Willis Towers Watson (WTW) — Infrastructure Technology Matrix

wtwco.com  |  NASDAQ: WTW  |  ~$10B Revenue  |  Analysis Date: June 30, 2026

Legend: Secure · Gap · Partial · ℹ Info · CF Opportunity
At-a-Glance — Who Runs What
NO INCUMBENT WAF/CDN — GREENFIELD OPPORTUNITY
DNS
MarkMonitor
Clarivate · Brand protection registrar
CDN
Vercel (basic)
Edge only for www · No true CDN
WAF
None
Vercel bot challenge ≠ WAF
Bot Management
None
Basic rate-limiting only
API Security
None
No API gateway detected
Network DDoS
None
2 dormant ASNs · No scrubbing
Email Security
Valimail + M365 EOP
DMARC reject · No dedicated SEG
Identity / SSO
Okta (×4 tenants)
+ Legacy ADFS on old domain
Cloud Security
Wiz
CSPM · OneTrust for privacy
AI Platform
Anthropic (Claude)
Domain-verified on both domains
Cloud / Hosting
Azure + AWS + Vercel
Multi-cloud · 7+ providers
CF Footprint
Already Present
wtwglobal.com on CF DNS · events via Cvent
Core Infrastructure
MarkMonitor · Managed DNS (Clarivate)
Category
Managed DNS
Nameservers
4 MarkMonitor NS
ha1–ha4.markmonitor.zone
DNSSEC
Not Enabled
CAA Records
4 CAs authorized
amazonaws, digicert, globalsign, letsencrypt
IPv6 (AAAA)
None
Wildcard
Yes → 11.9.0.1 (sinkhole)
Est. Activation
~2010 (pre-merger)   Medium
CF Opportunity: 1-click DNSSEC, native IPv6, DNS analytics, sub-5ms resolution
Vercel · Web Hosting / Edge (www)
Category
CDN / Web Hosting
Coverage
www.wtwco.com only
CNAME → vercel-dns-013.com
SSL
Let's Encrypt R12 (DV, single-domain)
Bot Protection
Vercel challenge (rate-limit only)
Gaps
careers, media, benefits, events — different CDNs
Server Header
server: Vercel (disclosed)
Est. Activation
~2022 (rebrand)   Medium
CF Opportunity: Unified CDN across ALL properties, Vercel origin-pull compatible
None Detected · Web Application Firewall
Category
Web Application Firewall
XSS Test
HTTP 429 — Vercel rate-limit, NOT WAF
SQLi Test
HTTP 000 — connection dropped, NOT WAF
Path Traversal
HTTP 429 — same rate-limit, NOT path-aware
Assessment
NO WAF — $10B financial services company
Exception
careers.wtwco.com has AWS WAF (only subdomain)
Confidence
High
CF Opportunity: CRITICAL — Managed WAF rulesets, immediate protection for main site
None Detected · Bot Management
Category
Bot Management
Status
No enterprise bot mgmt
JS Challenge
None — Vercel challenge is rate-based
Bot Headers
None (x-vercel-mitigated only)
Risk
Content scraping, credential stuffing, brand impersonation
Note
Financial services firms are high-value bot targets
Confidence
High
CF Opportunity: Cloudflare Bot Mgmt — financial services-grade protection
None Detected · API Security / Gateway
Category
API Security
API Gateway
None detected
HSTS
Missing on www
CSP Header
Missing on www
X-Frame-Options
Missing on www
Referrer-Policy
Missing on www
Confidence
High
CF Opportunity: API Shield, Transform Rules for headers, API Gateway
Cloud, Hosting & Network
Microsoft Azure · Primary Cloud
Category
Cloud Hosting (Primary)
Services
Azure Front Door (UAT), VMs (dev/test), Traffic Manager (auth/ADFS)
IPs
40.75.116.156 (dev)
52.252.49.214 (test)
Public Exposure
dev + test publicly resolvable on internet
Auth Infrastructure
ADFS + auth + access all on Azure via legacy domain
Est. Activation
~2016 (merger)   High
CF Opportunity: Cloudflare Access for dev/test; CF in front of Azure origins
Amazon AWS · Secondary Cloud
Category
Cloud Hosting (Secondary)
Services
CloudFront (careers), Global Accelerator (benefits, UK sites)
IPs
careers → d1npvk2p6yfyn6.cloudfront.net
benefits → 15.197.173.102 (GA)
UK → 3.33.139.32 (GA)
WAF
AWS WAF on careers only
Note
Different cloud from main site — separate teams
Confidence
High
CF Opportunity: Multi-cloud proxy — fronts Azure + AWS seamlessly
WTW Network · ASNs (Dormant)
Category
Self-Managed Network
ASNs
AS21872 (WILLIS TOWERS WATSON)
AS54653 (WILLIS TOWERS WATSON)
Announced Prefixes
