What is the Cyber Defense Score™?

The Cyber Defense Score™ is an A–F letter grade plus a 0–100 numerical score produced by a 100-tool external attack surface scan. It shows you exactly what cyber insurance underwriters see when they assess your business. It is mapped to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness.

How does Cyber Defense Agent help with cyber insurance?

Cyber Defense Agent runs the same external scans that cyber insurance underwriters use to assess your risk. By scanning first, you can identify and fix gaps (missing MFA, DMARC, open ports, SSL issues) BEFORE your renewal or new application. This helps you avoid denials, reduce premiums, and pass underwriting on the first attempt.

What do cyber insurance underwriters scan for?

Underwriters typically scan for: MFA enforcement across all remote access, DMARC/SPF/DKIM email authentication, open RDP ports (3389), SSL/TLS configuration, known vulnerabilities in public-facing services, DNS security, and evidence of endpoint detection (EDR). Cyber Defense Agent checks all of these in 60 seconds.

Can Cyber Defense Agent help me lower my cyber insurance premium?

Yes. Carriers offer premium discounts of 10–25% for businesses that demonstrate strong security posture. By fixing the gaps Cyber Defense Agent identifies and presenting your Cyber Defense Score™ and trust page to your broker, you provide concrete evidence of risk reduction that carriers reward with lower premiums.

Why was my cyber insurance application denied?

The most common denial reasons are: no MFA on email and remote access (41% of denials), missing DMARC email authentication, open RDP ports, no EDR/endpoint protection, and no incident response plan. Cyber Defense Agent scans for all of these and shows you exactly what to fix before reapplying.

How long does a Cyber Defense Agent scan take?

A full 100-tool external attack surface scan completes in approximately 60 seconds. No software installation, no questionnaires, and no credit card is required to get started. You see the same view of your attack surface that underwriters see.

What frameworks does Cyber Defense Agent map to?

Cyber Defense Agent maps scan results to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness. These are the same frameworks cyber insurance carriers reference in their underwriting guidelines.

How much does Cyber Defense Agent cost?

Essentials starts at $149/mo ($1,490/yr). Pro is $349/mo ($3,490/yr) and includes internal scanning, SOC 2 readiness, and full MCP toolset. Enterprise is $999/mo ($9,990/yr) with daily scans, custom framework mapping, and a dedicated AI agent instance. MSP partners pay $79/business/mo with a 25-business minimum. The free scan is always free.

How do I prepare for cyber insurance renewal?

Start 60–90 days before renewal. Run a Cyber Defense Agent scan to identify gaps. Fix critical items: enforce MFA everywhere, deploy DMARC, close open ports, update EDR. Re-scan to verify improvements. Present your Cyber Defense Score™ and trust page to your broker as evidence of improved posture. This positions you for renewal without premium increases or coverage reductions.

What is a trust page?

A trust page is a public cybersecurity posture page hosted at trust.cyberdefenseagent.ai/{your-slug}. It displays your Cyber Defense Score™, framework compliance status, and last scan date. Brokers, underwriters, and business partners can verify your security posture in 60 seconds instead of reviewing 30-page questionnaires.

How-To Guide

How to Set Up an SPF Record

A step-by-step guide to creating, publishing, and validating an SPF record in your DNS to stop unauthorized senders from spoofing your domain.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

Access to your domain registrar or DNS hosting provider
A list of all services that send email on behalf of your domain
Basic understanding of DNS record types (TXT, MX)

Inventory all authorized email senders

Before writing a single line of DNS, you need to know every server and service that legitimately sends email using your domain. Start with your primary mail provider such as Microsoft 365 or Google Workspace. Then check for transactional email services like SendGrid, Mailgun, or Amazon SES. Do not forget marketing platforms such as Mailchimp or HubSpot, CRM systems that send on your behalf, helpdesk tools, and any on-premise mail servers. Interview department heads to uncover shadow IT email services. Document each sender with its IP address or include mechanism so nothing is missed when you build the record.

Construct your SPF record syntax

An SPF record is a DNS TXT record that starts with v=spf1 followed by mechanisms that define authorized senders. Use the include mechanism for cloud services, for example include:_spf.google.com for Google Workspace or include:spf.protection.outlook.com for Microsoft 365. Use ip4 and ip6 mechanisms for specific server addresses. Keep the record under ten DNS lookups total, as exceeding this limit causes a permanent error and SPF will fail. End the record with -all for a hard fail, ~all for a soft fail, or ?all for neutral. For initial deployment, start with ~all and move to -all once you have confirmed all senders are listed.

Publish the SPF record in DNS

Log in to your DNS hosting provider or domain registrar. Navigate to the DNS management section for your domain. Create a new TXT record with the host field set to @ or your bare domain name. Paste your SPF string into the value field. Set the TTL to 3600 seconds or one hour initially so changes propagate quickly during testing. Make sure you have only one SPF record for the domain because multiple SPF records cause authentication failures. If an existing SPF record is present, merge the mechanisms into a single record rather than creating a second one. Save the record and wait for DNS propagation.

Validate the SPF record

After publishing, verify the record is correct and reachable. Use a command-line tool like dig or nslookup to query your domain for TXT records and confirm the SPF entry appears. Then use an online SPF validator such as MXToolbox or dmarcian to check for syntax errors, duplicate records, and lookup count. The validator will flag common issues like exceeding the ten-lookup limit, using deprecated ptr mechanisms, or having multiple SPF records. Fix any errors before proceeding. Send a test email from each authorized service and check the email headers for spf=pass in the Authentication-Results header.

Flatten the record if you exceed the lookup limit

Each include, a, mx, and redirect mechanism triggers a DNS lookup, and SPF allows a maximum of ten. If your record exceeds this limit, you need to flatten it by replacing include mechanisms with the actual IP addresses they resolve to. Tools like SPF Flattener or autospf can automate this process. Be aware that flattened records must be updated whenever a provider changes their IP ranges, so set a calendar reminder to review monthly or use a dynamic flattening service. An alternative approach is to delegate a subdomain for specific services and create separate SPF records for each subdomain, keeping each under the limit.

Monitor SPF results with DMARC reports

Once SPF is live, set up a DMARC record in monitor mode with p=none and a rua reporting address. DMARC aggregate reports will show you which senders are passing and failing SPF checks. Review these reports weekly for the first month to catch any legitimate senders you missed. Look for spf=fail entries from IP addresses you do not recognize and investigate whether they are legitimate services or spoofing attempts. Use a DMARC report analyzer tool to parse the XML reports into readable dashboards. This monitoring phase is critical before tightening your SPF policy to hard fail.

Common Mistakes to Avoid

Creating multiple SPF records for the same domain instead of merging them into one

Exceeding the ten DNS lookup limit, which causes SPF to return a permanent error

Forgetting to include third-party services like CRM or helpdesk tools that send email on your behalf

Starting with -all (hard fail) before confirming all legitimate senders are listed

How to Configure DKIM for Email Authentication How to Set Up DMARC from Monitor to Enforce How to Configure SSL/TLS for Your Web Server

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card.

Get My Cyber Defense Score™ →