How-To Guide

How to Implement a 3-2-1 Backup Strategy

Implement the industry-standard 3-2-1 backup strategy to protect your business data against hardware failure, ransomware, and natural disasters.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

  • An inventory of critical data and systems that require backup
  • Defined recovery time objectives and recovery point objectives for each system
  • Budget allocated for backup storage including cloud storage subscriptions
  • Administrative access to servers and workstations to configure backup agents

1. Identify and classify data for backup

Start by cataloging all data your organization creates and stores. Categorize it into tiers based on criticality. Tier one includes data that is essential for daily operations and would halt the business if lost, such as financial records, customer databases, email, and line-of-business application data. Tier two includes data that is important but could be recreated with effort, such as project files, documentation, and marketing materials. Tier three includes data that is useful but not essential, such as archived records and historical logs. For each tier, define the recovery point objective, which is the maximum acceptable amount of data loss measured in time. Tier one data might have an RPO of one hour, meaning you need backups at least hourly. Tier two might have a daily RPO, and tier three might accept weekly backups. This classification drives your backup schedule and storage requirements.

2. Configure the first copy on primary storage

The first copy in a 3-2-1 strategy is your production data itself on your primary storage. Ensure your primary storage is reliable by using RAID configurations on physical servers, which protect against individual disk failures. For cloud-hosted data in platforms like Microsoft 365 or Google Workspace, understand that the cloud provider protects against infrastructure failures but does not protect against accidental deletion, malicious insiders, or ransomware that syncs encrypted files. Configure local snapshots or versioning on your primary storage. On Windows servers, enable Volume Shadow Copy Service with snapshots at least every four hours. On NAS devices, enable scheduled snapshots. In cloud platforms, verify that file versioning is enabled so users can recover previous versions of files without restoring from a full backup.

3. Set up the second copy on a different media type

The second copy should be on a different storage medium than your primary. If your primary is spinning disk, the second copy could be on a separate NAS, a dedicated backup appliance, or external drives. Use a backup solution like Veeam, Acronis, Datto, or the built-in Windows Server Backup to create scheduled backups. Configure the backup schedule to match your RPO requirements. For tier one data, run incremental backups every hour with a full backup weekly. For tier two data, run daily incrementals with weekly full backups. Ensure the backup storage is on a separate physical device and ideally a separate network segment from production. This separation protects against ransomware that spreads across the network and encrypts everything on connected storage. Use backup solutions that support immutable backups, which cannot be modified or deleted for a specified retention period.

4. Configure the offsite or cloud copy

The third copy must be stored offsite to protect against physical disasters like fire, flood, or theft that could destroy both your primary data and local backup. Cloud storage is the most practical offsite option for SMBs. Configure your backup solution to replicate backups to a cloud target such as AWS S3, Azure Blob Storage, Backblaze B2, or the cloud storage included with your backup vendor subscription. Enable encryption for data in transit and at rest using AES-256. For Microsoft 365 and Google Workspace data, use a dedicated SaaS backup solution like Backupify, Spanning, or Veeam Backup for Microsoft 365 since these platforms have limited native backup capabilities. Verify that your cloud backup retention meets your compliance requirements, as some regulations require data retention for specific periods.

5. Test backup restoration regularly

A backup that cannot be restored is worthless. Schedule restoration tests at least quarterly for critical data and annually for all data. Test the complete restoration process, not just the file-level restore. Restore a full server or VM to a test environment and verify the applications and data function correctly. Document the time each restoration takes and compare it to your recovery time objectives. If restoration takes longer than your RTO allows, you may need to invest in faster backup solutions or replicas that can be activated quickly. Test individual file restores monthly so your team stays practiced in the process. Keep a log of all restoration tests including the date, what was tested, the result, and any issues encountered. Use test failures as opportunities to improve your backup configuration and documentation.

6. Implement ransomware protection for backups

Modern ransomware specifically targets backup systems to prevent recovery. Protect your backups with multiple layers. First, use immutable backups that cannot be altered or deleted during the retention period, available in solutions like Veeam with hardened repositories or cloud storage with object lock. Second, isolate backup infrastructure using separate credentials that are not part of your main Active Directory domain so that a compromised admin account cannot access backups. Third, implement air-gapped backups by periodically copying critical data to offline media like external drives that are disconnected and stored securely. Fourth, enable multi-factor authentication on your backup management console and cloud storage accounts. Fifth, monitor for unusual backup activity such as a sudden spike in data change rates, which could indicate ransomware encryption in progress. Configure alerts for these anomalies.
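The fifth layer, alerting on a spike in data change rate, can be implemented against the job history any backup product already records. Here is an added example (not part of this guide or any vendor's product) that compares each incremental job's changed bytes with the median of that dataset's recent jobs; the job records, dataset names and thresholds are constructed for illustration.

```python
"""Flag backup jobs whose changed-data volume spikes above the recent baseline."""
from statistics import median

# Constructed job history (not real data): (dataset, job_end_utc, changed_bytes)
# for hourly incrementals. The file server normally changes about 50 MB per
# hour; its last job changes 2.1 GB, which is what bulk file encryption looks
# like to a backup job.
JOB_HISTORY = [
    ("file-server", "2026-05-01T01:00:00Z", 52_000_000),
    ("file-server", "2026-05-01T02:00:00Z", 48_000_000),
    ("file-server", "2026-05-01T03:00:00Z", 61_000_000),
    ("file-server", "2026-05-01T04:00:00Z", 45_000_000),
    ("file-server", "2026-05-01T05:00:00Z", 55_000_000),
    ("file-server", "2026-05-01T06:00:00Z", 50_000_000),
    ("file-server", "2026-05-01T07:00:00Z", 47_000_000),
    ("file-server", "2026-05-01T08:00:00Z", 2_100_000_000),
    ("mail-db", "2026-05-01T01:00:00Z", 300_000_000),
    ("mail-db", "2026-05-01T02:00:00Z", 280_000_000),
    ("mail-db", "2026-05-01T03:00:00Z", 310_000_000),
    ("mail-db", "2026-05-01T04:00:00Z", 295_000_000),
    ("mail-db", "2026-05-01T05:00:00Z", 305_000_000),
]

def change_rate_alerts(history, window=6, factor=5.0, min_history=4):
    """Return one alert per job whose changed bytes exceed factor x the median
    of that dataset's previous `window` jobs. A median baseline keeps one
    earlier spike from masking the next; the first min_history jobs of a
    dataset are never flagged because there is nothing to compare against."""
    per_dataset = {}
    for dataset, ended, changed in history:
        per_dataset.setdefault(dataset, []).append((ended, changed))
    alerts = []
    for dataset, jobs in per_dataset.items():
        for i, (ended, changed) in enumerate(jobs):
            prior = [c for _, c in jobs[max(0, i - window):i]]
            if len(prior) < min_history:
                continue
            baseline = median(prior)
            if changed > factor * baseline:
                alerts.append({"dataset": dataset, "job_end": ended,
                               "changed_bytes": changed, "baseline_bytes": baseline,
                               "ratio": round(changed / baseline, 1)})
    return alerts

if __name__ == "__main__":
    for a in change_rate_alerts(JOB_HISTORY):
        print(f"ALERT {a['dataset']} job ending {a['job_end']}: "
              f"{a['changed_bytes']:,} bytes changed, {a['ratio']}x the baseline")
```

Tune window and factor to each dataset's normal churn; a database that legitimately changes most of its blocks every job needs a higher factor than a file share.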

Common Mistakes to Avoid

  • Never testing backup restorations and discovering the backups are corrupted or incomplete during an actual disaster
  • Storing all backup copies on the same network segment, allowing ransomware to encrypt backups along with production data
  • Using the same administrative credentials for production systems and backup infrastructure
  • Not accounting for SaaS application data like Microsoft 365 email and SharePoint in the backup strategy
  • Setting retention periods too short to meet regulatory compliance requirements
