How it works?

The GTM audit that tells you what's broken, what's missing, and why.

Two engines, not one. Coded rules catch technical failures. AI identifies what your setup is missing for your business. One report. No guessing.

🔒 Read-only access · No credit card · Results in ~2 min

Rules only vs. AI only vs. both.

Rules only

  • You know what's broken.
  • You don't know what's strategically missing.
  • A clean report can give you false confidence.

AI only

  • You get business context.
  • You don't know if the findings are real or hallucinated.
  • Run it twice, get different answers.
★ Our approach

Both — in that order

  • ✓ What's broken, labeled as violations.
  • ✓ What's missing, labeled as gaps.
  • ✓ One report. No overlap. No noise.

From click to report in 3 steps

Total: ~2.5 minutes from login to full report.

1. Connect your GTM account

Login with Google. Read-only access — we never modify your container.

We never write to your container.

~10 seconds

2. Rules engine runs

50+ deterministic checks fire simultaneously against your container. Same results every time.

~5 seconds

3. AI identifies the gaps

The AI layer receives the rule findings and looks for what's missing for your business — not what's broken.

~2 minutes

Deterministic rules first. AI second. Not the other way around.

AI is powerful for pattern-matching. It's unreliable for consistency — run the same audit twice and you might get different answers. That's not useful for anything you're going to act on.

We start with 50+ coded rules that always produce the same result given the same input. Then AI runs after them — building on verified findings, not guessing from scratch. This order prevents hallucination. The AI focuses on what it's actually good at: spotting what's missing.

Rules catch what you did wrong. AI catches what you didn't do at all.

50+ rules that always produce the same answer.

Think of them like a compiler, not a code reviewer. They don't have opinions. They check the same conditions every time. Either the eval() is there or it isn't. Either Consent Mode is configured or it isn't. Same container, same answer, always.

These rules were built from years of GTM auditing — before AI was a platform, before best practices became buzzwords. Refined against real containers across industries, adjusted for the patterns that actually cause problems.

They're not trying to be clever. They're trying to be reliable.

What the AI layer adds.

Rules find technical violations. They're blind to strategy. AI runs after the rules, receives the rule findings plus a structured view of your full container — every tag, trigger, and platform in use — and answers a different question: what should be here that isn't?

Like: you're running Google Ads but Conversion Linker is missing. Or you have an ecommerce site but no purchase events are configured. Rules won't catch those. AI will.

The rule says your syntax is right.

The AI says you can't measure campaign ROAS — Conversion Linker is missing.

The rule checks that Meta Pixel is present.

The AI checks whether you're actually measuring what your business needs — zero purchase events configured.

What we check across six dimensions.

Each dimension scores independently. Your overall health grade is a weighted average based on the type of site you run.


Security

Rules flag eval() in custom scripts, hardcoded credentials, and API keys in plain text. Common culprits: map embed keys, chat widget tokens, third-party service credentials left in Custom HTML. These aren't hypotheticals — they're patterns we see in production containers.

Privacy & Compliance

Consent Mode v2 missing. PII leaking through parameters. Marketing tags that fire before a user has consented. These are the checks that keep your business out of headlines.

Tracking Quality

Rules catch broken tags and missing triggers. AI catches what your setup is missing for your business — no purchase events on an ecommerce site, no Conversion Linker despite running Google Ads.

Performance

Synchronous scripts that block page rendering. Container bloat from tags that outlived their purpose. Things that slow down your site quietly, in the background.

Organization

Naming inconsistency. Undocumented variables. Folders that made sense to whoever built the container and to nobody since. This is where maintenance debt hides.

Tag Health

Broken variable references. Duplicate triggers. Tags that are paused but not deleted. The configuration debt that accumulates between audits.

What each layer finds.

The same container. Two different types of problems. Two different engines.

Critical · Deterministic · Security

Hardcoded API key in custom HTML tag

A live API key is embedded in plain text inside one of your custom scripts. It's visible in client-side traffic, in GTM's container export, and in browser dev tools. Anyone can extract it.

Recommendation

Remove the key from the client. Route the API call through a server-side endpoint where credentials stay private.

Warning · AI · Tracking Quality

Google Ads running without Conversion Linker

Your conversion tag is configured correctly and fires on the right pages. But Conversion Linker isn't installed. Without it, Google Ads can't reliably link clicks to conversions — Smart Bidding works on incomplete data.

Recommendation

Add the Conversion Linker tag and ensure it fires on all pages, before any conversion pixels.

Finding A is binary: the key is there or it isn't. Finding B is strategic: the configuration is correct, but the setup is incomplete for how you're using Google Ads. Rules catch A. AI catches B.
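The deterministic side of Finding A, as an added example (not the product's own rules): it scans the Custom HTML tags of a container export for eval() calls and quoted credential assignments, and reports the tag name without echoing the secret. The export layout (`containerVersion.tag[]`, tag type `html`, an `html` parameter), the rule ids and the regexes are assumptions; the sample container and its key are constructed.

```javascript
// Added example. Assumed export layout: containerVersion.tag[], where a
// Custom HTML tag has type "html" and carries its markup in the "html" parameter.
// Rule ids and regexes are illustrative, not the product's rules.
const RULES = [
  { id: "SEC-EVAL", severity: "critical", pattern: /\beval\s*\(/ },
  { id: "SEC-HARDCODED-SECRET", severity: "critical",
    // keyword, then : or =, then a quoted run of 16+ key-like characters
    pattern: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["'][A-Za-z0-9_-]{16,}["']/i },
];

// Constructed sample container; the key below is a placeholder, not a real credential.
const sampleExport = { containerVersion: { tag: [
  { name: "Map embed", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
      value: "<script>var cfg = { apiKey: 'EXAMPLE0placeholder0key0000000' };</script>" }] },
  { name: "Legacy loader", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
      value: "<script>eval(window.payload);</script>" }] },
  { name: "Chat widget", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
      value: "<script>loadChat({ theme: 'dark' });</script>" }] },
  { name: "Pageview", type: "placeholder-non-html", parameter: [] },
] } };

function auditContainer(exportJson) {
  const tags = (exportJson.containerVersion && exportJson.containerVersion.tag) || [];
  const findings = [];
  for (const tag of tags) {
    if (tag.type !== "html") continue; // only Custom HTML carries free-form script
    const html = (tag.parameter || [])
      .filter((p) => p.key === "html")
      .map((p) => String(p.value || ""))
      .join("\n");
    for (const rule of RULES) {
      // Report the rule and tag name only; never echo the matched secret.
      if (rule.pattern.test(html)) {
        findings.push({ rule: rule.id, severity: rule.severity, tag: tag.name });
      }
    }
  }
  // Stable ordering so the same container always yields the same report.
  return findings.sort((a, b) =>
    a.rule.localeCompare(b.rule) || a.tag.localeCompare(b.tag));
}

console.log(auditContainer(sampleExport));
```

A regex rule like this is binary in the sense the page describes, but it only sees literal patterns: a key assembled from string fragments or an indirect eval call would need additional rules.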

Ready to see what's in yours?

Takes 2.5 minutes. Read-only access. No changes to your container.

Deep GTM audit. Focused by design.

We audit the GTM container — deeply. We don't spread thin across your entire measurement stack:

Not included in this audit:

  • Server-side implementations (sGTM)
  • Your analytics property configuration (GA4 settings, Ads account setup)
  • CRM or CDP data pipelines
  • Your actual data — traffic, conversions, audiences
  • Privacy policy alignment with your tracking (that's a legal review)

For most teams, GTM is where the real problems are. That's where we focus.

Common questions

  • Is this actually accurate, or is it full of false positives?

    The deterministic checks are binary — either the pattern is present or it isn't. No interpretation, no scoring subjectivity. The AI layer is labeled separately so you always know which findings are rule-based vs. contextual.

  • What if my GTM container is very complex?

    The engine was built for production containers, not toy examples. The more tags and custom scripts your container has, the more the audit finds — that's when the security and performance checks matter most.

  • What about server-side GTM (sGTM)?

    Server-side containers are out of scope for this audit. We focus on web containers where configuration debt and compliance risks are most common.

  • Do you store my container data?

    No. Your GTM data is fetched at audit time, used to generate the report, and never persisted. Read-only access, nothing stored.

See what your container reveals.

Rules first. AI second. No surprises.

🔒 Read-only · No account needed · 50+ checks · ~2.5 min