Asurion — Infrastructure Technology Matrix

asurion.com  |  Private ($10B+ Revenue)  |  Analysis Date: June 30, 2026

At-a-Glance — Who Runs What
CLOUDFLARE-VERIFY TXT RECORD EXISTS — SOMEONE EVALUATED CF
DNS
AWS Route 53
No DNSSEC · No CAA · ~2015
CDN
Amazon CloudFront
5+ distributions · ~2018
WAF
AWS WAF (likely)
403 on XSS/SQLi · no vendor headers
Bot Management
DataDome (eval?)
TXT exists · no runtime headers
API Security
None Detected
Origin headers leaking
Network DDoS
None
Own ASN (AS32110) · 11+ prefixes exposed
Email Security
Microsoft 365 (native)
DMARC quarantine · No Proofpoint/Mimecast
Identity / SSO
Okta
+ legacy on-prem SSO (NDC)
VPN / Remote
Self-Managed
vpn.asurion.com · own IP space
AI Platforms
OpenAI + Anthropic
Both domain-verified + Cursor
Cloud / CMS
AWS (primary)
Next.js SSR · Contentful CMS
Competitor on CF
Assurant
#1 rival fully on Cloudflare
Core Infrastructure
AWS Route 53 | Managed DNS
Category
Managed DNS
Nameservers
4 AWS NS
ns-1340.awsdns-39.org
ns-169.awsdns-21.com
ns-1848.awsdns-39.co.uk
ns-892.awsdns-47.net
DNSSEC
Not Enabled
CAA Records
None Published
IPv6 (AAAA)
None on apex or www
Wildcard
Yes → 11.9.0.1 (sinkhole)
Est. Activation
~2015   High
CF Opportunity: 1-click DNSSEC, CAA mgmt, native IPv6, DNS analytics, no AWS lock-in
Amazon CloudFront | CDN
Category
Content Delivery Network
Coverage
www, my, protection, techcoach, enroll
(5+ CloudFront distributions)
HTTP/3
Supported (alt-svc: h3)
Gaps
blog, help, secure, jobs, hub — NO CDN
Header Leaks
x-amzn-trace-id, x-ssr-region: us-east-2, x-amzn-requestid exposed
Origin Leak
x-adc-osp: 1 — internal app ID exposed
Est. Activation
~2018   High
CF Opportunity: Unified CDN across ALL properties, automatic header stripping, 310+ PoPs vs ~40
AWS WAF (likely) | Web Application Firewall
Category
Web Application Firewall
XSS Test
Blocked — HTTP 403
SQLi Test
Blocked — HTTP 403
Vendor Headers
None — no WAF identification headers
Assessment
Blocking mode active on www; likely AWS WAF integrated with CloudFront
Coverage
CloudFront sites only — on-prem services unprotected
Est. Activation
~2020   Medium
CF Opportunity: Managed WAF rulesets, full-domain coverage, WAF analytics dashboard
DataDome (eval?) | Bot Management
Category
Bot Management
TXT Record
datadome-domain-verify exists
Runtime Headers
No DataDome headers in responses
JS Challenge
None observed
Assessment
DataDome likely in evaluation, limited deployment, or deactivated
Risk
Claims scraping, credential stuffing, account takeover on customer portals
Confidence
Medium
CF Opportunity: Cloudflare Bot Mgmt — integrated with WAF/CDN, no separate vendor needed
None Detected | API Security / Gateway
Category
API Security
API Gateway
None detected
Cookie Leak
_osp_sid — no HttpOnly flag, cross-domain on ubreakifix.com
X-XSS-Protection
Missing
Permissions-Policy
Missing
HSTS Preload
HSTS present but no preload directive
Confidence
High
CF Opportunity: API Shield, Transform Rules for header stripping, API Gateway
Cloud, Hosting & Network
Amazon AWS | Primary Cloud
Category
Cloud Hosting (Primary)
Services
CloudFront CDN, EC2, ELB, SES, ACM
SSR in us-east-2 (Ohio)
IPs
143.204.130.x (www)
18.222.40.69 (id)
ELB (help)
Origin Leak
x-ssr-region: us-east-2 exposed
Trace Leak
x-amzn-trace-id + x-amzn-requestid exposed
Est. Activation
~2018   High
CF Opportunity: Cloudflare in front of AWS — header stripping, caching, WAF, performance
Asurion On-Prem | AS32110 · Nashville DC
Category
