Summary

  • Deloitte Touche Tohmatsu Services, LLC is a verified corporate network operator, not a verified regional internet access provider. RIPE's AS42633 registration names the autonomous system DeloitteToucheTohmatsu-Global and links it to the LLC, while Deloitte's own organization-structure description says the wider organization is a network of legally separate firms that share investments and resources.
  • The current public edge is active and compact. RIPEstat's routing status counted six overlapping IPv4 route entries covering 1,024 unique addresses, two IPv6 /36s equal to 8,192 /48 networks, full visibility from the listed IPv4 and IPv6 route collectors, and three observed neighbours on 10 July 2026.
  • The route set changed materially between late 2025 and April 2026. The current announced-prefix list is built around 170.194.176.0/23, 170.194.178.0/23 and two DGTS Germany-linked IPv6 /36s; RIPEstat's routing history shows a much larger older group of North American-registered routes disappearing from observation by late April 2026. The public data establishes a transition, not its cause.
  • GTT was visible immediately before AS42633 across every current aggregate examined; Verizon Business was also visible on one IPv4 pair and one IPv6 block, and a third adjacency appeared sparsely. That is evidence of logical upstream choice, not proof of separate buildings, ducts, power feeds or carrier entrances. A local office, access circuit or edge site can still fail while AS42633 remains globally reachable.

The category correction is the first finding

The name Deloitte Touche Tohmatsu Services, LLC and the presence of an autonomous system can produce a tempting but incorrect shortcut. An autonomous system connects to the internet, so the holder must be an internet service provider; if the holder has several carrier paths, it must operate a regional connectivity network; if the company is global, that network must reach offices and customers everywhere. None of those conclusions follows automatically from the routing evidence.

The public evidence supports a corporate routing edge. It does not support a retail broadband business. No current Deloitte page found for this company offers household or small-business internet plans, an address checker, installation fees, speed tiers, towers, fixed-wireless coverage, fibre routes, pole access, customer-premises radios or a repair commitment for subscriber drops. The strongest company-controlled material describes professional services and a global organization of independent firms. Deloitte's about page places the organization in 150 countries and territories; its FY2025 revenue announcement reports aggregate revenue of $70.5 billion and more than 470,000 people. These are measures of a professional-services organization, not of an access carrier's service territory.

The distinction matters because the physical infrastructure problem changes with the category. A regional ISP's core obligation is to keep customer access working from a street, building, tower or local exchange to an upstream edge. Its cost and failure surface includes drops, cabinets, ducts, poles, radio sectors, customer equipment, installers and field crews spread across a service area. A corporate autonomous system can be much narrower. It may carry internet-facing enterprise services, secure access, shared systems, cloud connections, office egress or other institutional traffic from a few network locations.

Its users can be numerous and geographically dispersed without the AS holder owning the local access circuit to any one of them.

AS42633 therefore deserves infrastructure analysis, but not under the regional-ISP label. The safe description is a globally relevant enterprise network operated in the name of Deloitte Touche Tohmatsu Services, LLC, with current public routing concentrated in a central-European context. The physical questions are carrier handoffs, edge routers, facilities, local loops, power, security controls, operating staff and failover. The public record does not show a subscriber access plant or a regional connectivity bill paid by outside broadband customers.

This is not a semantic downgrade. Category errors alter who is presumed to be affected and which recovery promises readers expect. If a regional ISP fails, homes and businesses may lose general internet access. If this Deloitte edge fails, the directly affected population would be the people and systems that actually depend on the routed blocks or paths. That could include professionals, shared services, remote access or public applications, but the route table does not identify those workloads.

Deloitte's total workforce should not be treated as the subscriber count of AS42633, and the organization's global revenue should not be treated as network capacity.

One brand, several legal and resource boundaries

The entity name is precise for a reason. Deloitte's own network-structure page says Deloitte Touche Tohmatsu Limited, its member firms and related entities form the Deloitte organization, while the member firms remain separate and independent legal entities. It also says those firms benefit from shared investments and resources. That combination, legal separation alongside shared infrastructure, is the right frame for reading the internet registrations.

