How-To Guide

How to Configure SSL/TLS for Your Web Server

A comprehensive guide to configuring TLS on your web server with the right protocol versions, cipher suites, certificate chain, and security headers.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

  • Administrative access to your web server (Apache, Nginx, IIS, or cloud platform)
  • A domain name with DNS control for certificate validation
  • Basic understanding of web server configuration files
  • SSH or remote desktop access to the server
1. Obtain a TLS certificate from a trusted certificate authority

Every HTTPS connection requires a valid TLS certificate issued by a trusted certificate authority. For most SMBs, Let's Encrypt provides free certificates that are trusted by all major browsers and can be automated with tools like Certbot. For organizations requiring extended validation or wildcard certificates, commercial CAs like DigiCert, Sectigo, or GlobalSign offer paid options. To obtain a certificate, generate a certificate signing request (CSR) on your server that includes your domain name. For Let's Encrypt with Certbot, run certbot certonly with the webroot or standalone plugin (certbot certonly --webroot or certbot certonly --standalone) and specify your domain with the -d option. Certbot handles the CSR generation, domain validation, and certificate installation automatically. For commercial CAs, submit the CSR through their web portal, complete domain validation via DNS or email, and download the issued certificate files, including the intermediate certificate chain.

2. Install the certificate and configure the certificate chain

Install the certificate on your web server along with the complete certificate chain. The chain includes your server certificate, any intermediate certificates, and the root certificate. Missing intermediates are one of the most common TLS configuration errors and cause trust failures on some clients, because the client cannot build a path from your server certificate to a root it already trusts. For Nginx, set the ssl_certificate directive to a file containing your server certificate followed by the intermediate certificates, concatenated in order (server certificate first, then each intermediate up the chain). Set ssl_certificate_key to your private key file. For Apache, use SSLCertificateFile for the server certificate, SSLCertificateKeyFile for the private key, and SSLCertificateChainFile for the intermediate certificates (on Apache 2.4.8 and later SSLCertificateChainFile is deprecated, and the intermediates can instead be appended to the SSLCertificateFile in the same order as for Nginx). For IIS, import the PFX file through the Server Certificates feature in IIS Manager and bind it to your HTTPS site. Verify the chain is complete using an online tool like the SSL Labs server test.

3. Configure supported protocol versions

Disable outdated protocol versions and enable only TLS 1.2 and TLS 1.3. TLS 1.0 and 1.1 have known vulnerabilities and are deprecated by all major browsers. SSL 2.0 and 3.0 must never be enabled. For Nginx, set ssl_protocols TLSv1.2 TLSv1.3; in your server block. For Apache, set SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1. For IIS, disable older protocols through the Windows Registry under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols by creating DisabledByDefault and Enabled DWORD values. After changing protocol settings, restart the web server and test with SSL Labs to confirm only TLS 1.2 and 1.3 are offered. If you have legacy clients that require TLS 1.0, document the business justification and set a migration timeline rather than leaving weak protocols enabled indefinitely.

4. Select strong cipher suites

Cipher suites determine the encryption algorithms used for each TLS connection. Prioritize cipher suites that provide forward secrecy using ECDHE key exchange, authenticated encryption using AES-GCM or ChaCha20-Poly1305, and SHA-256 or SHA-384 for hashing. Disable cipher suites using RC4, DES, 3DES, MD5, or static RSA key exchange. For Nginx, set ssl_ciphers to a curated, colon-separated list and set ssl_prefer_server_ciphers on; to enforce your preferred order. A recommended configuration is ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;. For TLS 1.3, cipher suites are fixed in the protocol and do not need manual configuration. Use the Mozilla SSL Configuration Generator at ssl-config.mozilla.org to generate recommended configurations for your specific server software and version.

5. Enable HSTS and configure security headers

HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, preventing protocol downgrade attacks and cookie hijacking. Add the Strict-Transport-Security header with a max-age of at least 31536000 seconds (one year). Include the includeSubDomains directive to cover all subdomains. Only add the preload directive after thorough testing, as it submits your domain to browser preload lists and is difficult to undo. For Nginx, add the header in your server block with add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; (the always parameter makes Nginx send the header on error responses as well as successful ones). Also configure a permanent redirect from HTTP to HTTPS by creating a separate server block on port 80 that returns a 301 redirect to the HTTPS URL. Test the redirect to ensure all HTTP traffic is properly redirected before enabling HSTS, since once the header has been cached a browser will refuse plain HTTP to the domain until max-age expires.
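The settings from steps 3 to 5 can be checked mechanically before you run an external scan. The following is an added example, not code from this guide or from the nginx project: a standard-library Python script that parses the directives of an nginx server block and flags outdated protocol versions, weak or non-forward-secret cipher suites, a missing ssl_prefer_server_ciphers on, and a missing or too-short HSTS header. The two embedded server blocks are constructed samples, and the certificate paths and server name in them are placeholders.

```python
"""Audit an nginx server block against the protocol, cipher and HSTS settings
recommended in steps 3 to 5 of the guide. Added example, standard library only;
it understands plain "name value;" directives, which is enough for a server block."""
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # suites the guide disables
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*;\s*$", re.M)


def parse_directives(config_text):
    """Map each directive name to the list of values seen for it, in order.
    Comments are stripped; block openers/closers carry no ';' and are ignored."""
    stripped = "\n".join(re.sub(r"\s*#.*$", "", line) for line in config_text.splitlines())
    found = {}
    for name, value in DIRECTIVE_RE.findall(stripped):
        found.setdefault(name, []).append(value)
    return found


def audit_nginx_tls(config_text):
    """Return a list of findings; an empty list means the block meets the guide."""
    d = parse_directives(config_text)
    findings = []

    # Step 3: only TLS 1.2 and 1.3 may be offered.
    protocols = d.get("ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set (the build's default applies)")
    else:
        offered = set(protocols[-1].split())
        outdated = offered - ALLOWED_PROTOCOLS
        if outdated:
            findings.append("outdated protocols enabled: " + ", ".join(sorted(outdated)))
        if "TLSv1.3" not in offered:
            findings.append("TLSv1.3 not enabled")

    # Step 4: no RC4/DES/3DES/MD5, and (EC)DHE key exchange for forward secrecy.
    ciphers = d.get("ssl_ciphers")
    if ciphers:
        suites = [s for s in re.split(r"[:,\s]+", ciphers[-1].strip("\"'")) if s]
        explicit = [s for s in suites if "-" in s and not s.startswith("!")]
        weak = [s for s in explicit if any(m in s.upper() for m in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak cipher suites: " + ", ".join(weak))
        no_fs = [s for s in explicit if "DHE" not in s]
        if no_fs:
            findings.append("no forward secrecy (static key exchange): " + ", ".join(no_fs))
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    # Step 5: HSTS present, at least one year, covering subdomains.
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year (31536000)")
        if "includeSubDomains" not in hsts[-1]:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed sample: the kind of server block the guide tells you to fix.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;                   # placeholder name
    ssl_certificate     /path/to/server.crt;   # placeholder paths
    ssl_certificate_key /path/to/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers off;
}
"""

# Constructed sample: the same block after applying steps 3 to 5.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /path/to/fullchain.crt;  # server cert followed by intermediates
    ssl_certificate_key /path/to/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_nginx_tls(cfg)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against a copy of your own server block (for example by reading the file into a string and calling audit_nginx_tls on it) and clear every finding before going on to the external test in step 7. The parser deliberately ignores nested blocks and include files, so audit the server block that actually terminates TLS.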

6. Set up automatic certificate renewal

TLS certificates expire, and an expired certificate causes browser security warnings that block visitors. Let's Encrypt certificates are valid for ninety days and must be renewed regularly. Certbot installs a systemd timer or cron job that automatically renews certificates before expiration. Verify the renewal process works by running certbot renew --dry-run. For commercial certificates with longer validity periods, set calendar reminders thirty days before expiration. Monitor certificate expiration dates using a service like Uptime Robot, Pingdom, or your Cyber Defense Score scan. Configure your web server to reload its configuration after renewal (for example with a Certbot deploy hook) so the new certificate is served immediately. For high-availability environments, automate the certificate deployment across all servers in your cluster to prevent serving a mix of old and new certificates.

7. Validate your configuration with external testing tools

After completing your TLS configuration, validate it using the Qualys SSL Labs Server Test at ssllabs.com/ssltest. Enter your domain and review the detailed results. Aim for an A or A+ rating. The test checks your certificate chain, protocol support, cipher suite configuration, and vulnerability to known attacks like BEAST, POODLE, Heartbleed, and ROBOT. Fix any issues flagged by the test. Common issues include incomplete certificate chains, weak Diffie-Hellman parameters, and missing HSTS headers. Run the test again after each fix to confirm the issue is resolved. Also test from multiple geographic locations, since some CDNs and load balancers may serve different configurations from different regions. Save the test results as a baseline and re-test monthly or after any server configuration changes.
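To complement the external SSL Labs check with something you can run from your own monitoring host, the following added example (not part of this guide) uses only Python's standard library to probe which TLS versions a server will negotiate, as step 3 asks you to confirm, and to report how many days its certificate has left, as step 6 asks you to monitor. The host name and port are supplied by the caller, and the notAfter date strings used for checking the date arithmetic are constructed samples.

```python
"""Probe a live server for the TLS versions it negotiates and check certificate
expiry. Added example, standard library only; host and port are caller-supplied."""
import socket
import ssl
import time

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def server_offers(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.
    Certificate verification stays on, so a broken chain also yields False;
    check the certificate first if a version probe is unexpectedly negative."""
    ctx = ssl.create_default_context()
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which would
        # make the probe say "not offered" regardless of the server. Lowering the
        # level for the legacy probes only changes what this client will attempt.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def certificate_not_after(host, port=443, timeout=5.0):
    """Return the peer certificate's notAfter string as getpeercert() gives it
    (shape: 'May  1 00:00:00 2027 GMT', a constructed sample), or None on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except (ssl.SSLError, OSError, KeyError):
        return None


def days_until_expiry(not_after, now=None):
    """Whole days until `not_after` (getpeercert() format); negative means expired.
    `now` may be epoch seconds or a string in the same format; default is the clock."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return int((expires - now) // 86400)


def renewal_due(not_after, threshold_days=30, now=None):
    """True when the certificate is inside the guide's thirty-day reminder window."""
    return days_until_expiry(not_after, now) <= threshold_days


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    for name, version in VERSIONS.items():
        offered = server_offers(host, version)
        note = "  <- disable (step 3)" if offered and version < ssl.TLSVersion.TLSv1_2 else ""
        print(f"{name}: {'offered' if offered else 'not offered'}{note}")
    not_after = certificate_not_after(host)
    if not_after:
        note = "  <- renew now (step 6)" if renewal_due(not_after) else ""
        print(f"certificate expires {not_after}: {days_until_expiry(not_after)} days left{note}")
```

Run it as python probe.py your-domain after every configuration change and keep the output next to the SSL Labs baseline; a version that shows as offered here but was supposed to be disabled in step 3 is the first thing to fix. Because the probe pins one version per handshake, a server behind a load balancer may answer differently from different nodes, which is the same reason step 7 asks you to test from more than one location.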

Common Mistakes to Avoid

  • Leaving TLS 1.0 and 1.1 enabled, which exposes the server to known protocol vulnerabilities
  • Missing intermediate certificates in the chain, causing trust failures on mobile devices and some browsers
  • Not setting up automatic certificate renewal, leading to expired certificates and site outages
  • Enabling HSTS preload before thoroughly testing HTTPS on all subdomains, which is difficult to reverse
  • Using weak cipher suites like RC4 or 3DES that provide inadequate encryption strength
