What is the Cyber Defense Score™?

The Cyber Defense Score™ is an A–F letter grade plus a 0–100 numerical score produced by a 100-tool external attack surface scan. It shows you exactly what cyber insurance underwriters see when they assess your business. It is mapped to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness.

How does Cyber Defense Agent help with cyber insurance?

Cyber Defense Agent runs the same external scans that cyber insurance underwriters use to assess your risk. By scanning first, you can identify and fix gaps (missing MFA, DMARC, open ports, SSL issues) BEFORE your renewal or new application. This helps you avoid denials, reduce premiums, and pass underwriting on the first attempt.

What do cyber insurance underwriters scan for?

Underwriters typically scan for: MFA enforcement across all remote access, DMARC/SPF/DKIM email authentication, open RDP ports (3389), SSL/TLS configuration, known vulnerabilities in public-facing services, DNS security, and evidence of endpoint detection (EDR). Cyber Defense Agent checks all of these in 60 seconds.

Can Cyber Defense Agent help me lower my cyber insurance premium?

Yes. Carriers offer premium discounts of 10–25% for businesses that demonstrate strong security posture. By fixing the gaps Cyber Defense Agent identifies and presenting your Cyber Defense Score™ and trust page to your broker, you provide concrete evidence of risk reduction that carriers reward with lower premiums.

Why was my cyber insurance application denied?

The most common denial reasons are: no MFA on email and remote access (41% of denials), missing DMARC email authentication, open RDP ports, no EDR/endpoint protection, and no incident response plan. Cyber Defense Agent scans for all of these and shows you exactly what to fix before reapplying.

How long does a Cyber Defense Agent scan take?

A full 100-tool external attack surface scan completes in approximately 60 seconds. No software installation, no questionnaires, and no credit card is required to get started. You see the same view of your attack surface that underwriters see.

What frameworks does Cyber Defense Agent map to?

Cyber Defense Agent maps scan results to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness. These are the same frameworks cyber insurance carriers reference in their underwriting guidelines.

How much does Cyber Defense Agent cost?

Essentials starts at $149/mo ($1,490/yr). Pro is $349/mo ($3,490/yr) and includes internal scanning, SOC 2 readiness, and full MCP toolset. Enterprise is $999/mo ($9,990/yr) with daily scans, custom framework mapping, and a dedicated AI agent instance. MSP partners pay $79/business/mo with a 25-business minimum. The free scan is always free.

How do I prepare for cyber insurance renewal?

Start 60–90 days before renewal. Run a Cyber Defense Agent scan to identify gaps. Fix critical items: enforce MFA everywhere, deploy DMARC, close open ports, update EDR. Re-scan to verify improvements. Present your Cyber Defense Score™ and trust page to your broker as evidence of improved posture. This positions you for renewal without premium increases or coverage reductions.

What is a trust page?

A trust page is a public cybersecurity posture page hosted at trust.cyberdefenseagent.ai/{your-slug}. It displays your Cyber Defense Score™, framework compliance status, and last scan date. Brokers, underwriters, and business partners can verify your security posture in 60 seconds instead of reviewing 30-page questionnaires.

How-To Guide

How to Set Up DMARC from Monitor to Enforce

A phased guide to deploying DMARC, starting with monitoring mode to collect data, then progressively tightening policy to quarantine and finally reject.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

SPF record configured and validated for your domain
DKIM signing enabled for your primary email platform
An email address or mailbox dedicated to receiving DMARC reports
Access to your DNS provider to create TXT records

Publish a DMARC record in monitor mode

Start with a permissive DMARC policy to collect data without affecting mail delivery. Create a TXT record at _dmarc.yourdomain.com with the value v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1. The p=none policy tells receiving servers to deliver all email regardless of authentication results but send reports. The rua tag specifies where aggregate reports are sent, and ruf specifies where forensic failure reports are sent. The fo=1 tag requests forensic reports for any authentication failure. Set the TTL to 3600 seconds. This monitoring phase should run for at least four to six weeks to capture a full picture of your email ecosystem.

