DEV Community: ComplianceLayer

ComplianceLayer — Deep Distribution Research

ComplianceLayer — Thu, 30 Apr 2026 14:00:02 +0000

ComplianceLayer — Deep Distribution Research

Date: 2026-03-07

Scope: Marketing & distribution strategy for ComplianceLayer (compliancelayer.net)

Focus: Inbound + product-led growth. No cold sales.

Executive Summary: Top 3 Highest-Leverage Channels

#1 — Reddit r/msp Value-First Content [IMMEDIATE, ZERO COST]

The r/msp community (330K+ members) responds strongly to genuine value drops — free tools, original data, "we analyzed X clients" posts. A well-crafted post giving away real security data (not selling anything) can hit 100-200 upvotes and generate dozens of DMs from MSP owners. Blacksmith Infosec did this in Nov 2025 (free open-source risk assessment → 113 upvotes, 45 comments). ComplianceLayer can do this right now with zero budget.

#2 — SEO Content: "Security Scorecard for MSPs" Keyword Cluster [WEEKS 2-8]

UpGuard built 100K+ monthly organic visits almost entirely through SEO — zero paid ads. Their playbook is documented and replicable. The specific gap: zero tools rank for MSP-specific variants ("security scorecard for small business clients," "DNS health check API," "SSL monitoring for MSPs"). These are low-competition, high-intent keywords with clear buyer intent. ComplianceLayer can own this cluster before the competitors even notice.

#3 — MSPGeekCon + MSP Community Conferences [MEDIUM TERM]

MSPGeekCon (May 2026, Orlando) is the grassroots MSP community conference — not vendor-dominated like IT Nation. ~500-800 security-minded MSP owners who self-selected. A sponsor table is typically $1,500-3,000. The ROI math is easy: land 3 paying MSPs at $99/mo → table pays for itself in 3 months. More importantly, community conferences generate word-of-mouth that compounds.

Section 1: Content / SEO Distribution

What Search Terms MSPs Use When Evaluating Security Tools

Based on UpGuard's keyword bidding behavior and competitor SEO data, MSPs search for:

High-intent commercial keywords (MSPs already buying):

"security scorecard for MSPs"
"security posture reporting tool MSP"
"external vulnerability scanning MSP clients"
"tprm software" (third-party risk management)
"client security reporting API"
"attack surface management MSP"
"DNS health check tool"
"SSL monitoring dashboard"
"open port scanner MSP"
"security compliance reporting clients"

Informational keywords (top-of-funnel, drives brand awareness):

"what is a security score"
"how to check DNS health"
"SMB port security"
"HTTP security headers explained"
"how to do a security assessment for a client"
"DMARC DKIM SPF checker"
"cybersecurity risk score small business"

Long-tail purchase-intent queries:

"affordable SecurityScorecard alternative for MSPs"
"UpGuard alternative cheaper"
"security scanning API per client pricing"
"free security score check domain"
"MSP security reporting tool per client"

ACTION [HIGH]: Target the "affordable [competitor] alternative for MSPs" cluster first. These are searchers who have budget, know what they want, but rejected the enterprise pricing. Zero competition.

Content Angles That Drive Inbound for Security Tools

What works (data-backed):

1. Original benchmark posts ("We scanned X clients")

Format: "We scanned 500 SMB domains and here's what we found"
Why it works: Original data = backlink magnet + journalist-ready
UpGuard's top traffic driver is their "Cyber Threat" blog (ranked for 2,800+ keywords)
Specifics: DNS misconfiguration rates, SSL expiry patterns, open port exposure by industry

2. Competitor comparison pages

UpGuard bids on "security scorecard reviews" to capture comparison-stage buyers
Format: "ComplianceLayer vs SecurityScorecard — what's actually different for MSPs"
KEY: SecurityScorecard starts at ~$1,560/year for very limited usage; BitSight is enterprise ($20K+/yr). ComplianceLayer at $99/mo is a completely different category. Make that the headline.

