Serpstat

Serpstat operates as data enrichment infrastructure with behavioral biometrics, consent bypass, and persistence capabilities. The SEO platform extends to visitor tracking, creating a hybrid SEO-surveillance threat profile.

44 IOCs, 33 detections, 88% pre-consent, 31 sites
Vendor Risk Score: 70

How This Briefing Works

This report opens with key findings, then maps the gaps between what Serpstat discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

33 detections across 31 sites, 88% pre-consent activity
CRITICAL

Pre-Consent Activity

Serpstat was observed loading and executing before user consent was obtained on 88% of sites where it was detected.

GDPR, ePrivacy
Disclosure Gaps

Claims vs. Observed Behavior

1 gap

seo_surveillance

MODERATE
They Claim

Pending claims extraction

Observed Behavior

Runtime shows SEO tracking with behavioral capture before consent

Customer Impact

What This Means For You

Marketing teams gain SEO analytics but expose visitor behavior through tracking extension (Broker). Legal teams face consent bypass liability from pre-consent tracking activation. SEO teams must evaluate whether platform requires visitor surveillance beyond keyword analytics.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Serpstat

  • Audit SEO tracking scope - verify separation from visitor surveillance
  • Map behavioral tracking integration with SEO analytics
  • Verify DPA covers visitor tracking beyond SEO measurement

If You're Evaluating Serpstat

  • Require consent-first visitor tracking with SEO analytics isolated
  • Demand disclosure of behavioral tracking methodology in SEO context
  • Negotiate data isolation ensuring SEO analytics remain separate from visitor surveillance

Negotiation Leverage

  • C06+C09 tracking extension: Demand DPA clarifying SEO analytics vs visitor surveillance scope
  • Request written confirmation that SEO measurement does not require behavioral tracking
  • Require audit rights covering visitor tracking beyond keyword analytics
  • Negotiate liability provisions if SEO platform requires consent bypass for core functionality
Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06: Behavioral Biometrics

Keystroke/mouse tracking

BTI-C09: Consent Bypass

Ignoring CMP signals

BTI-C15: Tag Manager

Container/loader (neutral)

IOC Manifest

38 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *serpstat.com/home/search-bar.js* (Tracking script)
  • TRACK: *serpstat.com/home/main.js* (Tracking script)
  • TRACK: serpstat.com/home/search-bar.js (Auto-extracted from scan)
  • TRACK: serpstat.com/home/main.js (Auto-extracted from scan)

Ecosystem

Ecosystem & Supply Chain

Serpstat operates in the SEO analytics layer, potentially feeding data to marketing platforms and competitive intelligence tools. This creates exposure when SEO tracking extends to behavioral visitor identification. Co-deployment with analytics vendors multiplies the visitor tracking surface.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

44 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details