Clayton Homes (Berkshire Hathaway) — Infrastructure Technology Matrix

claytonhomes.com  |  Berkshire Hathaway Subsidiary  |  Analysis Date: June 30, 2026

Legend: Secure | Gap | Partial | Info | CF Opportunity
At-a-Glance — Who Runs What
API ALREADY ON CLOUDFLARE (via cct-pubweb.com)
DNS
GoDaddy
2 NS · No DNSSEC · ~15+ years
CDN
AWS CloudFront
www only · F5 BigIP on apex
WAF
AWS WAF
Basic rules · S3 error page
Bot Management
None
No bot protection in place
API Security
Cloudflare
api.claytonhomes.com on CF
Network DDoS
ISP-only (Charter & AT&T)
768 IPs · No scrubbing
Email Security
Proofpoint
DMARC reject · SPF ~all
Identity / SSO
Okta
Active tenant confirmed
Firewall / SD-WAN
Cisco
FMC + Meraki + Intersight
AI Platform
Anthropic (Claude)
Domain-verified via TXT
Load Balancer
F5 BigIP
Apex redirect · On-prem legacy
Cloud / Platform
AWS + GCP
API Gateway · React SPA
Core Infrastructure
GoDaddy | Managed DNS
Category
Managed DNS
Nameservers
2 GoDaddy NS
ns71.domaincontrol.com
ns72.domaincontrol.com
DNSSEC
Not Enabled
CAA Records
None Published
IPv6 (AAAA)
None
Wildcard
Yes → 11.9.0.1 (catch-all)
Est. Activation
~2005–2010   Medium
CF Opportunity: 1-click DNSSEC, CAA mgmt, native IPv6, DNS analytics, sub-10ms global resolution
AWS CloudFront | CDN
Category
Content Delivery Network
Coverage
www, images, careers, staging
Via claytonbuilthomes.com CNAME
Caching
Active x-cache: Hit from cloudfront
Gaps
Apex (F5 BigIP), blog (ELB), smtp/pop — NO CDN
Double-Hop
API: CF → CloudFront → origin (extra latency)
Header Leaks
x-amz-cf-pop, x-amzn-trace-id, x-amz-apigw-id exposed
Est. Activation
~2018–2020   Medium
CF Opportunity: Unified CDN across ALL subdomains + sister domains, eliminate double-hop, header stripping
AWS WAF | Web Application Firewall
Category
Web Application Firewall
XSS Test
Blocked — HTTP 403
SQLi Test
Blocked — HTTP 403
Error Page
Static S3 page — reveals AWS WAF vendor
Coverage
www only — apex, blog, smtp unprotected
Rate Limiting
None detected
Est. Activation
~2020–2022   Medium
CF Opportunity: Managed WAF rulesets, custom error pages, ALL-domain coverage, rate limiting
None Detected | Bot Management
Category
Bot Management
Status
No bot mgmt visible
JS Challenge
None observed
Bot Headers
None
Risk
Home search scraping, lead-gen bot abuse, competitor intelligence
Note
No CAPTCHA, no JS challenge, no bot score headers on any subdomain
Confidence
Medium
CF Opportunity: Cloudflare Bot Mgmt — homebuilder-specific protection for search & lead forms
Cloudflare API Security (api.claytonhomes.com)
Category
API Security / CDN
CF-Ray
Confirmed server: cloudflare
X-Frame-Options
DENY
CSP
frame-ancestors 'none'
Double-Hop
CF → CloudFront → origin (unnecessary)
Platform
Via cct-pubweb.com (Clayton's web platform)
Confidence
High
CF Opportunity: Expand from API-only to full stack. Remove CloudFront double-hop. Add API Shield.
