The Cookie Leak
Their cookie names are their live A/B test names.
Most companies run a dozen experiments at once and treat the list like a state secret. Then they set a cookie in your browser to remember which version of each test you are in, and they name that cookie after the test. The secret is now sitting in your own browser, in plain text, with a helpful label. You just have to look.
What to do: curl -sI site.com | grep -i set-cookie
Why it works: Experiment frameworks store the variant assignment client-side, and almost nobody obfuscates the cookie name. The name is the test name.
Example: Zapier's headers hand you zapier.experiments.homepage_valuemaxxing=control and zapier.experiments.universal_nav_treatment=treatment. Two live tests, the pages they run on, and which arm you landed in, from one request.
Walk it through
I ran this against zapier.com in July 2026. Here is exactly what came back.
1. Ask for the headers, grep for the cookies.

Two names carry the whole message. homepage_valuemaxxing is a test on the homepage. universal_nav_treatment is a test on the site-wide navigation. The value after the equals sign, control or treatment, is the bucket this visit was assigned to. Run the same command against notion.so or vercel.com and you get tracking IDs and consent flags and nothing else. Not every site leaks. The ones running a fast experimentation program almost always do.
2. You do not even need a terminal.
Open the site, open your browser console, and type document.cookie. The experiment cookies are right there, because they are not marked HttpOnly, which means the company's own client-side code has to read them. On zapier.com that returns zapier.experiments.universal_nav_treatment and zapier.experiments.homepage_valuemaxxing sitting alongside the usual tracking cookies. Anyone with a browser can read a competitor's test names in about ten seconds.
3. Go look at the page the test is running on.
homepage_valuemaxxing=control means I was served the control homepage. Here it is.

"Your tools. Your rules. Any AI." with agent counts and MCP tool-call stats front and center. That is the version Zapier is measuring against. Reload in an incognito window enough times and you may get bucketed into treatment, and the homepage that renders then is the variant they are betting will beat it. You are watching their homepage experiment run, live, for free.
The read
A cookie name is an internal label a developer wrote for themselves, never expecting a competitor to read it. So read it literally.
- The name is the hypothesis.
homepage_valuemaxxingsays they think the homepage is leaving money on the table and are testing a harder-selling version.universal_nav_treatmentsays the navigation is in play. That is their own list of doubts about their site. - The prefix is the surface.
homepage,universal_nav, and on other sitespricingorcheckout. The first word tells you exactly which page they are fighting over. - The value is the state.
controlversustreatmenttells you which arm you are in, so you can force the other and compare the two pages side by side.
Steal it
Two moves. First, keep a running log of a competitor's experiment cookies and re-check monthly. A test that shows up, runs for six weeks, then disappears and gets baked into the live site is a test that won. You just learned which change they proved out, without running the experiment yourself. Copy the winners.
Second, check your own headers before you ship. If you run experiments through a client-side framework, your test names are leaking too, named after your unreleased pricing page or your secret redesign. Rename them to something meaningless, or move the assignment server-side, before a competitor reads your roadmap the way you just read theirs.
Gotchas
- Server-side tests leave no cookie. Plenty of experiments run entirely on the server and set nothing you can see. An empty result does not mean they are not testing, only that they are not testing in the browser.
- A cookie is not proof a test is live. A flag can linger in production long after the experiment ended, dead code nobody cleaned up. Confirm by loading the page in different sessions and checking whether the rendered version actually changes.
- Read, do not tamper. Reading your own cookie is fair game, and forcing yourself into the other variant to see it is fine. Scripting thousands of sessions to reverse-engineer a whole test suite is where reconnaissance turns into load. Do not cross that line.