Tractor Supply Company — Infrastructure Technology Matrix

tractorsupply.com  |  NASDAQ: TSCO  |  ~2,270 Stores  |  Analysis Date: June 30, 2026

Legend: Secure · Gap · Partial · Info · CF Opportunity
At-a-Glance — Who Runs What
⏰ AKAMAI ENTERPRISE CONTRACT — RENEWAL TIMING TBD
DNS
Akamai
Edge DNS · 6 NS · ~2015
CDN
Akamai
edgekey.net · EV cert · ~2014
WAF
Akamai
Kona Site Defender
Bot Management
Akamai
Bot Manager · strict mode · ~2019
API Security
None
API on bare IP — no protection
Network DDoS
None
Transit filtering only (5 providers)
Email Security
Proofpoint
DMARC reject · SPF -all
Identity / SSO
Okta
2 active tenants + legacy ADFS
Firewall / VPN
Palo Alto + Cisco
Next-gen FW + likely VPN
AI Platforms
OpenAI + Perplexity
Active AI expansion
ADC / Load Balancer
Citrix Netscaler
Application delivery controller
CMS / Media
Adobe AEM + Scene7
CMS + Dynamic Media via Akamai
Core Infrastructure
Akamai | Edge DNS
Category
Managed DNS
Nameservers
6 Akamai NS
a1-109, a2-67, a5-65, a9-66, a12-66, a24-64.akam.net
DNSSEC
Not Enabled
CAA Records
None Published
IPv6 (AAAA)
None for web (IPv6 BGP prefixes exist but unused)
Wildcard
Yes → 11.9.0.1 (catch-all sinkhole)
Est. Activation
~2015–2017   High
CF Opportunity: 1-click DNSSEC, CAA mgmt, native IPv6, DNS analytics, faster resolution
Akamai | CDN (edgekey.net)
Category
Content Delivery Network
Coverage
www, m, stores, shop.prod.cms,
shop-resources.prod.cms
CNAME
new-san.tractorsupply.com.edgekey.net
→ e9809.dsca.akamaiedge.net
Media CDN
media → vsan.scene7.com.edgekey.net
(Adobe Dynamic Media / Scene7)
Gaps
api, vendor, portal, adfs — NO CDN
EV Certificate
DigiCert EV 5 SANs · Valid to 2027-02-19
Est. Activation
~2014–2016   High
CF Opportunity: Unified CDN across ALL properties, Polish/Images, header mgmt
Akamai | WAF + Bot Manager
Category
WAF + Bot Management
WAF Status
Active — blocks curl, headless browsers
Bot Mgmt
Strict mode — JS challenge + device fingerprinting
XSS / SQLi Test
All probes blocked before app layer (conn reset / HTTP/2 errors)
Coverage
www/m/media/shop ONLY — api, vendor, portal, adfs UNPROTECTED
Assessment
Very aggressive blocking — may affect legitimate tools/crawlers
Est. Activation
WAF: ~2015 · Bot: ~2019   High
CF Opportunity: ML-based Bot Mgmt (score, not binary), Managed WAF rulesets, ALL-domain coverage
None Detected | API Security / Gateway
Category
API Security
API Endpoint
api.tractorsupply.com → 198.140.189.128
CDN / WAF
No CDN or WAF on API origin
Schema Validation
None detected
Rate Limiting
None — basic IP/UA filtering only
Origin Exposed
API IP directly addressable — bypasses edge
Confidence
High
CF Opportunity: CRITICAL — API Shield, schema validation, rate limiting, mTLS, origin masking
Citrix Netscaler | ADC / Load Balancer
Category
Application Delivery Controller
Purpose
Load balancing, SSL offload, traffic management
Relationship
Managed alongside Akamai infrastructure
Note
On-prem ADC — common in retail with self-hosted services
Confidence
Confirmed (internal)
CF Opportunity: CF Load Balancing + Spectrum can replace Netscaler for internet-facing apps
Network, Hosting & Certificates
Tractor Supply | On-Prem (AS27632)
Category
Self-Managed Network
ASN
AS27632 (TRACTORSUPPLY)
IP Blocks
198.140.189.0/24
146.88.151.0/24
199.181.220.0/24
8.35.48.0/24
(1,024 total IPs)
Transit
Cogent, Lumen/Level3, Zayo, Hurricane Electric, AT&T
DDoS
No scrubbing service — transit filtering only
IPv6
3 prefixes announced but not used for web
Est. Activation
Pre-2010   High
CF Opportunity: Magic Transit for DDoS on 4 × /24 blocks
Self-Hosted Services | On TSC IP Space (198.140.189.x)
API
api → 198.140.189.128 No CDN/WAF
Vendor Portal
vendor → 198.140.189.38 No CDN/WAF
Employee Portal
portal → 198.140.189.232 No CDN/WAF
ADFS
adfs → 198.140.189.23, .24 Identity on bare IP
Exchange
autodiscover → 198.140.189.21 Exposed
Mail Relay
mail → 198.140.189.238
Connect
connect → 198.140.189.50 Unknown service
CF Opportunity: CF Access (ZTNA) to protect all internal services without public exposure
