TechGuard Security

Cybersecurity Maturity Advisor

Cyberinsurance Underwriting Alignment Model

Instructions
· Scroll down and start at the cards on Level 1, then move up through the Levels.
· Selecting a card opens it and displays the controls for that card topic.
· Check the boxes for the controls you have implemented.
· Click the OOS button if a control is out of scope and explain why you consider it out of scope.
· Upload evidence at the bottom of each card.
· The Insurance Impact tags indicate how strongly each control influences underwriting outcomes:
· Gate items affect eligibility & exclusions.
· High items drive premium, limits & retention.
· Moderate items are frequently requested but rarely standalone gates.
· Supplemental items are maturity differentiators that improve insurer confidence and pricing when evidenced.

Cybersecurity Maturity — All Levels
L1 Foundational: 0%
L2 Fundamental: 0%
L3 Structured: 0%
L4 Tested: 0%
L5 Secure & Mature: 0%
Overall Maturity Score: 0%
Insurance Inputs
Premium = Revenue × Rate × Maturity Multiplier × Limit Factor × (1 − Retention Credit). Limit and retention factors are editable; tune them to match your carrier's actual pricing.
Projected Premium Impact
Insurance-Weighted Score: 0%
Risk Tier: (not yet calculated)
Premium Multiplier: (not yet calculated)
Coverage Limit: $5,000,000
Retention / Deductible: $50,000
Estimated Annual Premium: $0
Premium at 85%+ Maturity: $0
Potential Annual Savings: $0
Critical-Control Penalty: 0.00
Directional estimate only; actual underwriting varies by industry, claims history, controls verification, and carrier appetite.

