How This Briefing Works
This report opens with key findings, then maps the gaps between what Warmly discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Warmly was observed loading and executing before user consent was obtained on 33% of sites where it was detected.
Pending Analysis
8 BTI behavioral codes detected across 21 observations on 8 sites. Full claims extraction required for gap analysis.
Compliance Claim Mismatch
False certification claims
Assurance Gap
Gated or missing due diligence docs
Claims vs. Observed Behavior
“Claims analysis pending”
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Warmly
- Implement network-level monitoring for WebSocket/SSE connections to Warmly domains — standard request logging will not capture real-time exfiltration
- Block Warmly from firing until explicit, informed consent is obtained specifically for visitor deanonymization and real-time data streaming
- Conduct a DPIA covering Warmly's 8 BTI-C behaviors — this density of detection requires formal privacy impact assessment under GDPR Article 35
- Audit your first-party analytics with Warmly disabled versus enabled to quantify the signal corruption impact on your measurement stack
If You're Evaluating Warmly
- Assess whether any deanonymization tool warrants the regulatory exposure created by 8 concurrent BTI-C code triggers and real-time data exfiltration
- Request Warmly's technical documentation on exactly what data is transmitted via WebSocket and to which endpoints
- Evaluate whether intent-based lead scoring from first-party signals could replace deanonymization without the compliance burden
- Consider that Warmly's signal corruption score (70) means your analytics integrity is compromised whenever the tool is active — factor this into ROI calculations
Negotiation Leverage
- 8 BTI-C codes triggered — the most of any vendor in this analysis group — including real-time exfiltration (C16) that makes data streaming invisible to standard monitoring
- Signal corruption score of 70 is the highest in the entire VRS 85 tier — Warmly measurably degrades your analytics integrity
- WebSocket/SSE exfiltration (C16) means visitor data leaves your site in real time before any intervention is possible — demand disclosure of all WebSocket endpoints and transmitted data fields
- 4 domains and 5 scripts for 8 sites — the infrastructure-to-deployment ratio suggests heavy instrumentation per site
- Demand a consent-first mode, WebSocket data inventory, and contractual prohibition on cross-customer data aggregation as minimum conditions for continued deployment
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Warmly deploys evasion infrastructure capable of modifying its behavior during audits or compliance checks. Combined with 7 other BTI-C triggers, this suggests systematic awareness of and adaptation to detection mechanisms.
Keystroke/mouse tracking
Impact: Behavioral tracking feeds Warmly's AI-powered identification models. Mouse movements, scroll patterns, and interaction sequences are captured and processed to enhance visitor identification accuracy beyond what network-level signals alone provide.
Identity stitching
Impact: Identity stitching across Warmly-enabled sites means visitor profiles are built from behavioral data aggregated across multiple properties. Your site contributes to a cross-domain identity graph controlled entirely by Warmly.
Ignoring CMP signals
Impact: 33% pre-consent firing rate means one-third of observed Warmly deployments begin deanonymization before consent mechanisms engage. For a tool whose primary function is identifying people, any pre-consent activation creates immediate GDPR liability.
Device identification
Impact: Device fingerprinting enables persistent identification across sessions and cookie resets, ensuring Warmly's deanonymization survives standard privacy measures and maintains continuous visitor tracking despite user privacy actions.
PII deanonymization
Impact: Deanonymization is Warmly's core product — resolving anonymous visitors to real company and individual identities. Every visitor on your site becomes a lead record in Warmly's system, identified and enriched in real time without visitor knowledge or consent.
Container/loader (neutral)
Impact: Container/loader behavior allows Warmly to dynamically load and orchestrate its multi-script deployment across 4 domains, potentially introducing additional tracking capabilities without requiring host site code changes.
WebSocket/SSE streaming
Impact: WebSocket/SSE streaming detected — Warmly transmits visitor data off your site in real time as users browse. This is not batch collection for later processing; it is live data streaming that makes exfiltration invisible to standard request-level monitoring and impossible to retroactively prevent.
IOC Manifest
Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
27 detection signatures across scripts, domains, cookies, and network endpoints
HAR Forensics
| Destination | Algorithm |
|---|---|