How This Briefing Works
This report opens with key findings, then maps the gaps between what Zenrows discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Pre-Consent Activity
Zenrows was observed loading and executing before user consent was obtained on 93% of sites where it was detected.
Claims vs. Observed Behavior
pending
“Requires claims extraction via CDT”
Defeat device, behavioral biometrics, session recording, cross-domain sync, consent bypass, fingerprinting, persistence, and tag manager detected in runtime
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Zenrows
- →Audit defeat device deployment within fraud detection infrastructure
- →Review session recording retention for security challenge workflows
- →Verify cross-domain sync scope for fraud detection continuity
- →Audit tag manager capabilities for third-party script injection risk
- →Verify fingerprinting scope does not exceed fraud prevention requirements
- →Require consent collection before Zenrows surveillance initialization
If You're Evaluating Zenrows
- →Fraud detection solutions without embedded visitor surveillance
- →Privacy-respecting anti-bot platforms limiting tracking scope
- →Self-hosted security workflows eliminating cross-customer intelligence leakage
Negotiation Leverage
- →Challenge defeat device mechanisms within anti-bot infrastructure
- →Require disclosure of all surveillance capabilities beyond fraud detection
- →Demand opt-out from cross-customer fraud pattern analysis
- →Request data processing agreement amendments addressing visitor tracking through security layer
- →Audit tag management capabilities for third-party data sharing risk
- →Negotiate liability indemnification for maximum tracking deployed through fraud detection infrastructure
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
Evasion infrastructure, auditor bypass
Impact: Detection evasion mechanisms obscure surveillance deployment within anti-bot infrastructure.
Keystroke/mouse tracking
Impact: Interaction patterns captured to distinguish human from bot behavior and enhance fraud detection models.
Full session replay
Impact: Security challenge sessions captured in full fidelity, exposing how visitors navigate bot detection and revealing fraud trigger patterns.
Identity stitching
Impact: Fraud detection synchronized across organizational properties and external security touchpoints.
Ignoring CMP signals
Impact: Tracking mechanisms active within security layer before visitor consent collection completes.
Device identification
Impact: Comprehensive device characteristics harvested for fraud detection persistence and bot identification.
Long-lived identifiers
Impact: Long-lived tracking identifiers maintain fraud detection history beyond reasonable security timeframes.
Container/loader (neutral)
Impact: Tag management capabilities enable dynamic third-party script injection through security infrastructure.
IOC Manifest
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
80 detection signatures across scripts, domains, cookies, and network endpoints