The Cybantage Cyber Survivability Framework · Built From Practice, Confirmed by Research
The CCSF is not derived from industry frameworks, vendor certifications, or framework committee work. It was designed in direct response to what Cybantage observed in post-incident claim denial proceedings — the specific failure modes that cause insurers to dispute or deny claims, and the governance gaps that leave executives personally exposed when they do. The research confirmed those observations across 1,478 organizations. The framework is the applied implementation of both.
The Five Stages
While each stage can be performed as a standalone assessment, the framework is intended to be engaged in full to achieve the most meaningful outcomes.
The entry point for the entire CCSF. The Cyber Insurance Survivability Index scores your organization's claim defensibility across 34 questions in 10 domains — measuring both claimant-side security control gaps and insurer-side policy exclusion risk. The CISI is the only assessment in the market that measures both dimensions simultaneously. Every subsequent stage is calibrated against this baseline.
A dual-track assessment instrument administered to both executive leadership (ELT) and IT/Security leadership simultaneously — under attorney-client privilege. The gap between the two tracks is a primary analysis data point. The Cybantage Analysis Engine applies seven-dimension analysis to produce the LDI Report: a forensic-grade leadership profile available in no other advisory product in the market. The LDI exists because the single most damaging conversations in post-breach proceedings are not with regulators or insurers — they are with the organization's own board. Executives consistently hold beliefs about their security posture that diverge materially from what IT leadership actually knows. The LDI surfaces that gap before anyone asks.
The formal legal protection instrument of the CCSF. Where Stage 2A exposes governance gaps, Stage 2B documents the organization's response — creating a legally protected record of due diligence, producing the board-level survivability briefing, and formally reviewing Domain 10 policy exclusions with qualified insurance counsel. The Privileged Review Record exists because in post-breach proceedings, the absence of documented due diligence is itself evidence of governance failure. Executives who hold a current Privileged Review Record walk into a board inquiry, a regulatory examination, or a deposition in a fundamentally different posture than those who do not.
LDI-informed forensic verification of all 10 CISI domains against production systems. Applies the same standard a carrier's forensic investigator will use — testing whether controls actually protect, not whether they are documented. Findings are cross-referenced against Stage 2B Domain 10 Policy Review findings, LDI-identified governance gaps, and the CISI baseline score. The output is the authoritative gap record that scopes Stage 4.
CyberRes builds the program and keeps it built. The initial engagement addresses all Forensic Deep Dive findings across governance design, identity hardening, backup integrity, IR operationalization, policy alignment, and regulatory compliance mapping. The sustained program runs quarterly CISI re-scores, monthly advisory, annual LDI re-evaluation, and full insurance renewal support — creating a program that performs under real-world conditions and sustains through every policy renewal cycle.
In post-incident environments, assessment findings that were not produced under privilege become discoverable. They are used against the organization. We have observed this directly. The privilege wrapper is established before Stage 2A begins and maintained through the life of the engagement — not because it is required by the methodology, but because the alternative is a document trail that opposing counsel will seek to compel.
Industry Coverage
The compliance-to-survivability gap exists in every regulated industry. The CCSF applies the same forensic standard across all four verticals while mapping to each vertical's specific regulatory cascade.
31.3% of breached healthcare organizations ceased to exist independently. HIPAA attestation, HITRUST certification, and OCR compliance do not translate to forensic survivability. Nation-state exclusions, EHR clearinghouse dependencies, and systemic outage coverage gaps are primary Domain 10 risks.
FTC Safeguards Rule enforcement, DORA compliance requirements, and state-backed exclusions define the regulatory landscape. Third-party API and payment processor dependencies create supply chain coverage gaps standard policies frequently exclude.
Most attacks on cleared contractors are state-backed by definition. CMMC Level 2/3 certification does not address the nation-state exclusion paradox — the exclusion may void coverage for the most likely threat actor class in this sector.
OT ransomware surge, CrowdStrike-type systemic events, and IT/OT convergence create coverage gaps that ISO 27001 certification does not address. Business interruption policies frequently exclude non-malicious correlated outages — the scenario most likely to impact production environments.
Engagement Lifecycle
Every stage builds on the last.
The Primary Offer
Cyber insurance is not preparedness. It is a contract that will be tested after the incident.
The Cyber Insurance Readiness Review determines whether your organization can prove it is doing what its policy, insurance application, security questionnaires, audits, board materials, incident response plans, and control attestations say it is doing — before a claim process tests those representations.
The issue is not whether your organization has a cyber policy. The issue is whether it can prove it did what the policy, application, questionnaires, board materials, audits, and incident response plans said it would do.