AWS Route 53: Managed DNS
Nameservers
4 AWS NS
ns-1226.awsdns-25.org
ns-1898.awsdns-45.co.uk
ns-455.awsdns-56.com
ns-770.awsdns-32.net
CAA Records
None Published
IPv6 (AAAA)
None on main domain
Yes on mypilot.com (via CF)
Wildcard
Yes → 11.9.0.1 (catch-all sinkhole)
Est. Activation
~2019–2020 High
CF Opportunity: 1-click DNSSEC, CAA mgmt, native IPv6, DNS analytics, fastest authoritative DNS globally
AWS CloudFront: CDN
Category
Content Delivery Network
Coverage
www.pilotcompany.com
order.pilotcompany.com
login.pilotflyingj.com
qa.pilotcompany.com
Gaps
api, portal, loyalty, jobs, mail — NO CDN
Header Leaks
server-timing: traceparent exposes OpenTelemetry trace IDs
S3 Replication
x-amz-replication-status: FAILED on order.*
Est. Activation
~2019 High
CF Opportunity: Unified CDN across ALL properties, header stripping, edge caching
AWS WAF: Web Application Firewall (Partial)
Category
Web Application Firewall
SQLi Test
NOT BLOCKED — HTTP 200
Header XSS
NOT BLOCKED — HTTP 200
RFI Test
NOT BLOCKED — HTTP 200
Coverage
CloudFront properties only — self-hosted IPs unprotected
Est. Activation
~2020 High
CF Opportunity: Managed WAF rulesets block SQLi + RFI out of the box. SQLi demo is a powerful talking point.
Cloudflare Bot Management (mypilotstore only)
Status
Active on mypilotstore.com
Evidence
cf-mitigated: challenge
Client Hints collection active
Main Site
NO bot mgmt on pilotcompany.com
Risk
Price scraping, credential stuffing on loyalty/rewards
Note
Already licensed — extend to primary domain
Confidence
High — cf-ray + cf-mitigated confirmed
CF Opportunity: Already deployed! Extend Bot Mgmt to pilotcompany.com, order.*, api.*
None Detected: API Security / Gateway
API Gateway
None detected
api.pilotflyingj.com
Exposed on raw IP 65.196.143.200 — no proxy/WAF
HSTS
Missing on main site
All 6 Headers
ZERO security headers on pilotcompany.com
CF Opportunity: API Shield, API Gateway, Transform Rules for instant headers
Amazon AWS: Primary Cloud
Category
Cloud Hosting (Primary)
Services
CloudFront, S3, ALB, Lambda@Edge, ACM
IPs
3.168.132.77 (www)
13.32.230.99 (order)
18.65.3.2 (qa)
DDoS
AWS Shield Standard only (basic L3/L4)
Origin Leak
AmazonS3 server header, x-nomnom custom headers exposed
Est. Activation
~2019 High
CF Opportunity: Cloudflare in front of AWS — header stripping, caching, WAF, L7 DDoS
Pilot Travel Centers: On-Prem (AS14556)
Category
Self-Managed Network
ASN
AS14556 (PTC - Pilot Travel Centers, LLC)
IP Blocks
74.114.188.0/24
74.114.189.0/24
74.114.190.0/24
70.159.149.0/24
65.196.143.0/24
(1,280 total IPs)
Transit
Verizon (AS701), AT&T (AS7018), Windstream (AS7029), AS12083
DDoS
None — direct transit, no scrubbing
Est. Activation
Pre-2010 High
CF Opportunity: Magic Transit for DDoS on 5 /24 blocks + Spectrum for non-HTTP
Third-Party SaaS Hosts: Fragmented Subdomain Stack
Category
SaaS / PaaS Hosting
Heroku
feedback.pilotcompany.com
Subdomain takeover risk
GitBook
ir.pilotcompany.com (investor relations)
Paradox.ai
careers.pilotcompany.com (recruiting chatbot)
PingFederate
sso.pilotflyingj.com (WiFi SSO on AWS ALB)
Providers Total
7+ different hosting providers across subdomains
CF Opportunity: Consolidate all properties under one proxy — unified security posture
Amazon / GoDaddy / Google: SSL/TLS Certificates
Category
Certificate Management
Main Cert
Amazon RSA 2048 M02 (DV)
Exp Sep 2026
Legacy Certs
GoDaddy G2 wildcards
*.pilotflyingj.com (Dec 2026)
*.pilottravelcenters.com (Aug 2026)
CF Properties
Google Trust Services WE1
(Cloudflare Universal SSL)
3 CAs
Three separate cert lifecycles across domains