ZERO — both ASNs completely dormant
Transit
None — all traffic via provider networks (AWS AS16509, Azure AS8075)
DDoS
None — no dedicated scrubbing
Est. Registration
~2015   High (RIPE confirmed)
CF Opportunity: BYOIP + Magic Transit if ASNs reactivated
GlobalSign / Let's Encrypt / ACM · SSL/TLS Certificates
Category
Certificate Management
Enterprise Cert
GlobalSign RSA OV wildcard
13+ domains, 6 countries in SAN
Vercel Cert
Let's Encrypt R12 (DV)
www.wtwco.com only
Careers Cert
Amazon ACM (DV)
careers.wtwco.com
DNSSEC
Not enabled
Confidence
High
CF Opportunity: Auto cert management, 1-click DNSSEC, Universal SSL
ImageEngine / Cvent · Specialized CDNs
Category
Specialized Content Delivery
ImageEngine
media.wtwco.com → imgeng.in
Varnish server · Image optimization CDN
Cvent
events.wtwco.com → pld.na1.cventcustom.com
Served via Cloudflare (cf-ray confirmed)
Exponential-E
cd.wtwco.com → 31.221.113.78 (UK ISP, AS25180)
Unknown purpose
Fragmentation
5+ CDN providers across subdomains
Confidence
High
CF Opportunity: Consolidate all CDN providers under one Cloudflare dashboard
Email, Identity & Security
Valimail + M365 EOP · Email Security
Category
Email Security
MX
willistowerswatson-com.mail.protection.outlook.com (pri 10)
DMARC
p=reject (strongest)
SPF
Soft fail (~all) — macro-based via Valimail
DKIM
M365 + SendGrid + Mailchimp
Dedicated SEG
No Proofpoint / Mimecast
Est. Activation
M365 ~2015 · Valimail ~2019   High
CF Opportunity: CF Email Security — pre-delivery phishing protection on top of EOP
Okta · SSO / Identity Provider (×4)
Category
Identity & Access
Tenants
wtw.okta.com
wtwco.okta.com
willistowerswatson.okta.com
willis.okta.com
Identity Sprawl
4 active Okta tenants = merger debt
Zero Trust
Not a full ZT architecture
Est. Activation
~2018   Medium
CF Opportunity: Cloudflare One (ZTNA + SASE) — unify 4 tenants, replace legacy ADFS
Microsoft · ADFS / Entra ID (Legacy)
Category
Legacy Authentication
ADFS
adfs.willistowerswatson.com → wtwcorpadfs.trafficmanager.net
Auth Gateway
auth.willistowerswatson.com → Azure Front Door
Access Portal
access.willistowerswatson.com → accesswtw.trafficmanager.net
Risk
All auth on legacy pre-rebrand domain
Status
Likely being phased out for Okta
CF Opportunity: CF Access replaces ADFS — no VPN, identity-aware proxy
SendGrid / Mailchimp · Transactional & Marketing Email
Category
Email Delivery
SendGrid
DKIM selectors s1/s2
Active
Mailchimp
DKIM selector k2
Active
Purpose
Transactional notifications (SendGrid)
Marketing campaigns (Mailchimp)
SPF Macro
Valimail macro covers all senders
Confidence
High
Wiz / OneTrust / HashiCorp · Cloud & Privacy Security
Category
Cloud Security & Compliance
Wiz
CSPM — cloud security posture
Domain-verified
OneTrust
Privacy/consent (4 verifications)
Heavy deployment
HashiCorp
HCP — Vault/Consul/Terraform
Domain-verified
Note
Strong cloud security posture but no edge security
Confidence
High
CF Opportunity: CASB visibility across 20+ SaaS vendors
AI Platforms, SaaS & Third-Party Services
Anthropic · Claude AI
Evidence
anthropic-domain-verification on BOTH wtwco.com and willistowerswatson.com
Use Cases
Enterprise AI assistants, risk analysis, actuarial modeling
Confidence
Confirmed
CF: AI Gateway for rate limiting, caching, audit logging
Salesforce · CRM (×2 Instances)
Evidence
2 org IDs verified:
00Db0000000YzaP
00Db0000000HZir
Note
2 instances = likely merger inheritance
Confidence
Confirmed
Atlassian · Jira / Confluence
Evidence
2 atlassian-domain-verification TXT records
Purpose
Project mgmt, wiki, collaboration
Confidence
Confirmed
DocuSign / Foxit · Document Management
Evidence
docusign + foxit TXT verifications
Purpose
E-signatures (DocuSign), PDF mgmt (Foxit)
Confidence
Confirmed
Miro / Airtable / Smartsheet · Collaboration
Evidence
miro (×2), airtable (×2), smartsheet TXT records
Purpose
