Before You Start
- A completed cybersecurity risk assessment or Cyber Defense Score scan
- An understanding of your organization's revenue, industry, and the types of data it handles
- Access to your IT infrastructure documentation including network diagrams
- Budget authority to implement required security controls before the application
Understand what cyber insurers evaluate
Cyber insurance underwriters have become significantly more rigorous in their requirements over the past few years due to rising claims from ransomware attacks. Before starting your application, understand the key areas they evaluate. Almost every insurer now requires multi-factor authentication on all remote access including VPN, email, and administrative portals. They require endpoint detection and response on all endpoints. They require regular data backups with offsite copies and tested restoration procedures. They look for employee security awareness training, an incident response plan, and privileged access management. Many require email authentication with DMARC enforcement. Some ask about network segmentation and vulnerability management programs. Knowing these requirements upfront allows you to address gaps before the application rather than being declined or quoted at a premium because of missing controls.
Implement mandatory security controls
Based on the common insurer requirements, implement the controls that are most frequently cited as mandatory. Start with multi-factor authentication on all systems, especially remote access, email, and any admin console. Deploy endpoint detection and response on every workstation and server. Verify your backup strategy follows the 3-2-1 rule with tested restorations documented. Configure email authentication with SPF, DKIM, and DMARC. Implement a password policy requiring unique passwords of at least twelve characters managed through an enterprise password manager. Enable encryption on all endpoints using BitLocker for Windows and FileVault for macOS. Patch critical vulnerabilities within thirty days of disclosure. Each of these controls directly addresses questions on the insurance application. Having them in place before applying leads to more favorable coverage terms and lower premiums.
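The SPF, DKIM and DMARC configuration is the one control in this list that an insurer (or a Cyber Defense Score scan) can verify from the outside, so it is worth checking yourself before applying. The script below is an added example, not the page's or the scan's own code: it evaluates the published records against the enforcement bar insurers usually ask about (a terminal `-all` or `~all` in SPF, DMARC at `p=quarantine` or `p=reject` with reporting enabled, at least one DKIM selector with a live key). The two record sets are constructed samples, one weak and one hardened; in production you would fetch the TXT records from DNS instead of hard-coding them.

```python
"""Evaluate SPF, DKIM and DMARC records against the enforcement level cyber
insurers typically require.  Added example with constructed sample records;
a real check would fetch the TXT records with a DNS resolver."""
import re
from dataclasses import dataclass, field


@dataclass
class EmailAuthReport:
    domain: str
    findings: list = field(default_factory=list)   # human-readable gaps

    @property
    def passes(self) -> bool:
        return not self.findings


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k2=v2' DMARC/DKIM syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list) -> list:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records (receivers treat this as a permanent error)"]
    terms = spf[0].split()
    findings = []
    final = terms[-1].lower()
    if final in ("+all", "all", "?all"):
        findings.append(f"SPF: terminal '{final}' lets any host send as the domain; use -all or ~all")
    elif final not in ("-all", "~all"):
        findings.append("SPF: record does not end in an 'all' mechanism")
    # Mechanisms that cost a DNS lookup; more than 10 makes the record unevaluable.
    lookup_re = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")
    lookups = sum(1 for t in terms if lookup_re.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10")
    return findings


def check_dmarc(txt_records: list) -> list:
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} is monitor-only; enforcement needs quarantine or reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports (your evidence) are never collected")
    return findings


def check_dkim(selector_records: dict) -> list:
    """selector_records maps selector name -> TXT value at <selector>._domainkey.<domain>."""
    if not selector_records:
        return ["DKIM: no selector records published"]
    findings = []
    for selector, record in selector_records.items():
        if not parse_tags(record).get("p"):
            findings.append(f"DKIM: selector '{selector}' has an empty public key (revoked)")
    return findings


def assess(domain: str, txt: list, dmarc_txt: list, dkim: dict) -> EmailAuthReport:
    report = EmailAuthReport(domain)
    report.findings += check_spf(txt) + check_dmarc(dmarc_txt) + check_dkim(dkim)
    return report


# Constructed sample: a monitor-only configuration that will draw questions ...
WEAK = dict(
    domain="weak.example",
    txt=["v=spf1 include:_spf.example.net ?all"],
    dmarc_txt=["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    dkim={},
)
# ... and the enforced configuration the application expects (key truncated, constructed).
HARDENED = dict(
    domain="hardened.example",
    txt=["v=spf1 include:_spf.example.net -all"],
    dmarc_txt=["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example"],
    dkim={"s1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"},
)

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        result = assess(**cfg)
        print(result.domain, "PASS" if result.passes else "FAIL")
        for finding in result.findings:
            print("  -", finding)
```

Save the output for the hardened domain alongside the scan results in the documentation package; the findings for a weak domain double as the remediation list to work through before submitting the application.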
Document your security posture
Insurers want evidence that your controls are actually implemented, not just planned. Gather documentation for each control including screenshots of MFA enforcement policies, EDR deployment reports showing agent coverage percentage, backup configuration summaries and most recent restoration test results, and your incident response plan document. Run a Cyber Defense Score scan and save the results as evidence of your email and web security configurations. Create a one-page security program summary that lists all implemented controls, responsible personnel, and review dates. If you have completed a risk assessment, include the executive summary. If you have a cybersecurity policy, include it. Having this documentation package ready before the application demonstrates maturity and preparedness to the underwriter and streamlines the process.
Select the right coverage and limits
Work with an insurance broker who specializes in cyber liability to determine appropriate coverage types and limits. First-party coverage pays for your own losses including incident response costs, forensic investigation, business interruption, data restoration, ransomware payments, and notification costs. Third-party coverage pays for claims from others including regulatory fines, lawsuits from affected individuals, and payment card industry fines. The coverage limit should be based on your risk assessment, considering the maximum plausible loss scenario. For SMBs, common first-party limits range from five hundred thousand to five million dollars. Consider your annual revenue, the volume of sensitive records you hold, and the cost of business interruption when selecting limits. Pay attention to sub-limits, waiting periods, and exclusions in the policy language. Common exclusions include unpatched known vulnerabilities, failure to maintain required security controls, and acts of war.
Complete the application accurately
Fill out the insurance application with complete honesty and accuracy. Misrepresenting your security posture on the application can void your coverage when you file a claim, which is the worst possible time to discover your policy is invalid. If a question asks whether you have MFA on all remote access and you have it on email but not VPN, the accurate answer accounts for the gap. If you cannot answer yes to a question, implement the control before submitting or disclose the gap and explain your timeline for remediation. Many insurers appreciate transparency and will work with you on a timeline. Have your IT team review the technical questions and your legal team review the policy terms. Ask your broker to explain any terms or exclusions you do not understand. Submit the application with your supporting documentation package to demonstrate your security program maturity.
Maintain compliance with policy requirements
After your policy is issued, maintaining the security controls is not optional. Most cyber insurance policies include a duty to maintain the security posture represented in your application. If you allow MFA to lapse, remove your EDR solution, or stop performing backups, and then file a claim, the insurer may deny coverage based on material misrepresentation or failure to maintain required controls. Set quarterly internal audits to verify all required controls remain in place and functional. Document these audits as evidence of ongoing compliance. Notify your insurer of any significant changes to your IT environment, business operations, or security posture. Before your annual renewal, update your documentation package and run a fresh Cyber Defense Score scan. Proactively demonstrating improvement in your security posture can lead to premium reductions at renewal time.
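The documentation step above asks for coverage percentages and restoration-test dates, and this step asks for a quarterly check that those figures are still true. The script below is an added example, not the page's own tool, that produces both from one inventory: it reports MFA gaps per remote access path (the email-but-not-VPN situation from the application step), EDR and disk-encryption coverage percentages, endpoints past the thirty-day critical patch window, and whether the last backup restoration test is recent enough. The endpoint rows and dates are constructed; the ninety-day maximum age for a restoration test is an assumption chosen to match the quarterly audit cadence.

```python
"""Quarterly control audit against the insurer-facing requirements: MFA on every
remote access path, EDR and disk encryption on every endpoint, critical patches
within 30 days, and a recent tested backup restoration.  Added example with a
constructed inventory; in practice the rows come from the identity provider,
EDR console, MDM and backup system exports."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AUDIT_DATE = date(2024, 6, 30)        # fixed so the example is deterministic
PATCH_SLA_DAYS = 30                   # critical patches within thirty days of disclosure
RESTORE_TEST_MAX_AGE_DAYS = 90        # one tested restoration per quarter (assumption)
REMOTE_ACCESS = ("vpn", "email", "admin-console")


@dataclass
class Endpoint:
    name: str
    edr_agent: bool
    disk_encrypted: bool
    oldest_missing_critical_patch: Optional[date]   # None means fully patched


def mfa_gaps(mfa_by_service: dict) -> list:
    """Every remote access path must enforce MFA; return the ones that do not."""
    return [svc for svc in REMOTE_ACCESS if not mfa_by_service.get(svc, False)]


def coverage_pct(endpoints: list, attr: str) -> float:
    """Percentage of endpoints for which the boolean attribute is true."""
    if not endpoints:
        return 0.0
    return round(100.0 * sum(1 for e in endpoints if getattr(e, attr)) / len(endpoints), 1)


def patch_sla_breaches(endpoints: list, today: date = AUDIT_DATE) -> list:
    """Endpoints whose oldest missing critical patch is past the SLA."""
    return [
        e.name for e in endpoints
        if e.oldest_missing_critical_patch is not None
        and (today - e.oldest_missing_critical_patch).days > PATCH_SLA_DAYS
    ]


def audit(endpoints: list, mfa_by_service: dict, last_restore_test: date,
          today: date = AUDIT_DATE) -> dict:
    """Summarise control status in the form the documentation package needs."""
    restore_age = (today - last_restore_test).days
    result = {
        "audit_date": today.isoformat(),
        "mfa_gaps": mfa_gaps(mfa_by_service),
        "edr_coverage_pct": coverage_pct(endpoints, "edr_agent"),
        "encryption_coverage_pct": coverage_pct(endpoints, "disk_encrypted"),
        "patch_sla_breaches": patch_sla_breaches(endpoints, today),
        "restore_test_age_days": restore_age,
        "restore_test_current": restore_age <= RESTORE_TEST_MAX_AGE_DAYS,
    }
    # Compliant only when every control the application attested to still holds.
    result["compliant"] = (
        not result["mfa_gaps"]
        and result["edr_coverage_pct"] == 100.0
        and result["encryption_coverage_pct"] == 100.0
        and not result["patch_sla_breaches"]
        and result["restore_test_current"]
    )
    return result


# Constructed inventory: one workstation without EDR and overdue on a critical
# patch, one Mac without FileVault, and MFA enforced everywhere except the VPN.
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", True, True, None),
    Endpoint("ws-02", False, True, date(2024, 5, 1)),
    Endpoint("srv-01", True, True, date(2024, 6, 20)),
    Endpoint("mac-01", True, False, None),
]
SAMPLE_MFA = {"vpn": False, "email": True, "admin-console": True}
SAMPLE_LAST_RESTORE_TEST = date(2024, 4, 15)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ENDPOINTS, SAMPLE_MFA, SAMPLE_LAST_RESTORE_TEST).items():
        print(f"{key}: {value}")
```

The `mfa_gaps` and `patch_sla_breaches` lists are the items to remediate or disclose, and the dated summary is the audit record to keep alongside the screenshots and deployment reports.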
Common Mistakes to Avoid
- Misrepresenting security controls on the application, which can void coverage when a claim is filed
- Waiting until after a breach to purchase cyber insurance, which is like buying fire insurance while the house is burning
- Choosing the cheapest policy without reviewing coverage limits, sub-limits, and exclusions
- Not maintaining required security controls after the policy is issued, risking claim denial
- Skipping the broker and trying to navigate complex policy language without professional guidance