Definitive Guide

Building a Patch Management Policy

Unpatched vulnerabilities are the #2 attack vector behind stolen credentials. A patch management policy with clear SLAs keeps you protected and compliant.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Why patching matters more than ever

Unpatched software is one of the most exploited attack vectors. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks vulnerabilities actively used by attackers — and many of them have patches available for months or years before organizations apply them.

The cost of not patching is severe:

- Ransomware groups specifically scan for unpatched systems (MOVEit, Log4j, Exchange vulnerabilities)
- Cyber insurance carriers ask about patch management practices during underwriting
- Compliance frameworks universally require timely patching (FTC Safeguards, NIST CSF, CIS Controls, HIPAA)
- The average time from vulnerability disclosure to active exploitation has dropped to under 15 days

A patch management policy formalizes your approach: what gets patched, how quickly, by whom, and how you verify it was done. Without a policy, patching happens inconsistently — and inconsistency creates the gaps attackers exploit.

Patch management SLAs and prioritization

Define Service Level Agreements (SLAs) based on vulnerability severity:

- Critical (CVSS 9.0-10.0) — Patch within 14 calendar days. These are actively exploited or easily exploitable vulnerabilities with severe impact. If a CISA KEV entry exists, prioritize even faster.
- High (CVSS 7.0-8.9) — Patch within 30 calendar days. Significant risk, but may require more testing or have lower exploitability.
- Medium (CVSS 4.0-6.9) — Patch within 60 calendar days. Lower risk, but don't ignore these — they can be chained with other vulnerabilities.
- Low (CVSS 0.1-3.9) — Patch within 90 calendar days or during the next maintenance window.

Prioritization factors beyond CVSS:

- Is the vulnerability in CISA's KEV catalog? (Prioritize immediately)
- Is the affected system internet-facing? (Higher priority)
- Does the system handle sensitive data? (Higher priority)
- Is there a known exploit in the wild? (Higher priority)

Document exceptions: If a patch cannot be applied within the SLA (compatibility issues, system criticality), document the exception, the compensating control, and the planned remediation date.
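The SLA windows, prioritization factors and exception rule above, as an added Python example (not code from this article or from Cyber Defense Agent). The CVE identifiers used in tests are placeholders, and the work-order weighting is an assumption: KEV entries first, then the number of the three risk factors that apply, then CVSS.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Calendar-day SLA windows per severity bucket, as the policy above defines them.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score onto the policy's four severity buckets."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

@dataclass
class PatchException:  # documented SLA exception: why, compensating control, remediation date
    reason: str
    compensating_control: str
    remediation_date: date

@dataclass
class Finding:
    host: str
    cve: str                  # identifier as reported by the scanner
    cvss: float
    disclosed: date           # date the finding entered tracking
    in_kev: bool = False      # listed in CISA's KEV catalog
    internet_facing: bool = False
    sensitive_data: bool = False
    exploit_in_wild: bool = False
    exception: Optional[PatchException] = None

def sla_deadline(f: Finding) -> date:
    """Tracking date + SLA window; a KEV entry never gets more than the critical window."""
    days = SLA_DAYS[severity_from_cvss(f.cvss)]
    if f.in_kev:
        days = min(days, SLA_DAYS["critical"])
    return f.disclosed + timedelta(days=days)

def priority_key(f: Finding):
    """Work order (assumed weighting): KEV first, then more risk factors, then higher CVSS."""
    factors = sum((f.internet_facing, f.sensitive_data, f.exploit_in_wild))
    return (not f.in_kev, -factors, -f.cvss)

def status(f: Finding, today: date) -> str:
    """'exception' while a documented exception is in force, else on_track / overdue."""
    if f.exception and today <= f.exception.remediation_date:
        return "exception"
    return "overdue" if today > sla_deadline(f) else "on_track"
```

Sorting a list of findings with `priority_key` gives the work queue; once an exception's remediation date passes, the finding falls back to the normal overdue check.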

Automation and compliance requirements

Automate patching wherever possible to ensure consistency and reduce the burden on IT staff:

- Operating system patches — Use Windows Update for Business, WSUS, or Intune for Windows. Use built-in update mechanisms for macOS and Linux. Enable automatic updates for workstations; use controlled rollout for servers.
- Third-party applications — Tools like Ninite, PDQ Deploy, or your RMM platform can automate patching for common applications (browsers, PDF readers, Java, etc.).
- Firmware updates — Network equipment, firewalls, and IoT devices need firmware patches too. These are often forgotten but critical — especially for edge devices.

Compliance framework requirements:

- FTC Safeguards Rule: Requires maintaining security of systems, including patching
- NIST CSF: ID.RA (Risk Assessment) and PR.IP (Information Protection) include patching
- CIS Controls: Control 7 (Continuous Vulnerability Management) requires patching
- HIPAA: Requires addressing known security vulnerabilities
- Cyber Insurance: Carriers ask about patch management practices and may require specific SLAs

Verification is critical: After patching, verify the patch was applied. Run vulnerability scans, check system versions, and maintain an audit trail. Cyber Defense Agent's external scans can help verify that internet-facing systems are running current software.
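The verification step above, as an added Python example that is not the article's or Cyber Defense Agent's code: it compares scanner-reported versions with the required fixed versions and writes one audit record per host, treating a host that never appears in the scan as unverified rather than compliant. The product names, versions and scan output are constructed, and the version comparison assumes dotted numeric versions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: minimum fixed version required per product after this patch cycle.
REQUIRED = {"nginx": "1.25.4", "openssh": "9.6"}

# Constructed scan output: one "host product version" line per service the scanner saw.
SCAN_OUTPUT = """\
web01 nginx 1.24.0
web02 nginx 1.25.4
bastion openssh 9.6p1
"""

def version_tuple(v: str, width: int = 4):
    """'1.25.4' -> (1, 25, 4, 0): numeric fields only, zero-padded so 1.25 == 1.25.0."""
    nums = [int(x) for x in re.findall(r"\d+", v)][:width]
    return tuple(nums + [0] * (width - len(nums)))

def parse_scan(text: str):
    """Turn scanner output into (host, product, version) rows, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            host, product, version = line.split()
            rows.append((host, product, version))
    return rows

def verify(scan_text: str, required: dict, expected_hosts, checked_at: str):
    """Audit trail: one record per product seen, plus 'not_verified' for hosts the scan never saw."""
    trail, seen = [], set()
    for host, product, version in parse_scan(scan_text):
        seen.add(host)
        if product not in required:
            continue
        ok = version_tuple(version) >= version_tuple(required[product])
        trail.append({"host": host, "product": product, "installed": version,
                      "required": required[product],
                      "result": "compliant" if ok else "missing_patch",
                      "checked_at": checked_at})
    for host in sorted(set(expected_hosts) - seen):  # absent from the scan is unknown, not compliant
        trail.append({"host": host, "result": "not_verified", "checked_at": checked_at})
    return trail

if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for rec in verify(SCAN_OUTPUT, REQUIRED, ["web01", "web02", "bastion", "mail01"], now):
        print(rec)
```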

Key Takeaways

- Unpatched vulnerabilities are a top attack vector — formalize your patching approach.
- Set SLAs by severity: critical within 14 days, high within 30, medium within 60.
- Prioritize CISA KEV entries and internet-facing systems above CVSS score alone.
- Automate patching for operating systems and common third-party applications.
- Document exceptions with compensating controls when patches can't be applied on schedule.

Frequently asked questions

What is a reasonable SLA for critical patches?

14 calendar days is the industry standard for critical vulnerabilities (CVSS 9.0+). CISA's BOD 22-01 requires federal agencies to patch KEV entries within 14 days for internet-facing systems. Many cyber insurance carriers use this same benchmark during underwriting.

How do I handle patches that break applications?

Document the exception in your patch management policy. Include the affected system, the reason the patch can't be applied, compensating controls in place (network segmentation, enhanced monitoring), and the planned remediation date. Test patches in a staging environment before deploying to production when possible.

Does Cyber Defense Agent check for missing patches?

Cyber Defense Agent's external scan can detect outdated software versions on internet-facing systems (web servers, mail servers, CMS platforms). For internal patch compliance, you'll need an internal vulnerability scanner or RMM platform. CDA's framework mapping identifies where patch management fits in your compliance posture.
