What is the Cyber Defense Score™?

The Cyber Defense Score™ is an A–F letter grade plus a 0–100 numerical score produced by a 100-tool external attack surface scan. It shows you exactly what cyber insurance underwriters see when they assess your business. It is mapped to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness.

How does Cyber Defense Agent help with cyber insurance?

Cyber Defense Agent runs the same external scans that cyber insurance underwriters use to assess your risk. By scanning first, you can identify and fix gaps (missing MFA, DMARC, open ports, SSL issues) BEFORE your renewal or new application. This helps you avoid denials, reduce premiums, and pass underwriting on the first attempt.

What do cyber insurance underwriters scan for?

Underwriters typically scan for: MFA enforcement across all remote access, DMARC/SPF/DKIM email authentication, open RDP ports (3389), SSL/TLS configuration, known vulnerabilities in public-facing services, DNS security, and evidence of endpoint detection (EDR). Cyber Defense Agent checks all of these in 60 seconds.

Can Cyber Defense Agent help me lower my cyber insurance premium?

Yes. Carriers offer premium discounts of 10–25% for businesses that demonstrate strong security posture. By fixing the gaps Cyber Defense Agent identifies and presenting your Cyber Defense Score™ and trust page to your broker, you provide concrete evidence of risk reduction that carriers reward with lower premiums.

Why was my cyber insurance application denied?

The most common denial reasons are: no MFA on email and remote access (41% of denials), missing DMARC email authentication, open RDP ports, no EDR/endpoint protection, and no incident response plan. Cyber Defense Agent scans for all of these and shows you exactly what to fix before reapplying.

How long does a Cyber Defense Agent scan take?

A full 100-tool external attack surface scan completes in approximately 60 seconds. No software installation, no questionnaires, and no credit card is required to get started. You see the same view of your attack surface that underwriters see.

What frameworks does Cyber Defense Agent map to?

Cyber Defense Agent maps scan results to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness. These are the same frameworks cyber insurance carriers reference in their underwriting guidelines.

How much does Cyber Defense Agent cost?

Essentials starts at $149/mo ($1,490/yr). Pro is $349/mo ($3,490/yr) and includes internal scanning, SOC 2 readiness, and full MCP toolset. Enterprise is $999/mo ($9,990/yr) with daily scans, custom framework mapping, and a dedicated AI agent instance. MSP partners pay $79/business/mo with a 25-business minimum. The free scan is always free.

How do I prepare for cyber insurance renewal?

Start 60–90 days before renewal. Run a Cyber Defense Agent scan to identify gaps. Fix critical items: enforce MFA everywhere, deploy DMARC, close open ports, update EDR. Re-scan to verify improvements. Present your Cyber Defense Score™ and trust page to your broker as evidence of improved posture. This positions you for renewal without premium increases or coverage reductions.

What is a trust page?

A trust page is a public cybersecurity posture page hosted at trust.cyberdefenseagent.ai/{your-slug}. It displays your Cyber Defense Score™, framework compliance status, and last scan date. Brokers, underwriters, and business partners can verify your security posture in 60 seconds instead of reviewing 30-page questionnaires.

Guide

Network Segmentation for Small Businesses

A flat network lets attackers move freely once they gain access. Network segmentation limits lateral movement, contains breaches, and is increasingly required by cyber insurers.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Get My Cyber Defense Score™ →Book a 30-min review

In this guide

1. Why flat networks are dangerous
2. VLANs and practical segmentation
3. Micro-segmentation and zero trust principles

Why flat networks are dangerous

A flat network is one where all devices — workstations, servers, printers, IoT devices, guest WiFi — share the same network segment with unrestricted communication between them. In a flat network, an attacker who compromises any single device can immediately see and attack every other device. This is how ransomware spreads so quickly: once inside, it scans the local network for other vulnerable systems and spreads laterally, encrypting everything it can reach. In a flat network, that's everything. Real-world consequences: - A compromised IoT device (security camera, smart thermostat) becomes a pivot point to attack servers - A phished employee's workstation gives direct access to file servers and databases - Guest WiFi users can access internal resources - A single ransomware infection can encrypt your entire network in minutes Network segmentation breaks your network into isolated zones, limiting what an attacker can reach from any single compromised device. Compliance frameworks (NIST CSF, CIS Controls, PCI DSS) and cyber insurance carriers increasingly require segmentation as a baseline security control.