Cloud, Hosting & Network
Amazon AWS | Primary Cloud
Category
Cloud Hosting (Primary)
Services
CloudFront CDN, API Gateway, ELB, S3
Subdomains
www, api, blog, media, images, careers, staging
API Gateway
x-amzn-requestid, x-amz-apigw-id exposed
Blog/Media
prod-claytonhomes-external-alb (us-east-1)
Est. Activation
~2018–2020   High
CF Opportunity: Cloudflare in front of AWS — header stripping, caching, WAF for all subdomains
F5 BigIP Legacy Load Balancer
Category
On-Prem Load Balancer
Location
Apex (claytonhomes.com) → 216.77.95.79
Function
301 redirect to www.claytonhomes.com
Header
Server: BigIP exposed
Protection
No CDN, no WAF, no DDoS on apex
Est. Activation
Pre-2010   High
CF Opportunity: Replace F5 redirect with Cloudflare Page Rule — eliminate SPOF hardware
Clayton Homes | On-Prem (AS395227)
Category
Self-Managed Network
ASN
AS395227 (CMH Services Inc.)
IP Blocks
216.77.95.0/24
71.86.252.0/24
12.187.19.0/24
(768 total IPs)
Transit
Charter/Spectrum (AS20115)
AT&T (AS7018)
DDoS
None — direct transit only
Est. Activation
~2016–2018   High
CF Opportunity: Magic Transit for DDoS scrubbing on 3 /24 blocks
Starfield / GoDaddy | SSL/TLS Certificates
Category
Certificate Management
Cert Type
Extended Validation (EV)
Clayton, Inc., Maryville TN
Issuer
Starfield Secure CA - G2 (GoDaddy subsidiary)
Expires
Oct 5, 2026
EV Value
EV green bar removed from all browsers since 2019 — paying premium for no UI benefit
Confidence
High
CF Opportunity: Free Universal SSL, Advanced Certificate Manager, auto-renewal
cct-pubweb.com | Clayton Web Platform
Category
Internal Web Platform
Frontend
React SPA
Subdomains
api, staging, careers, admin, images
Analytics
Segment + Google Tag Manager (2 containers)
Marketing
Salesforce MC (my.claytonhomes.com → sfmc-content.com)
Est. Activation
~2020–2022   Medium
CF Opportunity: Cloudflare works as edge proxy in front of the cct-pubweb platform
Email, Identity & Security
Proofpoint | Email Security Gateway
Category
Email Security
MX
mxa/mxb-000e6302.gslb.pphosted.com (pri 10)
DMARC
p=reject (strongest)
SPF
Soft fail (~all) — should be -all
DKIM
SendGrid (s1/s2/cm) + custom (k1)
Est. Activation
~2018–2020   High
CF Opportunity: CF Email Security (CES) — complement or replace Proofpoint for BEC protection
Okta | SSO / Identity Provider
Category
Identity & Access
Tenant
claytonhomes.okta.com Active
Verification
HTTP 302 → /app/UserHome + x-okta-request-id
Also Active
Microsoft 365 (MS=ms59724742) + Google Workspace (3× verified)
Zero Trust
No ZT architecture detected
Est. Activation
~2020   High
CF Opportunity: Cloudflare One (ZTNA + SASE) — Okta integration is straightforward
Cisco | Network Security (FMC / Meraki)
Category
Firewall / SD-WAN
FMC
Firewall Management Center (TXT record)
Meraki
SD-WAN / networking
Intersight
Cloud infrastructure mgmt
VPN
Likely Cisco AnyConnect (inferred from FMC)
Confidence
High (TXT records)
CF Opportunity: Cloudflare WARP replaces VPN · Magic WAN replaces SD-WAN
Twilio SendGrid | Transactional Email
Category
Transactional Email
DKIM
s1/s2/cm selectors
Purpose
Order confirmations, home purchase updates, notifications
Also
Emma (e2ma) x3 — email marketing
Oracle Cloud — email delivery
Note