Click any service card below to see full assessment sub-items & checklist

LEVEL 5
Secure & Mature
Strategic governance, continuous improvement, competitive trust
Security Governance & Program Ownership
fCISO / DPO
vCISO / Fractional CISO Leadership
Security Roadmap and Charter
Policy Library Stewardship
Budget-to-Risk Alignment
Board-Level Oversight
Strategic Risk Governance
Quarterly Cyber Briefings
Risk Tolerance Definition
Executive Reporting Cadence
Fiduciary Acknowledgement
Security Metrics & KPI Dashboard
Reporting
MTTR/MTTD Tracking
Patch & Vuln-Aging Metrics
Phishing-Trend Analytics
Risk Score Trending
Third-Party Security Audits
External Audits
SOC 2 / ISO Audit Coordination
External Assessment Scheduling
Remediation Tracking
Certification Management
Continuous Risk Management Framework
RMF
Risk Register Maintenance
Residual-Risk Acceptance
Control-Effectiveness Audits
Regulatory-Change Monitoring
LEVEL 4
Tested
Controls are actively exercised, validated, and proven under pressure
Tabletop Exercises & Testing
TTX / AAR
Scenario-Based Drills
Cross-Team Coordination
After-Action Summary
Prioritized Remediation Plans
Red / Purple Team Exercises
Simulation
Adversary Simulation
Social Engineering Testing
Physical Intrusion Checks
Executive Debrief
Threat Hunting
Detection
Hypothesis-Driven Hunts
MITRE ATT&CK Mapping
IOC/IOA Analysis
Dwell-time Reduction Reporting
Operationalized Threat Intelligence
Active Intel
Intel-driven Hunts
Real-Time Playbook Updates
Campaign Monitoring
Executive TI Briefings
Vendor Risk — Ongoing Enforcement
Continuous
Continuous Vendor Monitoring
Annual Questionnaire Reviews
Certification Validation
Risk-Based Escalation
LEVEL 3
Structured
Programs formally designed, assessed, and deployed — build before you test
Zero Trust Architecture
Level 3 — Structured
Device posture validation enforced
Conditional access policies active
Least privilege network segmentation
Identity-aware access controls
Continuous access evaluation
Disaster Recovery Plan (DRP)
Recovery
RTO/RPO Mapping
Failover Architecture
Annual DR Testing
Recovery Runbooks
Business Continuity Plan (BCP)
Resilience
Business Impact Analysis
Alternate Workflows
Communication Plans
Vendor Dependency Mapping
Security Framework Assessments
PCI DSS / NIST
NIST/ISO/PCI Mapping
Evidence Review
Remediation Roadmap
Certification Support
Penetration Testing
Manual Testing
Network/App/API Testing
Phishing & Social Engineering
Physical Security Testing
Retesting & Validation
Vendor & Supply Chain Risk
Third-Party
Critical Vendor Identification
Tiering and Scoring
Questionnaire Enforcement
SBOM & Dependency Checks
Secure SDLC
Level 3 — Structured
SAST integrated into CI/CD
DAST before production release
Dependency & container scanning
SBOM maintained for key software
IaC security scanning enforced
Threat Intelligence
Deployed → Operationalized
Industry-specific threat feeds integrated
IOC feeds into SIEM & EDR
EPSS-based vulnerability prioritization
Weekly intelligence digest
→ L4: Intel drives hunts & playbooks
Managed Detection & Response (MDR)
SOC Alternative
24×7 SOC Monitoring
Threat Containment
Incident Investigation
Continuous Threat Reporting
Deception Technology
Honeypots
Honeypots & Honeytokens
Credential Decoys
Early lateral movement detection
Detection Refinement
External Attack Surface Mgmt (ASM)
ASM
External Asset Discovery
Domain/Cert Monitoring
Exposed Service Detection
Shadow IT Identification
SaaS Security Posture Mgmt (SSPM)
SSPM-Lite
M365 / Google Workspace posture
OAuth app permissions audit
Misconfiguration detection
SaaS data exposure alerts
AI Governance Program — Managed Capability
AI Program
Formal AI governance framework (NIST AI RMF / ISO 42001)
AI model lifecycle management defined
AI monitoring and logging implemented
AI output validation controls implemented
AI governance integrated with enterprise risk mgmt
AI Security & Adversarial Testing
AI / AppSec
AI apps included in security testing
Prompt injection risks evaluated
Model abuse scenarios tested
AI system logging enabled
Access controls applied to AI systems
AI output safeguards implemented
AI security responsibilities assigned
LEVEL 2
Fundamental
Detection, response capability & core data protection
IT Asset Discovery & Inventory
Asset Mgmt
Network-based discovery scan
Hardware & software inventory
Cloud asset visibility (CSPM)
EOL / EOS identification
Shadow IT detection
Secure Web & DNS Filtering
Level 2 — Fundamental
DNS filtering blocks malicious domains
Web content filtering enforced
Outbound threat protection enabled
Malicious domain sinkholing active
Integrated with detection workflows
Security Logging & Monitoring (SIEM)
SIEM
Centralized Log Aggregation
Alert Tuning and Noise Reduction
Retention Policies
Investigation Support
Incident Response Plan (IRP)
Response
IR Classification Matrix
Role and Escalation Mapping
Scenario-Based Playbooks
Post-Incident Review Workflows
Privileged Access Management (PAM)
Admin Control
Privileged account inventory
Just-in-time (JIT) access
Session recording & audit
Break-glass controls
Privileged password rotation
Continuous Vulnerability Management
Vuln Mgmt
Continuous Scanning
Severity-Based Workflows
Exception Tracking
SLA Reporting
Advanced Email Security
Gateway
Email threat protection gateway
SPF / DKIM / DMARC enforcement
Domain anti-impersonation
URL & attachment sandboxing
BEC / executive spoof protection
BEC / Funds Transfer Controls
Finance Controls
Dual approval for payment changes
Out-of-band verification
Finance mailbox rule controls
BEC incident playbook
Web Application Firewall (WAF)
Web Protection
OWASP Top 10 rule sets
Bot management
DDoS protection layer
SSL termination & inspection
Custom rule tuning
Data Loss Prevention (DLP)
DLP
Sensitive data classification
Egress monitoring & blocking
Cloud DLP (M365 / Google)
Endpoint DLP policies
Dark Web Monitoring
Identity Risk
Credential Leak Detection
Domain/Brand Alerts
Executive Exposure Monitoring
Remediation Guidance
Vulnerability Scanning (Internal & External)
Attack Surface
Authenticated Scanning
Continuous external scan
Cloud infrastructure scanning
Risk-ranked findings report
Findings ownership assignment
AI Risk Management — Controlled Adoption
AI Risk Mgmt
AI risk assessment before adoption
AI included in vendor risk management
AI data handling standards defined
AI use cases documented
Human oversight defined for AI outputs
AI risk register maintained
Shadow AI & AI Data Leakage Detection
AI / DLP
Shadow AI usage monitoring (CASB / SSE / DNS)
AI tool access controlled technically
Sensitive data detection in AI prompts
Approved AI platforms enforced technically
AI usage activity logged
AI data leakage incidents investigated
LEVEL 1
Foundational
Prevents 90% of common attacks — core controls every org must have
Identity & Access Control (IAM)
Foundation
User Lifecycle & RBAC
Quarterly access reviews
Admin & Service Account Cleanup
MFA Prerequisites and CA Foundations
Multi-Factor Authentication (MFA)
Access
MFA For All Users
Admin MFA Enforcement
Phishing-resistant MFA (FIDO2)
MFA Coverage Reporting
Endpoint Management
Level 1 — Foundational
MDM deployed
Device compliance enforced
Patch & config centrally managed
Asset inventory synchronized
Unauthorized devices blocked
Endpoint Protection & Response (EDR)
Endpoint
EDR agent deployment coverage
Protection baseline policy
Endpoint coverage & health reporting
Automated threat containment
Mobile device management (MDM)
Secure Configuration Standards
Hardening
CIS Benchmark baselines
Secure build / image standards
Application allowlisting
Configuration drift detection
Core security policy baseline
Vulnerability & Patch Management
Updates
Routine Patch Cycles
Critical-Patch SLAs
Third-Party App Updates
Emergency Patching Workflows
Data Encryption (Rest & Transit)
Rest & Transit
Full-disk encryption (BitLocker / FileVault)
Database encryption at rest
TLS 1.2+ enforced everywhere
Key hygiene & rotation policy
Certificate inventory & expiry monitoring
Remote Access Security (ZTNA/VPN)
Network
Secure Remote Access Enforcement
Geo/IP Policy Controls
Device Posture Check
Privileged Remote Access Governance
Network Segmentation & Firewall Hygiene
Containment
VLAN / zone segmentation design
Firewall rule review & cleanup
Perimeter exposure reduction
Micro-segmentation for critical assets
Web & DNS threat filtering
Security Awareness & Phishing Simulation
Human Firewall
Monthly Phishing Tests
Periodic Training Modules
Social Engineering Awareness
Role-based Training
Password Management
Credential Vault
Enterprise password vault deployment
Password policy enforcement
Secrets & service account vault
Shared credential elimination
Breach password monitoring
Backup & Recovery
Ransomware Survival
3-2-1 backup architecture
Immutable / air-gapped backups
Recovery test & evidence
Ransomware-resilient architecture
RTO / RPO validation
Underwriting Evidence & Renewal Readiness
Insurance
Underwriter evidence pack
Control attestation documentation
Coverage gap analysis
Annual renewal prep
AI Governance — Foundational Awareness
AI Governance
AI usage policy established
Sensitive data prohibited in public AI tools
Approved AI tool list defined
AI governance ownership assigned
AI included in security awareness training
AI usage inventory created
AI incidents in incident response