Understanding Findings
Findings are the core entity in BLACKOUT. A finding represents a detected vendor behavior that persists across scans.
Finding vs Detection
| Concept | Definition |
|---|---|
| Detection | A single observation from one scan |
| Finding | A deduplicated entity across all scans |
When you scan a site multiple times, you'll see the same vendors. BLACKOUT groups these into findings so you can track behavior over time without noise.
Finding Lifecycle
NEW → KNOWN → CHANGED → REGRESSED → RESOLVED

| Status | Meaning |
|---|---|
| new | First time seeing this vendor |
| known | Part of baseline, expected |
| changed | Behavior differs from baseline |
| regressed | Previously removed, now returned |
| resolved | No longer detected |
Finding Identity
A finding is uniquely identified by:
finding_key = hash(vendor_id + behavior_signature + endpoint_pattern + page_type)

This means:
- Same vendor on different pages = different findings
- Same vendor with different behaviors = different findings
- Same vendor, same behavior, same page = same finding
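
The grouping rules above, as an added example (not BLACKOUT's own code). The page does not name the hash or the field encoding, so SHA-256 over a JSON array is an assumption here, chosen so that field boundaries stay unambiguous; `scan_id` and all sample field values are constructed.

```python
import hashlib
import json
from collections import defaultdict

# The four identity fields named in the finding_key formula.
FIELDS = ("vendor_id", "behavior_signature", "endpoint_pattern", "page_type")

def finding_key(detection):
    """Derive a stable key from the four identity fields.

    Assumption: SHA-256 over a compact JSON array. Encoding the fields as
    a list keeps their boundaries explicit, so ("ab", "c") and ("a", "bc")
    cannot collide the way plain string concatenation would.
    """
    canonical = json.dumps([detection[f] for f in FIELDS],
                           separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def group_detections(detections):
    """Collapse per-scan detections into findings: key -> scan ids seen."""
    findings = defaultdict(list)
    for d in detections:
        findings[finding_key(d)].append(d["scan_id"])
    return dict(findings)

def make(scan_id, vendor, behavior, endpoint, page):
    """Build one constructed detection record (hypothetical shape)."""
    return {"scan_id": scan_id, "vendor_id": vendor,
            "behavior_signature": behavior,
            "endpoint_pattern": endpoint, "page_type": page}

# Constructed sample: two scans of the same site.
SAMPLE = [
    make(1, "rb2b", "visitor_identification", "/collect", "pricing"),
    make(2, "rb2b", "visitor_identification", "/collect", "pricing"),  # same finding
    make(2, "rb2b", "visitor_identification", "/collect", "home"),     # different page
    make(2, "rb2b", "session_recording", "/collect", "pricing"),       # different behavior
]

if __name__ == "__main__":
    for key, scans in group_detections(SAMPLE).items():
        print(key[:12], "seen in scans", scans)
```
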
Classification Recommendations
BLACKOUT suggests one of four actions:
KILL
Remove immediately. The vendor:
- Has no legitimate business purpose
- Collects excessive data
- Shares data with undisclosed parties
- Bypasses consent
CONTAIN
Restrict scope. The vendor:
- Has valid use case BUT
- Needs data minimization
- Should be limited to specific pages
- Requires consent before activation
WATCH
Monitor closely. The vendor:
- Is borderline acceptable
- Has changed behavior recently
- Requires ongoing surveillance
SAFE
Approved for use. The vendor:
- Has legitimate purpose
- Operates within disclosed parameters
- Is properly consented
BTI Categories
BLACKOUT classifies vendor behaviors using BTI (Blackout Threat Intelligence):
| Category | Risk Level | Examples |
|---|---|---|
| visitor_identification | HIGH | RB2B, Clearbit Reveal |
| crm_enrichment | HIGH | Apollo, ZoomInfo |
| session_recording | MEDIUM | FullStory, Hotjar |
| analytics | LOW | GA4, Amplitude |
| advertising | VARIES | Meta Pixel, LinkedIn Insight |
| consent_management | LOW | OneTrust, Cookiebot |
BTSS Score
The Blackout Trust Security Score (0-100) factors in:
- Consent compliance
- Data minimization
- Disclosure accuracy
- Piggyback depth
- Storage patterns
Higher = More trustworthy
Evidence
Each finding includes evidence:
{
  "evidence_refs": [
    { "type": "har_request", "path": "har/0024_request.json" },
    { "type": "cookie", "path": "cookies/rb2b_session.json" },
    { "type": "script", "path": "scripts/rb2b_tag.js" }
  ]
}

Download an Evidence Pack for forensic-grade documentation.
Actions
From any finding, you can:
- Classify — Set KILL/CONTAIN/WATCH/SAFE
- Create Task — Assign remediation to a team
- Download Pack — Export evidence bundle
- Share — Escalate to Legal/Security
Next Steps
- Drift Detection — Monitor for behavioral changes
- Evidence Packs — Export forensic bundles