3 email delivery vendors (SendGrid, Emma, Oracle) — fragmented
Confidence
High
Valimail | DMARC Reporting & Auth
Category
Email Authentication
SPF
Valimail macro-based SPF (%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email)
DMARC RUA
dmarc_agg@vali.email
SPF Issue
~all (soft fail) — not enforcing hard rejection
Sister Gap
vanderbiltmortgage DMARC reports to onsecureserver.net, not Valimail
Confidence
High
Security Headers — www.claytonhomes.com vs api.claytonhomes.com
HSTS | HTTP Strict Transport Security
www
MISSING
api
MISSING
Risk
Vulnerable to SSL stripping / downgrade attacks
CF: One-click HSTS via Transform Rules
CSP | Content Security Policy
www
MISSING
api
frame-ancestors 'none'
Risk
No XSS/injection protection at browser level on main site
CF: Response header Transform Rules
X-Frame-Options | Clickjacking Protection
www
MISSING
api
DENY
Risk
Main site can be embedded in malicious iframes
CF: Auto-added with Cloudflare proxy
X-Content-Type-Options | MIME Sniffing
www
MISSING
api
MISSING
Risk
Browser may interpret files as wrong content type
CF: Transform Rules, zero code change
Referrer-Policy | Referrer Control
www
MISSING
api
MISSING
Risk
Full referrer URLs leaked to third-party scripts
CF: Transform Rules, zero code change
Permissions-Policy | Feature Restrictions
www
MISSING
api
MISSING
Risk
No restrictions on camera, mic, geolocation access
CF: Transform Rules, zero code change
AI Platforms, SaaS & Third-Party Services
Anthropic | Claude AI
Evidence
anthropic-domain-verification TXT record
Use Cases
Likely: AI assistants, home configuration, analysis tools
Confidence
Confirmed
CF: AI Gateway for observability + rate limiting + caching
Atlassian | Jira / Confluence
Evidence
2× atlassian-domain-verification TXT records
Purpose
Project mgmt, wiki, engineering collaboration
Confidence
Confirmed
DocuSign | E-Signature
Evidence
2× docusign TXT verification
Purpose
Home purchase contracts, mortgage docs, dealer agreements
Confidence
Confirmed
Docker | Container Platform
Evidence
docker-verification TXT record
Purpose
Docker Business/Enterprise — containerized apps
Confidence
Confirmed
Smartsheet | Project Management
Evidence
smartsheet-site-validation TXT record
Purpose
Project tracking, manufacturing coordination
Confidence
Confirmed
Zoom / TeamViewer | Remote Access
Evidence
ZOOM_verify + teamviewer-sso-verification TXT
Purpose
Video conferencing, remote support for plants/dealers
Confidence
Confirmed
Subsidiaries & Sister Domains
vanderbiltmortgage.com | Mortgage Subsidiary
DNS
GoDaddy NS
Hosting
AWS Global Accelerator (3.33.251.168, 15.197.225.128)
WAF/CDN
NONE — zero edge protection
Email
DMARC reporting to onsecureserver.net, not Valimail
MX
No MX records visible
Confidence
High
CF Opportunity: Unprotected mortgage subsidiary — sensitive financial data with no WAF/CDN
21stmortgage.com Isolated Subsidiary
DNS
Network Solutions (worldnic.com) — different from parent
Hosting
Self-hosted (143.59.192.103) — own IP
Email
FortiMail Cloud — NOT Proofpoint like parent
DMARC
p=quarantine (should be reject)
Security
HSTS + X-Frame-Options SAMEORIGIN
Confidence
High
CF Opportunity: Most isolated sub — different DNS, email, hosting. Easy consolidation target.
