Category Reclamation

CHEQ claims “GTM Security.”
Their own customers’ data says otherwise.

CHEQ fingerprints every visitor on 15,000+ websites, flags VPN users as malicious, smuggles in undisclosed vendor scripts, and fires 17-20 trackers before consent. Palo Alto Networks — their own customer — classifies CHEQ cookies as “Targeting.”

That’s not GTM Security. That’s the threat GTM Security should catch.

Third-Party Classification

What Palo Alto Networks says about CHEQ.

Palo Alto Networks — Cookies Chart — Targeting Section
Provider
CHEQ
Section
TARGETING
Type
Persistent
Purpose
Analyzes user behavior for audience building

Not “Fraud Prevention.” Not “Bot Detection.” Not “GTM Security.” Targeting. One of the most respected cybersecurity companies on the planet classified CHEQ’s cookies as behavioral targeting technology. On their own website.

Who CHEQ Flags as a “Threat”

Privacy-conscious humans are “MALICIOUS.”

These classifications are published on CHEQ’s own documentation. This is how their product categorizes your website visitors.

VPN users
Invalid Suspicious Activity
Disabled cookies
Invalid MALICIOUS Activity
Disabled JavaScript
Invalid MALICIOUS Activity
Proxy users
Invalid Suspicious Activity
Headless browsers
Suspicious
Privacy tool users
MALICIOUS

A Fortune 500 procurement officer evaluating your product from a corporate VPN is flagged as “Invalid Suspicious Activity.” A CISO — the exact buyer CHEQ claims to serve — is classified as a threat by the product they’re evaluating. A developer testing with disabled JavaScript is “MALICIOUS.”

Meanwhile, an actual automated bot sailed through CHEQ’s infrastructure undetected, mapped every obfuscated domain, and decoded every payload in real-time.

The Business Model

Elegant. And architecturally inaccurate.

1Deploy fingerprinting on 15,000+ customer websites
2Flag anyone with 'unusual' fingerprints — developers, power users, security buyers, privacy-conscious humans
3Show customers a dashboard: 'We blocked 47,000 threats this month'
4Customer renews contract

The dashboard shows big numbers. The customer feels protected. Nobody checks whether the “threats” are actual threats or privacy-conscious humans. The data is architecturally inaccurate by design.

Claims vs. Reality

What CHEQ says. What BLACKOUT found.

CHEQ Claims
GTM Security
Observed Reality
Palo Alto Networks classifies CHEQ cookies as 'Targeting — Analyzes user behavior for audience building.' Not fraud prevention. Not bot detection. Targeting.
CHEQ Claims
Loved by marketers, trusted by CISOs
Observed Reality
VPN users are flagged as 'Invalid Suspicious Activity.' CISOs use VPNs. CHEQ's own product blocks the buyers it claims to serve.
CHEQ Claims
Bot detection
Observed Reality
BLACKOUT ran an automated bot through CHEQ's infrastructure. It wasn't detected. It wasn't slowed. It mapped every obfuscated domain and decoded every payload. In real-time.
CHEQ Claims
Transparency and trust
Observed Reality
'Reject All' ignored. 32 vendors detected. 3 disclosed subprocessors. 17-20 vendors fire pre-consent. CNAME cloaking to evade detection.
CHEQ Claims
Protects the GTM attack surface
Observed Reality
Deploys canvas, WebGL, and font fingerprinting on 15,000+ customer websites. Flags privacy-conscious users as threats. The product IS the attack surface.
The Actual GTM Threats

What “GTM Security” should actually catch.

While CHEQ is fingerprinting GPUs and flagging VPN users, these threats go completely undetected on customer sites:

Automated bots that don't trigger fingerprint heuristics
Supply chain scripts loaded by vendor initiator chains
Pre-consent tracking by contracted vendors
CRM data exfiltration through marketplace integrations
Cookie sync chains distributing visitor identity to ad networks
Defeat devices on OTHER vendors' scripts

BLACKOUT catches every one of these. CHEQ catches none of them. One of us is doing GTM Security.

Their Own Site

CHEQ on cheq.ai

CHEQ Claims On Their Site
  • “Transparency and trust are at the foundation of everything we do”
  • Reject All button present
  • 3 disclosed sub-processors
BLACKOUT Scan Results
  • “Reject All” ignored — vendors fire regardless
  • 32 vendors detected on cheq.ai
  • 3 subprocessors disclosed vs. 32 observed
  • 17-20 vendors fire pre-consent
  • CNAME cloaking to evade detection
  • Multiple obfuscated tracking domains

They are exactly the threat they claim to protect against. The product that calls itself “GTM Security” cannot secure its own GTM stack.

What GTM Security Actually Means

BLACKOUT.

Runtime Verification

Observe every vendor’s code executing in your environment. Every network request, every cookie, every data flow. Not a questionnaire. Not a fingerprint. Direct observation.

3-Pass Consent Testing

Scan before consent, after accepting, and after rejecting. Reveal which vendors fire regardless. Reveal which vendors ignore rejection. No fingerprinting required.

Claims vs. Reality

Compare what vendors claim in their DPA, privacy policy, and trust page against observed runtime behavior. The gap between claim and reality is the finding. Every time.

BLACKOUT does not fingerprint your visitors. We don’t classify VPN users as threats. We don’t flag privacy tools as malicious. We don’t deploy tracking cookies on your site. We run Plausible analytics on our own site. That’s it. Scan us. We’re clean. That’s the point.

CHEQ calls itself GTM Security while fingerprinting your visitors.

BLACKOUT protects your GTM stack from vendors like CHEQ.

Positioning is all fun and games until you run across somebody actually doing the work.

See the Platform