Pacific Maritime Association × Cloudflare
Talk to Cloudflare →
Executive Brief · Vendor Consolidation

One network for PMA’s edge, email, access & AI.

Cloudflare already sits in front of www.pmanet.org. Fold email security, DNS, the AWS origin, identity and AI governance onto that same network — fewer vendors, one control plane, and audit-ready logging for the association that keeps West Coast ports moving.

See the 8 plays → View the roadmap

Why this matters for PMA

Pacific Maritime Association represents ocean carriers and terminal operators across 29 U.S. West Coast ports — negotiating the ILWU longshore contract and administering payroll, benefits, hiring & dispatch for the longshore workforce. West Coast ports carry 40%+ of U.S. container imports and support roughly 9% of U.S. GDP (source: pmanet.org). That makes PMA a custodian of sensitive workforce PII/PHI and effectively critical supply-chain infrastructure — a profile that rewards fewer security vendors, one policy engine, and unified logging.

From vendor sprawl to one network

Every vendor below was identified from public DNS/headers for pmanet.org. The right is where it can all live — the network already serving the site.
6 vendors → 1 network
Cloudflareedge · today
AWSweb origin
GoDaddyDNS + payments
Mimecastemail security
Microsoft 365mail
WordPressCMS
Cloudflare one network · one bill · one control plane
Already in front of pmanet.org

Eight consolidation plays

Each maps to something running on pmanet.org today — or to a workload PMA already trusts Cloudflare to protect.
01

Cloudflare Email Security

↳ replaces Mimecast

PMA moves large payroll, pension and benefit dollars — a prime BEC/invoice-fraud target. Cloudflare Email Security sits in front of Microsoft 365 to stop phishing, spoofing and malicious links, with no separate gateway to run.

  • Identified: MX & SPF point to Mimecast + M365
  • Already an active upsell in evaluation *per account-team
  • One vendor for email + web + API security
02

Cloudflare One — Zero Trust

Access + WARP + Gateway

Put payroll, benefits and dispatch apps behind identity-aware Access (SSO via Microsoft Entra), and replace VPN for HQ at 555 Market St plus staff across 29 ports. Gateway + WARP add DNS/SWG filtering.

  • ZTNA for sensitive workforce systems — no VPN
  • Active upsell alongside Email Security *per account-team
  • Same edge as the WAF already protecting the site
03

Authoritative DNS

↳ migrate from GoDaddy

PMA already runs Cloudflare Secondary DNS. Promote Cloudflare to primary and retire GoDaddy’s domaincontrol.com nameservers — faster resolution, DNSSEC, and DNS managed beside the WAF.

  • Identified: NS = pdns09/10.domaincontrol.com
  • Cloudflare Secondary DNS already on contract *per account-team
  • One place for DNS, proxy & security records
04

Bring the origin onto Cloudflare

↳ consolidate the AWS origin

The apex resolves to an AWS host while www is already on Cloudflare. Move the WordPress front end to Pages/Workers (or fully proxy the origin) so every request — apex and www — rides one network end to end.

  • Identified: apex A 54.241.73.131 (Amazon)
  • Eliminate a split apex/www path & origin exposure
  • Cache & shield the WordPress origin
05

API Shield

Protect payroll & dispatch APIs

Payroll, benefits, registration and dispatch run on APIs. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline — building on the endpoints PMA already licenses.

  • PMA already holds 15 endpoints on contract *per account-team
  • Schema validation + mTLS / JWT enforcement
  • Stop credential stuffing & scraping at the edge
06

Page Shield

Client-side / payment protection

A WordPress site with a pay.pmanet.org payment link is exposed to client-side (Magecart) script attacks. Page Shield monitors every script and alerts on tampering with payment and form flows.

  • Identified: WordPress + pay.pmanet.org (GoDaddy commerce)
  • Detect rogue/modified third-party scripts
  • PCI-aligned client-side visibility
07

R2 — egress-free records archive

↳ offloads AWS storage egress

PMA retains decades of arbitration decisions, accident/safety data, dispatch summaries and annual reports. R2 stores them with $0 egress — a cheaper origin than AWS for media and the AI retrieval layer below.

  • S3-compatible API; zero egress fees
  • Natural origin for the site, media & AI
  • Web origin observed on AWS today (apex)
08

“Contract Copilot” — Workers AI + AI Gateway

Govern AI on your own network

Build a retrieval assistant over the longshore contract (PCLCD), arbitration history and benefits rules with Workers AI + AutoRAG + Vectorize — gated by Access, governed by AI Gateway (logging, caching, spend caps), guardrailed by DLP.

  • Answer contract/benefits questions instantly & safely
  • AI Gateway gives audit-ready logs across any model
  • AI Crawl Control to manage bots scraping PMA research

Consolidation roadmap

Land the active security expansion first, then consolidate DNS & origin, then unlock data & AI — all on the network already in front of pmanet.org.
Now — active opp

Land the security expansion

  • Email Security in front of M365 → retire Mimecast
  • Zero Trust (Access) on payroll / benefits apps
  • Turn on Page Shield for the payment flow
  • Tune the existing App Security Advantage + Spectrum
Next — consolidate

DNS, origin & APIs

  • Promote Cloudflare to primary DNS → retire GoDaddy
  • Move apex/WordPress origin off AWS onto Pages/Workers
  • API Shield on payroll & dispatch endpoints
  • WARP + Gateway for HQ + port-office staff
Expand — data & AI

One network, end to end

  • R2 archive for records & media → cut AWS egress
  • Contract Copilot on Workers AI + AI Gateway
  • Magic WAN to link HQ + port offices (NaaS)
  • Unified Log Explorer logging for audit

Consolidation snapshot

Current-state vendors are evidence-based from public recon; internal contract facts are marked *per account-team. Nothing here is assumed.
FunctionTodayHow it was identifiedOn Cloudflare
CDN / edge Cloudflare live www CNAME → cdn.cloudflare.net Already on Cloudflare
Email security Mimecast identified MX + SPF us._netblocks.mimecast.com Cloudflare Email Security
Mail platform Microsoft 365 SPF include spf.protection.outlook.com Access SSO via Entra ID
Authoritative DNS GoDaddy NS pdns09/10.domaincontrol.com Cloudflare DNS (Secondary live*)
Web origin AWS apex A 54.241.73.131 (Amazon) Pages / Workers / proxy
Payments GoDaddy Commerce pay CNAME → paylinks.commerce.godaddy.com Page Shield protects flow
CMS WordPress wp-content asset paths WAF + Bot + Page Shield
Non-HTTP apps Cloudflare Spectrum *team Current subscription (SFDC) Already on Cloudflare
SSE / Zero Trust In evaluation *team Active Q1’26 upsell (SFDC) Cloudflare One
AI governance Greenfield Workers AI + AI Gateway

How we know — observed on pmanet.org

No assumptions: every current-state vendor below was identified from public DNS records and mail configuration. Lookups performed 2026-06-30.
Cloudflare www → cdn.cloudflare.net AWS apex origin (Amazon) GoDaddy domaincontrol.com NS + payments Mimecast MX / SPF Microsoft 365 SPF outlook WordPress CMS
LIVE Checking the Cloudflare edge serving this page…