Identity controls
Check whether critical business accounts, admin roles, and high-risk users are protected with MFA that can withstand common attack pressure.
Cyber insurance readiness
Prepare the security evidence insurers actually ask about.
A focused sprint for SMBs that need a clearer view of MFA, endpoint coverage, backups, awareness training, and incident response readiness before cyber insurance application or renewal pressure turns into a scramble.
Plain reality
This is readiness support, not an insurance promise.
Cyber insurance carriers may ask about controls like MFA, endpoint protection, backups, employee training, and incident response planning. This sprint helps you understand what is in place, what is missing, and what evidence you can reasonably prepare. It does not guarantee coverage, approval, or lower premiums.
Readiness areas
What the sprint reviews
Endpoint coverage
Review whether company devices are visible, protected, and monitored well enough to rely on during an incident.
Backup resilience
Look at whether critical data could be recovered if production systems or privileged accounts were compromised.
Incident readiness
Build a simple, usable response path so the business knows who decides what first when something goes wrong.
Evidence packet
Prepare business-readable notes, screenshots, and control context that can support renewal and underwriting conversations.
Remediation roadmap
Translate findings into a prioritized action plan instead of a long report that sits untouched.
Sprint options
Choose the depth that fits the moment.
Payment collection is intentionally handled after fit and scope are confirmed. Start with a request, and the right sprint depth can be confirmed before work begins.
Starter Sprint
$1,500
A focused review for smaller teams that need a clean baseline before an insurance application or renewal conversation.
- MFA and admin access review
- Endpoint protection and monitoring snapshot
- Backup and restore readiness check
- Plain-English findings summary
- Prioritized next-step list
Flagship
Standard Sprint
$2,500
The default sprint for SMBs that want a more complete evidence packet and remediation roadmap before renewal pressure hits.
- Everything in Starter
- Security awareness and phishing readiness review
- Incident response contact path review
- Cyber insurance evidence packet
- Executive-ready remediation roadmap
Expanded Sprint
$3,500
A deeper sprint for businesses with compliance pressure, multiple systems, or a recent scare that exposed gaps.
- Everything in Standard
- Deeper Microsoft 365 or Google Workspace review
- Policy and control evidence review
- Follow-up remediation working session
- Renewal-readiness summary for leadership
Process
How the sprint works
Fit check
Start with a short briefing to confirm timing, business size, insurance deadline, and whether the sprint is the right fit.
Intake
Collect the minimum useful context: identity provider, endpoint coverage, backup approach, security training, and current insurance questionnaire pressure.
Readiness review
Review the controls that usually matter most for SMB underwriting and renewal conversations.
Packet and roadmap
Deliver a clear evidence packet, top risks, and next-step roadmap. No scare tactics, no fake certainty.
Carrier ask → our answer
The 10 controls the 2026 carrier questionnaire actually scores
Most 2026 SMB cyber-insurance applications collapse to the same ten controls. Below is what carriers (Beazley, Coalition, Travelers, Chubb, and the Huntress × Acrisure program format) ask, the answer the Sprint produces from your Obsidian Ridge stack, and the gotcha that quietly disqualifies most applicants when nobody's minding the evidence side. This is the artifact the Sprint hands you.
