Before You Start
- An incident response plan with assigned roles and contact information
- Contact information for your cyber insurance carrier breach hotline
- Pre-identified legal counsel with data breach experience
- Access to system logs and security tool dashboards
- A communication channel that does not rely on potentially compromised systems
Activate your incident response team and assess the situation
The moment a potential data breach is confirmed, activate your incident response plan. Notify the Incident Commander and assemble the response team. Establish a communication channel outside your normal systems, such as personal cell phones or a pre-configured out-of-band messaging platform, in case your email or chat systems are compromised. Conduct an initial assessment to capture what you know so far, including how the breach was detected, what systems appear to be affected, what type of data may be exposed, and whether the attack is still active. Start a running incident log from this first assessment onward; every later step depends on an accurate timeline. Contact your cyber insurance carrier immediately through their breach hotline, as most policies require prompt notification and the insurer will assign a breach coach, typically an attorney, who will guide the response and coordinate vendors. Route everything from this point through your breach counsel so that it can be conducted under attorney-client privilege and protected from discovery in potential litigation. Privilege is not automatic, so follow counsel's instructions on who is copied on communications and how forensic work is commissioned.
Contain the breach to prevent further data loss
Take immediate action to stop the bleeding without destroying evidence. If the breach involves compromised credentials, reset the affected passwords and revoke all active sessions and refresh tokens for those accounts; a password reset alone does not invalidate sessions the attacker already holds. Check for persistence mechanisms like mail forwarding rules, OAuth application grants, new admin accounts, or newly registered MFA devices created by the attacker. If the breach involves malware on a system, isolate the system from the network by disabling the network adapter, unplugging the ethernet cable, or (for a cloud instance) applying a deny-all security group, but do not power it off, as memory evidence will be lost. The one exception is a system actively encrypting or destroying data that you cannot isolate quickly; there, stopping the destruction outweighs preserving memory. If the breach involves unauthorized access through a vulnerable application, take the application offline or block network access to it. If the breach involves a third-party vendor, contact them immediately to understand the scope on their end. Document every containment action taken with timestamps, who performed it, and the rationale. This documentation is critical for the forensic investigation and regulatory notifications that follow.
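The persistence checks above (forwarding rules, OAuth grants, new admin accounts) are easiest to run consistently as a script over exports from your mail and identity platform. The following is an added example written for this page, not code from the original article: it assumes the three data sets have already been exported as JSON-like records, and the field names, the internal domain, the app allowlist and all sample records are constructed assumptions for the demonstration rather than real exports or any vendor's actual schema.

```python
"""Triage exported inbox rules, OAuth consent grants and new admin accounts
for attacker persistence after a credential compromise.

Added example, not from the original article. Field names, domains,
allowlist entries and all sample records below are constructed assumptions.
"""
from __future__ import annotations
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"example.com"}           # assumption: your own mail domains
APPROVED_APP_IDS = {"app-salesforce-sync"}   # assumption: vetted OAuth app allowlist
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}
# Folders attackers pick to hide security alerts and replies from the victim.
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "junk email",
                  "deleted items", "archive"}
ALERT_KEYWORDS = {"password", "hacked", "phish", "suspicious", "security",
                  "wire", "invoice"}
# Earliest suspected attacker activity, taken from the initial assessment.
INCIDENT_WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-05-03T02:17:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage_rule(rule: dict) -> list[str]:
    reasons = []
    external = [a for a in rule["forward_to"]
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external address " + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").lower()
    hides = rule["delete"] or folder in HIDING_FOLDERS
    keywords = {k.lower() for k in rule["subject_contains"]} & ALERT_KEYWORDS
    if hides and keywords:
        reasons.append(f"hides mail matching {sorted(keywords)} "
                       f"in '{folder or 'deleted items'}'")
    if len(rule["name"].strip()) <= 1:   # '.' or '' rule names are a common tell
        reasons.append("minimal rule name")
    return reasons


def triage_grant(grant: dict, window_start: datetime) -> list[str]:
    reasons = []
    risky = set(grant["scopes"]) & HIGH_RISK_SCOPES
    if risky and grant["app_id"] not in APPROVED_APP_IDS:
        reasons.append(f"unapproved app '{grant['app_name']}' holds {sorted(risky)}")
    if _ts(grant["granted_at"]) >= window_start:
        reasons.append("consent granted inside the incident window")
    return reasons


def triage_admin(account: dict, window_start: datetime) -> list[str]:
    if _ts(account["created_at"]) >= window_start:
        return [f"{account['role']} on an account created inside the incident "
                f"window by {account['created_by']}"]
    return []


def triage(rules, grants, admins, window_start=INCIDENT_WINDOW_START) -> list[dict]:
    """Return one finding per suspicious item; an empty list means nothing flagged."""
    findings = []
    for r in rules:
        if reasons := triage_rule(r):
            findings.append({"subject": r["mailbox"], "kind": "inbox_rule",
                             "item": r["name"], "reasons": reasons})
    for g in grants:
        if reasons := triage_grant(g, window_start):
            findings.append({"subject": g["user"], "kind": "oauth_grant",
                             "item": g["app_id"], "reasons": reasons})
    for a in admins:
        if reasons := triage_admin(a, window_start):
            findings.append({"subject": a["created_by"], "kind": "admin_account",
                             "item": a["account"], "reasons": reasons})
    return findings


# Constructed sample exports (not real data). The third rule and the second
# grant are benign and should not be flagged.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "delete": False,
     "forward_to": ["collect@attacker-mail.example"], "move_to_folder": None,
     "subject_contains": []},
    {"mailbox": "cfo@example.com", "name": "cleanup", "delete": False,
     "forward_to": [], "move_to_folder": "RSS Subscriptions",
     "subject_contains": ["hacked", "suspicious"]},
    {"mailbox": "ap@example.com", "name": "Vendor mail", "delete": False,
     "forward_to": ["shared-ap@example.com"], "move_to_folder": "Vendors",
     "subject_contains": ["invoice"]},
]
SAMPLE_GRANTS = [
    {"user": "cfo@example.com", "app_id": "app-9f2c", "app_name": "PDF Viewer Pro",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "granted_at": "2024-05-03T02:17:00Z"},
    {"user": "ap@example.com", "app_id": "app-salesforce-sync", "app_name": "Salesforce",
     "scopes": ["User.Read", "Mail.Read"], "granted_at": "2023-01-10T10:00:00Z"},
]
SAMPLE_ADMINS = [
    {"account": "svc-backup2", "role": "Global Administrator",
     "created_at": "2024-05-03T02:25:00Z", "created_by": "cfo@example.com"},
    {"account": "itadmin", "role": "Global Administrator",
     "created_at": "2021-08-14T09:00:00Z", "created_by": "it-lead@example.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES, SAMPLE_GRANTS, SAMPLE_ADMINS):
        print(f"[{f['kind']}] {f['subject']} -> {f['item']}: {'; '.join(f['reasons'])}")
```

On the constructed data the script flags the two attacker rules on the CFO mailbox, the unapproved mail-capable app consented to during the incident window, and the admin account that mailbox created, while leaving the internal vendor rule and the allowlisted Salesforce grant alone. The incident window start is deliberately an input: as forensics pushes the first-compromise date earlier, rerun the triage with the new date rather than trusting the first pass.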
Preserve evidence and engage forensic investigation
Preserving evidence is essential for understanding the full scope of the breach and for potential law enforcement involvement. Do not reimage, rebuild, or modify affected systems until forensic evidence has been collected. Collect in order of volatility: capture memory dumps from compromised systems first, using tools like FTK Imager or WinPmem, then disk images, then logs. Collect and preserve relevant log files including security event logs, firewall logs, VPN access logs, email gateway logs, and cloud audit logs; export cloud and SaaS audit logs promptly, because their retention windows are often short and the records you need may roll off during the investigation. Hash every collected artifact and record who collected it and when, so the chain of custody can be demonstrated later. Your cyber insurance carrier will typically arrange a digital forensics firm through your breach counsel. The forensic investigators will determine the attack vector, timeline of unauthorized access, extent of data accessed or exfiltrated, and whether the attacker still has access. Cooperate fully with the forensic team and provide them access to all requested systems and logs. The forensic report is a critical input for determining notification obligations and will be requested by regulators and potentially by courts.
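Hashing collected artifacts and recording who collected them is the part of evidence preservation that is easy to promise and easy to skip. The following is an added example written for this page, not code from the original article or any forensics vendor: it builds a chain-of-custody manifest for an evidence directory (SHA-256 per file, size, modification time, collector, case ID, plus a hash over the manifest itself) and then verifies the directory against that manifest. The case ID, collector name, directory layout and the sample "evidence" files are constructed for the demonstration and are created in a temporary directory.

```python
"""Build and verify a chain-of-custody manifest for collected evidence.

Added example, not from the original article. Case IDs, names and the sample
evidence files are constructed; real use points build_manifest() at the
directory where memory images and exported logs were copied.
"""
from __future__ import annotations
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20   # read large images in 1 MiB pieces


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the manifest hash is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            st = p.stat()
            items.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": st.st_size,
                "sha256": sha256_file(p),
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {"case_id": case_id, "collector": collector,
                "collected_at_utc": datetime.now(timezone.utc).isoformat(),
                "items": items}
    # Hash the manifest body itself so later edits to the manifest are detectable.
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(manifest)).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the evidence set is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(body)).hexdigest() != manifest.get("manifest_sha256"):
        problems.append("manifest body has been altered")
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file():
            problems.append(f"{item['path']}: missing")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"{item['path']}: hash mismatch")
    listed = {i["path"] for i in manifest["items"]}
    for p in evidence_dir.rglob("*"):
        if p.is_file() and p.relative_to(evidence_dir).as_posix() not in listed:
            problems.append(f"{p.relative_to(evidence_dir).as_posix()}: not in manifest")
    return problems


def demo() -> dict:
    """Build a manifest over constructed sample evidence, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "IR-2024-017"
        (ev / "logs").mkdir(parents=True)
        # Constructed sample evidence (not real data).
        (ev / "logs" / "vpn.log").write_text(
            "2024-05-03T02:14:09Z vpn login user=cfo src=203.0.113.50 result=ok\n")
        (ev / "memory.raw").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(ev, collector="J. Analyst", case_id="IR-2024-017")
        clean = verify_manifest(ev, manifest)
        # Simulate what a verification must catch: an edited log, a stray file
        # dropped into the evidence set, and an edited manifest.
        (ev / "logs" / "vpn.log").write_text("tampered\n")
        (ev / "notes.txt").write_text("scratch\n")
        manifest["collector"] = "someone else"
        return {"clean": clean, "after_tampering": verify_manifest(ev, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest (and its hash) somewhere other than the evidence directory, such as the incident log, so a change to either side is detectable; the self-hash only tells you the manifest was edited, not by whom, which is why the collector and timestamp fields belong in the incident log as well.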
Determine notification obligations
Work with your breach counsel to determine who must be notified and by when. In the United States, all fifty states have data breach notification laws with varying requirements for timing, content, and triggers. Some states require notification within thirty days, others allow up to sixty or ninety days after discovery, and some set no fixed number and require notice "without unreasonable delay." If you handle healthcare data, HIPAA requires notification to affected individuals within sixty days of discovery and to the Department of Health and Human Services (within the same sixty days for breaches affecting five hundred or more individuals; smaller breaches are logged and reported annually). If payment card data is involved, PCI DSS and your merchant agreement require notification to your acquiring bank and the card brands on their reporting timelines. If you have European customers, GDPR requires notification to the supervisory authority within seventy-two hours of becoming aware of the breach, and notification to affected individuals without undue delay when the breach is likely to result in a high risk to them. Create a notification matrix listing each jurisdiction, the applicable law, the notification deadline, required content, and the regulatory contact. Prioritize notifications to meet the shortest deadlines first. Draft notification letters with your breach counsel and include the required information such as what happened, what data was involved, what you are doing about it, and what steps affected individuals should take.
Notify affected parties and regulators
Execute your notification plan according to the timelines and requirements identified. For individual notifications, use postal mail as the primary channel and add email where the applicable law permits electronic notice, so that delivery does not depend on a single channel. Include a clear description of the incident, the types of data involved, steps you are taking, and resources available to affected individuals such as credit monitoring services. For regulatory notifications, submit through the required channels, which may be online portals, written letters, or both. If more than five hundred residents of a single state are affected, HIPAA requires notice to prominent media outlets serving that state, and some state laws impose similar media notification thresholds. Prepare a public statement or FAQ page on your website for customers who hear about the breach through other channels. Brief your customer-facing staff on how to answer questions from concerned customers. Set up a dedicated phone line or email address for breach-related inquiries. If you offer credit monitoring or identity theft protection, select a vendor and have enrollment information ready before notifications go out.
Eradicate the threat and recover operations
Once the forensic investigation has identified the full scope and all attacker access has been removed, begin the eradication and recovery process. Patch the vulnerability that was exploited as the initial attack vector. Remove all malware, backdoors, and persistence mechanisms identified by forensics. Reset all credentials organization-wide, not just those known to be compromised, as attackers often harvest credentials beyond what logs reveal; include service accounts, API keys, and certificates, and in an Active Directory environment reset the KRBTGT account password twice, with enough time between resets for replication, so that forged Kerberos tickets stop working. Rebuild compromised systems from clean images rather than trying to clean them, as rootkits and advanced malware can survive cleanup attempts. Restore data from clean backups that predate the earliest compromise date established by the forensic timeline, not merely the date of discovery, and scan the restored data before reconnecting it. Bring systems back online in priority order with enhanced monitoring. Implement additional detection rules in your security tools based on the tactics, techniques, and procedures used by the attacker. Monitor recovered systems closely for at least thirty days for any signs of re-compromise.
Conduct a post-breach review and improve defenses
After the immediate crisis is resolved, conduct a thorough post-breach review within two weeks while details are fresh. Document the complete timeline from initial compromise to full recovery. Identify what worked well in your response and what needs improvement. Analyze the root cause and determine what controls could have prevented the breach or detected it sooner. Update your incident response plan based on lessons learned. Implement the security improvements identified during the review, such as additional monitoring, network segmentation, enhanced access controls, or employee training. Share sanitized lessons learned with your industry peers through ISACs or industry groups to help others prevent similar breaches. Review your cyber insurance coverage in light of the breach experience and adjust limits or coverage if needed at the next renewal. Schedule follow-up assessments to verify that remediation actions are effective and sustainable.
Common Mistakes to Avoid
- Not contacting your cyber insurance carrier immediately, missing the window for covered breach response services
- Destroying evidence by reimaging systems before forensic evidence is collected
- Communicating about the breach over potentially compromised email systems
- Missing regulatory notification deadlines, which can result in additional fines and penalties
- Only resetting credentials known to be compromised instead of performing an organization-wide reset