KJ-01 DMARC at p=none leaves BAN's brand wide open to spoofing
High Confidence
DNS evidence (ev_002, ev_024) shows BAN's DMARC record is published as v=DMARC1; p=none;. Under that policy, receivers are asked to take no action on messages that fail SPF or DKIM alignment: such messages are handled like any other mail rather than being quarantined or rejected, so impersonation attempts reach recipients subject only to ordinary spam filtering. The vector is very likely attractive to commodity adversaries because BAN's core audience (independent broker member firms, plan participants, insurance carriers) is exactly the kind of money-movement counterparty that responds to authoritative-looking benefit-administration messages. Confidence is high because the underlying evidence is authoritative DNS (Admiralty A1) and the failure mode is mechanical, not interpretive. The alternative interpretation — that the policy is a deliberate monitoring-only phase preceding enforcement — is not corroborated by any other defensive-posture signal in the recon evidence base.
KJ-02 Public web property graded F — no DNSSEC, no CAA, missing security headers
High Confidence
Mozilla Observatory's scan (ev_023, Admiralty A2) returned grade F with score 0 and five of ten tests failing, indicating absent or misconfigured Content-Security-Policy, X-Frame-Options, Referrer-Policy, HSTS, X-Content-Type-Options, or cookie-security flags. DNS analysis (ev_024) confirms DNSSEC is disabled and no CAA records are published; with no CAA constraint in place, any publicly trusted CA that is compromised could issue a certificate for benefitadvisorsnetwork.com. This combination is very likely the byproduct of a small marketing-driven web property rather than a broker-facing portal hardened to financial-services norms. Confidence is high because the indicators are mechanical scans of public infrastructure. The competing hypothesis — that meaningful broker-facing functionality lives on an unenumerated subdomain or behind Zywave's hosted platform — cannot be ruled out, but the primary domain itself is the brand-bearing surface and remains weak.
KJ-03 Zywave is a load-bearing platform dependency
High Confidence
BAN's DNS publishes a zywave-domain-verification TXT token (ev_002, ev_019; Admiralty A1) — the standard tenant-binding mechanism Zywave uses to authorise platform access for a customer domain. Combined with Zywave's Wikipedia / Wikidata profile (ev_003, ev_004) showing 350,000+ broker users and dominance in broker-workflow SaaS, the most consistent reading is that Zywave hosts at least one operational broker-facing surface for BAN members. The dependency is very likely material rather than experimental because TXT-token issuance is a deliberate cross-organisation commitment. Confidence is high. The retained alternative is that the token reflects a discontinued or staging integration; the recon evidence does not surface direct contradiction but cannot independently age the token.
KJ-04 Zywave's npm publishing concentrates supply-chain leverage in two engineers
Moderate Confidence
npm registry data (ev_022, Admiralty A2) shows 80 packages in the @zywave scope, all marked UNLICENSED (closed-source) and primarily maintained by patrick.obrien@zywave.com (npm user zywavepobrien) and john.cruikshank@zywave.com (npm user cruikshank). Compromise of either maintainer account would enable malicious package updates for @zywave/zui-bundle and adjacent packages, which downstream tenants — including BAN by way of kj_003 — would pull at the next build. The vector is very likely high-impact to Zywave and proportionally material to BAN; confidence is moderate because closed-source UNLICENSED packages may be deployed via private channels rather than the public npm tarballs, in which case the public registry would be informational rather than a live distribution channel. The competing hypothesis that these packages are demonstrations is weakly supported (active versioning through 2026-03-04 and 6,838 monthly downloads of zui-bundle alone indicate live use).
KJ-05 Going concern with active member-firm growth since 2023 spinoff
High Confidence
Trade-press evidence (citybiz / benefitspro / benefitnews, all Admiralty B2) consistently confirms the April 2023 acquisition by Perry Braun (ev_009, ev_010), Bobbi Kloss's appointment as VP of HCM in May 2023 (ev_011), the MASA Medical Transport partnership in November 2023 (ev_017), and continuing member admission of Carroll Insurance in May 2025 (ev_015) and Packard Wheeler Succession in approximately April 2026 (ev_016). The pattern is very likely that of an actively operated B2B network rather than a stalled or distressed entity. Confidence is high on going-concern status. The alternative — that the press cadence reflects PR activity decoupled from operational health — is not supported by any countervailing signal in the recon evidence.
KJ-06 Unidentified AWS IP authorised to send mail as BAN
Moderate Confidence
BAN's SPF (ev_002, ev_024; Admiralty A1) lists ip4:3.13.39.22 alongside the named vendors (EncryptTitan, Shield Security, Microsoft 365). The 3.13.0.0/16 range is AWS us-east-2 (Ohio). Recon could not bind this IP to a specific vendor in the evidence base. There is a roughly even chance the entry is an intentional, current, low-risk SaaS relay (HR tool, survey platform, benefits notification service) versus an inherited or stale authorisation that no one currently owns. Either reading produces the same operational concern: a sender that can authenticate as BAN with no overarching DMARC enforcement layer above it. Confidence is moderate because the ambiguity is the finding; identifying the operator requires either active contact (out of opsec scope) or operator-side knowledge of the vendor stack.
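The two DNS findings above (KJ-01's p=none policy and KJ-06's unattributed ip4 entry) are the kind of thing a domain owner can check mechanically against their own published records. The following is an added example, not part of the recon report and not tooling used in it: it parses DMARC and SPF TXT strings, reports whether the DMARC policy actually asks receivers to act, and lists SPF IP literals that have no owner in the operator's sender inventory. All records, hostnames and addresses below are constructed for example.com (documentation ranges only), not the target's real records.

```python
"""Audit a domain's own DMARC and SPF TXT records (added example; constructed inputs)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class DmarcAssessment:
    policy: str              # p= tag, defaulting to "none"
    subdomain_policy: str    # sp= tag, defaulting to the p= value
    pct: int                 # pct= tag, defaulting to 100
    has_aggregate_reports: bool
    enforcing: bool          # True only if receivers are asked to quarantine/reject
    findings: list[str]


def parse_tag_value(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict; tag names are case-insensitive."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify what a published DMARC record asks receivers to do with unaligned mail."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    has_rua = "rua" in tags
    findings: list[str] = []
    if policy == "none":
        findings.append("p=none: receivers take no policy action on mail failing alignment")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the enforced policy")
    if not has_rua:
        findings.append("no rua= address: no aggregate reports, so unaligned senders stay invisible")
    enforcing = policy in ("quarantine", "reject") and pct > 0
    return DmarcAssessment(policy, sub_policy, pct, has_rua, enforcing, findings)


def spf_sources(record: str) -> dict[str, list[str] | str]:
    """Split an SPF record into named includes, raw IP literals, other terms and the all qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result: dict[str, list[str] | str] = {"includes": [], "ip_literals": [], "other": [], "all": ""}
    for term in terms[1:]:
        qualifier = ""
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "include":
            result["includes"].append(value)
        elif name in ("ip4", "ip6"):
            ipaddress.ip_network(value, strict=False)  # raises ValueError on a malformed literal
            result["ip_literals"].append(value)
        elif name == "all":
            result["all"] = qualifier or "+"
        else:
            result["other"].append(qualifier + term)
    return result


def unattributed_ip_literals(record: str, inventory: dict[str, str]) -> list[str]:
    """IP literals authorised to send as the domain that nobody in the sender inventory owns."""
    return [ip for ip in spf_sources(record)["ip_literals"] if ip not in inventory]


# Constructed sample records for example.com; 192.0.2.0/24 is a documentation range.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none;"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
SPF_SAMPLE = "v=spf1 include:_spf.mailvendor.example include:_spf.securemail.example ip4:192.0.2.25 -all"
SENDER_INVENTORY = {"192.0.2.25": "HR notification relay (constructed owner entry)"}

if __name__ == "__main__":
    for rec in (DMARC_MONITOR_ONLY, DMARC_ENFORCED):
        a = assess_dmarc(rec)
        print(rec, "-> enforcing:", a.enforcing, a.findings)
    print("unowned SPF senders:", unattributed_ip_literals(SPF_SAMPLE, {}))
    print("after inventory:", unattributed_ip_literals(SPF_SAMPLE, SENDER_INVENTORY))
```

Run against your own zone's TXT records, the DMARC assessment tells you whether receivers are being asked to act at all, and the SPF list gives you a to-do of IP literals that need a named owner before you can move to p=reject without breaking legitimate mail.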
KJ-07 Minimal additional surface — but completeness is the load-bearing assumption
Moderate Confidence
GitHub searches across 'benefitadvisorsnetwork.com', 'benefit advisors network', and several adjacent queries returned zero BAN-attributable results (ev_027, Admiralty A2). Zywave's own GitHub org (ev_025) holds only four C# repos, three archived. The lack of breach, CVE, or leak indicators is consistent across all queries. The conclusion is unlikely to be overturned by small amounts of additional surface, but the recon evidence base does not include certificate-transparency enumeration of *.benefitadvisorsnetwork.com or passive-DNS expansion. The premortem failure mode is that broker-facing portals (e.g., portal.* or members.*) exist and inherit the parent domain's weak DNS hygiene without being directly probed in this run. Confidence is moderate. Operator should treat completeness here as a working assumption rather than a closed question.