The corporate status evidence is current. Florida's official foreign LLC record lists Deloitte Touche Tohmatsu Services, LLC as active, formed in Delaware, with its principal and mailing address at 1221 Avenue of the Americas in New York and a 2026 annual report filed on 7 February. RIPE's organization record for ORG-DEO1-RIPE names the same LLC, gives US country status and New York and Delaware registration numbers, and links the organization to the AS registration.

Those addresses establish legal and administrative touchpoints. They do not establish a router location. A principal office in New York, a RIPE contact address in Tennessee and a corporate filing address in Florida are not evidence that AS42633's current packets enter the internet in any of those places. Corporate registries answer who is registered and where notices can be sent. Route collectors and network measurements answer where a route is visible. Neither, by itself, identifies a rack, a cage or a fibre entrance.

The resource registrations reveal another boundary. ARIN's RDAP record for 170.194.0.0/16 lists a direct allocation named DTTS-IP, registered in 1994, and names Deloitte Touche Tohmatsu Services, Inc. as registrant. The record also exposes operational contact roles labelled DTTL GNOC, DTT Domain Admin and DTS Level 3 Network Engineers. RIPE, meanwhile, names the LLC as the holder of AS42633. The present IPv4 routes sit inside that older ARIN allocation.

The current IPv6 space has a European registration boundary. RIPE's search result for 2a10:4780::/32 records the allocation to DGTS Germany GmbH under country code DE. RIPE's organization record for that allocation holder lists a Dusseldorf address and identifies it as the sponsoring organization on AS42633's current RIPE record. Two /36s from that /32 are now originated by the LLC's AS.

These records should not be stretched into a corporate organization chart. They do show a practical control chain that any resilience assessment has to resolve: one name holds the AS, another related Deloitte name remains on the North American address allocation, and a Germany-registered Deloitte name holds the IPv6 parent allocation. The public records do not say which legal entity owns the routers, signs each carrier contract, controls each facility access list, pays each power bill or dispatches each engineer. In a failure, those distinctions determine who can authorize a change and who must call a supplier.

What AS42633 announces now

The live edge is clearer than the ownership map. RIPEstat's AS overview identified the holder as DeloitteToucheTohmatsu-Global Deloitte Touche Tohmatsu Services, LLC and marked AS42633 announced at the 10 July 2026 observation point. The routing-status result reported visibility from all 327 listed IPv4 RIS peers and all 321 listed IPv6 RIS peers. This is strong evidence that the current edge was globally propagated, not a dormant registration.

The IPv4 footprint needs careful counting. RIPEstat's announced-prefix result lists six IPv4 route entries: 170.194.176.0/23 and its two more-specific routes, 170.194.176.0/24 and 170.194.177.0/24; plus 170.194.178.0/23 and its two more-specific routes, 170.194.178.0/24 and 170.194.179.0/24. Six entries do not mean six independent address blocks. The four /24s are contained inside the two /23s. The unique address coverage is 1,024 IPv4 addresses, exactly the figure in RIPEstat's AS routing status.

That overlap is operationally meaningful. Advertising both an aggregate and more-specific routes can support traffic engineering or controlled fallback. A network may announce an aggregate through one set of paths and /24s through another to influence where inbound traffic enters. The existence of the advertisements does not reveal the intended policy, and the public paths do not prove every route is accepted equally by every network. What can be said is that the route design is deliberate enough to maintain both covering and more-specific entries.

The prefix records confirm the common origin. RIPEstat shows 170.194.176.0/23 and 170.194.178.0/23 announced by AS42633, with each aggregate related to its two /24s. The individual views for 170.194.176.0/24, 170.194.177.0/24, 170.194.178.0/24 and 170.194.179.0/24 show the same origin.

