METHODOLOGY
How the readiness check works
Our free scan checks publicly observable security controls against what cyber insurance carriers typically ask. Here's exactly what it does, what it doesn't, and how to interpret the results.
What We Scan
- SPF record presence and policy strength (the qualifier on the final "all" mechanism, and whether the record stays within the DNS lookup limit)
- DKIM record lookup for common selectors (DNS does not allow selectors to be enumerated, so a DKIM record published under a custom selector may not be found by a passive check)
- DMARC policy (p=, sp=, pct=) and reporting (rua=/ruf=) configuration
- MX record security
- TLS certificate validity and protocol versions
- Subdomain enumeration via public DNS
- Internet-facing service exposure
What We Do Not Scan
- Internal network controls (firewalls, segmentation)
- Endpoint protection deployment (EDR/AV)
- Backup configuration and testing
- Identity provider / MFA enrollment rates
- Physical security
- Employee training completion
These controls require direct evidence from your internal tools. See our evidence collection guides for step-by-step export instructions.
How Scoring Works
Each check maps to one or more carrier questionnaire topics. We flag findings as:
- Pass — Control verified and aligned with carrier expectations
- Warning — Control present, but its configuration may not meet the strictest carriers' requirements
- Fail — Control missing or misconfigured; likely an underwriter blocker
- Not Applicable — Check does not apply to this domain configuration
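To make the Pass / Warning / Fail mapping concrete for the SPF and DMARC checks listed under What We Scan, here is a worked example of how such a passive grader can be written. It is added for illustration and is not the readiness check's own code. The thresholds it applies (a hard-fail "-all" passes, "~all" warns, "p=reject" at pct=100 with an rua= address passes) and the sample DNS TXT records are assumptions; the scanner's actual thresholds may differ, and a real run would fetch the records over DNS rather than read them from a dict.

```python
"""Grade SPF and DMARC TXT records as Pass / Warning / Fail.

Added example, not the scanner's code. Thresholds are assumptions
chosen to mirror typical cyber insurance questionnaire expectations.
"""

# Constructed sample records keyed by DNS name (not real scan output).
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.example.net mx -all", "site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps a policy at 10 of them.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_record(txt_records):
    """Return the single v=spf1 record, or None if there are zero or several."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def grade_spf(txt_records):
    """Grade SPF from the raw TXT records at the domain apex."""
    rec = spf_record(txt_records)
    if rec is None:
        return "Fail", "missing or duplicated v=spf1 record"
    terms = rec.split()[1:]
    # Only the top-level record is inspected (no recursion into includes),
    # so this lookup count is a lower bound on the real total.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_MECHS
    )
    if lookups > 10:
        return "Fail", f"{lookups} lookup terms exceed the limit of 10 (permerror)"
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "Warning", "no 'all' mechanism; unlisted senders evaluate neutral"
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return "Pass", "-all (hard fail for unlisted senders)"
    if qualifier == "~":
        return "Warning", "~all (soft fail); strict carriers expect -all"
    return "Fail", f"{qualifier}all lets any host send as the domain"


def dmarc_tags(txt_records):
    """Parse the single v=DMARC1 record at _dmarc.<domain> into a tag dict, or None."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt_records):
    """Grade DMARC policy strength and reporting configuration."""
    tags = dmarc_tags(txt_records)
    if tags is None:
        return "Fail", "missing or duplicated v=DMARC1 record at _dmarc"
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC 7489 default when the tag is absent or unparsable
    reasons = []
    if policy == "reject" and pct == 100:
        grade = "Pass"
    elif policy in ("reject", "quarantine"):
        grade = "Warning"
        reasons.append(f"p={policy} pct={pct}; strict carriers expect p=reject at 100%")
    else:
        return "Fail", f"p={policy or 'missing'} does not enforce alignment"
    if not tags.get("rua"):
        grade = "Warning"
        reasons.append("no rua= aggregate reporting address")
    # sp= defaults to p; an explicit sp=none silently exempts subdomains.
    if tags.get("sp", "").lower() == "none":
        grade = "Warning"
        reasons.append("sp=none leaves subdomains unenforced")
    return grade, "; ".join(reasons) or "p=reject with aggregate reporting"


def readiness(records, domain):
    """Run both graders over a {dns_name: [txt, ...]} map for one domain."""
    return {
        "spf": grade_spf(records.get(domain, [])),
        "dmarc": grade_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for control, (grade, why) in readiness(SAMPLE, "example.com").items():
        print(f"{control.upper():6} {grade:8} {why}")
```

Against the constructed sample, SPF grades Pass (hard fail on unlisted senders) while DMARC grades Warning because p=quarantine is enforcing but weaker than the p=reject most carrier forms ask about. The lookup count is deliberately a lower bound: a full check would resolve each include: and redirect= and count recursively, which is where most real-world SPF records blow past the limit of 10.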
Limitations
This is a passive external scan using only publicly available DNS, certificate, and service data, and it reflects the state of those records at the moment of the scan. It does not prove the absence of a vulnerability, the completeness of a security program, or the accuracy of any application response; a Pass on an externally observable control is not evidence that the control is enforced internally. Results are informational and should be reviewed by a qualified professional before use in any insurance application.
Update Cadence
Scan logic is updated as carriers publish new application forms and as security standards evolve. The carrier mapping layer tracks form changes across Coalition, Travelers, Hartford, At-Bay, and Cowbell.
Ready to see how it works?
Run the free readiness check on your domain, or explore our evidence collection guides.