Vector

Vector de-anonymizes website visitors and fires 62.3% of its tracking pre-consent across 34 monitored sites, turning your prospect intelligence into competitive advertising fuel before visitors ever consent.

55 IOCs · 54 detections · 63% pre-consent · 35 sites

Vendor Risk Score: 85

How This Briefing Works

This report opens with key findings, then maps the gaps between what Vector discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

54 detections across 35 sites · 63% pre-consent activity · 1 critical disclosure gap
CRITICAL

Compliance Claim Mismatch

62.3% pre-consent tracking rate across 34 monitored sites

GDPR Article 6 · GDPR Article 7 · CCPA 1798.100
CRITICAL

Pre-Consent Activity

Vector was observed loading and executing before user consent was obtained on 63% of sites where it was detected.

GDPR · ePrivacy
HIGH

Undisclosed Subprocessor

pro.ip-api.com receives visitor IP addresses but is not disclosed

GDPR Article 28 · GDPR Article 13(1)(e)
HIGH

Security Vulnerabilities

Q4 2025 pentest found 1 Critical, 1 High, 5 Low vulnerabilities

SOC2 Trust Principles · GDPR Article 32
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
1 CRIT · 2 HIGH · 1 MED
Classified: BTI-X01 · BTI-X02 · BTI-X05 · BTI-X08

Compliance Claim Mismatch

GDPR Article 6 · GDPR Article 7 · CCPA 1798.100
CRITICAL
They Claim

GDPR compliant, CCPA compliant

Observed Behavior

62.3% pre-consent tracking rate across 34 monitored sites

BLACKOUT runtime detection data from intel_detections table

Undisclosed Subprocessor

GDPR Article 28 · GDPR Article 13(1)(e)
HIGH
They Claim

Privacy policy lists data recipients

Observed Behavior

pro.ip-api.com receives visitor IP addresses but is not disclosed

Pixel script makes requests to pro.ip-api.com/json/ with API key 82LH3HgJ6w0DP7N

Security Vulnerabilities

SOC2 Trust Principles · GDPR Article 32
HIGH
They Claim

SOC2 ready, security-focused

Observed Behavior

Q4 2025 pentest found 1 Critical, 1 High, 5 Low vulnerabilities

Oneleet Penetration Test Report Q4 2025 - VCTR-001 through VCTR-007

Self-Contradictory Privacy Practice

GDPR Article 13 · ePrivacy Directive
MEDIUM
They Claim

Privacy-aware platform

Observed Behavior

21 third-party vendors running pre-consent on vector.co, only 3 disclosed

BLACKOUT scan of www.vector.co showing AOL, Clarity, DoubleClick, LiveIntent etc.

Customer Impact

What This Means For You

YOUR website visitors are being identified and matched to contact records before consent is collected. YOUR demand signals — which pages prospects visit, how long they stay, what they research — flow to Vector's advertising platform where competitors can target those same contacts on LinkedIn and Google. If you deploy Vector, YOUR privacy policy likely fails to account for 21 undisclosed third-party vendors operating on your properties. Under GDPR Article 30, YOUR records of processing are incomplete, exposing you to regulatory action.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Vector

  • Audit consent flow — Vector's 62.3% pre-consent rate suggests improper CMP integration; verify your deployment blocks Vector until explicit consent
  • Review subprocessor agreements — 21 undisclosed vendors means your DPA likely has gaps; request updated subprocessor list
  • Implement server-side gating — do not rely on client-side consent checks given Vector's pre-consent behavior patterns
  • Request Vector's latest pentest report — critical vulnerabilities were documented in their infrastructure

If You're Evaluating Vector

  • Request Vector's consent architecture documentation before any trial
  • Compare with RB2B, Clearbit, and 6sense on pre-consent behavior — Vector's 62.3% rate is among the highest in identity resolution
  • Require contractual guarantees that your visitor data will not be used for competitive advertising targeting
  • Verify Vector's GDPR and CCPA compliance claims against BLACKOUT runtime evidence

Negotiation Leverage

  • Pre-consent rate documentation: BLACKOUT runtime data shows 62.3% of Vector tracking fires before consent across 34 monitored sites — use this to negotiate consent architecture improvements or termination rights
  • Undisclosed subprocessor gap: 21 vendors detected that are not in Vector's privacy disclosures — request updated subprocessor list and contractual indemnification for regulatory exposure
  • Competitive signal leakage: Vector's model explicitly identifies your visitors for retargeting on LinkedIn and Google — negotiate data usage restrictions preventing your demand signals from reaching competitors
  • Pentest vulnerability evidence: Critical security findings documented in Vector's infrastructure — leverage for security audit requirements and data protection guarantees in your contract
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C09 Consent Bypass

Ignoring CMP signals

BTI-C14 Identity Resolution

PII deanonymization

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest

38 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*cdn.vector.co/pixel.js*
Tracking script
TRACK
cdn.vector.co/pixel.js
Tracking script
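
To act on the consent-flow audit recommended above using the indicators listed here, the following added example (not BLACKOUT's or Vector's code) scans a HAR capture of your own site and separates requests to the pixel script and the IP-enrichment endpoint into those fired before and after consent. It assumes the tester records the moment they clicked the CMP's accept button; the sample capture, the `customer.example` host and the `PLACEHOLDER` query values are constructed.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Indicators quoted in this briefing: the pixel script and the IP-enrichment endpoint.
INDICATORS = ("cdn.vector.co/pixel.js", "pro.ip-api.com/json/")

def parse_ts(value):
    """Parse a HAR startedDateTime (ISO 8601); map a trailing 'Z' to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_har(har, consent_time):
    """Split indicator hits into (pre_consent, post_consent) URL lists.
    consent_time=None models a visitor who never consented: every hit is pre-consent."""
    consent = parse_ts(consent_time) if consent_time else None
    pre, post = [], []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        target = (parts.hostname or "") + parts.path  # ignore scheme, port and query
        if not any(target.startswith(ind) for ind in INDICATORS):
            continue
        started = parse_ts(entry["startedDateTime"])
        (pre if consent is None or started < consent else post).append(url)
    return pre, post

def _entry(ts, url):
    return {"startedDateTime": ts, "request": {"method": "GET", "url": url}}

# Constructed sample capture (not BLACKOUT evidence); the key and id are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("2025-01-01T10:00:00.000Z", "https://customer.example/pricing"),
    _entry("2025-01-01T10:00:00.350Z", "https://cdn.vector.co/pixel.js?id=PLACEHOLDER"),
    _entry("2025-01-01T10:00:00.900Z", "https://pro.ip-api.com/json/?key=PLACEHOLDER"),
    _entry("2025-01-01T10:00:07.500Z", "https://cdn.vector.co/pixel.js?id=PLACEHOLDER"),
]}}
CONSENT_AT = "2025-01-01T10:00:05.000Z"  # assumed: when the tester clicked "Accept"

if __name__ == "__main__":
    pre, post = audit_har(SAMPLE_HAR, CONSENT_AT)
    print(json.dumps({"pre_consent": pre, "post_consent": post}, indent=2))
```

A non-empty pre-consent list on a fresh profile means the CMP is not gating the tag; passing `None` as the consent time covers the reject or ignore-the-banner case, where any hit at all is a finding.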
Ecosystem

Ecosystem & Supply Chain

Vector operates in the B2B visitor identification ecosystem alongside RB2B, Clearbit, and 6sense. Unlike RB2B (which BLACKOUT has documented with defeat device characteristics), Vector implements compliance features including opt-out mechanisms and consent management functions. Vector is frequently bundled by other platforms - notably Warmly uses Vector for contact advertising. The pixel depends on pro.ip-api.com for IP enrichment, creating a two-vendor data chain. Vector integrates with ad platforms (Facebook, LinkedIn, Google Ads) for cross-platform retargeting of identified visitors. The company uses PropelAuth for authentication and appears to use standard SaaS infrastructure. Their Q4 2025 pentest reveals a startup security posture with critical vulnerabilities in multi-tenant isolation.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

55 detection signatures across scripts, domains, cookies, and network endpoints

HAR Forensics

Email Hash Exfiltration (1)
Destination | Algorithm
Vendor Details