Before You Start
- Global Administrator or Security Administrator role in Microsoft 365
- Microsoft 365 Business Premium, or a Microsoft Entra ID P1 or P2 license (formerly Azure AD P1/P2), if you plan to use Conditional Access; Security Defaults needs no extra license
- A communication plan to notify users about the MFA rollout
- Microsoft Authenticator app available for users to install
Audit current MFA status across all accounts
Before enforcing MFA, understand your current state. In the Microsoft 365 admin center, navigate to Users, then Active users, then click Multi-factor authentication. This legacy per-user MFA page shows each user as Disabled, Enabled, or Enforced, but it knows nothing about Conditional Access. For a more complete view, open the Microsoft Entra admin center and navigate to Protection, then Authentication methods, then User registration details. Export the report to see which users have registered for MFA, which methods they registered, and whether those methods are actually usable under your authentication methods policy (the "MFA capable" column). Pay special attention to admin accounts, shared mailboxes, and service accounts. Admin accounts should be the first to have MFA enforced. Shared mailboxes should have sign-in blocked entirely (the default when they are created); a mailbox nobody signs in to needs no MFA, but one that people log into directly does. Service accounts and other non-interactive workloads cannot answer an MFA prompt, so plan to move them to managed identities or app registrations with certificate credentials. App passwords are not a fix: they only work with legacy per-user MFA, not with Conditional Access, and they keep basic authentication alive for an attacker who obtains one.
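The same audit can be scripted with the Microsoft Graph PowerShell SDK, which is useful when you need to repeat it weekly during the rollout. This is an added example and not part of the original guide; it assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the two listed scopes, and that the method names in the report match the ones used below (check them against one row of your own export).

```powershell
# Added example, not part of the original guide: inventory MFA registration with
# the Microsoft Graph PowerShell SDK (Microsoft.Graph module assumed installed).
# The scopes are the ones the user registration details report requires.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Same data as Protection > Authentication methods > User registration details
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Phone-based methods (SMS/voice). Anything else, such as Authenticator push,
# TOTP, FIDO2 or Windows Hello for Business, is stronger. These are the method
# names the report returns in my tenant; verify against your own export.
$phoneMethods = @("mobilePhone", "alternateMobilePhone", "officePhone")

$report = foreach ($u in $details) {
    $methods   = @($u.MethodsRegistered)
    $nonPhone  = @($methods | Where-Object { $_ -notin $phoneMethods })
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        IsAdmin       = $u.IsAdmin
        MfaRegistered = $u.IsMfaRegistered
        MfaCapable    = $u.IsMfaCapable      # registered AND allowed by the methods policy
        DefaultMethod = $u.DefaultMfaMethod
        Methods       = ($methods -join ";")
        PhoneOnly     = ($methods.Count -gt 0) -and ($nonPhone.Count -eq 0)
    }
}

# Most urgent finding: accounts holding admin roles that cannot satisfy an MFA prompt today
"Admins without a usable MFA method:"
$report | Where-Object { $_.IsAdmin -and -not $_.MfaCapable } | Format-Table User, Methods -AutoSize

# Users who still need the registration email and a deadline
$report | Where-Object { -not $_.MfaRegistered } |
    Export-Csv -Path .\mfa-unregistered.csv -NoTypeInformation

# Users whose only factors are SMS or voice, to be nudged toward the Authenticator app
$report | Where-Object { $_.PhoneOnly } |
    Export-Csv -Path .\mfa-phone-only.csv -NoTypeInformation

# Headline number to track week over week
$registered = @($report | Where-Object { $_.MfaRegistered }).Count
"Registered for MFA: {0} of {1} users ({2:P0})" -f $registered, $report.Count,
    ($registered / [math]::Max(1, $report.Count))
```

The report does not distinguish service accounts from people, so review the unregistered list by hand and mark the accounts that belong to automation before you send the registration reminder.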
Choose between Security Defaults and Conditional Access
Microsoft offers two ways to enforce MFA. Security Defaults is the simpler option, available to every tenant at no extra cost. It requires all users to register for MFA within fourteen days, always requires MFA for accounts holding admin roles and for privileged operations such as Azure management, prompts other users when Microsoft judges it necessary (for example on a risky sign-in or a new device), and blocks legacy authentication protocols that cannot do MFA. It is all-or-nothing: no exclusions, no per-app or per-location rules, and no report-only mode. Conditional Access policies, which need an Entra ID P1 license (P2 for risk-based conditions), give granular control over when MFA is required based on user or group, application, location, device state, and sign-in risk, and can be rolled out in report-only mode first. The two are mutually exclusive: Security Defaults must be switched off before Conditional Access policies can be enabled, so plan the cutover so that the admin MFA policy goes on in the same change window. For most SMBs with fewer than fifty users and no need for exceptions, Security Defaults is sufficient. Organizations that need exceptions, a phased rollout, or different rules for different applications should use Conditional Access.
Enable Security Defaults or create Conditional Access policies
To enable Security Defaults, open the Microsoft Entra admin center, go to Identity, then Overview, then Properties, and click Manage security defaults at the bottom. Set it to Enabled and save. For Conditional Access, first make sure Security Defaults is disabled, then go to Protection, then Conditional Access, and create a new policy. Name it descriptively, such as Require MFA for all users. Under Assignments, include All users and exclude only your emergency access accounts. Under Target resources (called Cloud apps in older portals), select All cloud apps. Under Grant, select Require multifactor authentication. Set the policy to Report-only first, so that the sign-in logs show what it would have done without blocking anyone. After reviewing those logs for a week, switch the policy to On. Create a second policy that requires MFA for all admin roles, turned on immediately, with no exclusions other than the emergency access accounts. Finally, add a policy that blocks legacy authentication clients (Exchange ActiveSync and "other clients" in the client apps condition): these protocols cannot complete an MFA prompt, so leaving them enabled gives an attacker with a stolen password a way around every MFA policy you just created.
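The three policies above can be created in one script with the Microsoft Graph PowerShell SDK, which also makes the exclusions and the report-only state explicit and reviewable. This is an added example and not part of the original guide; it assumes Security Defaults is already off, that the Microsoft.Graph module is installed, and that the break-glass account names and the contoso.onmicrosoft.com domain are placeholders you replace with your own.

```powershell
# Added example, not part of the original guide: create the Conditional Access
# policies described in the text with the Microsoft Graph PowerShell SDK.
# Security Defaults must already be disabled or policy creation is rejected.
# Break-glass UPNs and the tenant domain below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "Directory.Read.All" -NoWelcome

# Policies reference object IDs, not UPNs, so resolve the emergency access accounts first
$breakGlassUpns = @("bg-alpha@contoso.onmicrosoft.com", "bg-bravo@contoso.onmicrosoft.com")
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id })

# Admin roles to cover, looked up by display name so no role template GUIDs are hard-coded
$adminRoleNames = @("Global Administrator", "Security Administrator",
                    "Conditional Access Administrator", "Exchange Administrator",
                    "SharePoint Administrator", "User Administrator")
$adminRoleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id)

# Policy 1: everyone, report-only first; flip to "enabled" after reviewing the sign-in logs
$allUsersMfa = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: admin roles, enforced immediately, only break-glass excluded
$adminMfa = @{
    displayName   = "Require MFA for admin roles"
    state         = "enabled"
    conditions    = @{
        users        = @{ includeRoles = $adminRoleIds; excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3: block legacy authentication clients, which cannot do MFA at all.
# Report-only first so you can find the printers and scripts still using basic auth.
$blockLegacy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($allUsersMfa, $adminMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0,-32} {1,-36} {2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Keep the script in version control: the exclusion lists are the part of an MFA rollout that drifts over time, and a diff of this file is much easier to review than a screenshot of the portal.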
Configure emergency access accounts
Create at least two cloud-only emergency access (break-glass) accounts so you can still get in if Microsoft's MFA service, your federation, or a misconfigured Conditional Access policy locks everyone else out. Create them in the tenant's default onmicrosoft.com domain, not tied to any individual, with the Global Administrator role assigned permanently, and give them long, random passwords stored in a physical safe (split between two custodians if you can). Choose names that do not advertise their purpose to anyone who can list the directory; admin-emergency-01 is exactly the name an attacker would search for. Exclude these accounts from every Conditional Access policy, including the MFA policies; if you want a second factor on them at all, use a FIDO2 security key kept in the same safe rather than a phone that belongs to a person. A Conditional Access policy cannot raise an alert by itself, so send the Entra ID sign-in logs to a Log Analytics workspace and create an Azure Monitor alert rule, or run a scheduled script, that notifies the security team on any sign-in by these accounts. Every such sign-in is an incident until it is confirmed as a drill. Test the accounts quarterly, which also tests the alert, and document the safe location and the procedure for using them in your incident response plan.
Communicate the rollout to users and guide registration
Send an email to all users at least two weeks before enforcement explaining what MFA is, why it is being implemented, and what they need to do. Include step-by-step instructions for installing the Microsoft Authenticator app on their phone from the App Store or Google Play. Direct users to aka.ms/mysecurityinfo to register their MFA method. Recommend the Authenticator app with push notifications as the primary method, and a phone number only as a backup, since SMS and voice calls are the weakest methods and the easiest for an attacker to intercept or socially engineer. Tell users that a push they did not initiate must be denied and reported, not approved to make it stop. Host a short training session or create a screen recording walkthrough for less technical users. Provide a help desk contact for users who encounter issues during registration, and agree in advance how the help desk will verify a caller's identity before resetting an MFA method, because that reset path is what attackers will target next. Set a firm deadline for registration completion.
Enforce MFA and monitor adoption
Once the registration window closes, switch your Conditional Access policy from Report-only to On, or confirm that Security Defaults is active. Monitor the Entra ID sign-in logs daily for the first two weeks. Filter for sign-in failures whose error code indicates that MFA enrollment is required (50072 or 50079) to identify users who never registered and are now being stopped by the policy. Check the Authentication methods registration report to track the percentage of users who have completed registration, and follow up individually with any holdouts. Review the Risky sign-ins report to see whether MFA is now blocking credential-based attacks: a password spray that previously produced successful sign-ins should now produce MFA challenges that are never satisfied. Your goal is one hundred percent MFA coverage, excluding only the documented emergency access accounts.
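The enforcement switch and the daily checks above, together with the break-glass sign-in alert from the emergency access section, can be done from one scheduled script against the sign-in logs. This is an added example and not part of the original guide; it assumes the Microsoft.Graph module, the policy name used in the earlier steps, placeholder break-glass UPNs on contoso.onmicrosoft.com, and the Entra error codes noted in the comments (50072/50079 for enrollment required, 500121 for a failed MFA challenge), which you should confirm against a few rows of your own logs.

```powershell
# Added example, not part of the original guide: enforce the report-only policy
# and run the daily sign-in log checks with the Microsoft Graph PowerShell SDK.
# Policy name, break-glass UPNs and the tenant domain are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All" -NoWelcome

$breakGlassUpns = @("bg-alpha@contoso.onmicrosoft.com", "bg-bravo@contoso.onmicrosoft.com")

# Step 1 (run once, when the registration window closes): report-only -> on
$policy = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq "Require MFA for all users" }
if ($policy -and $policy.State -eq "enabledForReportingButNotEnforced") {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = "enabled" }
    "Policy '$($policy.DisplayName)' switched to enabled"
}

# Step 2 (run daily): pull the last 24 hours of interactive sign-ins
$since   = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)

# Any break-glass sign-in is an incident until proven to be a drill
$breakGlassUse = @($signIns | Where-Object { $_.UserPrincipalName -in $breakGlassUpns })
if ($breakGlassUse.Count -gt 0) {
    Write-Warning "EMERGENCY ACCESS ACCOUNT USED: $($breakGlassUse.Count) sign-in(s) since $since"
    $breakGlassUse | Format-Table CreatedDateTime, UserPrincipalName, IpAddress,
        @{ n = "Country"; e = { $_.Location.CountryOrRegion } }, AppDisplayName -AutoSize
}

# Users being stopped by the policy because they never registered.
# 50072 / 50079: user must enroll for MFA (assumed codes, confirm in your logs)
$enrollRequired = @(50072, 50079)
$lockedOut = @($signIns |
    Where-Object { $_.Status.ErrorCode -in $enrollRequired } |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending)
"Users blocked pending MFA registration: {0}" -f $lockedOut.Count
$lockedOut | Select-Object -First 20 Name, Count | Format-Table -AutoSize

# Adoption signal: share of successful sign-ins that were actually challenged for MFA
$success      = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 })
$mfaSatisfied = @($success | Where-Object { $_.AuthenticationRequirement -eq "multiFactorAuthentication" })
"Successful sign-ins that satisfied MFA: {0} of {1}" -f $mfaSatisfied.Count, $success.Count

# Failed MFA challenges (denied pushes, wrong codes, timeouts): a burst for one user
# after a successful password is what an MFA-fatigue attempt looks like.
# 500121: authentication failed during strong authentication request (assumed code)
$signIns | Where-Object { $_.Status.ErrorCode -eq 500121 } |
    Group-Object UserPrincipalName | Where-Object { $_.Count -ge 5 } |
    Format-Table Name, Count -AutoSize
```

Get-MgAuditLogSignIn returns interactive user sign-ins by default, which is what the adoption figures need; non-interactive and service principal sign-ins are a separate view, and the service accounts you moved to managed identities will show up there, not here.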
Common Mistakes to Avoid
- Not creating and testing emergency access accounts before enforcing MFA, risking a total lockout during an MFA service outage or a bad policy change
- Enforcing MFA without advance notice, causing user frustration and a spike in help desk tickets
- Leaving legacy authentication (basic auth for SMTP, IMAP, POP, ActiveSync) enabled, which lets a stolen password bypass MFA entirely
- Leaving service accounts on plain passwords and shared mailboxes with sign-in enabled, instead of moving workloads to managed identities or certificate-based service principals and blocking sign-in on shared mailboxes
- Using SMS as the only MFA method instead of the Authenticator app with push notifications and number matching
- Forgetting to exclude emergency access accounts from Conditional Access policies, or excluding far more than those two accounts