Before You Start
- Executive sponsorship for the training program with dedicated budget
- A security awareness training platform selected such as KnowBe4, Proofpoint, or Cofense
- A baseline understanding of your organization's current phishing click rates
- An employee roster with department and role information for targeted training
Establish a baseline with an initial phishing simulation
Before launching formal training, measure your current human risk by running a baseline phishing simulation. Configure a realistic phishing email in your training platform using a template that mimics a common attack your organization might face, such as a fake password reset, invoice, or package delivery notification. Send it to all employees without advance warning. Track the key metrics: open rate, click rate, credential submission rate, and report rate (the share of employees who correctly identified and reported the phish). The industry average click rate for untrained employees is typically between twenty and thirty percent. Your baseline results will quantify the risk, justify the training investment to leadership, and provide a benchmark to measure improvement over time. After the simulation completes, send a debrief email explaining that it was a test, what the red flags were, and that training is coming.
Design the core training curriculum
Create a training program that covers the essential topics every employee needs to understand. Core modules should include recognizing phishing and social engineering attacks, creating and managing strong passwords, safe web browsing and email practices, mobile device security, physical security including clean desk policy and visitor management, social media safety and protecting company information, data handling and classification, and how to report a security incident. Keep individual training modules under fifteen minutes to maintain attention. Use a mix of video content, interactive exercises, and short quizzes to accommodate different learning styles. Schedule the core curriculum to be completed over four to six weeks rather than all at once, spacing modules to prevent training fatigue. Make the content relevant to your employees' daily work by using real-world examples from your industry. Avoid overly technical jargon that will alienate non-technical staff.
Implement role-based training modules
Beyond the core curriculum, different roles face different risks and require targeted training. Executives and finance staff should receive additional training on business email compromise, wire fraud, and CEO impersonation attacks since these are high-value targets for attackers. IT staff and system administrators need training on privilege escalation, supply chain attacks, and secure configuration management. Customer-facing staff need training on pretexting and social engineering tactics used to extract customer information over the phone or chat. Developers need secure coding training covering OWASP Top Ten vulnerabilities. HR staff need training on protecting employee personal information and recognizing recruitment fraud. Create these role-based modules and assign them to the appropriate employee groups in your training platform. Schedule role-based training to follow the core curriculum so employees have the foundational knowledge first.
Run ongoing phishing simulations
Phishing simulations should be a continuous program, not a one-time event. Schedule simulations at least monthly, varying the difficulty, topic, and sending time. Start with easier-to-identify phishing emails and gradually increase sophistication. Include different attack types such as credential harvesting, malicious attachment, impersonation of a known sender, and SMS phishing if your platform supports it. When an employee clicks a phishing simulation, immediately redirect them to a brief educational landing page that explains what happened and what they should have noticed. This just-in-time training is highly effective because it occurs in the moment of the mistake. Track individual employee performance over time. Employees who consistently click on simulations should receive additional targeted training and one-on-one coaching. Recognize and reward employees who consistently report simulations correctly to reinforce positive behavior.
Reinforce learning through continuous communication
Training modules and simulations are important but not sufficient on their own. Build a culture of security through continuous reinforcement. Send a monthly security newsletter or tips email covering current threats, recent scams targeting your industry, and practical security advice for both work and personal use. Post security reminders in common areas and on your company intranet. Share anonymized results from phishing simulations to create healthy awareness without shaming individuals. Celebrate Cybersecurity Awareness Month in October with themed activities, guest speakers, or security challenges with prizes. Create a simple reporting mechanism like a phishing report button in the email client that makes it easy for employees to report suspicious emails. Publicly recognize employees or departments that demonstrate strong security practices. The goal is to make security a normal part of daily work rather than an annual compliance checkbox.
Measure results and report to leadership
Track key metrics over time to demonstrate the return on investment of your training program. The primary metrics to report are the phishing click rate trend over time, which should decrease, and the reporting rate, the percentage of employees who correctly identify and report simulated phishing emails, which should increase. Monitor training completion rates by department to identify groups that are falling behind. Track the time to report, measuring how quickly employees flag suspicious emails. Compare your metrics against industry benchmarks provided by your training platform vendor. Create a quarterly report for leadership that shows the trend in these metrics, highlights areas of improvement, and identifies departments or roles that need additional attention. Correlate training investment with real-world outcomes by tracking the number of actual phishing emails reported by employees and any real security incidents prevented by trained employees. This data justifies continued investment in the program.
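To make the baseline metrics and the ongoing reporting concrete, here is an added example (not from the original page or any training platform vendor) that computes click, credential-submission and report rates, median time to report, the click-rate trend across campaigns, and the repeat clickers who need coaching, all from a constructed per-employee result table; the row format and department grouping are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not real results): one row per campaign and
# employee. reported_at is minutes after send; None = never happened.
RESULTS = [
    # campaign, employee, dept, clicked, submitted_creds, reported_at
    ("2024-01", "alice", "finance", True, True, None),
    ("2024-01", "bob", "finance", False, False, 12),
    ("2024-01", "carol", "eng", True, False, 45),
    ("2024-01", "dave", "eng", False, False, None),
    ("2024-02", "alice", "finance", True, False, None),
    ("2024-02", "bob", "finance", False, False, 5),
    ("2024-02", "carol", "eng", False, False, 20),
    ("2024-02", "dave", "eng", False, False, 30),
]

def campaign_metrics(rows, by_dept=False):
    """Click, credential-submission and report rates (percent) plus median
    minutes-to-report, keyed by campaign or by (campaign, department)."""
    groups = defaultdict(list)
    for camp, _emp, dept, clicked, submitted, reported_at in rows:
        groups[(camp, dept) if by_dept else camp].append((clicked, submitted, reported_at))
    out = {}
    for key, g in groups.items():
        n = len(g)
        report_times = [r for _, _, r in g if r is not None]
        out[key] = {
            "recipients": n,
            "click_rate": round(100 * sum(c for c, _, _ in g) / n, 1),
            "submit_rate": round(100 * sum(s for _, s, _ in g) / n, 1),
            "report_rate": round(100 * len(report_times) / n, 1),
            "median_minutes_to_report": median(report_times) if report_times else None,
        }
    return out

def repeat_clickers(rows, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns: coaching candidates."""
    clicks = defaultdict(int)
    for _, emp, _, clicked, _, _ in rows:
        clicks[emp] += clicked
    return sorted(e for e, c in clicks.items() if c >= min_clicks)

def click_rate_trend(rows):
    """Click rate per campaign in chronological order; should fall over time."""
    m = campaign_metrics(rows)
    return [(c, m[c]["click_rate"]) for c in sorted(m)]

if __name__ == "__main__":
    print(click_rate_trend(RESULTS), repeat_clickers(RESULTS))
```

Feed it the export from your platform instead of RESULTS and group by department to spot the teams that are falling behind.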
Common Mistakes to Avoid
- Running a single annual training session instead of a continuous program with monthly simulations
- Using generic training content that is not relevant to your industry or employee roles
- Publicly shaming employees who fail phishing simulations, which creates fear and discourages reporting
- Not tracking metrics over time, making it impossible to demonstrate program effectiveness
- Treating training as an IT initiative rather than a company-wide program with executive sponsorship