3. Compliance deadline content

HIPAA, CMMC, SOC 2, NIST CSF — MSPs need to prove posture for these
Format: "How to prepare your SMB clients for [compliance framework] in 30 days"
Include free downloadable checklist (email capture)

4. "We analyzed" data posts

Scan top 1,000 domains in a specific industry (healthcare, legal, accounting)
Report misconfigurations by sector → massive PR value with trade press
MSSP Alert, Channel Futures, and MSPInsights will pick this up for free

5. Tool comparison/roundup posts

"5 free ways to check your client's external security posture"
Include ComplianceLayer as the API option in the list

What Competitors Have Written That Gets Traffic

SecurityScorecard blog traffic drivers:

Competitor comparison pages ("SecurityScorecard vs UpGuard")
Compliance framework explainers (SOC 2, HIPAA, ISO 27001)
Vendor risk assessment guides
Data breach news hijacks (rapid-response content)

UpGuard SEO breakdown (101K organic visits/month, 0 paid ads):

DR 79, 69K backlinks, 9.9K referring domains
Top organic content: "cyber threats" guide, "SMB port" technical content, "SOX compliance," "What is HTTPS"
Strategy: 2,000+ word evergreen guides + rapid-response breach coverage
74K/month comes from NON-branded searches (people who don't know UpGuard yet)
Lesson for ComplianceLayer: You don't need brand authority to win. You need depth + technical specificity.

HN/Reddit Posts on Security Scoring That Worked

Reddit r/msp high-performers:

"I built a free IT security risk assessment tool" — 132 upvotes, 50 comments (Aug 2020, still referenced)
"Free, Open Source Risk Assessment Tool" (Blacksmith Infosec, Nov 2025) — 113 upvotes, 45 comments
- Post style: "We built this because people kept asking. Apache 2 license, free, here's the GitHub link."
- Zero promotional language. Posted to ask for feedback, not signups.

What made those posts work:

Genuinely free, no email gate
Specific tool that solved a named problem ("sales enablement / showing clients their risk")
Posted authentically — "hope this is OK to post here"
Technically credible (GitHub link, open source)

HN Show HN data (analysis of 1,200 launches, 2024-2025):

Security scanners grew 1.8x vs AI tools — LESS noise, MORE engagement
Best launch days: Tuesday/Wednesday, 8-11 AM UTC
Title magic words: "Open Source" (+38%), "CLI" or "API" (+26%), "Beta" (+22%)
"AI-Powered" is oversaturated (-15% relative scores) — don't use this
Live demos (GIFs/Loom) get 2.5x more replies
Keep title under 55 characters for 24% more upvotes
Question titles get 2.2x comments: "Why is no one talking about open ports in SMB environments?"

ACTION [HIGH]: Write a Show HN post as: "Show HN: I built a security scoring API for MSPs (DNS, SSL, ports, headers)" — Open source a core piece (e.g., the scoring algorithm or a simple CLI wrapper) to get HN traction.

Section 2: ProductHunt / Indie Channels

ProductHunt Best Practices for Security/API Tools

What's working in 2025-2026 (Security & Compliance category):

Vanta, Drata, and Probo dominate SOC 2/ISO with compliance automation
CoAuditor added AI control testing and won featured placement
Security software category is active — real buyers browse here

PH launch playbook for ComplianceLayer:

Pre-launch (2 weeks out):

Build "upcoming page" — collect email subscribers before launch day
Reach out to your personal network for day-1 upvotes (first 2 hours matter most)
Post on r/msp, r/sysadmin, r/devops 48 hours before — "launching something Monday, would love your feedback"
Find a maker in the MSP/security space to "hunt" you (a known PH hunter adds 20-30% more visibility)

Launch day:

Post at 12:01 AM PST
Personal message every previous user/tester asking for a PH review — NOT "go upvote me" (against rules), instead "would love your honest feedback on PH"
Respond to EVERY comment within the first hour — algorithm rewards engagement
Your first comment should be a detailed builder story: "Why I built this" + clear use case for MSPs

What messaging works for security tools:

Lead with the specific pain: "MSPs paying $1,500-$20K/year for security scoring don't need 90% of those features"
Show a real scan result screenshot (not a mockup)
Offer PH-exclusive free tier or extended trial (3 months free = massive conversion driver)

Recent successful security PH launches (patterns):

