What Cyber Insurance Auditors Check and How ComplianceLayer Proves It
See exactly which insurance questionnaire items our scan covers, with evidence you can attach to your application.
Insurance Questions Mapped to Scan Modules
| Insurance Question | What They Want to See | ComplianceLayer Module | Evidence Provided |
|---|---|---|---|
| “Do you enforce DMARC on your email domain?” | DMARC record with p=reject or p=quarantine | DNS & Email Auth | DMARC policy status, SPF alignment, DKIM validation |
| “Are any remote access ports (RDP, SSH) exposed to the internet?” | No exposed RDP (3389), SSH (22), Telnet (23) | Open Ports | Full port scan results, exposed service identification |
| “Is your SSL/TLS certificate valid and current?” | Valid cert, strong cipher suites, no expired certs | SSL/TLS | Certificate validity, expiry date, protocol versions, cipher analysis |
| “Do you have security headers configured?” | HSTS, CSP, X-Frame-Options, etc. | HTTP Headers | Header-by-header analysis with pass/fail |
| “Is your domain on any blacklists or reputation lists?” | Clean reputation across major blacklists | Blacklist Check | Results from 35+ blacklist databases |
| “Do you have a Web Application Firewall?” | WAF detected and active | WAF Detection | WAF vendor identification, configuration status |
| “Are there known vulnerabilities in your web stack?” | No known vulnerable libraries | JavaScript Audit | Vulnerable library detection, version analysis |
| “Is DNSSEC enabled for your domain?” | Signed DNS zone | DNSSEC | DNSSEC chain validation status |
| “Do your cookies use secure flags?” | HttpOnly, Secure, SameSite attributes | Cookie Security | Cookie-by-cookie security flag analysis |
| “Are you compliant with GDPR/CCPA data handling?” | Cookie consent, privacy controls | Compliance & Tracker Analysis | Third-party tracker identification, consent detection |
MSP Playbook for Insurance Renewals
Scan your clients before their insurance renewal. Fix what the underwriter would flag. Attach the evidence to the application.
1. Scan the client domain before renewal
   Enter the domain into ComplianceLayer. The scan runs all 16 modules in under 60 seconds -- no credentials, no agent install, no client involvement required.
2. Review findings against the questionnaire
   Use the mapping table above to match scan results to specific insurance questions. Every finding includes a pass/warn/fail status and the evidence the underwriter expects.
3. Remediate flagged issues
   Each failing check includes step-by-step remediation guidance. Fix DMARC, close exposed ports, add missing headers -- most fixes take minutes, not days.
4. Re-scan and attach the report
   Run a follow-up scan to confirm fixes. Export the PDF report and attach it to the insurance application as evidence of compliance.
Start scanning your clients
Free for your first domain. No credit card, no sales call, no agent install. See what the underwriter sees in under 60 seconds.
Start scanning your first domain in 60 seconds.
No credit card. No sales call. No setup. Free tier is permanent.
All scans are passive and external — we never access your servers, install agents, or require credentials.