Category Definition

Security ratings measure the vendor’s walls. Not what happens inside yours.

SecurityScorecard, BitSight, and RiskRecon scan a vendor’s external infrastructure — their DNS, their SSL, their open ports. That tells you whether the vendor’s own house is secure.

It tells you nothing about what they do inside yours.

The Measurement Gap

What Security Ratings Measure

  • DNS Configuration: SPF, DKIM, DMARC records properly configured
  • SSL/TLS Certificates: certificate validity, cipher strength, protocol version
  • Open Ports: exposed services on vendor infrastructure
  • Patching Cadence: how quickly the vendor patches known CVEs
  • Dark Web Mentions: vendor credentials or data on dark web forums
  • Breach History: known data breaches in public records
  • IP Reputation: vendor IP ranges flagged for spam or malware
  • Email Security: header configuration and anti-phishing measures

All of this is measured from OUTSIDE the vendor’s infrastructure. No interaction with your environment.

What Security Ratings Cannot Measure

  • Pre-consent tracking: Does the vendor's script fire before the user consents? Security ratings have no mechanism to test client-side consent timing.
  • Cookie theft: Does the vendor's script read and exfiltrate cookies set by other vendors? External infrastructure scans cannot observe runtime JavaScript behavior.
  • CRM data access scope: What fields does the vendor actually read from your HubSpot, Salesforce, or Marketo? Marketplace integrations are invisible to external scanners.
  • Supply chain loading: Does the vendor's script silently load 13 other vendors you didn't contract with? External scans see the vendor's servers, not what their code loads on your site.
  • Defeat devices: Does the vendor's code detect auditing tools and change behavior? A security rating is itself an external observation that the defeat device is designed to fool.
  • Data exfiltration endpoints: Where does the vendor actually send your visitor data? External scans of the vendor's DNS tell you nothing about what their pixel transmits from your site.
  • Competitor data sharing: Is your intent data being resold to your competitors? This is a business practice, not an infrastructure signal. No external scan can detect it.
  • Undisclosed subprocessors: Who else receives data through the vendor's script? The vendor's own infrastructure is clean. The third-party chain loaded by their JavaScript is not.

All of this happens INSIDE your environment. External infrastructure scans have zero visibility.
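As an added example (not part of this page or of the BLACKOUT product), this is the classification step such an in-environment observation has to perform: given a log of requests captured on one page view, it separates requests fired before consent, lists third-party domains that were never contracted, and attributes each undisclosed domain to the vendor script that pulled it in. The hostnames, timestamps, the `SAMPLE_EVENTS` log and the last-two-labels `registrableDomain` shortcut are all constructed assumptions.

```javascript
// Simplification: registrable domain = last two labels. A production audit would
// consult the Public Suffix List so that e.g. "foo.co.uk" is handled correctly.
function registrableDomain(url) {
  const host = new URL(url).hostname;
  return host.split(".").slice(-2).join(".");
}

// Constructed sample log for one page view on shop.example.com; t = ms since navigation
// start. "initiator" is the script that caused the request, as a resource-timing or
// request-interception observer in the page would record it.
const SAMPLE_EVENTS = [
  { t: 310,  type: "script", url: "https://cdn.vendor-a.example/tag.js",        initiator: "https://shop.example.com/" },
  { t: 480,  type: "beacon", url: "https://b.vendor-a.example/collect?uid=abc", initiator: "https://cdn.vendor-a.example/tag.js" },
  { t: 530,  type: "script", url: "https://static.unknown-one.example/fp.js",   initiator: "https://cdn.vendor-a.example/tag.js" },
  { t: 560,  type: "script", url: "https://edge.unknown-two.example/sr.js",     initiator: "https://cdn.vendor-a.example/tag.js" },
  { t: 4200, type: "consent" },                                               // visitor accepted the banner
  { t: 4350, type: "beacon", url: "https://b.vendor-a.example/collect?uid=abc", initiator: "https://cdn.vendor-a.example/tag.js" },
  { t: 4400, type: "beacon", url: "https://ingest.unknown-two.example/evt",     initiator: "https://edge.unknown-two.example/sr.js" },
];

// Classify every third-party request against the consent moment and the contracted vendor list.
// If no consent event exists, consentAt is Infinity and every request counts as pre-consent.
function auditVendorRequests(events, firstParty, contracted) {
  const consentEvent = events.find(e => e.type === "consent");
  const consentAt = consentEvent ? consentEvent.t : Infinity;
  const preConsent = [];
  const undisclosed = new Set();
  const loadedBy = {}; // vendor domain -> set of other domains its code pulled onto the page
  for (const e of events) {
    if (!e.url) continue;                       // consent marker, not a request
    const dom = registrableDomain(e.url);
    if (dom === firstParty) continue;           // your own traffic is not in scope
    if (e.t < consentAt) preConsent.push({ t: e.t, domain: dom, url: e.url });
    if (!contracted.includes(dom)) undisclosed.add(dom);
    const parent = registrableDomain(e.initiator);
    if (parent !== firstParty && parent !== dom) {
      if (!loadedBy[parent]) loadedBy[parent] = new Set();
      loadedBy[parent].add(dom);                // cross-vendor load: supply chain you never contracted
    }
  }
  return {
    consentAt,
    preConsent,
    undisclosedThirdParties: [...undisclosed].sort(),
    supplyChain: Object.fromEntries(Object.entries(loadedBy).map(([k, v]) => [k, [...v].sort()])),
  };
}

const REPORT = auditVendorRequests(SAMPLE_EVENTS, "example.com", ["vendor-a.example"]);
console.log(JSON.stringify(REPORT, null, 2));
```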

The Blind Spot

A-rated vendors. Active threats.

These vendors have strong security ratings. Their infrastructure is well-configured. Their external posture is clean. Here’s what BLACKOUT found running on customer sites.

  • 6sense, rated A. BLACKOUT Finding: Pre-consent beacon transmitting visitor UUID, session ID, and IPv6 address to b.6sc.co. 12-month persistent cookie. Session replay active before consent interaction.
  • ZoomInfo, rated A. BLACKOUT Finding: Full CRM read access via marketplace integration — deal stages, pipeline values, internal communications. Data used to enrich ZoomInfo's own product and resold to competitors.
  • CHEQ, rated A. BLACKOUT Finding: Canvas, WebGL, and font fingerprinting on customer sites while marketing itself as 'GTM Security.' Bot detection to evade compliance tools.
  • RB2B, rated B+. BLACKOUT Finding: 60+ bot detection strings to freeze when audited. HubSpot session cookie theft. Consent polling loop with 600ms retry. SOC 2 obtained while actively blocking SOC 2 auditors.

Every vendor above has a clean security rating. Every vendor above is actively compromising their customers’ revenue infrastructure. The rating measures the wrong surface.

Where Each Tool Looks

Different vantage point. Different findings.

Vendor’s Infrastructure (DNS, SSL, ports, patches, breach history): SecurityScorecard looks here.

The vendor’s code crosses into your environment.

Your Environment (your site, your CRM, your visitors, your data): BLACKOUT looks here.

A security rating tells you the vendor’s front door is locked. It doesn’t tell you what they’re doing with the key you gave them to yours.

Positioning

You need the rating. You also need the observation.

Security ratings are a valid signal for infrastructure risk. If a vendor’s SSL is misconfigured or they’ve been breached, you should know. Keep your SecurityScorecard subscription.

But also know that an A-rated vendor with perfect infrastructure can still fingerprint every visitor to your website, steal your HubSpot session tokens, load 13 undisclosed third-party scripts, and sell your intent data to your biggest competitor. The rating won’t tell you. The observation will.

Security Rating Answers
  • Is the vendor’s infrastructure secure?
  • Have they been breached before?
  • Are they patching vulnerabilities?
  • Is their email properly configured?
BLACKOUT Answers
  • What does their code do on my website?
  • Are they firing before consent?
  • Who else are they sharing my data with?
  • Are they hiding behavior from auditors?
  • Are they reading my CRM deal stages?
  • Are they selling my data to competitors?

Security ratings grade the vendor’s house.

BLACKOUT watches what they do inside yours.