CF Opportunity: Auto cert management, ACM, eliminate GoDaddy cert cost
ContentStack + SvelteKit: CMS & Frontend
Category
Content Management & Frontend
CMS
ContentStack (Headless CMS)
cdn.contentstack.io delivery
Frontend
SvelteKit (Svelte framework)
Tag Mgmt
Google Tag Manager (GTM-P2VZ4WGR)
Cookie Consent
OneTrust (CookieLaw)
Marketing
Autopilot/Ortto SDK
CF Opportunity: Cloudflare works with any CMS via standard origin pull
Microsoft 365: Exchange Online (No Gateway)
Category
Email & Collaboration
MX
pilotcompany-com.mail.protection.outlook.com (pri 10)
DMARC
p=quarantine (should be reject)
SPF
Soft fail (~all) — should be -all
DKIM
selector1/selector2 active
CNAMEs → pilotflyingj.onmicrosoft.com
Gateway
No email security gateway (no Proofpoint/Mimecast)
Est. Activation
~2018–2020 High
CF Opportunity: CF Email Security — layer anti-phishing on M365, move to p=reject / -all
Okta: SSO / Identity (3 Tenants)
Category
Identity & Access
Tenant 1
pilotcompany.okta.com Active
Tenant 2
pilot.okta.com Active
References pilot-admin, pilot.kerberos
Tenant 3
pilotflyingj.okta.com Active
CSP leaks "KNXOKTAPOC"
Hybrid
3 Okta tenants + PingFederate in parallel — unusual
Zero Trust
Not a full ZT architecture
Confidence
High — x-okta-request-id confirmed on all 3
CF Opportunity: Cloudflare One (ZTNA + SASE) — 800+ locations, integrates with existing Okta
PingFederate: WiFi / SSO Gateway
Category
SSO / Captive Portal
Endpoint
sso.pilotflyingj.com → pingfedwifi-prod-alb-*.elb.amazonaws.com
Cookies
Secure; HttpOnly on PF session cookies
Headers
X-Frame-Options: SAMEORIGIN
Purpose
Guest WiFi authentication at 800+ travel centers
Confidence
High — PF cookie format confirmed
CF Opportunity: Cloudflare WARP can replace captive portal + PingFed for WiFi auth
Amazon SES / Pardot: Transactional & Marketing Email
Category
Transactional & Marketing Email
Amazon SES
Referenced in SPF for pilottravelcenters.com, onecallnow.com
Pardot
pardot861501 verification on pilotflyingj.com
(Salesforce Marketing Cloud)
Exclaimer
Email signature management
Referenced in SPF records
Everbridge
Emergency notifications
Referenced in SPF for pilottravelcenters.com
KnowBe4 / OneTrust: Security & Compliance
Category
Security Training & Privacy
KnowBe4
Security awareness training
Same token across 3 domains — unified
OneTrust
Cookie consent + privacy compliance
CookieLaw SDK on main site
DMARC Reports
Reporting to vali.email
(DMARC analytics service)
Legacy Mail Relays
mail11/mail12.pilottravelcenters.com still in SPF across ALL domains
pilotflyingj.com: Legacy Primary Brand
Hosting
Mixed — CloudFront (login), self-hosted (mail, portal, loyalty, API)
WAF/CDN
NONE on self-hosted services
SSL
GoDaddy wildcard *.pilotflyingj.com (Dec 2026)
DMARC
p=quarantine, SPF ~all
Key Services
SSO, API, loyalty portal, rewards, WiFi, mail — all on AS14556
CF Opportunity: CRITICAL — operational services on exposed IPs with zero protection
mypilot.com / mypilotstore.com CLOUDFLARE — E-Commerce
DNS
Cloudflare NS
mypilot: melissa/nitin
mypilotstore: anna/carl
CDN/WAF
Cloudflare CDN + WAF + Bot Mgmt
Bot Mgmt
cf-mitigated: challenge — ACTIVE
Headers
X-Frame, X-Content-Type, Referrer-Policy, Permissions-Policy
IPv6
Dual-stack AAAA via Cloudflare
Accounts
2 different NS pairs = likely 2 separate CF accounts
Confidence
High — cf-ray confirmed
KEY: Existing CF footprint! Procurement/legal already cleared. Expand to Enterprise.
onecallnow.com CLOUDFLARE — Emergency Comms
CDN
Cloudflare CDN — server: cloudflare
Redirect
→ crisis24.com (GardaWorld acquisition)
Email
Microsoft 365
SPF -all (hard fail!)
