DRM prevents casual ripping. Forensic watermarking handles the case where DRM was already broken: someone screen-recorded the stream, ripped it via a compromised CDM, or captured it from an HDMI splitter, and now the file is on a piracy site. Forensic watermarking embeds a session ID into each viewer's video — modulating low-significance bits in a way that survives recompression, cropping, scaling and even camera-capture-of-screen attacks. When the leaked copy is found, a detector extracts the session ID from the watermark, and the OTT service can identify the original viewer.

Two technical patterns dominate. Pre-watermarking (also "A/B variant" watermarking) generates two versions of every segment — one "A" and one "B" — and the manifest serves each viewer a unique sequence of A/B picks that encodes their session ID. Post-watermarking (server-side or edge insertion) modifies the bitstream at delivery time to embed the ID directly. Pre-watermarking is more compute-efficient at scale; post-watermarking is more flexible.
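
The A/B scheme described above, as an added sketch that is not taken from any vendor's SDK: it turns a session ID into a per-viewer sequence of A/B segment picks, then recovers the ID from a partial, noisy leaked clip by majority vote. The 16-bit ID, one bit per segment, plain repetition coding, the segment file naming and a clip whose starting segment index is known are all assumptions made for illustration.

```python
from collections import Counter

ID_BITS = 16  # assumed session-ID width; real payload sizes are vendor-specific

def variant_sequence(session_id: int, n_segments: int) -> str:
    """A/B pick per segment: segment i carries ID bit (i mod ID_BITS), MSB first."""
    if not 0 <= session_id < (1 << ID_BITS):
        raise ValueError("session_id out of range")
    bits = [(session_id >> (ID_BITS - 1 - b)) & 1 for b in range(ID_BITS)]
    return "".join("B" if bits[i % ID_BITS] else "A" for i in range(n_segments))

def manifest_for(session_id: int, n_segments: int) -> list:
    """Per-viewer segment list; the seg_NNNNN_X.m4s naming is hypothetical."""
    seq = variant_sequence(session_id, n_segments)
    return [f"seg_{i:05d}_{v}.m4s" for i, v in enumerate(seq)]

def recover_session_id(observed, first_segment: int = 0):
    """Majority-vote each ID bit from detector output on a leaked clip.

    observed: 'A', 'B' or '?' (undecided) per segment, starting at
    first_segment. Returns None if any bit has no votes or a tie.
    """
    votes = [Counter() for _ in range(ID_BITS)]
    for offset, v in enumerate(observed):
        if v in ("A", "B"):
            votes[(first_segment + offset) % ID_BITS][v] += 1
    session_id = 0
    for c in votes:
        if c["A"] == c["B"]:  # no evidence or a tie: refuse to attribute
            return None
        session_id = (session_id << 1) | int(c["B"] > c["A"])
    return session_id

def demo():
    """Constructed leak: 48 segments cut from mid-stream, with detector noise."""
    clip = list(variant_sequence(0xBEEF, 120)[7:55])
    clip[5] = "A" if clip[5] == "B" else "B"  # one misread after recompression
    clip[20] = "?"                            # one segment too degraded to read
    return recover_session_id(clip, first_segment=7)

if __name__ == "__main__":
    print(manifest_for(0xBEEF, 4))
    print(hex(demo()))
```

Returning `None` instead of a best guess matters operationally: a clip shorter than one full repetition of the ID cannot support an attribution, and the verification side should say so.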

Major forensic-watermarking vendors include Friend MTS, NAGRA NexGuard, Verimatrix, Synamedia and ContentArmor. Most tier-1 sports rights deals in 2026 require forensic watermarking as a contract term — UEFA Champions League, NBA League Pass, NFL Sunday Ticket, Premier League all mandate it. OTT engineering teams typically integrate one watermarking SDK at the packager and one verification service that customers use when they find leaks.