Self-Managed Network
ASN
AS32110 (Asurion Insurance Services)
IP Blocks
96.63.64.0/21, 96.63.72.0/21
157.10.206.0/24
103.227.40-42.0/23 (APAC)
185.200.175.0/24 (EU)
11 IPv4 + 1 IPv6 prefix
Transit
Lumen, Verizon, AT&T, COLT, Globe Telecom
DDoS
None — direct transit only
Services Exposed
mail, webmail, vpn, crm, connect, hub, ns1, ns2
Est. Activation
Pre-2010   High
CF Opportunity: Magic Transit for DDoS on 11+ prefix blocks — international PoPs in APAC + EU
Amazon ACM | SSL/TLS Certificates
Category
Certificate Management
Edge Cert
Amazon RSA 2048 M01 (DV)
Exp Jan 5, 2027
uBreakiFix
Amazon RSA 2048 M04 (Wildcard)
Exp Sep 15, 2026
CAA
No CAA records — any CA can issue
SAN Leak
verizon-bis2.mysoluto.com on prod cert
DNSSEC
Not enabled
Confidence
High
CF Opportunity: Auto cert management, Advanced Certificate Manager, CAA enforcement
Next.js + Contentful | Frontend / CMS
Category
Content Management / Frontend
Framework
Next.js (React SSR)
CMS
Contentful (headless CMS via CSP)
A/B Testing
Optimizely
Analytics
Google Tag Manager, Mixpanel, Segment
Forms
Jotform, Qualtrics
Est. Activation
~2022   Medium
CF Opportunity: Workers for SSR (replace Lambda@Edge), Pages for static
Self-Managed DNS | Legacy Nameservers
Category
Legacy Internal DNS
ns1.asurion.com
96.63.68.43 (AS32110)
ns2.asurion.com
96.63.76.43 (AS32110)
Status
Not delegated — Route 53 is authoritative
Risk
Publicly reachable; likely serves internal zones
Assessment
Pre-Route 53 infrastructure never decommissioned
Confidence
High
CF Opportunity: Zero Trust DNS to replace internal resolvers
Email, Identity & Security
Microsoft 365 | Email + Native Security
Category
Email Security
MX
asurion-com.mail.protection.outlook.com (pri 5)
DMARC
p=quarantine (should be reject)
SPF
Hard fail (-all)
DKIM
M365 (selector1/2) + SendGrid (s1/s2)
Gateway
No Proofpoint/Mimecast — native M365 only
Est. Activation
~2018   High
CF Opportunity: CF Email Security — DMARC to reject, phishing protection, complement M365 Defender
Okta | Identity Provider
Category
Identity & Access
Tenant
asurion.okta.com Active (HTTP 200)
Hybrid
Okta + Azure AD / Entra ID (M365 in use)
Legacy SSO
sso.asurion.com → ndcsso (Nashville DC on-prem)
VPN
vpn.asurion.com → 96.63.70.15 (self-managed, no DDoS)
Est. Activation
~2020   Medium
CF Opportunity: Cloudflare One (ZTNA + Gateway) — replace VPN + on-prem SSO, integrate with Okta
Twilio SendGrid | Transactional Email
Category
Transactional Email
Account
u25369668.wl169.sendgrid.net
DKIM
s1/s2 active
Tracking
track.asurion.com → spgo.io (SparkPost)
Also
Amazon SES in SPF includes
Confidence
High
Wiz + OneTrust | Cloud Security & Privacy
Category
Cloud Security / Privacy
Wiz
wiz-domain-verification TXT
OneTrust
In CSP + TXT verification
Dynatrace
dynatrace-site-verification TXT
Cisco
cisco-intersight TXT (x2)
Confidence
High
CF Opportunity: CASB for SaaS security across 30+ verified tools
uBreakiFix Email | Inconsistent SPF
Category
Subsidiary Email Policy
SPF
Soft fail (~all) — weaker than asurion.com (-all)
Providers
Google Workspace + SendGrid + M365
Risk
Inconsistent email policy across brands
DMARC
Needs verification — may inherit or differ
Confidence
High
CF Opportunity: Unified email security policy across all Asurion brands
Sister Domains & Acquisitions
ubreakifix.com | Device Repair (Acq. 2019)
DNS
AWS Route 53
CDN
CloudFront + nginx
SSL
Amazon RSA 2048 (Wildcard)
Cookie Leak
Sets _osp_sid on asurion.com domain
SPF
Soft fail (~all)
Cloudflare?
