How-To Guide

How to Create a Cybersecurity Policy

Create a cybersecurity policy that defines acceptable behavior, access controls, data handling requirements, and accountability for every employee in your organization.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

  • Executive sponsorship and commitment to enforce the policy
  • An inventory of IT assets, data types, and business processes
  • Understanding of applicable regulatory requirements such as HIPAA, PCI DSS, or state privacy laws
  • Input from department heads about operational requirements and constraints

1. Define the scope and objectives of the policy

Begin by clearly stating what the policy covers and why it exists. The scope should define who the policy applies to, including full-time employees, contractors, vendors, and temporary workers. It should specify which systems are covered, including company-owned devices, personal devices used for work under BYOD policies, cloud services, and network infrastructure. State the objectives plainly. The policy exists to protect the organization's information assets, maintain regulatory compliance, and reduce the risk of security incidents. Include a statement of executive support that demonstrates leadership commitment to cybersecurity. Reference the specific regulations your organization must comply with, as this provides the legal basis for the policy requirements. Keep the language clear and avoid excessive jargon so that non-technical employees can understand their obligations.

2. Write the acceptable use policy section

The acceptable use policy defines what employees can and cannot do with company IT resources. Cover email usage rules including prohibitions on opening suspicious attachments, forwarding sensitive data to personal accounts, and using company email for personal business. Define internet usage expectations including restrictions on visiting malicious or inappropriate websites and downloading unauthorized software. Address social media use and what company information may or may not be shared publicly. Define rules for personal device usage under BYOD including requirements for screen locks, encryption, and the company's right to remotely wipe business data. Specify that all company data remains company property regardless of where it is stored. Include consequences for violations ranging from additional training for minor infractions to termination for serious or repeated violations. Make the consequences proportionate and clearly defined.

3. Define access control and authentication requirements

Document your access control policies based on the principle of least privilege, which means users should have only the minimum access needed to perform their job. Define the process for requesting, granting, modifying, and revoking access to systems and data. Require manager approval for all access requests and document the approval process. Set password requirements including a minimum length of at least twelve characters, prohibition of password reuse across systems, and mandatory use of a company-approved password manager. Require multi-factor authentication for all systems that support it, especially email, VPN, and administrative access. Define the process for offboarding employees, which must include immediate revocation of all access on the date of departure. Specify requirements for privileged accounts including separate admin credentials, enhanced logging, and regular access reviews. Include a requirement for quarterly access reviews where managers verify that their team members' access rights are still appropriate.
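The access control requirements in this step are only useful if someone checks them. As an added example (not part of this guide), the Python script below audits a constructed account inventory and HR departure feed against those requirements: active access past the departure date, missing manager approval, an overdue quarterly review, MFA missing on email, VPN or a privileged account, and a privileged account that reuses a standard login. The field names, systems and sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample account inventory (not real data): one row per (user, system).
ACCOUNTS = [
    {"user": "alice", "login": "alice", "system": "email", "privileged": False, "mfa": True,
     "approved_by": "mgr1", "last_review": date(2026, 3, 1), "active": True},
    {"user": "alice", "login": "alice", "system": "fileserver", "privileged": True, "mfa": True,
     "approved_by": "mgr1", "last_review": date(2026, 3, 1), "active": True},
    {"user": "bob", "login": "bob", "system": "vpn", "privileged": False, "mfa": False,
     "approved_by": "", "last_review": date(2025, 11, 15), "active": True},
    {"user": "carol", "login": "carol", "system": "email", "privileged": False, "mfa": True,
     "approved_by": "mgr2", "last_review": date(2026, 4, 10), "active": True},
]
# Constructed HR feed (assumed format): departure dates for users who have left.
DEPARTED = {"carol": date(2026, 4, 20)}

MFA_REQUIRED_SYSTEMS = {"email", "vpn"}  # policy: MFA on email, VPN and every privileged account
REVIEW_INTERVAL = timedelta(days=90)     # policy: quarterly access review
AUDIT_DATE = date(2026, 5, 1)            # constructed "today" for the sample run


def audit_accounts(accounts, departed, today):
    """Return (user, system, finding) tuples, one per policy violation."""
    findings = []
    # Logins used by non-privileged accounts, to enforce separate admin credentials.
    standard_logins = {(a["user"], a["login"]) for a in accounts if not a["privileged"]}
    for a in accounts:
        key = (a["user"], a["system"])
        if a["active"] and a["user"] in departed and departed[a["user"]] <= today:
            findings.append(key + ("access still active after departure date",))
        if not a["approved_by"]:
            findings.append(key + ("no manager approval recorded",))
        if today - a["last_review"] > REVIEW_INTERVAL:
            findings.append(key + ("quarterly access review overdue",))
        if (a["system"] in MFA_REQUIRED_SYSTEMS or a["privileged"]) and not a["mfa"]:
            findings.append(key + ("MFA not enabled",))
        if a["privileged"] and (a["user"], a["login"]) in standard_logins:
            findings.append(key + ("privileged account reuses a standard login",))
    return findings


def run_sample_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_accounts(ACCOUNTS, DEPARTED, AUDIT_DATE)


if __name__ == "__main__":
    for user, system, finding in run_sample_audit():
        print(f"{user:<6} {system:<10} {finding}")
```

In a real deployment the inventory would come from the identity provider and the departure feed from HR, and the output would go into the quarterly review ticket for each manager.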

4. Write the data classification and handling section

Define how data should be classified and handled based on its sensitivity. Create three or four classification levels such as Public, Internal, Confidential, and Restricted. For each level, define what types of data fall into that category, who can access it, how it must be stored and transmitted, and how it should be disposed of. For example, Confidential data must be encrypted at rest and in transit, stored only on approved systems, shared only with authorized individuals via secure channels, and securely deleted when no longer needed. Restricted data such as protected health information or payment card data has additional regulatory handling requirements. Include specific examples for each classification level so employees can correctly categorize the data they work with. Address data retention requirements including how long different types of data must be kept and the process for secure disposal when retention periods expire.
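To show how the handling rules above become a concrete check, here is an added example (not from this guide) that evaluates constructed data records against the Confidential and Restricted controls the step describes, plus a retention-expiry check that applies at every level. The approved-system list, record fields and sample data are assumptions; Restricted data's extra regulatory requirements are not modelled here.

```python
from datetime import date, timedelta

LEVELS = {"Public", "Internal", "Confidential", "Restricted"}
CONTROLLED_LEVELS = {"Confidential", "Restricted"}      # levels that carry technical controls
APPROVED_SYSTEMS = {"corp-sharepoint", "hr-db"}         # assumed list of approved storage systems
CHECK_DATE = date(2026, 5, 1)                           # constructed "today" for the sample run


def check_handling(record, today):
    """Return a list of handling violations for one data record (empty means compliant)."""
    issues = []
    level = record["classification"]
    if level not in LEVELS:
        return [f"unknown classification {level!r}"]
    if level in CONTROLLED_LEVELS:
        if not record["encrypted_at_rest"]:
            issues.append("must be encrypted at rest")
        if not record["encrypted_in_transit"]:
            issues.append("must be encrypted in transit")
        if record["stored_on"] not in APPROVED_SYSTEMS:
            issues.append(f"stored on unapproved system {record['stored_on']}")
        unauthorized = set(record["shared_with"]) - set(record["authorized"])
        if unauthorized:
            issues.append(f"shared with unauthorized recipients {sorted(unauthorized)}")
    # Retention applies to every level: data past its retention period must be securely disposed of.
    expires = record["created"] + timedelta(days=record["retention_days"])
    if today > expires:
        issues.append(f"retention expired on {expires.isoformat()}; schedule secure disposal")
    return issues


# Constructed sample records (not real data).
RECORDS = [
    {"name": "payroll-export", "classification": "Restricted", "stored_on": "laptop-usb",
     "encrypted_at_rest": False, "encrypted_in_transit": True, "shared_with": ["vendor"],
     "authorized": [], "created": date(2019, 1, 1), "retention_days": 2555},
    {"name": "brochure", "classification": "Public", "stored_on": "website",
     "encrypted_at_rest": False, "encrypted_in_transit": False, "shared_with": ["anyone"],
     "authorized": [], "created": date(2026, 1, 1), "retention_days": 365},
    {"name": "customer-list", "classification": "Confidential", "stored_on": "corp-sharepoint",
     "encrypted_at_rest": True, "encrypted_in_transit": True, "shared_with": ["alice"],
     "authorized": ["alice", "bob"], "created": date(2026, 3, 1), "retention_days": 730},
]


def run_sample_check():
    """Check every constructed record as of CHECK_DATE; returns {name: [issues]}."""
    return {r["name"]: check_handling(r, CHECK_DATE) for r in RECORDS}
```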

5. Include incident reporting and response procedures

Every employee should know how to recognize and report a potential security incident. Define what constitutes a reportable security event including phishing emails, suspected malware, unauthorized access, lost or stolen devices, and accidental data exposure. Provide a clear reporting channel such as a dedicated email address, phone number, or ticketing system. Specify the expected response time for reporting, which should be immediate upon discovery with no exceptions. Emphasize that employees will not be punished for reporting incidents in good faith, even if they were involved in causing the incident, as fear of punishment leads to unreported incidents that grow worse over time. Reference your full incident response plan and identify the key contacts. Include basic immediate actions employees should take such as disconnecting a potentially infected device from the network and not clicking additional links in a suspected phishing email.

6. Establish policy review and enforcement procedures

A policy is only effective if it is enforced and kept current. Define the review cycle for the policy, which should be at least annual or whenever significant changes occur in the regulatory environment, technology stack, or threat landscape. Assign a policy owner responsible for maintaining the document and coordinating reviews. Require all employees to read and acknowledge the policy upon hiring and annually thereafter. Use an electronic signature system to track acknowledgments. Define the enforcement mechanism including who has authority to investigate violations, the escalation process, and the range of consequences. Include a provision for exceptions that defines how temporary exceptions to the policy can be requested, approved, documented, and reviewed. Exceptions should require senior management approval and should include compensating controls that mitigate the risk of the exception. Track all exceptions in a register and review them quarterly.

Common Mistakes to Avoid

  • Writing a policy that is too long and technical for non-IT employees to understand and follow
  • Not obtaining executive sponsorship, resulting in a policy that is ignored because it lacks enforcement authority
  • Failing to include a regular review cycle, leaving the policy outdated as technology and threats evolve
  • Creating the policy but not requiring employees to acknowledge it, making enforcement difficult
  • Not defining consequences for violations, leaving the policy without teeth