Visual collaboration, low-code DB, project tracking
Confidence
Confirmed
Cisco Webex / Pexip / MongoDB · Communications & Data
Evidence
webexdomainverification, pexip, mongodb TXT records
Purpose
Video (Webex/Pexip), Document DB (MongoDB)
Confidence
Confirmed
Subsidiaries & Sister Domains
willistowerswatson.com · Legacy Primary Domain
DNS
MarkMonitor (same NS)
Hosting
Vercel (same as wtwco.com)
Auth Services
ADFS, auth, access, SSO all still here
Email
Same M365 + Valimail · DMARC reject
SSL
GlobalSign OV wildcard (13+ domain SAN)
Confidence
High
Note: ALL authentication infra remains on this pre-rebrand domain — significant tech debt
wtwglobal.com · ON CLOUDFLARE DNS
DNS
Cloudflare NS
dahlia / james.ns.cloudflare.com
Hosting
GoDaddy parking page (184.168.119.238)
Status
Parked but CF account exists
Implication
Someone at WTW has a Cloudflare dashboard
Action
Identify the account owner — foot in the door
Confidence
High
CF Opportunity: Existing CF account is proof of trust — expand to full portfolio
wtw.com · NOT OWNED BY WTW
DNS
flygt.com NS (Xylem Inc.)
Email
Proofpoint (Xylem's infrastructure)
Owner
Xylem Inc. (water technology, formerly WTW GmbH)
Risk
HIGH — brand confusion for a company named "WTW"
Action
WTW rebranded to "WTW" but doesn't own wtw.com
Confidence
High
Note: Mention in meeting — brand risk talking point
wtwbenefits.com · Separate Infrastructure
DNS
Linode (giantpanda.com NS) — NOT MarkMonitor
Hosting
Linode — multiple IPs
Risk
HIGH — no central governance
Note
Benefits division on completely separate infra stack
Security
Unknown security posture
Confidence
Medium
CF Opportunity: Consolidate under Cloudflare with rest of portfolio
Other Brand Domains · Mixed Status
willis.com
MarkMonitor · Vercel · pre-merger redirect
towerswatson.com
MarkMonitor · Vercel · pre-merger redirect
wtwco.co.uk
MarkMonitor · AWS Global Accelerator (UK)
gras-savoye.com
CSC DNS — acquired French broker, different registrar
wtw-group.com
HiChina (Alibaba) — China defensive reg
willisgroup.com
DnsOwl — parked defensive registration
CF Opportunity: DNS consolidation across 11+ domains, 3+ registrars
Legacy Infrastructure & Shadow IT
dev / test Environments Publicly Resolvable
Endpoints
dev.wtwco.com → 40.75.116.156 (Azure)
test.wtwco.com → 52.252.49.214 (Azure)
Risk
HIGH — pre-production on public DNS
Exposure
IP addresses visible to any scanner
Fix
Move behind Cloudflare Access or remove from public DNS
CF Opportunity: IMMEDIATE — Cloudflare Access, no VPN needed, afternoon deploy
Legacy ADFS Auth on Old Domain
Finding
adfs.willistowerswatson.com → Azure Traffic Manager
Risk
HIGH — legacy Windows auth = known attack vector
Also
auth + access + SSO endpoints on legacy domain
Fix
Modernize to Entra ID or Cloudflare Access
CF Opportunity: CF Access replaces ADFS — identity-aware reverse proxy
cd.wtwco.com · Unknown UK Service
Finding
cd.wtwco.com → 31.221.113.78 (Exponential-E, UK ISP)
ASN
AS25180 — small UK ISP, not enterprise-grade
Risk
MEDIUM — possible orphaned CI/CD endpoint
Fix
Identify purpose; decommission or consolidate
Sitecore / Old Provider Remnants · Stale Records
Sitecore
sitecore-site-verification TXT still present
(likely replaced by Vercel)
Autodiscover
autodiscover.wtwco.com → willistowerswatson.com (legacy ref)
Cert SAN Leaks
grassavoye.be/com/fr, willisre.com, wtwco.cn in GlobalSign cert
Risk
MEDIUM — info disclosure
Dormant ASNs · Governance Risk
ASNs
AS21872 — Willis Towers Watson
AS54653 — Willis Towers Watson
Status
Zero prefixes announced — fully dormant
Risk
Governance — orphaned network assets still registered
Fix
Deregister or activate under BYOIP program
CF Opportunity: BYOIP + Magic Transit for any reactivated space
Competitive Landscape — Who Uses What
Aon · ~$15B Revenue · Direct Rival
DNS
Cloudflare gabe/jacqueline.ns.cloudflare.com
CDN/WAF
Cloudflare FULL STACK
Cloudflare?