pilottravelcenters.com / pilotcorp.com: Legacy Corporate Domains
pilottravelcenters
Self-hosted (74.114.188.119)
GoDaddy wildcard cert (Aug 2026)
Redirects to pilotcompany.com
pilotcorp
Legacy corporate — DNS/TXT only, no active web
flyingj.com
Self-hosted (74.114.189.73)
No redirect configured
pilotthomas.com
Anodyne (3rd-party) — Pilot Thomas Logistics subsidiary
CF Opportunity: Registrar consolidation + redirect mgmt for all legacy domains
Unowned Brand Domains BRAND RISK
pilotfuel.com
Parked — Afternic/Sedo marketplace
pilottruckstop.com
Parked — Afternic/Sedo marketplace
pilotfleet.com
Third-party (ns2.atom.com)
pilotpoints.com
Third-party (GoDaddy)
pilotrewards.com
GoDaddy DNS, Google Workspace — outside corporate IT
Risk
Phishing vector — brand-adjacent domains not controlled
CF Opportunity: CF Registrar for domain consolidation + brand protection
feedback.pilotcompany.com Heroku — Subdomain Takeover
Finding
CNAME → herokudns.com
Server: Heroku confirmed
Risk
HIGH — if Heroku app deprovisioned, attacker can claim subdomain
Status
Currently redirects to /surveys — still active
Fix
Remove CNAME or lock Heroku app permanently
qa.pilotcompany.com Staging Exposed
Finding
QA/staging environment publicly accessible on CloudFront (18.65.3.2)
Risk
HIGH — staging data, pre-release features potentially visible
Also
order-api-mobile.* publicly resolvable
Fix
IP allowlist, Cloudflare Access, or WAF rule
CF Opportunity: Cloudflare Access — lock down in under 1 hour, zero-trust auth
Legacy Mail Relays mail11/mail12 Still in SPF
Endpoints
mail11.pilottravelcenters.com → 74.114.188.69
mail12.pilottravelcenters.com → 74.114.188.68
mail.pilotflyingj.com → 74.114.188.192
Risk
MEDIUM — legacy relays on self-hosted IPs, still in SPF for ALL domains
Status
Likely replaced by M365 but DNS/SPF never cleaned up
Fix
Remove from SPF, decommission DNS records
Header / Origin Leaks Info Disclosure
OpenTelemetry
server-timing: traceparent;desc="00-..." on pilotcompany.com
S3 Replication
x-amz-replication-status: FAILED on order.*
Custom Headers
x-nomnom-encoding, x-nomnom-rules-matched (internal framework)
Lambda@Edge
x-cache: LambdaGeneratedResponse on login.*
Okta POC
"KNXOKTAPOC" leaked in CSP on pilotflyingj.okta.com
Redundant Systems Parallel Services
Jobs vs Careers
jobs.pilotcompany.com (self-hosted, 74.114.188.63)
careers.pilotcompany.com (Paradox.ai)
Both live — redundant
M365 Tenant
DKIM CNAMEs reference pilotflyingj.onmicrosoft.com
Legacy tenant name not updated
3 Okta Tenants
Unusual — suggests incomplete identity consolidation
Overall
3 generations of brand names still live in DNS (Pilot Travel Centers → Pilot Flying J → Pilot Company)
Love's Travel Stops: $40B+ Revenue
DNS
Self-managed (dns03/04.loves.com)
Casey's General Stores: $15B Revenue
Cloudflare?
FULL STACK — best peer reference
RaceTrac / Maverik: Regional Chains
Cloudflare?
BOTH full stack
7-Eleven / Speedway / Kwik Trip: Imperva Stack
7-Eleven
CSC DNS, Imperva CDN/WAF
Speedway
UU.net DNS, Imperva CDN/WAF
Kwik Trip
Azure DNS, Imperva CDN/WAF
Murphy USA
Azure DNS, Imperva CDN/WAF
Cloudflare?
No — all Imperva
Sheetz / Wawa / Buc-ee's: Other Regional
Sheetz
F5 Cloud DNS + F5 Volt ADC
Wawa
AWS Route 53, no CDN/WAF
Buc-ee's
GoDaddy DNS, no CDN/WAF
Circle K
CSC DNS, CloudFront CDN
#1 — Extend CF from mypilotstore: WAF + CDN + Bot Mgmt → pilotcompany.com
Already a CF customer on mypilotstore.com with Bot Mgmt. Main site has partial WAF (SQLi passes through), zero security headers, no bot protection. Extend existing deployment to primary brand.
Urgency
IMMEDIATE — procurement already cleared, SQLi gap is demo-ready
#2 — On-Prem DDoS: Magic Transit + Spectrum
5 /24 blocks (AS14556) with no DDoS scrubbing. API endpoint, loyalty portal, SSO, mail relays all on exposed origin IPs. Direct transit via Verizon/AT&T.
Urgency
HIGH — 1,280 IPs unprotected
#3 — Zero Trust / SASE: Cloudflare One
800+ travel centers, massive distributed workforce. 3 Okta tenants + PingFederate but no ZTNA. WARP + Access + Gateway replaces VPN, secures guest WiFi, integrates with existing Okta.
Urgency
STRATEGIC — large deal, longer sales cycle
#4 — Email Security: CF Email Security (Area 1)
No email security gateway — M365 only. DMARC at quarantine (not reject), SPF soft fail (~all). No Proofpoint or Mimecast. CF Email Security layers anti-phishing on M365.
Urgency
COMPETITIVE — greenfield, no incumbent to displace
#5 — Security Headers + Shadow Cleanup: Transform Rules + Access
Main site has 0 of 6 security headers. QA environment publicly exposed. Heroku subdomain takeover risk. Transform Rules add all headers instantly. Access locks down staging.
Urgency
QUICK WIN — demonstrate value in first week