Legend: Secure · Gap · Partial · ℹ Info · CF Opportunity
At-a-Glance — Who Runs What
⏰ F5 DISTRIBUTED CLOUD — CONTRACT TIMING UNKNOWN
DNS: AWS Route 53 · 4 NS · est. since ~2018
CDN: F5 Distributed Cloud · Volterra · ~30 PoPs · since ~2020
WAF: F5 Distributed Cloud · volt-adc · wes-sea PoP
Bot Management: F5 XC (Binary) · Allow/block only — no scoring
API Security: None Detected · api.unum.com on bare IP
Network DDoS: None · 15 prefixes, direct transit
Email Security: Proofpoint · + Agari/Fortra DMARC analytics
Identity / SSO: Okta + Google Cloud · Replaced ADFS · dual SSO paths
APM / Monitoring: Dynatrace · RUM active on login.unum.com
AI Platform: Anthropic (Claude) · Domain-verified on unum.com + coloniallife.com
CMS: Sitecore v10 · Delivered via F5 XC
Cloud / CRM: AWS + Salesforce · CloudFront (portal) · SFDC (my.unum)
Core Infrastructure
AWS Route 53 · Managed DNS
Nameservers: 4 AWS NS (ns-498.awsdns-62.com, ns-754.awsdns-30.net, ns-1424.awsdns-50.org, ns-1613.awsdns-09.co.uk)
CAA Records: None Published — any CA can issue certs
IPv6 (AAAA): None — entire estate is IPv4-only
Wildcard: Yes → 11.9.0.1 (sinkhole catch-all)
Est. Activation: ~2018 (confidence: High)
CF Opportunity: 1-click DNSSEC, CAA mgmt, native IPv6, DNS analytics, DDoS-resilient anycast

F5 Distributed Cloud · CDN (Volterra)
Category: Content Delivery Network
Coverage: www.unum.com, coloniallife.com, unumgroup.com + Sitecore CMS delivery
PoPs: ~30 global PoPs (vs CF 300+)
Location Header: x-volterra-location: wes-sea (Seattle)
Gaps: portal (CloudFront), my (SFDC), login (bare nginx) — NO F5 CDN
HSTS: 1yr, no preload (login has 2yr + preload)
Est. Activation: ~2020–2021 (confidence: Medium)
CF Opportunity: 300+ PoPs — 10x F5 XC coverage. Unified CDN across ALL properties

F5 Distributed Cloud · WAF (volt-adc)
Category: Web Application Firewall
XSS Test: HTTP 403 — blocked or bot detection
SQLi Test: HTTP 403 — blocked or bot detection
Assessment: Cannot distinguish WAF blocks from bot blocks — aggressive 403 to all non-browser agents
Coverage: Main sites only — portal, login, api unprotected
Missing Headers: No CSP, X-Frame-Options, X-Content-Type-Options on www
Est. Activation: ~2020–2021 (confidence: Medium)
CF Opportunity: Managed WAF rulesets, Transform Rules for missing headers, ALL-domain coverage

F5 XC (Binary) · Bot Management
Approach: Binary allow/block — returns 403 to all non-browser agents
JS Challenge: None observed — no graduated scoring
Risk: Credential stuffing on login/SSO, claims fraud, scraping
Comparison: Binary vs CF's ML-based 1-99 scoring
CF Opportunity: CF Bot Mgmt — ML scoring (1-99), JS challenge, Turnstile CAPTCHA

None Detected · API Security / Gateway
API Gateway: None detected
api.unum.com: Bare IP (192.136.182.127) — no WAF/gateway
X-Frame-Options (www): Missing
X-Content-Type-Options (www): Missing
CF Opportunity: API Shield (schema validation, mTLS, rate limiting), Transform Rules
Cloud, Hosting & Network
Unum Group · On-Prem (AS29888)
Category: Self-Managed Network
ASN: AS29888 (UNUMGROUP-AS)
IP Blocks: 192.136.176.0/22, 192.136.180.0/22, 204.10.44.0/23, + 12 more prefixes (~5,632 total IPs)
Transit: Lumen (AS3356), BT (AS2856), + 4 others
DDoS: None — direct transit only
IPv6: Not deployed anywhere
Est. Activation: Pre-2010 (confidence: High)
CF Opportunity: Magic Transit for DDoS on 15 announced /24 blocks + Spectrum for non-HTTP

Amazon AWS · CloudFront + Route 53
Services: Route 53 (DNS), CloudFront (portal CDN), SES (email)
Portal: portal.unum.com → d1yo0so699pivn.cloudfront.net
Portal WAF: No WAF on portal — CloudFront alone
Portal Headers: No CSP, X-Frame-Options, X-Content-Type-Options
CF Opportunity: CF in front of CloudFront — WAF + headers + caching + bot mgmt

CSC / Corporation Service Co. · SSL Certificates + DNS (partial)
Category: Certificate Authority + DNS
Edge Cert: CSC RSA OV SSL CA 2, CN: sitecore.unum.com
Validity: 6-month cert (May–Nov 2026)
SANs: 50+ SANs incl. temp.* and v10pub.*
SAN Leak: Staging (temp.*) + CMS version (v10pub.*) in production cert
Split DNS: CSC DNS on dental/vision domains — not Route 53
CF Opportunity: Universal SSL (auto-renew), Advanced Certificate Manager, consolidate DNS

F5 BigIP (Legacy) · On-Prem Load Balancer
Category: Load Balancer (Legacy)
Active On: careers.unum.com → server: BigIP
Behavior: 302 redirect to unumgroup.com/careers
Status: Legacy — F5 XC migration incomplete
Note: Unum migrated from BigIP to F5 XC cloud; this is a remnant

Sitecore v10 · Content Management System
Delivery: sitecore.unum.com → ves-io-*.ac.vh.ves.io (F5 XC)
Version: v10 exposed via v10pub.* in cert SANs
Brands: sitecore.unum.com, sitecore.coloniallife.com, sitecore.unumgroup.com
Staging: temp.* subdomains in prod SSL cert
Est. Activation: ~2020 (confidence: Medium)
CF Opportunity: CF works with Sitecore via standard origin pull — no CMS changes needed
Email, Identity & Security
Proofpoint · Email Security Gateway
MX: mxa/mxb-004bf101.gslb.pphosted.com (pri 10)
DMARC: p=reject (strongest)
SPF: Soft fail (~all) — should be -all
DKIM: M365 + SendGrid + Mailchimp selectors
DMARC Analytics: Agari/Fortra (rua/ruf → unum@r*.agari.com)
Est. Activation: ~2020 (confidence: High)
CF Opportunity: CF Email Security — complement or replace Proofpoint. SPF ~all is a conversation starter

Microsoft 365 · Email & Collaboration
Category: Email & Collaboration
Tenant: unum.onmicrosoft.com
Verification: MS=ms23553980
DKIM: selector1/selector2 active
Autodiscover: autodiscover.unum.com → email.unum.com (204.10.45.10)

Okta + Google Cloud · SSO / Identity Provider
Category: Identity & Access
Okta Tenant: unum.okta.com, active (x-okta-request-id confirmed)
Google SSO: sso.unum.com — via: 1.1 google header
Former IdP: ℹ Microsoft ADFS — adfs/sts/idp/fs all sinkholed
Zero Trust: In progress — VPN/Citrix/remote sinkholed, Okta active
Est. Activation: ~2022 (confidence: Medium)
CF Opportunity: Cloudflare One (ZTNA) — unify Okta + Google SSO under one policy engine

Twilio SendGrid · Transactional Email
Category: Transactional Email
Account: u27078921.wl172.sendgrid.net
DKIM: s1/s2 selectors active
Purpose: Policy notifications, claims updates, benefits alerts

Mailchimp · Marketing Email
DKIM: k1 selector (dkim.mcsv.net)
Purpose: Marketing campaigns, newsletters, open enrollment comms
AI Platforms, SaaS & Third-Party Services
Anthropic · Claude AI
Evidence: anthropic-domain-verification TXT on unum.com AND coloniallife.com
Use Cases: Likely: claims processing, customer service, internal productivity
CF Opportunity: AI Gateway — observability, caching, rate limiting, model fallback

Dynatrace · APM / Real User Monitoring
Evidence: dynatrace-site-verification TXT + X-OneAgent-JS-Injection header on login.unum.com
Purpose: Application Performance Monitoring, RUM, synthetic monitoring

Salesforce · Customer Community Portal
Evidence: my.unum.com → *.live.siteforce.com (sfdcedge server)
Purpose: Policyholder self-service, benefits portal

Jamf · Apple Device Management
Evidence: jamf-site-verification TXT record
Purpose: MDM — Apple device fleet management

MongoDB Atlas · Cloud Database
Evidence: mongodb-site-verification TXT record
Purpose: Cloud database services

Other SaaS · Collaboration & Tools
Verified: Foxit · Adobe Sign · Canva x2 · Miro · Smartsheet · VMware Cloud · Zywave · Meltwater · Validity · Amazon SES x2 · Apple x2 · Google x3
Note: 20+ SaaS vendors domain-verified
Subsidiaries & Sister Domains
coloniallife.com · Primary Sister Brand
WAF/CDN: F5 Distributed Cloud (volt-adc)
Email: Same Proofpoint setup
AI: ℹ Also has Anthropic domain verification

unumgroup.com · Corporate Domain
WAF/CDN: F5 Distributed Cloud (volt-adc)
Purpose: Investor relations, careers, corporate comms
Careers: careers.unum.com → 302 → unumgroup.com/careers (BigIP)

Dental & Vision Domains · Split DNS Provider
Domains: unumdentalcare.com, unumvisioncare.com, coloniallifedental.com
DNS: CSC DNS (dns1.cscdns.net) — NOT Route 53
Hosting: 192.136.182.239 (same Unum IP)
Risk: GOVERNANCE — different DNS mgmt from core brands
CF Opportunity: Consolidate ALL domains under one DNS platform

benefitslearningcenter.com · Benefits Education
IP: 192.136.182.238 — different IP from main (.239)
WAF/CDN: Connection timeout — may be firewalled or down
Risk: Separate IP, unclear protection

Legacy Brand Domains · Mixed Status
colonial-paulrevere.com: Route 53 · resolves to main IP · legacy brand
ftp.unum.com: 204.10.44.188 — NOT sinkholed (legacy FTP)
temp.* in SSL SAN: Staging hostnames in production cert
v10pub.* in SSL SAN: Sitecore version exposed in cert metadata
CF Opportunity: CF Registrar for domain consolidation + cert hygiene
Legacy Infrastructure & Shadow IT
Microsoft ADFS / Citrix / VPN · Properly Decommissioned
Sinkholed: adfs · sts · idp · fs · vpn · citrix · remote · owa · webmail · exchange — all → 11.9.0.1
Meaning: Unum migrated from on-prem ADFS + Citrix + VPN to Okta + Google SSO + Zero Trust
Risk: LOW — properly decommissioned via DNS sinkhole
Note: 25+ subdomains sinkholed — strong hygiene discipline

ftp.unum.com · Legacy FTP — NOT Sinkholed
Finding: ftp.unum.com → 204.10.44.188 (live IP, not sinkholed like the others)
Risk: HIGH — FTP is an insecure protocol, and the name is publicly resolvable
Status: Connection timeout — likely firewalled, but the DNS record should be removed
Fix: Sinkhole to 11.9.0.1 or delete the A record entirely
Security Header Inconsistency · Config Drift
login.unum.com: Strong — CSP, HSTS preload, X-XSS, X-Content-Type, nosniff
www.unum.com: Weak — HSTS only. No CSP, XFO, XCTO
portal.unum.com: Weak — HSTS only. No CSP, XFO, XCTO
Risk: MEDIUM — inconsistent posture across endpoints
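An added example, not from the original report, that encodes the login.unum.com header baseline above as a check and runs it over constructed header sets mirroring the www and login findings (the header dicts are assumed values, not captured responses).

```python
"""Audit a property's response headers against the stronger baseline the
report attributes to login.unum.com (CSP, preloadable HSTS, X-Frame-Options,
X-Content-Type-Options). Added example, not from the original report; the
header dicts are constructed to mirror the www vs login findings, not captured."""

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this max-age

# Constructed header sets mirroring the report (not real captured responses).
WWW_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
LOGIN_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, sub, pre = 0, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            max_age = int(directive[8:].strip('"') or 0)
        elif directive == "includesubdomains":
            sub = True
        elif directive == "preload":
            pre = True
    return max_age, sub, pre

def audit_headers(headers):
    """Return a sorted list of gaps; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    gaps = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        gaps.append("HSTS missing")
    else:
        age, sub, pre = parse_hsts(hsts)
        if age < ONE_YEAR:
            gaps.append("HSTS max-age below one year")
        if not (sub and pre):
            gaps.append("HSTS not preload-ready (needs includeSubDomains + preload)")
    if "content-security-policy" not in h:
        gaps.append("CSP missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        gaps.append("X-Frame-Options missing or invalid (clickjacking)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        gaps.append("X-Content-Type-Options missing (MIME sniffing)")
    return sorted(gaps)
```

Running audit_headers over each property's headers gives a per-host gap list, which is the quickest way to keep the three endpoints from drifting apart again.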
DNS Governance Gaps · Multiple Issues
DNSSEC: Not enabled — DNS spoofing risk
CAA: Not published — any CA can issue certs
IPv6: Not deployed — compliance risk increasing
SPF: Soft fail (~all) — should be hard fail (-all)
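One way to machine-check the SPF, DMARC and CAA findings from this card and the Proofpoint card above, as an added example that is not part of the original report: it parses constructed TXT/CAA records (assumed values that mirror the findings, not live lookups) and grades each with the report's own Secure / Partial / Gap labels.

```python
"""Grade the mail and certificate-issuance DNS policies this report flags:
SPF terminal qualifier, DMARC p= policy, and CAA presence. Added example,
not from the original report; the records below are constructed to mirror
the findings, nothing is looked up live."""
import re

# Constructed records modelled on the page's findings (not fetched from DNS).
SAMPLE_ZONE = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid",
    "caa": [],  # report: "None Published"
}

def spf_terminal(record):
    """Return the qualifier of the 'all' mechanism (+, -, ~, ?) or None if absent."""
    toks = record.split()
    if not toks or toks[0].lower() != "v=spf1":
        return None
    for tok in toks[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", tok, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return None

def dmarc_policy(record):
    """Parse 'tag=value;' pairs and return the p= policy, or None if not DMARC."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def grade_zone(zone):
    """Map each check to Secure / Partial / Gap, using the report's own labels."""
    q = spf_terminal(zone["spf"])
    spf = ("Secure", "hard fail (-all)") if q == "-" else \
          ("Partial", "soft fail (~all), should be -all") if q == "~" else \
          ("Gap", f"no enforcing 'all' qualifier (got {q!r})")
    p = dmarc_policy(zone["dmarc"])
    dmarc = ("Secure", "p=reject") if p == "reject" else \
            ("Partial", "p=quarantine") if p == "quarantine" else \
            ("Gap", f"p={p}, spoofed mail is only monitored or not at all")
    caa = ("Secure", "; ".join(zone["caa"])) if zone["caa"] else \
          ("Gap", "no CAA record, any CA can issue for the domain")
    return {"SPF": spf, "DMARC": dmarc, "CAA": caa}

if __name__ == "__main__":
    for check, (status, detail) in grade_zone(SAMPLE_ZONE).items():
        print(f"{check:6} {status:8} {detail}")
```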
Split DNS Management · GOVERNANCE
Route 53: unum.com, coloniallife.com, unumgroup.com, benefitslearningcenter.com, colonial-paulrevere.com
CSC DNS: unumdentalcare.com, unumvisioncare.com, coloniallifedental.com
Risk: MEDIUM — config drift, inconsistent security policy
Fix: Migrate all to single DNS platform with RBAC
Competitive Landscape — Big Players (Employee Benefits / Life & Disability Insurance)
MetLife · metlife.com
DNS: Self-managed (ns2.metlife.com)

Prudential · prudential.com
DNS: Imperva (impervasecuredns.net)
CDN/WAF: Imperva / Incapsula

Guardian Life · guardianlife.com
CDN/WAF: Imperva / Incapsula
Competitive Landscape — Aligned Competitors (Unum's Direct Market Segment)
Reliance Standard · reliancestandard.com — ON CLOUDFLARE
DNS: Self-managed (ns1.rsli.com)
CDN/WAF: Cloudflare (104.18.x IPs)
Status: Full Cloudflare CDN + WAF
Talking Point: "Your direct competitor already chose Cloudflare."

Voya Financial · voya.com — CLOUDFLARE DNS
DNS: Cloudflare (will.ns.cloudflare.com)
Status: Cloudflare DNS with Fastly CDN
Talking Point: "Voya trusts Cloudflare for DNS. You still use Route 53."

Lincoln Financial · lincolnfinancial.com
DNS: Self-managed (ns2.lfg.com)

Mutual of Omaha · mutualofomaha.com

Anthem (Elevance) · anthem.com
Top 5 Cloudflare Sales Entry Points
#1 — Competitors Are Here · Competitive Proof Point
Finding: Reliance Standard runs full Cloudflare CDN/WAF. Voya Financial uses Cloudflare DNS. Zero of the top 10 big players use CF — greenfield industry.
Talk Track: "Your direct competitors already chose Cloudflare. You'd be joining, not pioneering."
Products: DNS · CDN · WAF · Bot Mgmt
Confidence: High — verified via DNS/IP

#2 — Security Header Gap · Inconsistent Posture
Finding: login.unum.com has excellent security headers (CSP, HSTS preload, X-XSS, nosniff). But www.unum.com is missing CSP, X-Frame-Options, and X-Content-Type-Options entirely.
Talk Track: "Your login page is locked down, but your main site is wide open to clickjacking. Cloudflare fixes this in one rule — no code changes."
Products: Transform Rules · WAF · API Shield
Confidence: High — verified via HTTP headers

#3 — 10x Network Advantage · Performance & Reach
Finding: F5 Distributed Cloud has ~30 global PoPs. Cloudflare has 300+. For a company serving policyholders in all 50 states, latency matters.
Talk Track: "Your policyholder in rural Tennessee hits a Seattle PoP. With Cloudflare, they hit one within 50 miles."
Products: CDN · WAF · Argo Smart Routing
Confidence: High — x-volterra-location confirmed

#4 — Unprotected API · API Security Gap
Finding: api.unum.com resolves to a bare IP (192.136.182.127) within Unum's ASN — no WAF, no API gateway, no rate limiting, no schema validation detected.
Talk Track: "Your API sits on a bare IP with no gateway. For an insurance company handling PII, that's a conversation worth having."
Products: API Shield · mTLS · Rate Limiting
Confidence: High — verified via DNS + timeout

#5 — AI + Zero Trust · Platform Modernization
Finding: Anthropic domain verification on BOTH unum.com and coloniallife.com confirms AI evaluation. VPN/Citrix/ADFS all sinkholed — Zero Trust transition underway.
Talk Track: "You're already betting on AI and Zero Trust. Cloudflare AI Gateway + ZTNA is purpose-built for where you're headed."
Products: AI Gateway · Cloudflare One · Access
Confidence: High — Anthropic TXT + sinkholed VPN/ADFS