FULL STACK — best peer reference for WTW
Marsh McLennan · ~$23B Revenue · #1 Broker
DNS
Self-managed (ns01–05.mmc.com)
CDN
AWS CloudFront · Apache
Cloudflare?
No
Gallagher · ~$11B Revenue · #4 Broker
DNS
Akamai (akam.net)
CDN/WAF
Imperva / Incapsula (incapdns.net)
Cloudflare?
No
Lockton / Brown & Brown · Mid-Market Brokers
Lockton DNS
Cloudflare barbara/sam.ns.cloudflare.com
B&B DNS
Cloudflare betty/hans.ns.cloudflare.com
Cloudflare?
FULL STACK — both on CF DNS + CDN + WAF
Hub Int'l / USI Insurance · Specialty Brokers
Hub DNS
CSC DNS · Cloudflare CDN
USI DNS
GoDaddy · Cloudflare CDN
Cloudflare?
CDN LAYER — cdn.cloudflare.net confirmed
Peer Scorecard — WTW vs. Industry
Metric     | Enterprise WAF | Enterprise CDN | Bot Management | DNSSEC   | IPv6    | Cloudflare?
WTW        | None           | Vercel only    | None           | No       | No      | Inherited only
Aon        | Cloudflare     | Cloudflare     | Cloudflare     | ℹ Likely | Yes     | Full Stack
Marsh McL. | None visible   | CloudFront     | Unknown        | Unknown  | Unknown | No
Gallagher  | Imperva        | Akamai         | ℹ Likely       | Unknown  | Unknown | No
Top 5 Cloudflare Sales Entry Points
#1 — WAF + Bot Mgmt · Main Site Unprotected
~$10B financial services company with zero WAF on main site. Vercel bot challenge is rate-limiting only. Competitor Aon runs full Cloudflare stack. 5 of 7 peers already on CF.
Urgency
IMMEDIATE — GREENFIELD
#2 — Zero Trust / SASE · Cloudflare One
4 Okta tenants + legacy ADFS on pre-rebrand domain. dev/test publicly resolvable. CF Access protects internal apps without VPN, deployable in an afternoon.
Urgency
HIGH — dev/test exposure
#3 — AI Gateway · AI Gateway + API Shield
Confirmed Anthropic Claude deployment (domain-verified on both domains). No API governance. CF AI Gateway: rate limiting, caching, cost control, audit logging.
Urgency
STRATEGIC
#4 — Email Security · CF Email Security
No dedicated SEG — only M365 EOP. SPF soft-fail (~all) despite DMARC reject. CF Email Security adds pre-delivery phishing protection on top of existing M365.
Urgency
COMPETITIVE
#5 — CASB + DLP · SaaS Visibility
20+ SaaS vendors verified via TXT records (Salesforce×2, Atlassian, MongoDB, Anthropic, Miro, Box, Airtable…). No CASB detected. CF CASB provides shadow IT governance.
Urgency
STRATEGIC
Conversation Starters for AE
Peer Pressure
"Your direct competitor Aon runs their entire stack on Cloudflare. Your main site has no WAF. Five of your seven peers already use us."
Quick Win
"Your dev and test environments are publicly resolvable on Azure. Cloudflare Access can fix that in an afternoon — no VPN needed."
Existing Footprint
"You already have Cloudflare through Cvent and wtwglobal.com. Extending to your main properties is a natural next step."
AI-Native
"You're deploying Anthropic's Claude at enterprise scale. Cloudflare AI Gateway gives you rate limiting, cost control, and audit logging."
Identity Debt
"Four Okta tenants and legacy ADFS on a domain you rebranded from years ago — that's a lot of identity debt to carry."