You sent 47 vendor questionnaires.
Nobody lied.
They just didn’t mention the other 13 vendors their script loads.
Vendor security questionnaires ask vendors to describe their own practices. The vendor fills out the form. The vendor defines the scope. The vendor decides what counts as a “third party.” And nowhere in the process does anyone observe what the vendor’s code actually does on your site.
The questionnaire industrial complex.
Your procurement team spent 6 weeks waiting for 850 answers. BLACKOUT scans runtime behavior in 60 seconds.
Right answers. Wrong questions.
Every answer below is technically truthful. None of them address the actual risk.
“Yes. AES-256.”
The vendor's encryption is fine. The problem is they're transmitting your visitor data to 13 undisclosed third parties before it gets encrypted anywhere.
“Yes. 12-month retention with automated deletion.”
Their retention policy covers data they store. It says nothing about the data they've already syndicated to intent data networks, ad exchanges, and identity resolution partners.
“Yes. Annual third-party pen test by [firm].”
The pen test evaluates the vendor's infrastructure. It does not test what their JavaScript does on YOUR site. Their servers can be hardened while their script exfiltrates your CRM.
“Yes. We maintain a DPA and appointed a DPO.”
Their DPA covers their internal operations. It does not prevent their script from firing 6 tracking cookies before your consent banner loads. BLACKOUT found this on 80% of vendors claiming GDPR compliance.
“Only with authorized subprocessors listed in our DPA.”
Their DPA lists 4 subprocessors. Their script loads 17 external domains. The 13 undisclosed recipients are not 'third parties' under their definition — they're the vendor's own supply chain, loaded through script initiator chains.
“No. We respect user consent preferences.”
BLACKOUT's 3-pass consent test found this vendor fires a tracking beacon with visitor UUID, session ID, and IP address 340ms before the consent banner renders. Technically, consent hasn't been 'declined' yet — it hasn't been presented.
Four reasons questionnaires fail.
Self-reported
The vendor fills out the form about themselves. They choose what to disclose, how to frame it, and what to omit. There is no independent verification of any answer.
Point-in-time
A questionnaire captures what the vendor claims today. Their script can change tomorrow. No questionnaire monitors ongoing behavior. The assessment is stale the moment it's submitted.
Wrong questions
Standard questionnaires were designed for infrastructure security. They ask about encryption, access controls, and incident response. They don't ask about pre-consent tracking, cookie theft, defeat devices, or supply chain script loading.
Scope-limited
Questionnaires ask about the vendor's internal operations. They do not ask about what the vendor's code does when it executes on YOUR website, inside YOUR CRM, with YOUR customer data. The entire client-side attack surface is out of scope.
850 questions. Or 60 seconds.
The Questionnaire
- Send form to vendor
- Wait 2-8 weeks
- Receive vendor’s self-reported answers
- Review 180-850 responses
- Trust that answers are accurate
- File in risk register
- Repeat annually
BLACKOUT
- Scan your site
- 60 seconds
- Observe vendor code executing in real-time
- 3-pass consent testing (pre, accept, reject)
- Map every network request, cookie, and data flow
- Compare claims to observed behavior
- Monitor continuously
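The "compare claims to observed behavior" step, as an added illustration that is not BLACKOUT's code: given the network events a runtime scan captured across the three consent passes, and the subprocessor list from the vendor's DPA, report undisclosed recipients with the script chain that loaded them, pre-consent beacons, and requests that still fire after a reject. All domains, timestamps and events below are constructed, and the registrable-domain helper is a deliberate simplification.

```javascript
// Constructed input: what the vendor declared, and what the scan observed.
const DECLARED_SUBPROCESSORS = new Set(["vendor.example", "vendorcdn.example"]);
const BANNER_RENDER_MS = 900; // ms after navigation start when the consent banner painted

// Constructed events from three passes: "pre" (no consent choice yet), "accept", "reject".
// initiators = chain of scripts whose execution caused the request, outermost first.
const EVENTS = [
  { pass: "pre", ts: 110, url: "https://vendorcdn.example/tag.js", initiators: [], setsCookies: [] },
  { pass: "pre", ts: 560, url: "https://collect.intentnet.example/b?uuid=8f2c&sid=7",
    initiators: ["https://vendorcdn.example/tag.js"], setsCookies: ["_in_id"] },
  { pass: "pre", ts: 640, url: "https://sync.idresolve.example/match",
    initiators: ["https://vendorcdn.example/tag.js", "https://collect.intentnet.example/loader.js"],
    setsCookies: ["_idr_sync"] },
  { pass: "accept", ts: 1850, url: "https://api.vendor.example/event",
    initiators: ["https://vendorcdn.example/tag.js"], setsCookies: [] },
  { pass: "reject", ts: 1900, url: "https://collect.intentnet.example/b?uuid=8f2c",
    initiators: ["https://vendorcdn.example/tag.js"], setsCookies: [] },
];

// Assumption/simplification: registrable domain = last two host labels (no public-suffix list).
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Domains contacted but absent from the DPA, mapped to the initiator chain that loaded them.
function undisclosedRecipients(events, declared) {
  const out = new Map();
  for (const e of events) {
    const d = registrableDomain(e.url);
    if (!declared.has(d) && !out.has(d)) out.set(d, e.initiators.map(registrableDomain));
  }
  return out;
}

// Pre-consent requests that fired before the banner rendered and carried identifiers
// in the query string or set cookies; plain script fetches are not counted.
function preConsentBeacons(events, bannerMs) {
  return events.filter(e => e.pass === "pre" && e.ts < bannerMs &&
    (new URL(e.url).search.length > 0 || e.setsCookies.length > 0));
}

// Requests to undisclosed domains that still fire after the visitor rejected.
function rejectPassViolations(events, declared) {
  return events.filter(e => e.pass === "reject" && !declared.has(registrableDomain(e.url)));
}

for (const [domain, chain] of undisclosedRecipients(EVENTS, DECLARED_SUBPROCESSORS))
  console.log(`undisclosed: ${domain} via ${chain.join(" -> ")}`);
console.log("pre-consent beacons:", preConsentBeacons(EVENTS, BANNER_RENDER_MS).length);
console.log("reject-pass violations:", rejectPassViolations(EVENTS, DECLARED_SUBPROCESSORS).length);
```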
Questionnaires ask vendors to describe themselves.
BLACKOUT observes what they actually do.
See the Platform