Category Reclamation

CHEQ claims “GTM Security.”
Their own customers’ data says otherwise.

CHEQ fingerprints every visitor on 15,000+ websites, flags VPN users as malicious, smuggles in undisclosed vendor scripts, and fires 17-20 trackers before consent. Palo Alto Networks — their own customer — classifies CHEQ cookies as “Targeting.”

Security is the costume. Targeting is the business.

Third-Party Classification

What Palo Alto Networks says about CHEQ.

Palo Alto Networks — Cookies Chart — Targeting Section
Provider
CHEQ
Section
TARGETING
Type
Persistent
Purpose
Analyzes user behavior for audience building

Not “Fraud Prevention.” Not “Bot Detection.” Not “GTM Security.” Targeting. One of the most respected cybersecurity companies on the planet classified CHEQ’s cookies as behavioral targeting technology. On their own website.

Who CHEQ Flags as a “Threat”

Privacy-conscious humans are “MALICIOUS.”

These classifications are published on CHEQ’s own documentation. This is how their product categorizes your website visitors.

VPN users
Invalid Suspicious Activity
Disabled cookies
Invalid MALICIOUS Activity
Disabled JavaScript
Invalid MALICIOUS Activity
Proxy users
Invalid Suspicious Activity
Headless browsers
Suspicious
Privacy tool users
MALICIOUS

A Fortune 500 procurement officer evaluating your product from a corporate VPN is flagged as “Invalid Suspicious Activity.” A CISO — the exact buyer CHEQ claims to serve — is classified as a threat by the product they’re evaluating. A developer testing with disabled JavaScript is “MALICIOUS.”

Meanwhile, an actual automated bot sailed through CHEQ’s infrastructure undetected, mapped every obfuscated domain, and decoded every payload in real-time.

The Business Model

Elegant. And architecturally inaccurate.

1Deploy fingerprinting on 15,000+ customer websites
2Flag anyone with 'unusual' fingerprints — developers, power users, security buyers, privacy-conscious humans
3Show customers a dashboard: 'We blocked 47,000 threats this month'
4Customer renews contract

The dashboard shows big numbers. The customer feels protected. Nobody checks whether the “threats” are actual threats or privacy-conscious humans. When the technology is disproportionate to the stated purpose, the stated purpose isn’t the real business. Palo Alto Networks already told you what the real business is: Targeting.

Claims vs. Reality

What CHEQ says. What BLACKOUT found.

CHEQ Claims
GTM Security
Observed Reality
Palo Alto Networks classifies CHEQ cookies as 'Targeting — Analyzes user behavior for audience building.' Not fraud prevention. Not bot detection. Targeting.
CHEQ Claims
Loved by marketers, trusted by CISOs
Observed Reality
VPN users are flagged as 'Invalid Suspicious Activity.' CISOs use VPNs. CHEQ's own product blocks the buyers it claims to serve.
CHEQ Claims
Bot detection
Observed Reality
BLACKOUT ran an automated bot through CHEQ's infrastructure. It wasn't detected. It wasn't slowed. It mapped every obfuscated domain and decoded every payload. In real-time.
CHEQ Claims
Transparency and trust
Observed Reality
'Reject All' ignored. 32 vendors detected. 3 disclosed subprocessors. 17-20 vendors fire pre-consent. CNAME cloaking to evade detection.
CHEQ Claims
Protects the GTM attack surface
Observed Reality
Deploys canvas, WebGL, and font fingerprinting on 15,000+ customer websites. Flags privacy-conscious users as threats. The product IS the attack surface.
The Actual GTM Threats

What “GTM Security” should actually catch.

While CHEQ is fingerprinting GPUs and flagging VPN users, these threats go completely undetected on customer sites:

Automated bots that don't trigger fingerprint heuristics
Supply chain scripts loaded by vendor initiator chains
Pre-consent tracking by contracted vendors
CRM data exfiltration through marketplace integrations
Cookie sync chains distributing visitor identity to ad networks
Defeat devices on OTHER vendors' scripts

BLACKOUT detects each of these patterns directly in the browser. CHEQ does not. One of us is doing GTM Security.

Their Own Site

CHEQ on cheq.ai

CHEQ Claims On Their Site
  • “Transparency and trust are at the foundation of everything we do”
  • Reject All button present
  • 3 disclosed sub-processors
BLACKOUT Scan Results
  • “Reject All” ignored — vendors fire regardless
  • 32 vendors detected on cheq.ai
  • 3 subprocessors disclosed vs. 32 observed
  • 17-20 vendors fire pre-consent
  • CNAME cloaking to evade detection
  • Multiple obfuscated tracking domains

They are exactly the threat they claim to protect against. The product that calls itself “GTM Security” cannot secure its own GTM stack.

The Collapse Engine

CHEQ doesn’t protect against GTM collapse. It accelerates all four vectors at once.

BLACKOUT classifies GTM risk across four collapse vectors. Vendors that trigger one are a problem. CHEQ triggers all four simultaneously.

Signal Integrity

Your measurement is poisoned.

CHEQ flags VPN users, developers, and privacy-tool users as “MALICIOUS.” Your analytics now say that CISOs evaluating your product from a corporate VPN are threats. You’re making pipeline decisions based on data that’s architecturally wrong. The signal is contaminated at the source.

Data Exposure

Your visitor data flows through targeting infrastructure.

CHEQ deploys canvas, WebGL, and font fingerprinting across 15,000+ customer websites. Palo Alto Networks classified CHEQ’s cookies as “Targeting — Analyzes user behavior for audience building.” Your visitors’ device signatures are flowing into infrastructure built for ad targeting, not security.

Attack Surface

Undisclosed vendor scripts smuggled onto your site.

CHEQ discloses 3 subprocessors. BLACKOUT detected 32 vendors on cheq.ai. The gap — 29 undisclosed vendors — represents code running on your site that you haven’t authorized, your visitors haven’t consented to, and your security team doesn’t know about. CNAME cloaking makes it harder to detect.

Compliance Risk

17-20 vendors fire before consent.

“Reject All” is ignored — vendors fire regardless. On CHEQ’s own website. If the vendor that claims to protect your consent compliance can’t manage consent on its own site, your consent mechanism is theater. When the regulator comes, they fine you. Not the script.

The “security” label is what keeps anyone from noticing. Nobody audits the security vendor. That’s why the costume works — until someone looks at the code.

What GTM Security Actually Means

BLACKOUT.

Runtime Verification

Observe vendor code as it executes in the browser — every network request, cookie, and data flow that fires in-session. Not a questionnaire. Not a fingerprint. Direct observation.

3-Pass Consent Testing

Scan before consent, after accepting, and after rejecting. Reveal which vendors fire regardless. Reveal which vendors ignore rejection. No fingerprinting required.

Claims vs. Reality

Compare what vendors claim in their DPA, privacy policy, and trust page against observed runtime behavior. The gap between claim and reality is the finding. Every time.

BLACKOUT does not fingerprint your visitors. We don’t classify VPN users as threats. We don’t flag privacy tools as malicious. We don’t deploy tracking cookies on your site. We run Plausible analytics on our own site. That’s it. Scan us. We’re clean. That’s the point.

CHEQ is a targeting platform in a security costume.

BLACKOUT is the security that catches companies like CHEQ.

When the technology is disproportionate to the stated purpose, the stated purpose isn’t the real business.

See the Platform