Corvus
Investigation Colophon · Methodology · Provenance

About this investigation

Full audit trail of how this report was produced — target identification, analytical techniques applied, tools that ran, gaps recorded, and the schema and skill versions used. Reproducibility is a forensic posture.

Confirmed Target · Type: Org

Allied Advisors Group, LLC

A health and welfare consulting firm providing advisory services to insurance agencies and financial practices.

  • Domain registered 2017, expires 2026
  • Member of Benefit Advisors Network (BAN)
  • Hosted on WordPress platform
§ 01

Investigation Metadata

Provenance
Investigation ID
26540acd-67cf-4dfa-8e6e-e34a3ed98ba1
Created
2026-05-28 18:40:20.02
Recon Started
Recon Completed
2026-05-28 18:55:18.65 · 14m 58s
Analysis Completed
2026-05-28 19:05:00.00 · 10m 0s
Total Duration
24m 58s · within 60-minute walltime budget
Wave Budget
39 enabled tools × multiplier 5 = 195 tool calls per wave
Stopping Rule M
4 consecutive empty calls · fired in Wave 1
Artifact Location
D:/RECON/allied-advisors-26540a
§ 02

Analytical Methodology

Structured analytic techniques · ICD 203
KAC Applied

Surfaced four assumptions worth stress-testing: identity (Allied Advisors Group LLC is the actual operating entity — supported by NAHU affiliation + registrar locks); currency (Wayback staff slugs reflect current staff — moderate-sensitivity, low-confidence); completeness (passive enumeration captured the actual surface — high-sensitivity, but corroborated across four independent corpora returning the same answer); intentionality (the sparse surface is incidental, not deceptive — supported by deception check). The currency assumption is the load-bearing limit on personnel-attribution confidence.

ACH Applied

Three hypotheses tested: H1 small-firm-with-incidentally-weak-posture (leading), H2 sophisticated-front-with-hidden-infrastructure (eliminated — four independent enumeration corpora corroborate the apex-only surface, A1-grade), H3 mid-transition-entity-with-unstable-footprint (eliminated — no M&A or rebrand signal in registry data, 9-year stable registration). H1 is supported by every load-bearing high-Admiralty evidence row with no surviving inconsistencies.

Premortem Applied

Identified two plausible failure modes for the leading hypothesis. (1) Staff currency: Wayback could include former staff; mitigated by emphasizing moderate confidence on individual personnel and the operator's ability to cross-check NAHU directories. (2) Hidden parallel infrastructure (e.g., cloud SaaS, vendor portals, internal apps not reachable from the apex domain): this would not appear in passive collection and cannot be ruled out from the current evidence base. Both failure modes are flagged in the relevant key_judgments rather than blocking the report.

Red Hat Applied

Constructed the adversary perspective for a phishing/BEC operator targeting the firm's insurance-agency client base. Seven red vectors identified, three severe (email spoofing via dual SPF + DMARC=none; spear-phishing roster from Wayback slugs + NAHU directories; domain hijack at near-term expiry), three moderate (Divi exploitation, M365 OAuth phishing, Mailchimp account compromise), one low (unsigned DNS). Paired blue controls for all seven plus two baseline hardening recommendations.

§ 03

Coverage

Schema v1.0
32 Entities
18 Relationships
9 Evidence
7 Judgments
7 Timeline
0 Geo
Confidence Distribution · Key Judgments
3 · High
4 · Moderate
High · multi-source, no surviving alternatives
Moderate · KAC stress or ACH margin
Low · sparse base or explicit caveat
§ 04

Tools Engaged

39 enabled · 9 fired · 0 gap
prestage:/enrich/domain 1
certspotter_enumerate 1
hackertarget_host_search 1
anubisdb_subdomains 1
wayback_cdx_search 1
commoncrawl_search 1
rapidapi_subdomain_finder 1
dns_lookup 1
dns_mail_auth 1
Integrity Hash
sha256:7582517a9af075f82d521c2853527d3936b43be6563b56584ef69ceef8c57160