How Cassandra works

What it does

Cassandra loads the target URL in a real browser (Chromium via Playwright) and records every network request, cookie, JavaScript global variable, and DOM element present on the page. It then compares this data against a library of detection rules for known third-party tracking technologies.

Where a consent banner is detected, the scanner attempts to locate and click a reject option, then re-runs the same analysis to capture what fires before and after consent interaction.

Detection thresholds

A tracker is only reported when at least two independent signal types match: for example, a network request to a known domain and the presence of a known JavaScript global. Single-signal matches are discarded to reduce false positives. Confidence is marked Confirmed when three or more signal types match, and Likely at two.
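
The threshold rule above, sketched as an added example (this is not Cassandra's own code). The rule format, the tracker name "ExampleAnalytics", its domain, cookie, global and selector are all hypothetical, and the page observations are constructed.

```python
from urllib.parse import urlparse

# Hypothetical rule for a made-up tracker; a real rule library will differ.
RULES = {
    "ExampleAnalytics": {
        "network": {"example-analytics.test"},
        "cookie": {"_exa_id"},
        "js_global": {"exaTrack"},
        "dom": {"script#exa-loader"},
    },
}

def host_matches(host, domain):
    """True for the domain or a subdomain of it, not for look-alike hosts."""
    return host == domain or host.endswith("." + domain)

def matched_signal_types(rule, page):
    """Return the signal types of `rule` that the page observation satisfies."""
    hosts = {urlparse(u).hostname or "" for u in page.get("requests", [])}
    hits = set()
    if any(host_matches(h, d) for h in hosts for d in rule.get("network", ())):
        hits.add("network")
    for kind, key in (("cookie", "cookies"), ("js_global", "globals"), ("dom", "dom")):
        if rule.get(kind, set()) & set(page.get(key, [])):
            hits.add(kind)
    # A set: ten requests to the same domain still count as one signal type.
    return hits

def classify(page, rules=RULES):
    """Fewer than 2 signal types: discarded. 2: Likely. 3 or more: Confirmed."""
    findings = {}
    for name, rule in rules.items():
        hits = matched_signal_types(rule, page)
        if len(hits) >= 2:
            label = "Confirmed" if len(hits) >= 3 else "Likely"
            findings[name] = (label, sorted(hits))
    return findings

# Constructed observations, not real scan output.
SINGLE = {"requests": ["https://collect.example-analytics.test/p?e=view",
                       "https://cdn.example-analytics.test/exa.js"]}
DOUBLE = {**SINGLE, "globals": ["exaTrack", "dataLayer"]}
TRIPLE = {**DOUBLE, "cookies": ["_exa_id", "session"]}
LOOKALIKE = {"requests": ["https://example-analytics.test.other.test/x"],
             "globals": ["exaTrack"]}

if __name__ == "__main__":
    for label, page in [("single", SINGLE), ("double", DOUBLE),
                        ("triple", TRIPLE), ("lookalike", LOOKALIKE)]:
        print(label, classify(page))
```

Counting signal types rather than individual matches is what keeps a page that merely loads several files from one domain from being reported on that evidence alone.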

What it cannot determine

  • Whether data collected by a detected tracker is actually transmitted, stored, or shared with third parties.
  • Whether a correctly configured server-side consent check gates any tracker not visible at the browser layer.
  • Whether a privacy policy adequately discloses the tools detected.
  • Whether a detected tracker's implementation is lawful under any applicable regulation.
  • The content or payload of encrypted network requests.

Privacy & Data collection

Cassandra is designed as a zero-data application. It does not use internal tracking, analytics, or third-party pixels on its own domain.

  • No Cookies: Cassandra does not set browser cookies for its own operation.
  • Ephemeral IP Handling: Visitor IP addresses are read strictly for rate-limiting, stored in ephemeral memory, and are never saved to a database.
  • Isolated Scan History: Scan results are stored by unique ID and are not linked to user accounts or visitor identities.

Scope

Each scan covers up to six pages on the same domain (homepage + 5 high-priority internal links). It does not test authenticated states or simulate mobile viewports.