DigiCert / GeoTrust | SSL/TLS Certificates
Edge Cert
DigiCert EV RSA CA G2
Valid to 2027-02-19
EV SANs
www, apex, stores, shop.prod.cms, shop-resources.prod.cms
API Cert
DigiCert OV · 6-month cycle
Valid to 2026-09-27
Vendor Cert
GeoTrust OV
Valid to 2026-09-30
Login Cert
Amazon ACM (DV) via CloudFront
Valid to 2027-01-05
CAA
No CAA records — any CA can issue
Confidence
High (TLS verified)
CF Opportunity: Advanced Certificate Manager, auto-renewal, CAA + DNSSEC
SAP Gigya / CDC | Customer Identity (CIAM)
Category
Customer Identity & Access
Endpoint
login.tractorsupply.com
CNAME
6642191.gigya-api.com → CloudFront
CDN Mismatch
On CloudFront, not Akamai — different CDN from main site
Purpose
Neighbor's Club loyalty auth, customer registration/login
Est. Activation
~2019–2021   Medium
CF Opportunity: Proxy login for WAF + bot protection on auth endpoints
Adobe | AEM + Dynamic Media (Scene7)
Category
CMS + Media / DAM
CMS Evidence
adobe-idp-site-verification TXT
shop.prod.cms subdomain pattern
Media
media → vsan.scene7.com.edgekey.net
(Adobe Dynamic Media via Akamai CDN)
Lock-in
Scene7 tightly coupled to Akamai CDN chain
Est. Activation
~2016–2018   Medium
CF Opportunity: Works with AEM via standard origin pull; Images/Polish as Scene7 alternative
Email, Identity & Security
Proofpoint | Email Security Gateway
Category
Email Security (SEG)
MX
mxa/mxb-0022f601.gslb.pphosted.com (pri 10)
DMARC
p=reject (strongest) fo=1 forensic reporting
SPF
-all (hard fail) — 17+ IPs, 3 includes
DKIM
SendGrid (s1/s2) + Mailchimp (k2)
Est. Activation
~2018–2020   High
CF Opportunity: CF Email Security as pre-filter complement — catches what SEGs miss
Okta | SSO / Identity Provider
Category
Identity & Access Management
Tenants
tractorsupply.okta.com (Active)
tsc.okta.com (Active)
Dual Tenant
Two active tenants — employees vs. partners? migration?
Hybrid State
Okta + AD FS running concurrently
ADFS still on bare public IPs
Zero Trust
Not a full ZT architecture — ADFS/portal/vendor exposed
Est. Activation
~2020–2022   High
CF Opportunity: Cloudflare One (ZTNA + SASE) — Okta integration native, ~2,270 stores
Microsoft | ADFS / Exchange (Legacy)
Category
Legacy Identity & Email Infrastructure
ADFS
adfs.tractorsupply.com
198.140.189.23, .24 — bare IPs, no WAF
Autodiscover
autodiscover.tractorsupply.com
198.140.189.21 — Exchange exposed
Mobile
mobile.tractorsupply.com → same IP as autodiscover — possibly deprecated
Risk
Identity federation endpoints publicly resolvable without protection
Status
Legacy — Okta replacing but NOT fully decommissioned
CF Opportunity: IMMEDIATE — CF Access to protect ADFS/Exchange without public exposure
Palo Alto Networks | Firewall / Network Security
Category
Next-Gen Firewall / Security
Evidence
paloaltonetworks-site-verification TXT record
Products
Likely: NGFW, Prisma Cloud/Cortex, network perimeter security
ZT Gap
Firewall-centric — not full Zero Trust
Confidence
Confirmed (TXT verified)
CF Opportunity: CF Gateway + WARP can complement or replace firewall/VPN
Cisco | Networking / VPN
Category
Networking / Remote Access
Evidence
cisco-ci-domain-verification TXT record
Products
Likely: Webex, Meraki, or AnyConnect VPN
VPN Risk
Traditional VPN — ripe for ZTNA replacement
Confidence
Medium (TXT verified)
CF Opportunity: CF Access + WARP replaces VPN — direct Cisco displacement
AI Platforms, SaaS & Third-Party Services
OpenAI | AI Platform
Evidence
Confirmed via internal records
Use Cases
AI agents, enterprise AI applications
Confidence
Confirmed
CF: AI Gateway for observability, caching, rate limiting, cost control
Perplexity AI | AI Search
Evidence
perplexity-ai-domain-verification TXT
Use Cases
AI-powered search, customer service, ecommerce
Confidence
Confirmed
CF: AI Gateway model routing + security
HashiCorp | Infrastructure as Code
Evidence
hcp-domain-verification TXT (HashiCorp Cloud Platform)
Products
Terraform, Vault, Consul — cloud infra mgmt
Confidence
Confirmed
CF: Terraform provider mature — easy infra-as-code adoption
Atlassian | Jira / Confluence
Evidence
