How-To Guide

How to Enforce MFA in Google Workspace

Enable and enforce 2-Step Verification across your Google Workspace organization with a phased rollout, security key options, and exception handling.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

  • Super Admin access to the Google Workspace Admin Console
  • Users with smartphones capable of running the Google Authenticator app or Google prompts
  • A communication plan for notifying users about the rollout

1. Review current 2-Step Verification enrollment status

Sign in to the Google Workspace Admin Console at admin.google.com. Navigate to Reporting, then User Reports, then Security. This report shows which users have 2-Step Verification enrolled and which methods they are using. Export the report to a spreadsheet and categorize users by enrollment status. Identify users who have never enrolled, users who are enrolled but using less secure methods like SMS, and users already using security keys or Google prompts. Also check the Admin Roles section to identify all super admin and delegated admin accounts, as these should be the first group to have MFA enforced. This baseline data will guide your phased rollout plan.

2. Allow 2-Step Verification enrollment organization-wide

Before you can enforce 2-Step Verification, you must first allow users to enroll. In the Admin Console, navigate to Security, then Authentication, then 2-Step Verification. Make sure the setting Allow users to turn on 2-Step Verification is enabled. If you have organizational units set up, ensure this setting is enabled at the top-level organization. Configure the allowed verification methods. For maximum security, enable Security Key Only as the required method for admin accounts. For general users, allow Any verification method initially, which includes Google prompts, Authenticator app, phone, and security keys. Set the enrollment period to give users time to register before enforcement begins.

3. Create a phased enforcement plan using organizational units

Google Workspace enforces 2-Step Verification at the organizational unit level, so plan your rollout in phases. Create or identify organizational units for your rollout groups. Phase one should include IT staff and administrators. Phase two should include managers and power users who handle sensitive data. Phase three covers all remaining users. For each phase, set the enforcement date at least two weeks after the communication goes out. In the Admin Console under Security, then Authentication, then 2-Step Verification, select the organizational unit for phase one and set Enforcement to On with a start date. Users who have not enrolled by the enforcement date will be locked out of their accounts until they complete enrollment.

4. Set a new user enrollment period and grace period

Configure how new users joining the organization are handled. In the 2-Step Verification settings, set the New user enrollment period to define how many days new hires have to enroll before enforcement kicks in. A common setting is seven days. Also configure the Frequency setting to determine how often users are prompted for their second factor. The default asks for MFA on every new device and periodically on trusted devices. For higher security environments, set it to require MFA on every sign-in. If your organization allows users to mark devices as trusted, set the trusted device policy to expire after a reasonable period such as thirty days rather than allowing indefinite trust, which weakens the security benefit of MFA.

5. Communicate to users and support enrollment

Send a company-wide email explaining that 2-Step Verification is being required and provide clear enrollment instructions. Direct users to myaccount.google.com/signinoptions/two-step-verification to begin setup. Recommend Google prompts as the easiest method since it requires only tapping a notification on their phone. Provide instructions for the Google Authenticator app as a backup method. Create a short FAQ document addressing common questions such as what happens if they lose their phone, how to use backup codes, and whether personal devices are required. Hold optional drop-in sessions where users can get hands-on help. Ensure your IT help desk is staffed to handle increased support requests during each enforcement phase.

6. Enforce and monitor the rollout

On each phase enforcement date, verify that enforcement is active for the correct organizational unit. Monitor the Security reports in the Admin Console for sign-in failures related to 2-Step Verification. Users who are locked out will need temporary exceptions or direct support to complete enrollment. In the Admin Console, you can generate backup codes for a locked-out user by navigating to their account, selecting Security, then 2-Step Verification, and clicking Get Backup Verification Codes. Use these to help the user sign in and complete their enrollment. After all phases are complete, review the organization-wide enrollment report to confirm one hundred percent coverage and document any approved exceptions with their justification and compensating controls.
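As an added example (not code from the original guide or from Google), the Python below turns a constructed enrollment export into the phased plan described in steps 1, 3 and 4: it sorts users into rollout phases by role, flags who still needs to enroll or move off SMS, and staggers each phase's enforcement date two weeks apart. The column names, role labels and the two-week stagger between phases are assumptions, not the exact headers of the Admin Console export.

```python
from datetime import date, timedelta

# Constructed sample rows standing in for the exported Security user report.
# Column names are assumed; map the real export's headers onto these.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "enrolled": "yes", "method": "security_key", "role": "super_admin"},
    {"email": "bob@example.com",   "enrolled": "no",  "method": "",              "role": "admin"},
    {"email": "carol@example.com", "enrolled": "yes", "method": "sms",           "role": "manager"},
    {"email": "dave@example.com",  "enrolled": "yes", "method": "google_prompt", "role": "user"},
    {"email": "erin@example.com",  "enrolled": "no",  "method": "",              "role": "user"},
]

WEAK_METHODS = {"sms", "voice"}            # exposed to SIM swapping; migrate these users
ADMIN_ROLES = {"super_admin", "admin"}     # highest-privilege accounts go first


def rollout_phase(row):
    """Phase 1: admins and IT; phase 2: managers and power users; phase 3: everyone else."""
    if row["role"] in ADMIN_ROLES:
        return 1
    if row["role"] == "manager":
        return 2
    return 3


def enrollment_state(row):
    """Classify a user as not enrolled, enrolled on a weak factor, or enrolled on a strong one."""
    if row["enrolled"].strip().lower() != "yes":
        return "not_enrolled"
    if row["method"].strip().lower() in WEAK_METHODS:
        return "weak_method"
    return "strong_method"


def build_plan(rows, comm_date, notice_days=14):
    """Group users by phase with an enforcement date at least notice_days after the
    communication, staggering later phases by a further notice_days each (assumed)."""
    plan = {}
    for row in rows:
        phase = rollout_phase(row)
        entry = plan.setdefault(phase, {
            "enforce_on": comm_date + timedelta(days=notice_days * phase),
            "required_method": "security_key_only" if phase == 1 else "any",
            "needs_enrollment": [],
            "needs_stronger_method": [],
        })
        state = enrollment_state(row)
        if state == "not_enrolled":
            entry["needs_enrollment"].append(row["email"])
        elif state == "weak_method":
            entry["needs_stronger_method"].append(row["email"])
    return plan
```

Re-run it against a fresh export after each enforcement date; a phase is done when both of its lists are empty.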

Common Mistakes to Avoid

  • Enforcing 2-Step Verification before allowing an enrollment period, causing immediate lockouts
  • Not creating backup verification codes for users before enforcement, leaving no recovery path
  • Allowing SMS as the only second factor, which is vulnerable to SIM swapping attacks
  • Forgetting to enforce MFA on super admin accounts first, leaving the highest-privilege accounts unprotected
