IOC Manifest

135 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Semrush's clickstream data ecosystem spans hundreds of third-party data providers, ISP partnerships, and browser extension networks. The company's extensions include Semrush Rank and PI Rank on the Chrome Web Store. Semrush integrates with Google Analytics, Google Search Console, and major advertising platforms. The company was linked in a February 2026 investigation to a broader network of 287 Chrome extensions collectively installed by 37.4 million users that were found to be leaking browsing history. Semrush competes directly with Similarweb, Ahrefs, and Moz in the SEO intelligence space, with all major players relying on some form of clickstream data collection.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

135 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details