The CCSF is not derived from industry frameworks, vendor certifications, or framework committee work. It was designed in direct response to what Cybantage observed in post-incident claim denial proceedings — the specific failure modes that cause insurers to dispute or deny claims, and the governance gaps that leave executives personally exposed when they do. The research confirmed those observations across 1,478 organizations. The framework is the applied implementation of both the field observations and the research findings.
While each stage can be performed as a standalone assessment, the framework is intended to be engaged in full to achieve the most meaningful outcomes.
The entry point for the entire CCSF. The Cyber Insurance Survivability Index scores your organization's claim defensibility across 34 questions in 10 domains — measuring both claimant-side security control gaps and insurer-side policy exclusion risk. The CISI is the only assessment in the market that measures both dimensions simultaneously. Every subsequent stage is calibrated against this baseline.
A dual-track assessment instrument administered to both executive leadership (ELT) and IT/Security leadership simultaneously — under attorney-client privilege. The gap between the two tracks is a primary analysis data point. The Cybantage Analysis Engine applies seven-dimension analysis to produce the LDI Report: a forensic-grade leadership profile available in no other advisory product in the market. The LDI exists because the single most damaging conversations in post-breach proceedings are not with regulators or insurers — they are with the organization's own board. Executives consistently hold beliefs about their security posture that diverge materially from what IT leadership actually knows. The LDI surfaces that gap before anyone asks.
The formal legal protection instrument of the CCSF. Where Stage 2A exposes governance gaps, Stage 2B documents the organization's response — creating a legally protected record of due diligence, producing the board-level survivability briefing, and formally reviewing Domain 10 policy exclusions with qualified insurance counsel. The Privileged Review Record exists because in post-breach proceedings, the absence of documented due diligence is itself evidence of governance failure. Executives who hold a current Privileged Review Record walk into a board inquiry, a regulatory examination, or a deposition in a fundamentally different posture than those who do not.
LDI-informed forensic verification of all 10 CISI domains against production systems. Applies the same standard a carrier's forensic investigator will use — testing whether controls actually protect, not whether they are documented. Findings are cross-referenced against Stage 2B Domain 10 Policy Review findings, LDI-identified governance gaps, and the CISI baseline score. The output is the authoritative gap record that scopes Stage 4.
CyberRes builds the program and keeps it built. The initial engagement addresses all Forensic Deep Dive findings across governance design, identity hardening, backup integrity, IR operationalization, policy alignment, and regulatory compliance mapping. The sustained program runs quarterly CISI re-scores, monthly advisory, annual LDI re-evaluation, and full insurance renewal support — creating a program that performs under real-world conditions and sustains through every policy renewal cycle.
In post-incident proceedings, findings from assessments that were not conducted under privilege become discoverable, and they are used against the organization. We have observed this directly. The privilege wrapper is established before Stage 2A begins and maintained for the life of the engagement.
The compliance-to-survivability gap exists in every regulated industry. The CCSF applies the same forensic standard across all four verticals while mapping to each vertical's specific regulatory cascade.
31.3% of breached healthcare organizations ceased to exist independently. HIPAA attestation, HITRUST certification, and OCR compliance do not translate to forensic survivability. Nation-state exclusions, EHR clearinghouse dependencies, and systemic outage coverage gaps are primary Domain 10 risks.
FTC Safeguards Rule enforcement, DORA compliance requirements, and state-backed exclusions define the regulatory landscape. Third-party API and payment processor dependencies create supply-chain exposures that standard policies frequently exclude.
Most attacks on cleared contractors are state-backed by definition. CMMC Level 2/3 certification does not address the nation-state exclusion paradox — the exclusion may void coverage for the most likely threat actor class in this sector.
OT ransomware surge, CrowdStrike-type systemic events, and IT/OT convergence create coverage gaps that ISO 27001 certification does not address. Business interruption policies frequently exclude non-malicious correlated outages — the scenario most likely to impact production environments.
Free assessment. Optional analysis debrief. Every completed assessment generates a full domain score profile, Domain 10 flag analysis, outcome band placement, and financial exposure estimate.