About this investigation

Identity, currency, and source-integrity assumptions hold (RDAP cross-confirms DNS; recon timestamps fresh; primary registry + CT sources). Completeness assumption is MOD-confidence: three independent passive enumerators (AnubisDB, HackerTarget, certspotter) converge on a single subdomain (www), which very likely reflects the actual marketing-apex surface but cannot rule out a separately-hosted PHI client portal. This HIGH-sensitivity / MOD-confidence assumption is reflected in kj_003 confidence and explicitly surfaced as the kj_007 watch judgment.

Three competing hypotheses tested: H1 (WordPress.com platform-default brochureware), H2 (mature security org accepting platform defaults), H3 (dormant brochureware). H2 is contradicted by DMARC p=none + Observatory C- + 51-domain shared cert (A1/A2 inconsistencies). H3 is contradicted by 2025-04 Wayback capture showing active maintenance and 2025-09 RDAP update (A1/A2 inconsistencies). H1 is the leading hypothesis with lowest weighted inconsistency.

Walked back the leading hypothesis from a hypothetical 6-12 month future failure. Dominant failure mode is the existence of a separately-hosted PHI-handling client portal under a different apex that passive recon of the marketing apex did not enumerate. Surfaced as kj_007 (LOW confidence watch judgment) and r_07 / b_07 (recon-scope extension recommendation).

Applied because target.type=org and the evidence base is non-trivial (18 entities, 13 relationships, 5 vulnerabilities surfaced). Generated 7 red vectors anchored to actual recon evidence: DMARC spoofing, XML-RPC amplification, REST API user enumeration, typosquat phishing, WP stack CVE exposure, shared-cert reputation contamination, and undiscovered sibling apex. Each paired with a blue control plus 3 baseline blues.