atlassian-domain-verification TXT
Purpose
Project management, wiki, dev collaboration
Confidence
Confirmed
MongoDB | Database Platform
Evidence
mongodb-site-verification TXT
Purpose
MongoDB Atlas — cloud database services
Confidence
Confirmed
CF: Hyperdrive for edge DB acceleration
HackerOne | Bug Bounty
Evidence
h1-domain-verification TXT
Signal
Proactive security posture — runs vulnerability disclosure program
Confidence
Confirmed
Email Senders, Device Mgmt & Additional SaaS
Twilio SendGrid | Transactional Email
DKIM
s1/s2 selectors active
Purpose
Order confirmations, receipts, notifications
Confidence
High
Mailchimp | Marketing Email
DKIM
k2 selector active
Purpose
Marketing campaigns, newsletters, promotions
Confidence
Medium
Jamf | Apple MDM
Evidence
jamf-site-verification TXT
Purpose
Apple device management — ~2,270 stores' iPads/devices
Confidence
Confirmed
CF: WARP for device posture checks — integrates with Jamf
OneTrust | Privacy Compliance
Evidence
onetrust-domain-verification TXT
Purpose
CCPA/GDPR consent management, cookie banners
Confidence
Confirmed
FarEye | Logistics Tracking
Endpoint
tracking.tractorsupply.com → whitelabel-usaz.fareye.co
Purpose
Last-mile delivery tracking, customer shipment visibility
Confidence
Medium (CNAME verified)
Microsoft 365 / SAP SF / UKG | Corporate Email & HR
M365
SPF: spf.protection.outlook.com
SAP SuccessFactors
SPF: _spf-dc4.sapsf.com (HR/recruiting)
UKG Kronos
SPF: _spf01.mykronos.com (workforce mgmt)
Subsidiaries & Sister Domains
petsense.com | TSC Subsidiary (Shopify)
DNS
idp365.net NS (parking service)
Hosting
Shopify (23.227.38.64)
www → shops.myshopify.com
WAF/CDN
Shopify platform-managed
SSL
Let's Encrypt (Shopify auto-renewed)
Email
Same Proofpoint as TSC
Confidence
High
CF Opportunity: Separate conversation — Shopify has native CF integration
allivet.com | TSC Subsidiary (Fastly + PerimeterX)
DNS
shopco.com NS — not Akamai, not TSC DNS
CDN
Fastly CDN (Varnish)
t.sni.global.fastly.net — THIRD CDN vendor
Bot Mgmt
PerimeterX (HUMAN Security)
_pxhd cookie detected
Hosting
Azure (4.152.70.34)
HSTS
max-age=300 (only 5 min — very weak)
Email
Same Proofpoint as TSC (pphosted.com)
CF Opportunity: Replace Fastly + PerimeterX with CF CDN + Bot Mgmt — separate IT team = separate deal path
tractorsupply.org | Brand Redirect
DNS
idp365.net NS (parking service)
Hosting
198.140.189.15 (same as apex)
Purpose
Redirects to tractorsupply.com
WAF/CDN
NONE — no edge protection
Status
Properly configured redirect
Confidence
High
CF Opportunity: Free DNS + redirect rules
tractorsupplyco.com / .net | Brand Protection Domains
DNS
idp365.net NS (parking service)
Hosting
217.19.248.132 (parked IP)
Purpose
Brand protection — parked/redirect
WAF/CDN
NONE — on parking DNS, not enterprise
Risk
Not on Akamai DNS — managed via parking service
Confidence
High
CF Opportunity: CF Registrar for domain consolidation + free DNS
neighborsclubrewards.com | Loyalty Program Brand
Hosting
11.9.0.1 (wildcard sinkhole)
Purpose
Neighbor's Club loyalty program brand domain
Status
Resolves to sinkhole — no HTTPS, no redirect
Also Parked
petsensepets.com → 11.9.0.1
Risk
GOVERNANCE — brand domains not properly configured
Confidence
Medium
CF Opportunity: Registrar + redirect to login.tractorsupply.com
Legacy Infrastructure & Shadow IT
Microsoft ADFS Legacy Identity Exposed
Endpoints
adfs.tractorsupply.com
198.140.189.23, 198.140.189.24
Risk
HIGH — federation endpoints on bare IPs, no WAF, no geo-restriction
Dual Servers
Two IPs suggest HA config or post-incident redundancy
Status
Okta is replacing — but NOT fully decommissioned
Exchange Autodiscover Infrastructure Exposed
Finding
autodiscover.tractorsupply.com → 198.140.189.21
Risk
MEDIUM — reveals Exchange topology and version info
Also
mobile.tractorsupply.com → same IP
Possibly deprecated mobile OWA
Note
On-prem Exchange still in use alongside M365 (both in SPF)
SPF IP Sprawl 17+ Legacy Relay IPs
Count
17+ individual IPs in SPF record
AWS IPs
13.58.x, 34.209.x, 35.161.x, 52.14.x, 52.15.x, 54.71.x, etc.