| Control | What the carrier asks | Our answer (from your stack) | Evidence we attach | Common gotcha |
|---|---|---|---|---|
| 1. MFA everywhere | Is MFA enforced on email, remote access, admin, cloud, and backup consoles? Phishing-resistant on privileged accounts? | Microsoft 365 / Google Workspace Conditional Access enforces MFA on every user. FIDO2 / WebAuthn keys on admin and break-glass accounts. Managed ITDR, operated end-to-end by Obsidian Ridge, catches adversary-in-the-middle bypass attempts (EvilProxy, Tycoon) in real time. | Conditional Access policy export, FIDO2 key inventory, ITDR alert sample from the last 90 days, named admin-account roster. | SMS-based MFA still counts as “MFA” on most checkboxes but is increasingly flagged in the “phishing-resistant” sub-question. Switch admins to FIDO2 before applying. |
| 2. EDR / MDR on every endpoint | Endpoint detection on every laptop, desktop, AND server? 24/7 SOC behind it? Stated MTTR? | Managed EDR deployed on every workstation and server with a real 24/7 SOC reading every alert. Servers covered, not just laptops. | EDR agent inventory + server-coverage attestation, SOC escalation log from the last 90 days. | Server coverage gap. Practices cover laptops with consumer AV and leave the PMS/file server bare. Carriers ask specifically about servers in 2026 questionnaires. |
| 3. Immutable backups + tested restore | Are backups encrypted, air-gapped or immutable, and was the last restore actually tested? | Immutable backup target (Veeam, Cove, or equivalent) with a quarterly tested restore. Restore tests are logged with date, dataset, and outcome. | Backup-immutability attestation, last-4-quarters restore-test log with signatures. | “We back up nightly” ≠ “we restored last quarter.” Carriers want the restore test, not the backup job. Untested backups get scored as zero. |
| 4. Privileged access management | Separate admin accounts? Quarterly access reviews? Just-in-time elevation? | Entra ID PIM (or Google Cloud IAM equivalent) gates admin role activation. Quarterly access-review runbook produces a signed roster. | PIM activation log, last quarterly review with attestations, off-boarded-admin list. | One person doing daily work as Global Admin. Carriers flag this fast. Even single-operator practices need a daily-driver account and a separated admin account. |
| 5. Email security | SPF, DKIM, DMARC enforced? Advanced threat protection (Defender / equivalent) live? | SPF / DKIM / DMARC published and enforced at p=quarantine or stricter. Microsoft Defender for Office 365 (or Google ATP) sandbox-detonates attachments and rewrites URLs. Managed ITDR layers identity-based detection on top. | DNS export of SPF / DKIM / DMARC records, DMARC aggregate report sample, ATP policy export. | DMARC at p=none doesn't count as “enforced.” The questionnaire wants p=quarantine minimum. Most SMBs leave it at none indefinitely. |
| 6. Security Awareness Training | Annual training for all staff plus phishing simulations? Documented click-rate trend? | Managed security awareness training, operated end-to-end by Obsidian Ridge, runs continuous micro-lessons and quarterly phishing simulations. Click-rate trend exported per user, per department, per quarter. | Training completion roster (last 12 months), phishing-simulation click-rate dashboard export, repeat-clicker remediation log. | One-and-done annual training. Carriers in 2026 want a click-rate trend, not a completion checkbox. Static training without simulations gets a partial score at best. |
| 7. Incident response plan | Written IR plan tested in the last 12 months via tabletop or live exercise? | Per-client incident-response runbook aligned to NIST SP 800-61r2, refreshed annually, with a quarterly tabletop exercise (included on Complete tier; available on Protected as a one-off). | IR plan document (current version), last tabletop after-action report, named escalation contacts with phone numbers (not just email). | The plan exists but lists former employees as escalation contacts. Carriers ask to see the contact list. Stale contacts get flagged. |
| 8. Patch and vulnerability management | Documented patch SLA? Priority handling for KEV-listed CVEs? Vulnerability scan cadence? | Documented patch policy: nightly detection, weekly install window for non-critical, immediate window for CISA KEV listings. Monthly external vuln scan. Patch compliance reported per client per month. | Patch-policy document, last 30-day patch-compliance report by host, KEV-response log (CVE → patch deployed time). | “Auto-update is on” doesn't survive the audit question. Carriers want a written SLA with named exceptions and a KEV process. |
| 9. Network segmentation + no exposed services | Internal network segmented from guest, IoT, and OT? RDP / SMB exposed to the internet? Public-facing services inventoried? | Segmentation review during onboarding: guest Wi-Fi VLAN-isolated, no inbound RDP (require ZTNA / VPN), public-facing services inventoried via external attack-surface scan during the Sprint. | External attack-surface scan results, RDP/SMB exposure attestation, network-segmentation diagram. | RDP open to the internet on a non-standard port. Carriers run their own external scan during underwriting (Aon's 2026 report: ~3 in 4 carriers do this). Hiding the port doesn't work. |
| 10. Vendor / sub-processor management | List of critical vendors? SOC 2 review on each? Breach-notification clause in contracts? | Maintained sub-processor list with SOC 2 status, breach-notification language reviewed against each vendor's DPA, vendor-incident response coordinated through Obsidian Ridge. | Sub-processor inventory (with SOC 2 report dates), reviewed DPA samples, vendor-incident log if any in the last 12 months. | The practice management software vendor isn't on the list because “it's not IT.” If it touches client data, it's on the list. Missing vendors get scored as unmanaged risk. |
The threshold-killing trifecta — missing MFA on admins, missing EDR on servers, and untested backups — gets called out specifically by major reinsurers in their 2026 underwriting guidance as auto-decline signals. The Sprint closes those three before everything else.