The IPv6 footprint consists of 2a10:4780:4000::/36 and 2a10:4780:5000::/36, both originated by AS42633. A /36 contains 4,096 /48 networks, so the two routes represent 8,192 /48 equivalents. That is a large addressing canvas, but it is not a count of connected offices, users, devices or active subnets. IPv6 address mathematics describes allocation depth; usable service depends on routing, security policy, host configuration, local access and operational design.

Route-origin authorization is present across the current set. RIPEstat reported the two aggregates 170.194.176.0/23 and 170.194.178.0/23 valid for origin AS42633. Each more-specific also has its own valid authorization, including 170.194.176.0/24 and 170.194.179.0/24. The two IPv6 routes are likewise valid in the checks for 2a10:4780:4000::/36 and 2a10:4780:5000::/36. That reduces one class of accidental or unauthorized origin risk. It does not protect against a correct origin withdrawing its routes, a carrier circuit failing or an edge site losing power.

A visible route transition, with no public explanation

The most company-specific infrastructure fact is not the raw size of AS42633. It is the recent change in what the AS originates. The routing-status pages date the first observation of 170.194.176.0/23 and 2a10:4780:4000::/36 to 29 October 2025. They date the first observation of 170.194.178.0/23 and 2a10:4780:5000::/36 to 6 February 2026. All four aggregate routes remained fully visible at the July observation point.

RIPEstat's 2025-2026 routing history shows an older portfolio alongside the new one for several months. The older visible set included 170.194.72.0/21, 170.194.80.0/21, 170.194.96.0/20, 170.194.104.0/21, 170.194.112.0/20, 170.194.120.0/21, 170.194.144.0/21 and 2620:118:a000::/47, among related entries. Those routes ended their observed timelines between 20 and 28 April 2026 in the queried period.

That history explains why third-party ASN pages can disagree about the current address total. Some still report more than 15,000 IPv4 addresses or list many older ranges. Such figures can be accurate for an earlier route snapshot and wrong for the live edge. The July RIPEstat count is 1,024 unique announced IPv4 addresses. The larger ARIN /16 allocation still exists, but an allocation is not the same as a current BGP announcement. Registered, announced, configured and actively used capacity are four different quantities.

The sequence looks like a controlled migration: new IPv4 and IPv6 routes appeared in two pairs, older routes continued for a time, and the old set later left the observed table. That is an inference from timing, not a disclosed project description. Public routing data cannot tell whether Deloitte moved applications, consolidated internet gateways, adopted a new architecture, changed carriers, renumbered systems, shifted to cloud services, retired facilities or simply changed route policy. It also cannot say whether workloads on the old ranges moved to the new ranges at all.

The absence of an explanation makes change risk part of the analysis. A route transition can improve resilience by introducing new sites, dual-stack service and more coherent origin security. It can also expose dependencies during DNS changes, firewall updates, allow-list maintenance, certificate renewal, remote-access configuration and carrier cutovers. A clean public route state after the change is encouraging. It does not show whether every dependent application, office and third party removed old address assumptions.

The old IPv6 allocation illustrates the same distinction. ARIN's 2620:118:a000:: allocation is registered to Deloitte Touche Tohmatsu Services, Inc. and covers a /44 parent range; AS42633's history shows a /47 from that space until April 2026. The current IPv6 routes instead come from the Germany-registered 2a10:4780::/32. Registration persists after routing can stop. A buyer, supplier or security team that relies only on registry ownership can miss an operational migration already visible in BGP.

The upstream picture is diverse in logic, unknown in concrete

AS42633's registered policy is broad. The RIPE aut-num record declares import and export policy for ten autonomous systems, including AS3257, AS702 and AS286. Registered policy is an operator-maintained statement of intended relationships; it is not proof that every session is active, carries the same routes or exists at a physically independent site.