Set up a DMARC report analyzer

Raw DMARC aggregate reports arrive as XML files attached to emails, and they are difficult to read manually. Sign up for a free or paid DMARC report analyzer such as dmarcian, Postmark DMARC, Valimail, or DMARC Analyzer. Configure the analyzer by adding its reporting address as an additional rua recipient in your DMARC record. The analyzer will parse incoming reports and display dashboards showing which IP addresses are sending email as your domain, whether those messages pass or fail SPF and DKIM, and whether they align with your From domain. This visibility is essential for identifying legitimate senders you have not yet authorized and for spotting spoofing attempts against your domain.

Fix SPF and DKIM alignment issues

DMARC requires alignment, meaning the domain in either the SPF check or the DKIM signature must match the From header domain. Review your DMARC reports for sources that fail alignment. Common causes include third-party services using their own domain in the envelope sender instead of yours, email forwarding services that break SPF, and services that sign with their own DKIM domain. Fix these by configuring custom envelope senders and DKIM signing on each third-party platform. For forwarding issues, rely on DKIM alignment since SPF will naturally break when mail is forwarded. Aim for one hundred percent of your legitimate email to pass DMARC before moving to the next phase.

Move to quarantine policy with a percentage ramp

Once your reports show high pass rates for legitimate mail, begin enforcement by moving to p=quarantine with a percentage tag. Update your DMARC record to v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@yourdomain.com. The pct=10 tells receivers to apply the quarantine policy to only ten percent of failing messages, sending the rest to the inbox as before. Monitor reports closely for two weeks. If no legitimate mail is being quarantined, increase to pct=25, then pct=50, then pct=100, pausing two weeks at each stage. This gradual ramp minimizes the risk of accidentally blocking real email while you tighten the policy.

Enforce reject policy

After running at p=quarantine; pct=100 for at least two weeks with clean reports, you are ready for full enforcement. Update your DMARC record to v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com. The p=reject policy instructs receiving servers to silently drop any email that fails both SPF and DKIM alignment. This is the strongest protection against domain spoofing. Continue monitoring reports after enforcement because new services may be added to your organization that send email on your behalf. If a new service appears in failure reports, authorize it in SPF and configure DKIM before it becomes a deliverability problem.

Apply DMARC to subdomains

Attackers often spoof subdomains that lack their own DMARC records. The sp tag in your organizational domain DMARC record sets the default policy for subdomains. Add sp=reject to your DMARC record so that subdomains without their own DMARC records inherit the reject policy. If specific subdomains send email legitimately, create individual DMARC records for those subdomains with appropriate policies. For subdomains that should never send email, publish a DMARC record with p=reject and an SPF record of v=spf1 -all to explicitly block all email from those subdomains. This defense-in-depth approach closes off subdomain spoofing attacks entirely.

Document and maintain your DMARC deployment

Create a runbook documenting your DMARC configuration, all authorized senders, their SPF and DKIM settings, and the escalation process for DMARC failures. Assign an owner who reviews DMARC reports at least monthly. Set calendar reminders for DKIM key rotations and SPF record audits. When new email-sending services are onboarded, the runbook should require SPF and DKIM configuration before the service goes live. Include a rollback procedure in case a configuration change causes delivery failures. Store the runbook in your security documentation alongside your incident response plan and review it during quarterly security reviews to keep it current.

Common Mistakes to Avoid

Jumping straight to p=reject without a monitoring phase, causing legitimate email to be silently dropped

Not setting up a DMARC report analyzer and ignoring the XML reports that arrive by email

Forgetting the sp tag for subdomains, leaving them open to spoofing even after the main domain is protected

Failing to configure DKIM alignment for third-party senders before enforcing DMARC

Not reviewing DMARC reports after enforcement when new email services are added to the organization

How to Set Up an SPF Record How to Configure DKIM for Email Authentication How to Create an Incident Response Plan

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card.

Get My Cyber Defense Score™ →