At-Bay is not a traditional cyber carrier. It is an InsurSec company, which means it combines underwriting with integrated security tooling, and it underwrites based on what it can observe about your environment, not just what you self-report on a questionnaire.
That distinction changes how you should prepare.
At-Bay protects nearly 40,000 businesses in the US, covering up to $800 billion in collective revenue.[1] The carrier grew 344.9% in direct written premium between 2020 and 2023, making it one of the fastest-growing cyber insurers in the market.[2] That growth is not accidental. At-Bay's underwriting model is built on technology-driven risk assessment that goes well beyond a paper application.
This guide covers both At-Bay application tiers, explains what the Stance platform sees before and after binding, and walks through the controls that matter most for getting a clean quote, not just a fast one.
Two applications, one underwriting philosophy
At-Bay splits its application into two tiers based on revenue.[3][4]
The Express Application (also called the Short Application) is for businesses with annual revenue under $100 million. It is shorter, more automated, and designed for rapid quoting. At-Bay's broker platform says brokers can quote in under two minutes while managing teams and renewals in one place.[3]
The Full Application is for businesses with revenue of $100 million or more. It asks substantially more detailed questions about the organization's security posture, incident history, and operational complexity.[4]
Both tiers feed into the same underwriting engine, and both are supplemented by At-Bay's external scanning and risk assessment tooling. The Express application is faster because the data inputs are supplemented with more automated external intelligence. The Full application requires more manual disclosure because larger organizations have more complex environments that external scans alone cannot fully assess.
There is also a Renewal Application path. At-Bay says eligible rapid-renewal policyholders receive 90 days' notice and renewal terms. Renewals can fall into rapid, manual, or non-renewing paths. Manual renewals are triggered by security-scan findings, claims history, or higher revenues, and may require uploading supporting materials such as ransomware applications.[9] That renewal distinction matters because an initial application that was clean does not guarantee a frictionless renewal if the Stance platform detects posture changes during the policy period.
The practical implication: even on the Express path, At-Bay is not flying blind. The carrier is running its own technical assessment in parallel with whatever you write on the form.
What At-Bay sees before you answer a single question
This is where At-Bay fundamentally differs from carriers that rely primarily on self-reported questionnaires.
At-Bay's Stance platform performs external vulnerability scanning and risk assessment as part of the underwriting process.[5] Before a quote is issued, At-Bay can already observe:
- externally exposed services and ports,
- email authentication posture (SPF, DKIM, DMARC),
- known vulnerabilities on internet-facing systems,
- dark web exposure related to the organization's domains,
- software and technology stack fingerprinting.
That means answering "Yes" to a security question while your external posture contradicts the answer creates immediate friction. At-Bay's underwriting team can see the gap between what you claim and what their scanners find.
This is also why running your own external scan before submitting the application is valuable. You want to know what At-Bay's tools will see before the underwriting process begins. A quick external readiness check shows you the same email authentication posture and exposed services that At-Bay's scanners will evaluate.
The Express Application: what it asks and what it means
The Express Application for businesses under $100 million in revenue covers several key areas.[3]
Business information and exposure context
At-Bay asks standard business profile questions: legal entity name, address, industry classification, annual revenue, and the primary website URL. The website URL matters more than it might seem because that is the starting point for At-Bay's external scan. If the domain you provide is not the primary operational domain, or if you have multiple business units with different domains, the risk assessment may not capture the full picture.
Prior incidents and claims history
At-Bay asks whether the applicant has experienced any cyber incidents, claims, or losses in the prior period. Like Coalition's known-facts question, this is a disclosure question, not a technical one. The instinctive mistake is reading the question too narrowly and only disclosing events that resulted in a paid claim. If there was a ransomware attempt, a BEC incident, a data breach notification, or a regulatory inquiry, disclose it with remediation context.
Security controls assessment
The Express Application asks a compact but revealing set of questions that map directly to the controls most likely to determine loss outcomes.[3]
Record volume threshold. At-Bay asks whether the applicant stores or processes more than 500,000 personal, health, or cardholder records.[3] This is a data exposure sizing question that shapes both pricing and coverage terms.
Multi-factor authentication. At-Bay splits MFA into two explicit questions: whether MFA is enforced on all email access, and whether MFA is enforced on all remote access including VPN or similar remote-network access.[3] At-Bay's 2025 InsurSec Report found that remote access tools, especially VPNs, were the initial entry point in four out of five ransomware attacks.[6] That is why At-Bay treats MFA coverage on remote access as one of the highest-weight underwriting factors. A "Yes" that only covers email but leaves VPN unprotected is exactly the gap that leads to both breaches and coverage disputes.
MSP identification. At-Bay does not just ask whether an MSP is used. It asks for the MSP's name.[3] That is a strong signal that At-Bay's underwriting model treats the MSP as a material part of the risk profile. If an MSP is named on the application but the submission lacks good evidence for MFA, EDR management, and backups, the paperwork and the operating reality feel disconnected.
Endpoint detection and response. At-Bay asks two things: which EDR product is deployed, and how the EDR platform is managed.[3] The management question is critical. At-Bay's answer choices distinguish between 24/7 monitoring, business-hours-only monitoring, and deployed-but-not-actively-monitored. That is not a checkbox; it is a graduated risk signal. Saying "we have EDR" while the platform is unmonitored is a weaker answer than most applicants realize. At-Bay offers its own MDR service through Stance, including 24/7 monitoring using CrowdStrike EDR technology, but this is not a prerequisite for coverage.[7]
Backup and recovery. At-Bay drills into backup architecture with unusual specificity. The short application asks whether the company keeps offline backups or uses a cloud provider, how backup copies are stored, and whether critical backup copies are immutable.[3] The carrier's claims data shows that organizations without robust backup strategies are 2.38 times more likely to pay a ransom, and backup-aware strategies reduce median claim costs by 72%.[8] Answering "immutable" when your backups are actually domain-joined and reachable from compromised admin credentials is the kind of misstatement that surfaces during claims investigation.
Secure email gateway. At-Bay asks which secure email gateway product is in use.[3] This is not a yes/no question. The carrier wants to know the specific product, which tells you At-Bay is evaluating the quality of email security implementation, not just its existence.
Email security. At-Bay's external scanning will assess SPF, DKIM, and DMARC records independently (for a deeper look at how these records work and what carriers expect, see DMARC, SPF, and DKIM for Cyber Insurance), but the application also asks about email security practices. At-Bay's claims data shows that 43% of all claims involve email-based attacks, and 83% of financial fraud claims begin with a malicious email.[6] Email authentication is not a nice-to-have from At-Bay's perspective. It is a core underwriting input.
Patch management. At-Bay asks about the organization's approach to identifying and remediating vulnerabilities. The carrier's external scans can detect known vulnerabilities on internet-facing systems, so claiming a mature patch process while running unpatched services is a contradiction the underwriting team will notice.
Funds transfer and social engineering controls
At-Bay asks about verification procedures for payment requests and changes to banking details. Financial fraud is the single most common incident type in At-Bay's claims data, and the carrier's report documents that the average ransom demand was negotiated from $957,000 down to $317,000 among At-Bay policyholders who did pay.[6] The controls around payment verification directly affect both the likelihood and the severity of fraud losses.
The Full Application: what changes above $100 million
The Full Application for businesses with revenue of $100 million or more asks everything the Express Application covers, plus additional depth in several areas.[4]
Organizational complexity. Larger organizations are asked about subsidiaries, acquisitions, international operations, and the complexity of their IT environment. At-Bay needs this because a $500 million organization with five acquisitions in the last three years has a fundamentally different risk profile than a single-entity firm of the same size.
Named security contact. The Full Application asks for a primary security contact authorized to receive security notifications and engage with At-Bay's Managed Security team. The form allows a full-time employee, managed IT provider, managed security provider, or internal inbox.[4] This is not just a contact-information field. At-Bay's model expects a living security relationship, not a completed PDF. The named contact will receive Stance vulnerability alerts and At-Bay security communications during the policy period.
Security governance. The Full Application asks about security leadership, whether a CISO or equivalent role exists, reporting structure, and board-level oversight of cybersecurity risk. This is not a checkbox question. At-Bay is trying to understand whether security has organizational authority or whether it is buried under IT operations with no executive visibility.
Third-party risk management. Larger organizations typically depend on more vendors, service providers, and technology partners. The Full Application asks about vendor assessment processes, contractual security requirements, and supply chain risk management practices.
Detailed incident response. Beyond asking whether an IR plan exists, the Full Application probes whether it has been tested, how recently, and whether external incident response retainers are in place.
Technology infrastructure detail. The Full Application asks more specific questions about network segmentation, identity management, cloud security posture, and operational technology if applicable.
The Stance platform: what happens after binding
At-Bay's Stance platform is not just a pre-quote scanning tool. It is an ongoing risk management platform that policyholders get access to after binding.[5]
Stance includes:
- Continuous vulnerability scanning of the organization's external attack surface,
- Dark web monitoring for compromised credentials and data exposure,
- AI-powered email fraud alerts that flag suspicious payment-related emails,
- vCISO advisory services for security guidance and remediation planning,
- Employee security training to reduce phishing susceptibility.
At-Bay values the embedded risk prevention tools in Stance at up to $72,000 per policy.[5] Certain InsurSec packages can also unlock premium credits and insurance enhancements, creating a direct economic incentive to engage with the security platform beyond the coverage itself. That is not a marketing number. It reflects the actual cost of the MDR, scanning, and advisory services bundled into the coverage.
At-Bay also offers Stance MDR as a standalone service:
- Stance MDR for Endpoint: 24/7 threat monitoring and full remediation using CrowdStrike EDR technology,
- Stance MDR for Email: expert teams combined with AI-powered email security,
- Stance MXDR: comprehensive threat detection across endpoints, email, cloud, and identity.[7]
The practical implication for application preparation is that At-Bay treats security posture as a continuous underwriting input, not a one-time disclosure. If your controls degrade during the policy period, At-Bay's platform may detect it. That is different from carriers who rely entirely on annual questionnaires and may not know about drift until a claim is filed.
Where At-Bay applications go wrong
Based on At-Bay's own claims data and the structure of the application, there are several common failure patterns.
Overstating MFA coverage on remote access. At-Bay's 2025 report is explicit: VPNs are the top ransomware entry point.[6] Saying MFA is enforced on email while leaving VPN or administrative consoles unprotected is the most dangerous gap you can create on this application. If your environment is Microsoft 365-centric, see The M365 MFA Reporting Gap for Cyber Insurance for why there is no single report that proves enforcement across all access paths.
Ignoring what external scans will find. Because At-Bay runs external scanning as part of underwriting, discrepancies between your answers and your external posture create immediate credibility problems. Run your own scan first. Fix the obvious issues before submitting.
Treating backup as a vendor question instead of an architecture question. At-Bay does not care which backup vendor you use. The carrier cares whether the backup architecture survives a ransomware event where the attacker has domain admin credentials. If your backups are domain-joined, reachable from compromised admin accounts, or not tested for recoverability, the backup question is weaker than you think. (For a detailed walkthrough of what "immutable" actually means in practice, see How to Prove Backup Immutability for Cyber Insurance Renewals.)
Missing domains in the full application. The full At-Bay application asks for all websites and domains owned and operated by the named insured and subsidiaries.[4] If the insured only provides the marketing site and forgets legacy, business-unit, or acquired-entity domains, the outside-in scan and the formal submission drift apart immediately. At-Bay's scan starts with whatever domains you provide, so missing domains means missing coverage of the actual attack surface.
Ignoring the rescission language. At-Bay's full application says the written application and other submitted materials are incorporated into the underwriting process and that misrepresentation or omission can be grounds for rescission.[4] "Close enough" is not a safe workflow for this carrier.
Underestimating email exposure. With 43% of claims involving email-based attacks, At-Bay treats email security as a primary underwriting factor.[6] Incomplete SPF records, DMARC at p=none, or missing DKIM are all signals that the email layer is not properly hardened.
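The three email-layer signals named above (incomplete SPF, DMARC at p=none, missing DKIM) are also the ones the "run your own scan first" advice in the scanning section is about. The following is an added example, not At-Bay's or Stance's code: it triages already-resolved TXT records offline, with constructed sample records, and assumes the caller has fetched the domain's SPF and DMARC TXT records and counted resolvable DKIM selectors beforehand.

```python
"""Offline triage of the DNS signals an outside-in scan evaluates: SPF, DMARC, DKIM.
Records are passed in as strings so this runs without network access."""
from typing import Optional

# Constructed sample records for illustration, not any real organisation's DNS.
SAMPLE_SPF = "v=spf1 include:_spf.mailer.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
SEVERITY = {"high": 2, "medium": 1, "info": 0}

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf: Optional[str], dmarc: Optional[str], dkim_selectors_found: int) -> list:
    """Return (severity, message) findings. spf/dmarc are the published TXT records
    or None; dkim_selectors_found is how many DKIM selectors resolved for the domain."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append(("high", "no SPF record published"))
    else:
        terms = spf.split()
        # The 'all' mechanism's qualifier decides what happens to unlisted senders.
        all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
        qual = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
        if all_term is None or qual == "+":
            findings.append(("high", "SPF does not restrict senders (no all term, or +all)"))
        elif qual == "?":
            findings.append(("medium", "SPF ends in ?all (neutral): effectively unenforced"))
        elif qual == "~":
            findings.append(("info", "SPF ends in ~all (softfail); -all is the strict form"))
        # Receivers stop evaluating after 10 DNS-querying mechanisms (permerror).
        lookups = sum(t.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0]
                      in ("include", "a", "mx", "ptr", "exists", "redirect") for t in terms)
        if lookups > 10:
            findings.append(("medium", f"SPF needs {lookups} DNS lookups (limit is 10)"))
    if not dmarc:
        findings.append(("high", "no DMARC record published"))
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if tags.get("v") != "DMARC1" or not policy:
            findings.append(("high", "DMARC record malformed (missing v=DMARC1 or p= tag)"))
        elif policy == "none":
            findings.append(("medium", "DMARC at p=none: monitoring only, spoofed mail is still delivered"))
        if "rua" not in tags:
            findings.append(("info", "no rua= address: aggregate reports are not collected"))
    if dkim_selectors_found == 0:
        findings.append(("high", "no DKIM selector found: DMARC can pass only via SPF alignment"))
    return findings
```

Running `assess_email_auth(SAMPLE_SPF, SAMPLE_DMARC, 0)` on the constructed records yields the softfail, p=none and missing-DKIM findings, which is the posture the paragraph above describes as not properly hardened.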
An At-Bay application prep checklist
Before submitting to At-Bay, whether Express or Full:
- Run an external scan of your primary domain. Check SPF, DKIM, DMARC, exposed ports, and known vulnerabilities. You want to see what At-Bay's tools will see. The free readiness check covers the email authentication posture At-Bay evaluates.
- Map MFA enforcement by access path. Confirm MFA on email, VPN, RDP, administrative consoles, and any other remote access path. Document exceptions honestly.
- Verify EDR deployment coverage. Know the denominator: how many endpoints exist, and how many are covered by EDR with active monitoring?
- Confirm backup isolation and recoverability. Verify that backups are not reachable from the same credentials that an attacker with domain admin access would hold. Confirm a recent restore test.
- Review funds transfer verification procedures. Confirm that callback verification exists for payment requests and banking detail changes, especially at lower dollar thresholds.
- If Full Application: prepare security governance documentation. Have CISO reporting structure, board oversight, vendor assessment process, and IR plan testing evidence ready.
If you have a carrier questionnaire to work through, upload it to the Carrier Decoder to identify gaps before submission.
The right way to think about At-Bay
At-Bay is not trying to catch you with trick questions. The carrier is trying to align insurance pricing with actual security posture, and it has built the technology to do that assessment independently.
That is both good news and bad news for applicants.
Good news: if your security posture is strong, At-Bay's model will recognize it, often resulting in better pricing and broader coverage than traditional carriers that cannot differentiate well-secured organizations from poorly secured ones.
Bad news: if your posture is weaker than your answers suggest, At-Bay's scanning and monitoring tools will likely find the gap, either during underwriting or during the policy period.
The safest approach is to treat the application as a transparency exercise rather than a sales pitch. Verify your controls, document the evidence, fix the gaps you can fix before submission, and disclose the ones you cannot.
BindLedger is built for that exact workflow. The external readiness check shows you the email authentication and exposure signals that At-Bay's Stance platform evaluates. The evidence workflows help you build defensible answers for MFA, endpoint protection, and backup controls before anyone signs the application. If you are evaluating multiple carriers, see The Complete Guide to Cyber Insurance Evidence in 2026 for a cross-carrier evidence framework, or compare At-Bay's controls with other carriers in 8 Controls, 3 Carriers: Cyber Insurance Checklist. For other carrier-specific guides, see BindLedger's walkthroughs for Cowbell, Hartford CyberChoice, Corvus Smart Cyber, and Travelers CyberRisk.