The observed view is narrower. RIPEstat's ASN-neighbours result counted three unique left-side neighbours on 10 July 2026: AS3257, AS702 and AS286. RIPEstat's identity view names AS3257 GTT-BACKBONE and AS702 Verizon Business. AS286 appears as a sparse third direct adjacency in the collected paths; its registry naming reflects legacy carrier history and is less useful than the ASN for identifying the path.

The path distribution is not uniform. RIPEstat's looking-glass data for 170.194.176.0/23 contains many paths ending AS3257 AS42633 and many ending AS702 AS42633, plus a sparse AS286 adjacency. The 170.194.178.0/23 view is dominated at the final hop by AS3257. The IPv6 views show a similar split: 2a10:4780:4000::/36 is visible through both GTT and Verizon paths, while 2a10:4780:5000::/36 is overwhelmingly visible through GTT immediately before AS42633.

This is stronger than a single-upstream edge, but it is not a resilience certificate. Two carrier ASNs can enter the same building through the same duct. Two logical sessions can terminate on one router. A primary and backup circuit can share a metro provider before reaching their named upstreams. Separate IPv4 and IPv6 policies can fail differently. One carrier may carry only selected more-specific routes, leaving an aggregate path that is less preferred or too small for peak traffic after failover.

The carrier mix also does not reveal commercial capacity. BGP says which path can advertise reachability. It does not expose committed information rates, burst allowances, congestion, packet loss, denial-of-service controls, repair priority or contract escalation. A route may fail over correctly while application performance collapses because the surviving path cannot carry the normal load. Installed transit is not the same as tested usable transit under stress.

The right conclusion is therefore balanced. AS42633 has visible upstream choice and globally propagated routes. Its current edge does not look abandoned or casually configured. Yet the public record cannot prove that GTT, Verizon and the sparse third adjacency are independent in facility, local-loop, power and router terms. Logical diversity lowers risk only to the extent that physical and operational diversity support it.

The strongest location signal points to central Europe

The corporate holder is US-registered, but the current routes carry a European operating signal. The IPv6 parent allocation is registered in Germany. RIPE's looking-glass community interpretation repeatedly marks GTT paths for the current routes as customer routes originating in Europe and central Europe, with Frankfurt or Dusseldorf labels appearing across the route set. Those labels are carrier routing metadata, not a facility lease, but they are more relevant to packet entry than a New York mailing address.

An independent measurement signal points the same way. IPinfo's 170.194.176.0/23 page reports a June 2026 traceroute reaching AS42633 from Frankfurt through AS3257 and lists responding routers in Frankfurt. It also warns that the displayed country is the legal home of the resource holder and may not be where addresses are used. This is exactly the distinction the Deloitte records require.

The evidence supports a central-European edge and likely activity around German carrier locations. It does not identify an exact building. Frankfurt and Dusseldorf are different metro areas; community labels can reflect where a carrier learned a route rather than where every router or workload sits. A traceroute endpoint can be a border interface, a tunnel endpoint or an anycast-like service location. Geolocation databases can copy each other's assumptions. The prudent wording is that current route-origin and measurement signals are concentrated in Germany and central Europe, not that Deloitte owns a named data centre there.

This uncertainty affects the recovery model. If the two route pairs correspond to two metro sites, they may offer geographic separation. If they are two address groups in one facility, they do not. If one is Frankfurt and one Dusseldorf, the distance could reduce some shared metro risks while preserving common carrier, cloud or operational dependencies. If the routes are delivered through managed services, Deloitte may control policy while a supplier controls the last physical intervention.

The public record also does not describe power. No source examined states the number of utility feeds, UPS runtime, generator arrangement, fuel contract, cooling design or maintenance access behind the current edge. Enterprise routing equipment needs little space compared with a data hall, but it still needs conditioned power, cooling, physical security and hands capable of replacing a failed line card, optic, power supply or cable. A globally visible /36 can disappear because of a very local electrical fault.