On-Prem
198.140.189.43, .250, 146.88.151.20, .47, 74.209.251.23
Risk
May include decommissioned relays · approaching 10-DNS-lookup limit
Dual Okta Tenants Governance Question
Tenant 1
tractorsupply.okta.com (302 → Active)
Tenant 2
tsc.okta.com (200 OK → Active)
Question
Why two? Employees vs. partners? Migration? Acquisition legacy?
Risk
GOVERNANCE — consolidation opportunity
Vendor / Internal Portals Exposed Services
Vendor Portal
vendor.tractorsupply.com → 198.140.189.38
GeoTrust cert, no WAF
Employee Portal
portal.tractorsupply.com → 198.140.189.232
Publicly resolvable
Connect
connect.tractorsupply.com → 198.140.189.50
Unknown service
Fix
CF Access (ZTNA) — protect without public IP exposure
Competitive Landscape — Who Uses What
Rural King | ~$2.5B · Direct Competitor
DNS
Cloudflare NS
CDN/WAF
Cloudflare CDN + WAF
Bot Mgmt
Cloudflare Bot Management (__cf_bm cookie)
Stack
Next.js · Dynatrace · Optimizely
Cloudflare?
FULL STACK — best peer reference
Atwoods | ~$400M · Direct Competitor
DNS
Cloudflare NS (kia.ns.cloudflare.com)
CDN/WAF
Cloudflare CDN + WAF
Cloudflare?
FULL STACK
Ace Hardware | ~$9B · Industry Peer
DNS
Cloudflare NS
CDN/WAF
Cloudflare CDN + WAF
Headers
server: cloudflare, cf-ray, cf-cache-status, HSTS
Cloudflare?
FULL STACK — largest hardware retailer on CF
Home Depot / Lowe's | $157B / $83B · Big Players
DNS
Both on Akamai
CDN
HD: Nginx (custom) · Lowe's: Akamai
WAF
Akamai on both
Cloudflare?
No
Farm & Fleet / Bass Pro / Cabela's | Adjacent Retail
Farm & Fleet
AWS Route53 + CloudFront · ~$1B est.
Bass Pro / Cabela's
Brandshelter / Akamai · ~$9B est.
Cloudflare?
No
Summary
3 of TSC's competitors already on CF
Top 5 Cloudflare Sales Entry Points
#1 — API Security | API Shield + API Gateway
api.tractorsupply.com on bare IP (198.140.189.128) with zero WAF, no schema validation, no rate limiting. Origin directly addressable — bypasses all edge security.
Urgency
CRITICAL
#2 — Zero Trust / ZTNA | Cloudflare Access + Gateway
ADFS, vendor portal, employee portal all on public IPs without protection. Okta already in place — CF Access integration is native. Cisco VPN likely in use.
Urgency
HIGH
#3 — WAF + Bot Mgmt | Akamai Displacement
Akamai CDN + WAF + Bot Manager is heavily integrated. 3 direct competitors already on CF. Rural King uses CF Bot Mgmt. Cost + performance advantages at TSC's scale.
Urgency
STRATEGIC — contract timing dependent
#4 — Magic Transit | Network DDoS Protection
AS27632 with 4 × /24 prefixes (1,024 IPs) and no DDoS scrubbing. Five transit providers but transit filtering only. Protects entire announced IP space.
Urgency
STRATEGIC
#5 — Email Security | CF Email Security
Proofpoint incumbent with strong posture (DMARC reject, SPF -all). CF Email Security as pre-filter complement — catches advanced phishing that SEGs miss.
Urgency
COMPETITIVE