No
soluto.com | Tech Support (Acq. 2018, Israel)
DNS
AWS Route 53
CDN
CloudFront
mysoluto.com
AZURE DNS — only non-R53 domain
Legacy IP
85.64.106.17 (Israel)
SSL Leak
verizon-bis2.mysoluto.com in prod cert SAN
Cloudflare?
No
phoneclaim.com | Claims Redirect
DNS
AWS Route 53
Behavior
Redirects → asurion.com/phoneclaim
SSL
Amazon RSA 2048 M01
Status
Functioning redirect
Cloudflare?
No
gosimplr.com → simplr.ai | AI Customer Service (Acq. ~2023)
DNS
AWS Route 53
Behavior
Redirects → simplr.ai
Status
Legacy brand — still active
Cloudflare?
No
asurion53.com | Partner/Carrier Portal
DNS
AWS Route 53
Non-prod
nonprod-asurion53.com in CSP headers
Purpose
Carrier/retailer partner integrations
CSP Reveals
guitarcenter.com in frame-ancestors
Cloudflare?
No
Defensive Registrations | Brand Protection
Owned
asurion.net, .org, .co, .io
ubif.net, anywhereexpert.us
All on
AWS Route 53
ubif.net
Resolves to 172.25.24.9 (RFC 1918 private range, 172.16.0.0/12)
Missing?
asurion.tech, .app, .ai, .insurance not confirmed
Cloudflare?
No
Shadow Infrastructure & DNS Leaks
*.asurion.com Wildcard HIGH RISK
Record
*.asurion.com → 11.9.0.1
Risk
ANY subdomain resolves — masks dangling CNAMEs, enables phishing
Impact
attacker.asurion.com resolves; hides decommission failures
blog.asurion.com HIGH RISK
Host
DreamHost shared hosting (208.97.176.31)
Risk
Enterprise brand on shared hosting — no HTTPS response
Impact
Neighbor-site compromise, no WAF/CDN protection
exchange.asurion.com MEDIUM
Target
ndcexchange.asurion.com (Nashville DC)
Risk
On-prem Exchange resolvable post-M365 migration
Impact
Common attack target for ProxyLogon/ProxyShell
smtp.asurion.com MEDIUM
IP
12.163.201.18 (AT&T)
Risk
Legacy SMTP relay — modern mail via SES/M365
Impact
SPF still includes on-prem ranges
jobs.asurion.com MEDIUM
IP
63.131.135.105 (DataPipe/Rackspace)
Risk
Separate from careers (Phenom People) — likely legacy
Impact
Duplicate job portal; brand confusion
secure.asurion.com MEDIUM
IP
207.86.219.180 (XO/Verizon Business)
Risk
Legacy Verizon Business infrastructure
Impact
Possibly decommissioned portal; still publicly routable
AI Stack, SaaS Tools & Tech Stack (from TXT Verification Records)
AI / ML Platforms | Verified via TXT Records
OpenAI
openai-domain-verification
Anthropic
anthropic-domain-verification
Cursor
cursor-domain-verification
Assessment
Active enterprise AI adoption across GPT + Claude + AI code editor
CF Opportunity: AI Gateway — centralized logging, rate limiting, caching, cost mgmt across AI providers
Dev / Engineering | Verified via TXT Records
Atlassian
x2 verifications
Docker
docker-verification
Postman
postman-domain-verification
MongoDB
x2 verifications
Also
Quickbase, Smartsheet
Security & Compliance | Verified via TXT Records
Wiz
Cloud security
OneTrust
Privacy/consent
Cisco Intersight
x2 infra mgmt
Infoblox
DNS/DHCP/IPAM
DataDome
Verified but not deployed
Collaboration | Verified via TXT Records
Slack