Installed address space is not usable service capacity

The numbers around AS42633 are easy to overread. The ARIN /16 contains 65,536 IPv4 addresses. Only 1,024 unique IPv4 addresses were announced by the AS at the July observation point. The six visible IPv4 entries include four more-specifics inside two covering routes, so adding their nominal sizes would double count the same addresses. The two IPv6 /36s are vast in address count but modest as a routing design, representing two aggregate blocks from one /32 allocation.

None of these figures measures throughput. A /23 can sit behind a 1Gbps circuit or a 100Gbps edge. It can host many lightly used services or a few demanding gateways. It can be reserved, firewalled or sparsely populated. An IPv6 /36 can serve thousands of routed sites or only a small number of test and production segments. Prefix count is useful for understanding routing policy and blast radius; it is a poor substitute for bandwidth, session load, application demand or customer count.

The more-specific /24s add another capacity question. They create options for steering inbound traffic, but those options work only when route policy, carrier acceptance and surviving bandwidth align. If 170.194.176.0/24 prefers Verizon while its covering /23 remains through GTT, losing one path may cause traffic to fall back to the other. That is useful only if the fallback is accepted, configured, monitored and large enough. The public table shows possible paths, not a successful failover test.

Usable capacity also depends on the systems behind the border. Firewalls, secure web gateways, remote-access concentrators, load balancers, domain-name services and identity controls can become narrower bottlenecks than the carrier circuit. The sources do not identify which of these functions AS42633 carries, so they should be treated as verification targets rather than facts. The general principle is unavoidable: internet reachability ends at a border unless the application and security layers behind it are also healthy.

The current dual-stack state is a positive sign. Both IPv4 and IPv6 aggregates were fully visible in the listed collectors, and all checked origins were authorized. Yet dual stack creates parallel failure modes. A service can work over IPv4 and fail over IPv6, or the reverse. DNS may return both address families while one path is degraded. Firewall and monitoring policy must be consistent across them. Two address families are useful redundancy only when application behavior and operations are designed for the difference.

A global route can coexist with a local outage

The regional-ISP framing assumes that the public AS is the service. For an enterprise network, the public AS is only one layer. A Deloitte office or delivery site may buy a local access circuit from a carrier, use customer-premises equipment at the building, connect through a managed wide-area service, and reach shared systems through AS42633 or through entirely different cloud and internet paths. The public route table does not map those access links.

That creates the first major failure path: an access cut with a healthy global AS. Construction can sever a building fibre. A local carrier can lose an aggregation node. A router, software-defined WAN appliance or optical handoff at one office can fail. Building power can disappear after batteries expire. AS42633's two IPv4 aggregates can remain visible to every RIPE collector while one location cannot reach them. Global BGP visibility is not a measure of local office availability.

The second path is an edge-site failure. If a border site loses power, cooling or its carrier entrance, the impact depends on whether routes withdraw and whether equivalent service exists elsewhere. Clean withdrawal can be safer than partial failure because remote networks stop sending traffic to a dead edge. A stuck advertisement can black-hole traffic. A stateful firewall cluster can keep a route alive while dropping sessions. Public BGP may show the route but not the service failure behind it.

The third path is upstream loss. The current route pattern gives AS42633 more than one observed option, but the options differ by prefix. Losing Verizon may affect the 176/4000 route pair differently from the 178/5000 pair, which appears much more dependent on GTT in the public view. Losing GTT could force substantial traffic toward a path that was designed mainly for backup or could remove the only widely observed immediate upstream for one pair. Without capacity and preference data, the size of degradation is unknown.

The fourth path is a configuration failure during change. The route portfolio changed recently. A mistaken route filter, expired authorization, bad maximum-prefix setting, uncoordinated firewall update or stale third-party allow-list can impair service without breaking every BGP session. The valid current RPKI state is reassuring, but origin validation protects only the authorization relationship between prefix and AS. It cannot detect a wrong next hop, a missing application rule or a dependent partner still permitting only the retired address space.

