Penetration testing for cyber insurance: what insurers now require — and how to evidence it

After years of heavy claims, cyber insurers have tightened underwriting. Penetration testing, regular vulnerability scanning, MFA, and EDR are now common conditions for binding a new policy or renewing an existing one — and a missing or stale pentest can mean a higher premium, reduced coverage, or a declined application. Matproof Sentinel produces the audit-ready penetration test report insurers ask for, from €149, with a free scan to start.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why your cyber insurer wants a penetration test

Cyber-insurance loss ratios spiked through the ransomware years, and underwriters responded by turning the application questionnaire into a real security assessment. Where a policy once asked a few yes/no questions, brokers now require evidence of specific controls before they will quote — and penetration testing is increasingly one of them, alongside multi-factor authentication on all remote access and email, endpoint detection and response, tested backups, and a vulnerability management programme. The logic is simple: an insurer pricing your risk wants proof that an attacker cannot trivially reach your crown-jewel systems. A current penetration test report — showing what was tested, what was found, and that exploitable issues were remediated — is the cleanest way to evidence that. Just as important: if you suffer a claim and it emerges that you misrepresented your security posture on the application, the insurer can dispute or deny the claim. An honest, documented pentest protects both your premium and your payout.

  • Binding & renewal condition: many insurers now require a recent penetration test (often annual) before they will quote or renew.
  • Premium impact: documented testing and remediation can lower your premium; a missing or stale test raises it — or gets the application declined.
  • Claims protection: misrepresenting controls on the application can void a payout — a documented pentest keeps your statements defensible.
  • Beyond the test: insurers also expect MFA everywhere, EDR, tested backups, and ongoing vulnerability scanning — which continuous testing evidences year-round.

What an insurance-grade penetration test should cover

  • External attack surface: every internet-facing service, exposed admin interface, and remote-access endpoint (VPN, RDP, web portals) — the paths ransomware actors actually use.
  • Web application & API security: OWASP Top 10 and OWASP API Security Top 10 — broken access control, injection, authentication failures, and SSRF.
  • Authentication & MFA: verifying that MFA is genuinely enforced (not bypassable) on remote access, email, and privileged accounts — a control insurers explicitly ask about.
  • Known-CVE exposure: confirming internet-facing systems are patched against the high-impact, actively-exploited CVEs that drive ransomware entry.
  • Privilege escalation & lateral movement: how far an attacker who gains an initial foothold can reach — the difference between an incident and a catastrophic claim.
  • A clear, audit-ready report: scope, methodology, findings with CVSS ratings, proof-of-exploit, and remediation status — formatted to drop straight into an insurance application.

Sample finding

Severity: Critical

Exposed remote-access portal without enforced MFA — a textbook ransomware entry point

An internet-facing remote-access portal accepted username-and-password authentication with MFA enforced only at the application layer, not at the gateway — meaning the underlying service could be reached directly and brute-forced. This is precisely the configuration that underwriters screen for, because compromised remote access is the leading initial-access vector for ransomware. On the insurance application the organisation had answered 'yes' to 'MFA enforced on all remote access' — a misrepresentation that could have jeopardised a future claim.

Fix: Enforce MFA at the gateway for every remote-access path, not only at the application. Disable direct exposure of the underlying service, place the portal behind an identity-aware proxy, and rate-limit/lock out repeated failed logins. Re-test to confirm MFA cannot be bypassed, then update the insurance application to reflect the corrected, evidenced control.

Reference: OWASP A07:2021 Identification and Authentication Failures · CWE-287 Improper Authentication · CIS Control 6 (Access Control Management)
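The finding above turns on one question a re-test has to answer for every internet-reachable path: is MFA checked at the first hop an attacker can reach, and do repeated failures lock the account? The following is an added example, not Matproof's or the page's own code. It models the 'before' topology from the finding (gateway forwards credentials to an application that enforces MFA, backend also reachable directly) next to the 'after' topology (identity-aware proxy enforcing MFA and lockout, backend no longer exposed), and emits the per-path evidence and remediation status a report row would carry. Service names, ports, the lockout threshold and the two topologies are constructed for illustration.

```python
"""
Added example (not Matproof's code): evaluate whether every internet-reachable
remote-access path enforces MFA at its entry hop and locks out repeated
failures, then produce the remediation-status record for the report.
All names, ports and thresholds below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Service:
    """One network-reachable hop. mfa_at_entry means MFA is verified here,
    before any credential is forwarded to the next hop."""
    name: str
    mfa_at_entry: bool
    lockout_after: Optional[int]            # failed attempts before lockout; None = never
    forwards_to: Optional["Service"] = None  # next hop on the path, if any


@dataclass
class Topology:
    entry_points: list  # every Service the internet can reach directly


def mfa_enforced_on_path(entry: Service) -> bool:
    """MFA counts as enforced only when it is checked at the first hop the
    internet can reach. MFA further down the chain does not help if the
    entry hop already accepts and forwards a password."""
    return entry.mfa_at_entry


def mfa_downstream_only(entry: Service) -> bool:
    """True when the entry hop lacks MFA but some later hop has it: the
    'application-layer only' configuration from the finding."""
    hop = entry.forwards_to
    while hop is not None:
        if hop.mfa_at_entry and not entry.mfa_at_entry:
            return True
        hop = hop.forwards_to
    return False


def lockout_on_path(entry: Service, attempts: int) -> bool:
    """Simulate `attempts` failed logins against this entry point and report
    whether any hop on the path would have locked the account."""
    hop = entry
    while hop is not None:
        if hop.lockout_after is not None and attempts >= hop.lockout_after:
            return True
        hop = hop.forwards_to
    return False


def assess(topology: Topology, attempts: int = 20) -> dict:
    """Evidence record for 'MFA enforced on all remote access': one row per
    internet-reachable path plus the overall status an underwriter reads."""
    rows = []
    for entry in topology.entry_points:
        rows.append({
            "path": entry.name,
            "mfa_at_gateway": mfa_enforced_on_path(entry),
            "mfa_downstream_only": mfa_downstream_only(entry),
            "lockout": lockout_on_path(entry, attempts),
        })
    all_ok = all(r["mfa_at_gateway"] and r["lockout"] for r in rows)
    return {
        "finding": "Exposed remote-access portal without enforced MFA",
        "references": ["OWASP A07:2021", "CWE-287", "CIS Control 6"],
        "paths": rows,
        "status": "remediated" if all_ok else "open",
    }


# Constructed 'before' topology: MFA only inside the application, backend exposed.
app_before = Service("remote-access application", mfa_at_entry=True, lockout_after=None)
gateway_before = Service("gateway :443", mfa_at_entry=False, lockout_after=None,
                         forwards_to=app_before)
backend_direct = Service("backend service :8443 (directly exposed)",
                         mfa_at_entry=False, lockout_after=None)
BEFORE = Topology([gateway_before, backend_direct])

# Constructed 'after' topology: identity-aware proxy enforces MFA and lockout,
# the backend is no longer an internet-reachable entry point.
app_after = Service("remote-access application", mfa_at_entry=True, lockout_after=None)
proxy_after = Service("identity-aware proxy :443", mfa_at_entry=True, lockout_after=5,
                      forwards_to=app_after)
AFTER = Topology([proxy_after])

if __name__ == "__main__":
    for label, topo in (("before", BEFORE), ("after", AFTER)):
        record = assess(topo)
        print(label, record["status"])
        for row in record["paths"]:
            print("  ", row)
```

Running the script prints `before open` (the gateway path has MFA only downstream and no lockout; the direct backend path has neither) and `after remediated`. The point of the `mfa_downstream_only` flag is that it explains why the gateway path fails even though a user logging in through it does eventually see an MFA prompt: the password is accepted and forwarded before MFA is checked, which is the same condition that makes the application layer brute-forceable.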

Penetration testing options for cyber insurance

| Capability | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | | ✓ Automated | ✓ Manual |

Matproof Sentinel for cyber-insurance readiness

Single Run: €149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)

Starter (recommended): €299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support

Growth: €799 / month
  • Unlimited scans + domains
  • Authenticated / white-box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about penetration testing for cyber insurance

Do cyber insurers actually require a penetration test?

Increasingly, yes — especially for mid-market and larger policies, and at renewal after claims-driven tightening. Even where a full pentest is not strictly mandatory, the application questionnaire asks detailed control questions (MFA, EDR, vulnerability scanning, backups), and a current penetration test is the most credible way to evidence that those controls actually work. A documented test can also reduce your premium.

What security controls do cyber insurers ask about?

The common set: multi-factor authentication on all remote access, email, and privileged accounts; endpoint detection and response (EDR); regular vulnerability scanning and patching; tested, segregated backups; email filtering and security-awareness training; and — increasingly — evidence of penetration testing. Penetration testing is valuable because it verifies that the other controls hold up under attack rather than just existing on paper.

How often do I need to pentest for insurance?

Annually is the typical expectation, and after significant infrastructure or application changes. Because your environment changes continuously, many organisations run continuous (PTaaS) testing year-round and produce the annual report from it — which also means you always have current evidence on hand for a renewal or a mid-term insurer request.

Can a vulnerability scan satisfy the insurance requirement instead of a pentest?

Sometimes for smaller policies, but they are not equivalent. A vulnerability scan identifies known issues by signature; a penetration test actively exploits and chains weaknesses to demonstrate real impact (e.g. reaching sensitive data, escalating privileges). Insurers increasingly distinguish the two, and the higher-value policies ask specifically for penetration testing. Matproof Sentinel provides both continuous scanning and exploit-validated penetration testing in one report.

Will a penetration test lower my cyber-insurance premium?

It can. Underwriters price on demonstrable risk, and a clean (or remediated) penetration test report plus evidence of the controls insurers care about gives them grounds to quote more favourably. Conversely, an inability to evidence testing — or findings left unremediated — pushes the premium up or narrows coverage. The report's documented remediation status is what matters most.

Does Matproof Sentinel produce a report I can submit with an insurance application?

Yes. Sentinel's report includes scope, methodology, findings with CVSS ratings, proof-of-exploit evidence, and remediation tracking — the exact elements a broker or underwriter looks for — and it maps findings to recognised frameworks (OWASP, CIS, ISO 27001). You can run a free scan to evaluate it and obtain a full audit-ready report from €149.

Get insurance-ready with a documented penetration test

Satisfy your cyber insurer's requirements and protect your premium and your payout. Matproof Sentinel delivers an audit-ready penetration test report — external surface, MFA verification, OWASP coverage, and remediation tracking — from €149, with a free scan to start.