slack-domain-verification
Miro
miro-verification
Notion
notion-domain-verification
DocuSign
docusign
Also
Adobe IDP, Jamf, Neat Pulse
Marketing & Analytics | Verified via TXT/CSP
Mixpanel
x2 verifications
Segment
segment-site-verification
Google
x3 (GSuite + GTM + Analytics)
Optimizely
A/B testing (CSP)
Also
D365 Marketing (x2), Qualtrics, Jotform
Domain Registration
Domain
asurion.com
ASN
AS32110 — Asurion Insurance Services, Inc. (ARIN)
Total Prefixes
11 IPv4 + 1 IPv6 (2620:118:b001::/48)
Transit
Lumen (AS3356) · Verizon (AS701) · AT&T (AS7018) · COLT · Globe Telecom
Competitive Landscape — Who Uses What
Assurant | ~$10B Revenue · #1 Direct Rival
DNS
Cloudflare
CDN/WAF
Cloudflare
Evidence
cf-ray header confirmed; full Cloudflare NS
Cloudflare?
FULL STACK — best peer reference
Allstate / SquareTrade | Protection Plans
DNS
Self-managed (Allstate) · Self-managed (SquareTrade)
CDN
nginx (Allstate) · Amazon S3 (SquareTrade)
WAF
Unknown (Allstate) · None visible (SquareTrade)
Cloudflare?
No
Likewize / Brightstar | Device Lifecycle
DNS
AWS Route 53 (both)
CDN
Unknown
Revenue
~$1.5B (merged entity)
Cloudflare?
No
GEICO / State Farm | Insurance Majors
DNS
Akamai (GEICO) · Self-managed (State Farm)
CDN
Akamai (GEICO) · Unknown (State Farm)
Pattern
Insurance majors avoid Cloudflare — vertical whitespace
Cloudflare?
No
AmTrust / Frontdoor | Specialty Insurance / Home
DNS
Self-managed (AmTrust) · Akamai (Frontdoor)
CDN/WAF
F5 Volt-ADC (AmTrust) · Google Frontend + Akamai (Frontdoor)
Revenue
~$5B (AmTrust) · ~$1.8B (Frontdoor)
Cloudflare?
No
Top 5 Cloudflare Sales Entry Points
#1 — DNS + CDN Consolidation | Replace Route 53 + CloudFront
Route 53 + CloudFront + AWS WAF = three AWS services replaceable with one Cloudflare platform. No DNSSEC, no CAA, no IPv6, origin headers leaking. cloudflare-verify TXT already exists — someone evaluated CF.
Urgency
HIGH — competitor Assurant already on Cloudflare full stack
#2 — Magic Transit | DDoS for AS32110
11 IPv4 + 1 IPv6 prefix on own ASN with zero DDoS scrubbing. mail, vpn, crm, hub all directly exposed on 96.63.x.x. International PoPs in APAC (Philippines) + EU.
Urgency
HIGH — on-prem services exposed, 5 transit providers
#3 — Email Security | CF Email Security
DMARC at quarantine, not reject. No Proofpoint/Mimecast — relying on native M365 Defender. uBreakiFix SPF uses soft fail (~all) vs hard fail. Inconsistent policy across brands.
Urgency
HIGH — phishing gap, no email gateway
#4 — Zero Trust / SASE | Cloudflare One
Okta identity + self-managed VPN on own IP space + legacy on-prem SSO (Nashville DC). 30+ SaaS tools verified via TXT. Classic ZTNA migration: Access + Gateway + CASB.
Urgency
STRATEGIC — VPN replacement cycle
#5 — AI Gateway
Confirmed OpenAI + Anthropic + Cursor via TXT. Active enterprise AI adoption. AI Gateway: observability, caching, rate limiting, model routing, cost management across providers.
Urgency
STRATEGIC — AI spend visibility