clayton.com | Corporate Brand Domain
DNS
DigiCert DNS — yet another DNS provider
Hosting
Google Cloud Platform (35.215.123.236)
Stack
Completely different from homes division (GCP vs AWS)
WAF/CDN
None detected
Note
Corporate rebrand site — separate IT ownership
Confidence
High
CF Opportunity: Consolidate corporate domain under same CF account
claytonbuilthomes.com | Primary Website CNAME Target
DNS
AWS Route53
Role
www.claytonhomes.com CNAMEs here
CDN
CloudFront (inherited)
Note
Operational domain — not user-facing brand
Confidence
High
claytonproperties.com No Email Security
DNS
GoDaddy NS
Hosting
AWS Global Accelerator (15.197.148.33, 3.33.130.190)
Email
No MX, No DMARC, No SPF — phishing vector
WAF/CDN
None
Also
claytonconnectedhome.com → 11.9.0.1 (parked/abandoned)
Confidence
High
CF Opportunity: Zero email protection — brand impersonation risk
Legacy Infrastructure & Shadow IT
admin.claytonhomes.com PRIVATE IP LEAKED
Finding
Resolves to 10.190.11.51 (RFC 1918 private address)
Risk
HIGH — reveals internal network topology
CNAME
admin.claytonhomes.com.cct-pubweb.com
Fix
Remove from public DNS or proxy via Cloudflare Access
smtp / pop Legacy Mail Servers
Finding
smtp: 216.77.95.10
pop: 216.77.95.9 (Clayton-owned IP space)
Risk
HIGH — POP3 is unencrypted; direct IP exposure
Note
Self-hosted mail alongside Proofpoint — never decommissioned
Fix
Migrate to modern mail or restrict access
staging.claytonhomes.com Staging Exposed
Finding
claytonhomes.prod-staging.cct-pubweb.com → publicly accessible
Risk
MEDIUM — pre-release content visible
Fix
Gate behind Cloudflare Access (Zero Trust)
Also
Wildcard *.claytonhomes.com → 11.9.0.1 masks real shadow services
Header / Origin Leaks Info Disclosure
AWS API GW
x-amzn-requestid, x-amz-apigw-id exposed
CloudFront
x-amz-cf-pop, x-amz-cf-id (data center IDs)
F5 BigIP
Server: BigIP (appliance type revealed)
AWS ELB
Full ALB hostname reveals us-east-1 region
Architecture Debt Double-Proxy
API Path
Client → Cloudflare → CloudFront → Origin
(unnecessary double-hop)
www Path
Two CloudFront distributions in the Via header chain
Impact
Added latency (~30-50ms), double CDN cost
Fix
Remove CloudFront from API path; use Cloudflare exclusively
Competitive Landscape — Who Uses What
Cavco Industries | #1 Competitor — ON CLOUDFLARE
DNS
GoDaddy
CDN/WAF
Cloudflare · HSTS enabled
Also on CF
palmharbor.com
fleetwoodhomes.com
(all Cavco subsidiaries)
Cloudflare?
FULL PORTFOLIO — best competitor reference
D.R. Horton | $36B Revenue — ON CLOUDFLARE
DNS
DNS Made Easy
CDN/WAF
Cloudflare
Note
Largest US homebuilder by revenue
Cloudflare?
YES
Lennar | $34B Revenue — ON CLOUDFLARE
DNS
Cloudflare NS (full delegation)
CDN/WAF
Cloudflare
Note
Deepest CF integration — NS fully on Cloudflare
Cloudflare?
FULL STACK
PulteGroup | $16B Revenue — ON CLOUDFLARE
DNS
Self-managed (ns1.pulte.com)
CDN/WAF
Cloudflare
Note
Self-managed DNS + CF CDN/WAF
Cloudflare?
YES
Champion / Skyline / Marlette | Other Competitors
Champion
Network Solutions · unnamed CDN
Skyline
Network Solutions · unnamed CDN
Marlette
GoDaddy · no CDN detected
Cloudflare?
No
Top 5 Cloudflare Sales Entry Points
#1 — Expand from API | CDN + WAF + Bot Mgmt
API is already on Cloudflare. Main site has zero security headers, no bot mgmt, no rate limiting. "Why isn't your main site getting the same protection as your API?"
Urgency
IMMEDIATE
#2 — Competitor Gap | Cavco + DR Horton + Lennar on CF
Your #1 competitor (Cavco) and the 3 largest homebuilders are all on Cloudflare. Clayton is the outlier. "Are you comfortable with that gap?"
Urgency
HIGH
#3 — On-Prem DDoS | Magic Transit + Spectrum
3 /24 blocks (AS395227) with no DDoS scrubbing. Direct transit via Charter + AT&T. F5 BigIP on apex unprotected. 768 IPs vulnerable.
Urgency
HIGH
#4 — Zero Trust / SASE | Cloudflare One
Okta + Cisco FMC/Meraki but no ZTNA. Admin subdomain leaking private IPs. Staging exposed. WARP + Access replaces VPN + gates internal apps.
Urgency
STRATEGIC
#5 — AI Gateway | AI Gateway
Confirmed Anthropic (Claude AI) via TXT. AI Gateway: observability, caching, rate limiting for AI API calls. Also: Email Security to complement Proofpoint.
Urgency
STRATEGIC