Abstract
This report presents the first payload-level forensic analysis of Suno.com's data collection infrastructure, conducted via live HAR (HTTP Archive) capture during an authenticated 17-minute session. Previous VNR reports identified the scope of Suno's tracker deployment through endpoint enumeration and binary analysis. This investigation goes further — documenting the actual data being transmitted in POST request bodies to third-party servers.
The results are unambiguous: Suno transmits user identifiers, clip IDs, music creation events, behavioral analytics, and full DOM session recordings to at least 15 third-party tracker networks — at a sustained rate of 78 data exfiltration events per minute. This represents a data egress volume that is extraordinary even by adtech standards.
Methodology
Capture Environment
- Browser: Chromium-based (Comet), authenticated Suno session
- Duration: 17 minutes, continuous network recording
- Capture Method: Chrome DevTools Network HAR export
- Activities: Page navigation, music library browsing, song playback
- Extensions: Default browser profile (no blockers active)
Analysis Process
The captured HAR file was parsed programmatically to extract all network requests, with specific attention paid to POST request bodies. Each request was categorized by destination domain, tracker type, and payload content. Requests to Suno's own API endpoints (suno.com, clerk.suno.com) were separated from third-party tracker requests for distinct analysis.
Tracker Inventory
The following table catalogs every third-party tracker domain contacted during the 17-minute session, ranked by request count. Each domain represents a separate data recipient receiving user information without the user's knowledge or meaningful consent.
| Tracker | Domain | Requests | Type |
|---|---|---|---|
| TikTok Pixel | analytics.tiktok.com | 203 | Ad Network |
| Sprig | api.sprig.com | 68 | Analytics |
| Bing UET | bat.bing.com | 65 | Ad Network |
| Microsoft Clarity | clarity.ms / t.clarity.ms | 63 | Session Replay |
| hCaptcha | hcaptcha-*.prod.suno.com | 54 | PoW / Compute |
| AppLovin / MAX | ms.applovin.com | 53 | Ad Network |
| Snapchat Pixel | tr.snapchat.com | 32 | Ad Network |
| Braze | sdk.iad-03.braze.com | 30 | CRM / Push |
| Reddit Pixel | alb.reddit.com | 23 | Ad Network |
| Twitter/X Pixel | analytics.twitter.com | 18 | Ad Network |
| Suno Analytics Proxy | m-stratovibe.prod.suno.com | 12 | First-Party Proxy |
| Google Ads | googleads.g.doubleclick.net | 8 | Ad Network |
| Facebook Pixel | facebook.com/tr | 6 | Ad Network |
TikTok alone sent 203 requests in 17 minutes — one heartbeat ping every 5 seconds. This persists even when the user is not interacting with the page. The tab simply being open is sufficient to sustain continuous outbound data transmission.
Payload Evidence
Previous reports identified which domains Suno contacts. This section documents what data is actually being sent — the request bodies themselves.
1. Braze — User Identity & Creative Events
Braze receives detailed user identity data tied to Suno-internal user IDs, along with real-time creative process events:
// POST → sdk.iad-03.braze.com/api/v3/data
{
"user_id": "[SUNO_INTERNAL_USER_ID]",
"events": [{
"name": "song_listen",
"data": {
"clip_id": "[CLIP_UUID]",
"listen_duration": 42.3
}
}]
}Every song you listen to on Suno — including your own creations — is tracked by clip ID, duration, and linked to your permanent user identity. This data is sent to Braze, a third-party marketing automation platform, for use in behavioral segmentation and push notification targeting.
2. Sprig — Behavioral Surveys & Session Data
Sprig receives real-time behavioral data including page navigation patterns, feature usage, and session context:
// POST → api.sprig.com/sdk/surveys
{
"visitor_id": "[SPRIG_VISITOR_UUID]",
"environment_id": "[SUNO_ENV_ID]",
"page": "/create",
"events": ["page_view", "feature_used"]
}3. TikTok — Continuous Heartbeat Pings
TikTok's pixel maintains a persistent heartbeat connection, sending structured event data every ~5 seconds:
// POST → analytics.tiktok.com/api/v2/pixel
{
"event": "Pageview",
"pixel_code": "[SUNO_TIKTOK_PIXEL_ID]",
"context": {
"page": { "url": "https://suno.com/..." },
"user_agent": "[FULL_UA_STRING]",
"ip": "[USER_IP]"
}
}4. Microsoft Clarity — Full DOM Session Recording
Clarity captures complete session replay data — every mouse movement, click, scroll, and DOM mutation is recorded and transmitted:
// POST → t.clarity.ms/collect
// Binary-encoded payload containing:
// - Full DOM tree snapshots
// - Mouse movement coordinates (x, y, timestamp)
// - Click events with target element selectors
// - Scroll position changes
// - Form input events (character-level)
// - Page visibility changes
// Total: 63 requests in 17 minutesMicrosoft Clarity's session replay is functionally equivalent to screen recording your entire Suno session. Every prompt you type, every song you hover over, every button you consider clicking — all captured and sent to Microsoft's servers. This is the same technology that caused the MutationObserver GPU cascade documented in VNR's incident report.
