Category Definition

Nudge Security tells you what vendors have access to. BLACKOUT tells you what they do with it.

Nudge Security discovers SaaS applications through OAuth grants and SSO patterns. It answers “what apps are connected to our systems?” That’s SaaS discovery.

BLACKOUT answers “what are those apps actually doing?” That’s GTM Security.

Access vs. Action

Knowing what’s connected is step one. Watching what it does is step two.

Nudge Security — What Has Access

  • OAuth grant discovery: Identifies every SaaS application that has been granted OAuth access to your Google Workspace, Microsoft 365, or other identity providers
  • Shadow SaaS detection: Finds applications employees are using that IT didn't approve — discovered through SSO and OAuth grant patterns
  • Permission scope analysis: Shows what permissions each connected application has been granted (read email, access calendar, manage contacts, etc.)
  • SaaS inventory: Builds a complete catalog of every SaaS tool in use across the organization
  • Access revocation: Enables IT to revoke OAuth grants for unauthorized or risky applications

Discovers the keys. Doesn’t watch the doors.

BLACKOUT — What They Do With It

  • Runtime behavior observation: Nudge knows WHAT access a vendor has. BLACKOUT watches what they DO with that access. Having read permission on your CRM doesn't mean they're reading your deal stages — but BLACKOUT can prove they are.
  • Client-side script behavior: Nudge discovers apps through OAuth grants. It doesn't see JavaScript executing on your website — the tracking pixels, the consent bypasses, the cookie sync chains. That's an entirely different surface.
  • Pre-consent data collection: Nudge can't tell you that a vendor fires 340ms before your consent banner loads. It sees the OAuth grant, not the runtime behavior.
  • Supply chain resolution: Nudge knows you connected 6sense via OAuth. It doesn't know that 6sense's script loads 12 additional vendors you never contracted with. The OAuth grant is one integration. The script loads 13.
  • Claims vs. reality analysis: Nudge inventories what vendors HAVE access to. BLACKOUT compares what vendors CLAIM to do (DPA, privacy policy, trust page) against what they ACTUALLY do (observed runtime behavior). The gap is the finding.
  • Defeat device detection: Nudge looks at OAuth scopes. It can't detect that a vendor's script changes behavior when compliance tools are watching. Defeat devices are invisible to permission-based analysis.

Watches the doors. Shows you what went through them.

The Example

Same vendor. Two views.

6sense connected via HubSpot Marketplace

What Nudge Security Sees
  • OAuth grant: HubSpot → 6sense
  • Scopes: contacts.read, companies.read, deals.read
  • Connected by: marketing@company.com
  • Connected on: Jan 15, 2026
  • Status: Active
Assessment: 6sense has CRM read access. Scope is broad.

What BLACKOUT Sees
  • 6sense beacon fires pre-consent (12ms after page load)
  • Transmits visitor UUID, session ID, IPv6 address to b.6sc.co
  • Sets 12-month persistent cookie (6suuid)
  • Loads 4 undisclosed third-party scripts via initiator chain
  • Session replay active before consent interaction
  • DPA claims 3 subprocessors — scanner observes 7 data recipients
  • Visitor intent data resold to competing accounts
Assessment: 6sense is exfiltrating visitor data pre-consent and sharing it with undisclosed recipients.

Nudge correctly identified the OAuth grant and its scope. That’s valuable. But the scope doesn’t tell you what’s happening at runtime. The grant says “contacts.read” — the behavior says “pre-consent beacon with session replay to undisclosed third parties.”

Positioning

Discovery + Observation = Complete vendor accountability.

Nudge Security tells you what’s connected. BLACKOUT tells you what it’s doing. Together they close the loop: know what has access, then verify it’s behaving as agreed.

Separately, each solves half the problem. Nudge without BLACKOUT is an inventory with no behavioral verification. BLACKOUT without Nudge is behavioral observation that may miss apps connected through OAuth grants that don’t inject client-side scripts. The complete picture requires both surfaces.

Nudge Security discovers what’s connected.

BLACKOUT discovers what it’s doing.