The fifth path is operational access. ARIN records show named network-operations and engineering roles, which is stronger evidence of an institutional support function than a generic abuse mailbox. They do not disclose headcount, on-call coverage, supplier escalation, spares, access rights or repair targets. If equipment sits in a third-party facility, the person diagnosing the problem may not be the person permitted to touch it. Recovery can wait on remote hands, carrier dispatch, security approval or a replacement optic even when the network team knows exactly what failed.

The sixth path is common control. Several legal and resource names appear in the registrations, while the Deloitte organization itself stresses legal separation. Shared infrastructure can produce efficiency and consistent security, but it can also make authorization slower when responsibility is unclear. A carrier may contract with one entity, a prefix may be registered to another, the AS may be held by a third name, and a local site may be operated by a member firm. Public data does not show that this is the case for a specific incident; it shows why the ownership boundary must be documented before an incident.

Who is actually exposed

The affected-user boundary must stay narrow because the application inventory is not public. Deloitte's 2025 people report gives a total headcount of 473,050 across the organization. Deloitte's governance report says the organization spans more than 150 countries and territories with governance at global, member-firm and local levels. These figures show the scale at which shared technology can matter. They do not show that every person, country or client session uses AS42633.

Direct exposure belongs only to workloads and access paths that depend on the current prefixes or upstreams. If an internet-facing service uses 170.194.176.0/23, its users are exposed to that route pair and its edge. If a remote-access gateway uses the 5000 IPv6 block, employees assigned to it are exposed. If an office reaches shared systems through a separate provider or cloud service, an AS42633 incident may have little effect. The route table cannot resolve those differences.

Indirect exposure can still be significant. Professional-services work depends on communication, identity, document access, research systems, secure client exchange and collaboration. A failure in a shared network service can delay teams even when the client is not directly connected to Deloitte's AS. The impact mechanism could be unavailable applications, failed authentication, interrupted remote sessions, delayed file transfer or degraded access between regions. Those are plausible mechanisms, not confirmed uses of the current routes.

Client impact also depends on separation. Deloitte's legal structure says member firms operate independently in their territories. Some may use globally shared resources, some local systems and some public cloud platforms reached through other networks. A single AS incident should not be described as an outage for the entire Deloitte organization unless measured evidence shows that breadth. Scale makes concentration important, but scale does not prove concentration.

This is another reason the regional-ISP category fails. There is no evidenced population of retail subscribers whose general internet access is supplied by Deloitte Touche Tohmatsu Services, LLC. The likely users are institutional, and their dependency may be partial. The article can identify the control surface and failure mechanism without inventing a customer base.

The economics are those of shared enterprise infrastructure

A regional ISP earns revenue by connecting customers and must balance access construction, subscriber density, transit, support and repair. AS42633 appears on the other side of that transaction. Its observable cost base is more likely institutional overhead: carrier circuits, internet transit, address and routing administration, edge equipment, facilities, security controls, monitoring, engineering, remote hands and local access bought from telecommunications providers.

The Deloitte organization says member firms benefit from shared investments and resources. Network infrastructure can be one such economy of scale, although no Deloitte source examined assigns AS42633 a particular budget or service charter. A shared edge can standardize security, simplify carrier buying and create reusable connections. It can also concentrate failures if too many services depend on the same sites, policies or teams.

Redundancy has an economic threshold. A second carrier is not valuable simply because its ASN appears in a route path. Value comes from a second failure domain: separate local loops, entrances, routers, power, contractual support and enough capacity to carry demand. A third logical neighbour may add little if it is rarely used or shares infrastructure. Conversely, one carrier ASN can deliver strong physical diversity through multiple sites. The route table shows procurement outcomes only indirectly.

Field repair has a different meaning here than for a local broadband provider. It may involve an authorized technician replacing an optic in a carrier facility, a local supplier repairing a building access loop, an enterprise engineer changing route policy, or a facility operator restoring power. The public registrations show network roles but no evidence of Deloitte-owned crews maintaining poles, towers or street fibre. The relevant labor question is coordination across enterprise staff and suppliers, not the size of a residential installer fleet.