5. First-Party Analytics Proxy
Suno routes analytics through its own subdomain m-stratovibe.prod.suno.com — a first-party proxy designed to evade ad blockers. Requests to this domain appear as first-party traffic, bypassing content blockers that filter by domain:
// POST → m-stratovibe.prod.suno.com/v1/track
{
"anonymous_id": "[STRATOVIBE_ANON_ID]",
"event": "Page Viewed",
"properties": {
"path": "/create",
"referrer": "[PREVIOUS_URL]"
}
}6. hCaptcha — Self-Hosted PoW on Suno Subdomains
hCaptcha's Proof-of-Work engine is served from Suno's own infrastructure — not from hcaptcha.com:
- hcaptcha-assets-prod.suno.com — serves the PoW JavaScript
- hcaptcha-endpoint-prod.suno.com — receives PoW solutions
By self-hosting hCaptcha on their own subdomains, Suno ensures that no standard blocklist targeting hcaptcha.com will block the PoW computation. Your CPU runs cryptographic hash operations for hCaptcha's network regardless of your privacy settings. Only a wildcard block on *.suno.com would catch this — which would break the entire site.
Session Timeline
The following timeline reconstructs the network activity during the 17-minute capture session, showing how tracker requests correlate with user actions.
song_listen event with clip ID
and duration. AppLovin sends conversion tracking. Total outbound requests now exceed 400.Key Findings
Finding 1: Every Creative Action is Monetized
Suno doesn't just track page views. It tracks every creative action — song plays, downloads, prompt submissions, library browsing — and transmits structured event data to both internal analytics (Stratovibe) and external marketing platforms (Braze, TikTok, Snapchat). Your creative process is not private. It is a data product.
Finding 2: Ad Network Saturation
Six distinct advertising networks (TikTok, Bing, Snapchat, Reddit, Twitter/X, Google Ads) receive real-time conversion data from Suno. This is not analytics — this is cross-platform ad retargeting infrastructure. Every action you take on Suno is used to follow you across the internet with targeted advertising.
Finding 3: Session Replay Without Consent
Microsoft Clarity records your entire session — mouse movements, clicks, scrolls, typed content, and DOM state — without explicit consent. The 63 Clarity requests in 17 minutes represent continuous screen recording transmitted to Microsoft's servers. This is the same script that caused the MutationObserver GPU cascade documented in VNR's March 7 incident report.
Finding 4: First-Party Proxy Defeats Privacy Tools
Suno's use of m-stratovibe.prod.suno.com as an analytics proxy means that standard content blockers and privacy extensions cannot distinguish tracker traffic from legitimate API calls. Users who believe their blockers are protecting them are wrong — Suno's analytics continue to flow through what appears to be first-party infrastructure.
Finding 5: hCaptcha Evasion Architecture
By self-hosting hCaptcha on suno.com subdomains, Suno has created a blocklist-proof PoW system. Your CPU performs cryptographic computation for hCaptcha's network, and no standard privacy tool can prevent it without breaking the entire Suno website.
Conclusions
The HAR capture provides irrefutable, payload-level evidence that Suno.com operates one of the most aggressive data exfiltration pipelines in consumer software. The combination of:
- 15+ simultaneous third-party tracker integrations
- 78 POST requests per minute sustained egress rate
- Full session replay recording via Microsoft Clarity
- Creative process tracking (song plays, clip IDs, prompt data)
- Self-hosted hCaptcha to evade privacy tools
- First-party analytics proxy to bypass content blockers
— constitutes a data collection apparatus that operates far beyond what any user could reasonably expect from a "music creation tool." The platform is not merely collecting analytics. It is operating a surveillance-grade data exfiltration pipeline that converts every user interaction into monetizable signals distributed across the global advertising ecosystem.
"2,149 requests in 17 minutes. 78 outbound transmissions per minute. This is not analytics. This is exfiltration." — Voss Neural Research, VNR-TR-2026-04
The original HAR file and all derived analysis artifacts are preserved in VNR's evidence archive. The capture is reproducible — any user can perform the same analysis using Chrome DevTools on any authenticated Suno session.