VLANs and practical segmentation

VLANs (Virtual Local Area Networks) are the most practical way for small businesses to implement network segmentation using existing network equipment: Recommended segments for SMBs: 1. Corporate workstations — Employee computers and laptops 2. Servers — File servers, application servers, domain controllers 3. Guest/BYOD — Guest WiFi and personal devices 4. IoT/OT — Printers, cameras, smart devices, HVAC systems 5. VoIP — Phone systems (if applicable) 6. Management — Network equipment management interfaces Implementation steps: 1. Audit your network — Inventory all devices and classify them by function and sensitivity. 2. Plan your VLAN scheme — Assign each category to a VLAN with its own IP subnet. 3. Configure your switch — Create VLANs on managed switches and assign ports. Unmanaged switches cannot do VLANs — this is a reason to upgrade. 4. Set up a firewall between VLANs — Use your firewall or router to control traffic between VLANs. Default deny, then explicitly allow only required communication. 5. Configure WiFi SSIDs — Map separate WiFi networks to different VLANs (corporate vs. guest). Cost: Most managed switches support VLANs. If you're already using a business-grade firewall (SonicWall, Fortinet, Meraki), you likely have the capability today.

Micro-segmentation and zero trust principles

Beyond VLANs, advanced segmentation approaches provide even stronger protection: Micro-segmentation applies firewall rules at the individual workload or application level, rather than just the network level. Instead of segmenting by VLAN, micro-segmentation controls which specific applications and services can communicate with each other. Zero trust network principles: 1. Never trust, always verify — No device or user is trusted by default, even inside the network 2. Least privilege access — Users and devices only get access to the specific resources they need 3. Assume breach — Design your network as if an attacker is already inside 4. Continuous verification — Authentication and authorization happen continuously, not just at login Practical zero trust steps for SMBs: - Implement identity-aware access (conditional access policies in M365/Google Workspace) - Use MFA for all access, especially remote and privileged - Deploy endpoint compliance checks (device health, patching status) before granting access - Segment your network so compromise of one zone doesn't affect others - Monitor east-west (internal) traffic for anomalies, not just north-south (perimeter) Zero trust is a journey, not a product. Start with network segmentation (VLANs), add identity-aware access (MFA + conditional access), and progressively tighten controls.

Key Takeaways

TL;DR

Flat networks allow ransomware and attackers to spread freely — segmentation is essential.

VLANs are the most practical starting point for SMB network segmentation.

Segment at minimum: corporate, servers, guest WiFi, IoT, and management networks.

Zero trust is a journey: start with segmentation, add identity controls, then micro-segment.

Official Sources

NIST SP 800-125B (Secure Virtual Network Configuration)CISA Zero Trust Maturity Model

FAQ

Frequently asked questions

Do I need new equipment for network segmentation?

Not necessarily. Most business-grade managed switches already support VLANs. If you're using consumer-grade unmanaged switches, you'll need to upgrade to managed switches ($100-$500 each depending on size). Your firewall needs to support inter-VLAN routing and filtering, which most business firewalls (SonicWall, Fortinet, Meraki, pfSense) already do.

What is the minimum segmentation a small business should have?

At minimum, separate guest WiFi from your corporate network, isolate IoT devices (printers, cameras) from servers and workstations, and put servers on their own segment. These three separations provide the most impact for the least complexity.

How does network segmentation help with ransomware?

Ransomware spreads by scanning the local network for other vulnerable systems. In a segmented network, a compromised workstation can only see other devices in its VLAN. Firewall rules between VLANs prevent the ransomware from reaching servers, backups, or other segments — containing the blast radius.

Related Guides

Continue reading

MFA Enforcement: The Complete Guide Privileged Access Management for SMBs EDR for Small Businesses: Complete Guide

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card. Real evidence.

Get My Cyber Defense Score™ →Book a 30-min review with Farhad