Free worksheet
Score yourself before an underwriter does.
The 10 controls above, as a downloadable questionnaire — the real questions carriers ask in their own words, the quiet answers that get applications declined, and notes for 12 SMB verticals.
Related paths
If the readiness sprint isn't the right fit, one of these usually is.
Three pages on this site cover adjacent ground. Pick the one that matches what you actually need — we'd rather route you to the right page than have you book a sprint that doesn't fit.
Cyber Insurance Readiness Sprint
(you are here)
Consulting work that prepares your security evidence packet for whichever carrier you can apply to. Right answer when you have an application or renewal coming up and need a clean baseline first.
- Carrier-neutral — works for any insurer
- Right for under-50-employee SMBs and most professional practices
- Fixed-fee, time-boxed engagement
Huntress × Acrisure Cyber Insurance Program
An actual primary cyber insurance path with a $0 deductible described for eligible applicants in the public program materials, placed by Acrisure and underwritten at launch by Dual North America. Available to applicants with qualifying Huntress Managed EDR + ITDR, subject to underwriting review, state availability, and policy terms.
- $0 deductible on covered losses
- 50–2,500 employees, sub-$100M revenue (Huntress-published target)
- Qualifying Managed EDR + ITDR required; eligibility confirmed by Acrisure
- Statement-of-Fact application, not a 40-page questionnaire
Multi-Vendor Managed Security
We operate the security stack you already have — CrowdStrike, SentinelOne, Microsoft Defender, Zscaler, Wiz, Rapid7, Tenable, Abnormal, Proofpoint, and more. Right when you've already invested in a tool and want it run correctly.
- Vendor-neutral operator (CCFH on CrowdStrike, ZDTA on Zscaler)
- No rip-and-replace, no swap commission
- Per-environment scoping — one accountable practitioner
FAQ
Questions before you request a sprint
Does this guarantee a lower cyber insurance premium?
No. Obsidian Ridge does not guarantee insurance approval, premium reductions, or underwriting outcomes. The sprint helps identify, improve, and document security controls that are commonly reviewed during insurance conversations.
Who is this sprint for?
It is built for small and mid-sized businesses that need clearer security evidence before a cyber insurance application, renewal, customer questionnaire, or compliance review.
What if we already have an IT provider?
That is common. The sprint can work alongside an IT provider by clarifying security gaps, evidence needs, and practical remediation priorities.
Is this a full compliance audit?
No. It is a focused readiness sprint. If the work uncovers deeper SOC 2, HIPAA, PCI-DSS, or ISO 27001 needs, those should be scoped separately.
Can this lead into managed security?
Yes. If the sprint shows that ongoing monitoring, identity protection, awareness training, or SIEM coverage is needed, the next step is typically a managed security engagement — either the single-platform lane operated end-to-end by Obsidian Ridge (greenfield, eligible for the $0-deductible Huntress × Acrisure cyber insurance program at 50+ employees) or the multi-vendor lane (operating an existing stack like CrowdStrike, SentinelOne, Defender, Zscaler).
How does this differ from the Huntress × Acrisure cyber insurance program?
Different intent and different audience. The Huntress × Acrisure program is an actual primary cyber insurance policy with a $0 deductible, available only to organizations running Huntress Managed EDR + ITDR (mid-market: 50–2,500 employees). The Cyber Insurance Readiness Sprint is consulting work that prepares the evidence packet for whichever carrier you can apply to — including the Huntress × Acrisure program if you qualify, or any traditional carrier if you don't. Most under-50-employee buyers land here, not on the program page.
Not sure where you stand?
Start with the assessment, then request the sprint if the gaps are real.
The assessment gives you a fast posture snapshot. The sprint turns that snapshot into evidence, priorities, and a practical readiness plan.