The Clearing × Cloudflare
Executive Brief · Security & Vendor Consolidation

One FedRAMP-grade network for The Clearing’s site, apps, email & people.

The Clearing advises DoD, DHS, DOJ and FAA — yet theclearing.com runs on a single, publicly-reachable AWS WordPress origin, with DNS at GoDaddy and no security at the edge. Cloudflare puts your website, your team’s access, and your inboxes behind one FedRAMP-authorized network — the posture your federal clients already expect.

The Clearing, Inc. is a Washington, D.C. operations-design and strategy firm (founded 2009, ~50–60 staff per LinkedIn) whose work centers on IT modernization, security compliance and organizational transformation for federal agencies — including the Department of Defense and Department of Homeland Security, per theclearing.com. For a firm of that mission, the digital front door and internal access model are part of the credibility story.

Today that footprint is spread thin: a lone Amazon EC2 instance serves the WordPress site with no edge WAF/CDN, authoritative DNS sits at GoDaddy, email runs on Google Workspace alongside GoDaddy and Pardot/Mailchimp senders, a public dev/staging site is exposed, and the WordPress login page answers openly to the internet. Each is a place Cloudflare can reduce risk and vendors at once.

From scattered vendors to one network

Every item below was identified from public DNS, HTTP headers and the live theclearing.com page — no assumptions. Today it’s spread across AWS, GoDaddy, Google and point tools. The Cloudflare column is where it can all live.
7 vendors → 1 network

  • AWS EC2 · web origin
  • GoDaddy · DNS + mail
  • Google Workspace · email
  • Mailchimp · marketing mail
  • Pardot · Salesforce MAP
  • Pickaxe · embedded AI
  • Public staging · dev exposed

→ Cloudflare · one network · one bill · one control plane · FedRAMP-authorized · audit-ready logs

Six consolidation plays

Each maps to something observed on theclearing.com today — and is right-sized for a ~55-person federal-focused firm (no over-build).
01 · Cloudflare One — Zero Trust access

FedRAMP-authorized · maps to CMMC / NIST 800-171

Give a distributed, federal-contractor team least-privilege access to internal & SaaS apps without a legacy VPN. One agent, one policy engine — and the access-control + audit trail your DoD/DHS engagements require.

  • Cloudflare’s Zero Trust suite is FedRAMP Moderate authorized
  • Access (ZTNA) + Gateway (SWG/DNS filtering) + WARP, ~55 seats
  • Driver: federal client base — DoD, DHS, DOJ, FAA (theclearing.com)
02 · Cloudflare Email Security

↳ layers over Google Workspace

A federal contractor is a prime target for spear-phishing and business-email-compromise. Email Security sits in front of Workspace to catch what native filtering misses — and tightens the sender domains you already run.

  • Identified: MX aspmx.l.google.com (Google Workspace)
  • Also secureserver.net (GoDaddy) mail hosts on subdomains
  • Mailchimp + Pardot senders in SPF → enforce DKIM/DMARC
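The senders listed in SPF only help once DKIM and an enforcing DMARC policy stand behind them, because Email Security and receiving mail servers act on the authentication result, not on the record's existence. As an added example (not the brief's or Cloudflare's code), the Python below reads a domain's SPF and DMARC TXT records and reports a softfail-only SPF, an excess of DNS lookups, and a monitor-only DMARC policy. The domain example.com and its records are constructed to mirror a Workspace plus marketing-sender setup; nothing here queries theclearing.com or any live zone.

```python
"""Assess a domain's SPF and DMARC posture from its DNS TXT records.

Added example; the records below are constructed for a placeholder domain
and are not live lookups of any real zone.
"""

# Constructed TXT records for a placeholder domain (assumption: this shape
# mirrors a Workspace + marketing-sender setup, with DMARC still at p=none).
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:servers.mcsv.net "
        "include:aspmx.pardot.com include:secureserver.net ~all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    ],
}

# Terms that each cost one DNS lookup toward SPF's limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the 'all' qualifier, the include targets and the lookup count of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, includes, lookups = None, [], 0
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Modifiers (redirect=, exp=) use '='; mechanisms (include:, ip4:) use ':'.
        sep = "=" if "=" in term.split(":", 1)[0] else ":"
        name, _, value = term.partition(sep)
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "include":
                includes.append(value)
    return {"all": all_qualifier, "includes": includes, "lookups": lookups}


def parse_dmarc(record):
    """Return DMARC tags as a dict, or {} if the record is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess(domain, txt_records):
    """List posture findings for the domain; an empty list means SPF and DMARC are enforcing."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf)}")
    else:
        s = parse_spf(spf[0])
        if s["all"] in (None, "+", "?"):
            findings.append("SPF: no enforcing 'all' term (use ~all or -all)")
        elif s["all"] == "~":
            findings.append("SPF: softfail (~all); move to -all once DMARC enforces")
        if s["lookups"] > 10:
            findings.append(f"SPF: {s['lookups']} DNS lookups exceeds the limit of 10 (permerror)")
    dmarc = [d for d in (parse_dmarc(r) for r in txt_records.get("_dmarc." + domain, [])) if d]
    if not dmarc:
        findings.append("DMARC: no record; spoofed mail from this domain is not rejected")
    else:
        policy = dmarc[0].get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitor-only; step to quarantine, then reject")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings


if __name__ == "__main__":
    for finding in assess("example.com", SAMPLE_TXT):
        print(finding)
```

Run against the constructed records it reports two findings (softfail SPF and p=none); pointing it at the same domain with `-all` and `p=reject` returns none. Pairing the lookup counter with the include list matters in practice: every marketing sender added to SPF spends one of the ten lookups, and the fix for a permerror is to prune includes, not to loosen the 'all' term.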
03 · WAF, CDN & DDoS for the site

↳ protects the single AWS origin

The website is one EC2 instance with no edge in front. Put Cloudflare’s managed WordPress WAF, DDoS protection and caching in the path — and stop the open login page from being brute-forced.

  • Identified: Server: Apache + WordPress; origin 52.72.22.19
  • /wp-login.php returns 200 — rate-limit it + add Turnstile
  • Edge cache fixes slow (~1–2s) origin responses
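Until an edge rate limit is in front of the login page, the origin's own Apache access log is where password guessing shows up, and it shows the exact pattern a rate-limiting rule keys on: repeated POSTs to /wp-login.php from one client. As an added example, not from the brief or from Cloudflare, the Python below parses combined-format log lines and flags clients with five or more failed logins inside a sliding 60-second window. It relies on WordPress re-rendering the login form with HTTP 200 on a failed POST and answering 302 on success; the log lines are constructed and use documentation IP ranges.

```python
"""Flag password-guessing against /wp-login.php from Apache access logs.

Added example with constructed log lines; not the brief's or Cloudflare's code.
WordPress re-renders the login form with HTTP 200 on a failed POST and answers
302 on success, so repeated POST+200 from one client is the failure signal.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails six logins in 38 s; 198.51.100.4 fails once, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:24 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:12:01:15 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Group timestamps of failed login POSTs (status 200) by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip


def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failures in any window} for clients at or above the threshold."""
    flagged = {}
    for ip, stamps in failed_logins(lines).items():
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):
            j = i
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)  # failures inside the window opening at stamps[i]
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 60 s")
```

The same match (POST to /wp-login.php, counted per client over a short window) is what the edge rate-limit rule enforces once the site is proxied; running this against the origin log before and after cut-over is a cheap way to confirm the rule is actually absorbing the traffic. Note that once Cloudflare sits in front, the client address in the origin log is the edge's unless the origin is configured to read the forwarded client IP header.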
04 · Tunnel — hide the origin, gate staging

↳ removes public exposure

Cloudflare Tunnel makes the AWS origin unreachable except through Cloudflare, and Access puts the exposed dev/staging site behind identity so pre-release work isn’t open to the internet.

  • Origin IP 52.72.22.19 is directly reachable today
  • Public staging: dev2021 → dev2025.theclearing.com
  • No inbound ports; staging behind SSO + device posture
05 · Authoritative DNS + DNSSEC

↳ migrate off GoDaddy

Move authoritative DNS onto Cloudflare’s anycast network — faster, more resilient, and the foundation that lets everything else proxy through the edge. Add DNSSEC and, optionally, at-cost Registrar.

  • Today: NS ns51 / ns52.domaincontrol.com (GoDaddy)
  • Anycast DNS with built-in DDoS protection + DNSSEC
  • Optional Cloudflare Registrar — no markup on renewals
06 · Govern the AI you already embed

AI Gateway + Turnstile · augments Pickaxe

The site embeds a Pickaxe AI assistant. AI Gateway puts a governed front door on LLM calls — logging, rate-limits and spend caps that a federal-facing firm needs for audit — while Turnstile shields forms and the login from bots.

  • Identified: studio.pickaxe.co embedded on the site
  • Request logging + caching across any model provider
  • Privacy-first CAPTCHA on contact forms & wp-login

Consolidation roadmap

A low-risk path sized for a small firm — fix the exposed surface first, then secure people and email, then standardize on one network.
First 30–60 days

Land & quick wins

  • Move DNS to Cloudflare (from GoDaddy) + enable DNSSEC
  • Proxy theclearing.com; turn on WAF + DDoS
  • Rate-limit /wp-login.php + add Turnstile on forms
  • Edge caching to speed up the WordPress origin
Quarter 2

Lock down & secure

  • Cloudflare Tunnel — make the AWS origin unreachable directly
  • Put dev2025 staging behind Access
  • Email Security layered over Google Workspace
  • Zero Trust pilot (Access + WARP) for key internal apps
6–12 months

Consolidate on Cloudflare One

  • Org-wide Zero Trust (SWG + DNS filter + CASB/DLP)
  • Mapped to CMMC / NIST 800-171 with unified audit logs
  • AI Gateway over the Pickaxe / LLM usage
  • Consolidate registrar; one vendor & commercial agreement

Consolidation snapshot

Current-state vendors are evidence-based; nothing here is assumed.
Function | Today | How it was identified | On Cloudflare
Web origin & CDN | Single AWS EC2, no edge (identified) | apex A 52.72.22.19 · AS14618 AMAZON-AES; Server: Apache | WAF + CDN + DDoS
CMS | WordPress; login exposed (risk) | X-Redirect-By: WordPress; /wp-login.php → 200 | Managed WAF + rate limit + Turnstile
Authoritative DNS | GoDaddy (identified) | NS ns51/ns52.domaincontrol.com | Cloudflare DNS + DNSSEC
Email | Google Workspace + GoDaddy | MX aspmx.l.google.com; mail.* → secureserver.net | Email Security (layered)
Marketing mail | Mailchimp + Pardot | SPF include servers.mcsv.net, aspmx.pardot.com | Keep; enforce DKIM/DMARC
Embedded AI | Pickaxe chatbot | studio.pickaxe.co loaded on page | AI Gateway (govern) + Turnstile
Staging | Public dev site (risk) | 301 dev2021 → dev2025.theclearing.com | Access (Zero Trust) gate
Secure access | Distributed team; model to confirm | Federal client base (theclearing.com) | Cloudflare One (FedRAMP)

How we know — observed on theclearing.com

No assumptions: every current-state item below was identified from public DNS, HTTP headers and the live theclearing.com page on the recon date.
  • AWS EC2 · 52.72.22.19 · AS14618
  • WordPress / Apache · Server header
  • GoDaddy DNS · domaincontrol.com
  • Google Workspace · aspmx.l.google.com
  • Mailchimp · servers.mcsv.net (SPF)
  • Pardot · aspmx.pardot.com (SPF)
  • Pickaxe AI · studio.pickaxe.co
  • Public staging · dev2025.theclearing.com
  • Not yet on Cloudflare · no cf-ray on apex