The recent route transition adds migration cost. Old addresses may remain in partner allow-lists, security logs, certificates, monitoring rules, documentation and vendor portals after BGP changes. New IPv6 ranges require policy parity and operational familiarity. Running old and new edges in parallel for months can reduce cutover risk but increases temporary complexity. The history shows parallel visibility; it does not disclose whether the transition met its operational goals.

What would prove resilience rather than merely suggest it

The public record is strong enough to confirm an active AS and weak enough to leave the physical design open. A credible resilience claim would need a topology that distinguishes routing sessions from circuits, circuits from fibre routes, and route groups from service locations. It would identify where the 176/4000 and 178/5000 pairs originate, which routers carry them, and whether GTT, Verizon and the third adjacency arrive through independent entrances and facilities.

Power evidence would identify utility feeds, UPS runtime, generator coverage, fuel arrangements and the last successful load test at each edge location. Facility evidence would identify who provides remote hands, which parts are stocked, who can authorize emergency access and how long a line card, optic or firewall replacement should take. Carrier evidence would identify committed bandwidth, repair priority, escalation rights and the date of the last real failover exercise.

Service evidence would map workloads to prefixes without exposing sensitive architecture. It would state whether the edge supports office egress, remote access, public applications, shared services or another function, and which regions can continue when one route pair disappears. A dependency map would separate local office connectivity from the AS42633 internet edge so that a green BGP dashboard is never mistaken for end-to-end availability.

Change evidence would explain the 2025-2026 transition. The useful questions are whether the new routes replaced the old routes, whether applications were renumbered, whether DNS and external allow-lists were reconciled, whether IPv6 is production traffic, and whether the old sites or carriers were retired. The route history can show when visibility changed. Only operational records can show whether the change improved service.

Incident evidence would be even more persuasive. A record of actual failover, restoration time and surviving capacity demonstrates more than an architecture diagram. If the 176 route pair lost one upstream, did traffic move without application failure? If the 5000 IPv6 route lost GTT, was another path available? If a local site lost power, did the service move or merely withdraw? None of these answers is public.

For the regional-ISP claim, the missing evidence is more fundamental. Restoring that category would require customer internet products, serviceable geography, access technology, orderability, outside subscribers, installation processes and repair obligations. The current company, registry and route evidence does not provide them. An autonomous system and upstream carriers are necessary tools for many network operators; they are not proof of a retail access business.

Final assessment

Deloitte Touche Tohmatsu Services, LLC has a strong current network-evidence grade as the holder of an active enterprise AS. The LLC is active in a current state filing, RIPE links it directly to AS42633, the present routes are visible throughout the listed collectors, the checked origins are valid, and several upstream paths are observable. The route portfolio is also unusually informative: it records a shift from a larger older North American set toward two new IPv4 route groups and two Germany-registered IPv6 groups between October 2025 and April 2026.

The evidence grade for a regional ISP is negative. No public material establishes last-mile customers, coverage, fibre or wireless access plant, poles, towers, retail tariffs, subscriber equipment, installation teams or field-repair commitments. The title and category must follow that result. This is an institutional infrastructure story about a global professional-services network's public edge, not a local broadband bill.

The resilience verdict is medium. Logical diversity, dual-stack routing, full observed visibility and valid origin authorizations are real strengths. Physical diversity, edge-site geography, power, capacity under failover, workload mapping, operational staffing and repair authority remain undisclosed. GTT is visible across every current aggregate examined, Verizon adds a second path to one IPv4 and one IPv6 route group, and a third adjacency appears sparsely. That is enough to test redundancy, not enough to declare it.

The operational lesson is precise. AS42633 can remain healthy while a Deloitte location or application is unreachable; it can also withdraw cleanly while registered address space remains unchanged. The next useful evidence is not a larger address count. It is proof that route groups, carriers, facilities, power and people fail independently, and that the systems behind them recover as designed.