Compliance/SOC2 tools: Vanta-adjacent but cheaper/focused → strong launch days
API security scanners: Developer angle → good HN crossover audience
MSP-specific tools: Rare on PH, which is a DIFFERENTIATOR (most PH voters are devs/founders who work at companies with MSPs managing their IT — they relate)

Dev-Focused Directories That Actually Drive Signups

Tier 1 (high-intent, actively maintained):

alternatives.to — List as alternative to SecurityScorecard, UpGuard, BitSight. Free listing. Buyers actively comparing.
G2 — Security category is crowded but enterprise buyers use it. Free listing, collect reviews. Even 5 reviews put you on comparison pages.
Capterra — More SMB-focused than G2. Higher conversion rate for MSP-adjacent tools.

Tier 2 (developer audience):

RapidAPI Hub — If you offer a REST API, list it here. Developers discover APIs through RapidAPI and bring tools to their organizations.
APIList.fun — Niche developer directory, free listing, shows up in "security API" searches
Postman Public Workspace — Publish your API collection publicly; developers discovering Postman collections often share tools internally

Tier 3 (security-specific):

ToolsForHackers — Security community tool directory
OSINT Framework — If any part of your tool overlaps with OSINT (domain recon), getting listed here drives passionate power users
SecurityTrails integration listing — Their ecosystem page lists complementary tools

ACTION [HIGH]: Do alternatives.to listing THIS WEEK. Specifically list as "UpGuard alternative" and "SecurityScorecard alternative for small business." These pages already get search traffic from buyers in the evaluation phase.

Section 3: MSP-Specific Distribution Tactics

Non-Marketplace Channels That Reach MSP Owners

The channels that actually matter (in priority order):

1. MSPGeek Slack / Discord

The most active MSP community outside Reddit
~25,000+ members, very security-aware
Culture: helping peers, NOT tolerating vendors who self-promote
Play: Participate genuinely for 3-4 weeks before any product mention. Answer questions. Be useful. Then soft-mention your tool when someone asks exactly the problem you solve.

2. LinkedIn (MSP-Specific Groups)

"MSP Business Owners" group — 40K+ members
"MSP/MSSP Community" — 15K+ members
Content that works: original data, benchmark posts, "I analyzed X" posts
Video posts outperform text 3:1 in engagement

3. YouTube (Underutilized for tools)

Channels like "MSP Mentor," "MSP Launchpad," "Crosstalk Solutions" (35K subs) reach decision-makers
Pitch them on a "security posture demo" episode — they do free product reviews for tools relevant to their audience
Tutorial format: "How to check your MSP client's external security posture in 5 minutes"

Top MSP Newsletters and Podcasts

Newsletters (estimated audiences):

Newsletter	Focus	Est. Subscribers	Notes
MSSP Alert	MSSP/security	40K+	Sponsored guest posts accepted; good for security tools
Channel Futures	Broad channel	80K+	Highest reach but expensive advertising
MSP Success Magazine	Business/profitability	30K+	Owners, not techs
MSP-C News (msp-channel.com)	UK/EU focused	20K+	Good for EU expansion later
Smarter MSP	Technology	25K+	Tech-forward audience; receptive to API tools
MSPGeek Newsletter	Community	15K+	Highly trusted, low-spam tolerance

Podcasts (targeting security-minded MSPs):

Podcast	Host	Relevance	Notes
Paul Green's MSP Marketing Podcast	Paul Green	Business/marketing	500+ episodes, huge archive, MSP owner audience
MSP Unplugged	Various	Operations	Solo/small MSP focus — perfect ICP
TubbTalk	Richard Tubb	Consulting/tools	UK base, reviews tools regularly
The RocketMSP Podcast	Steve Taylor	Tools/operations	Explicitly reviews tools and vendors
Right of Boom (conference companion)	Various	Security-focused	Security-minded MSPs only
All Things MSP	Justin Esgar	Broad	Community-driven, will feature indie tools
MSP Confidential	Luis Giraldo (ScalePad)	Leadership	Upper-market MSPs

ACTION [HIGH]: Email Steve Taylor (RocketMSP) and Richard Tubb (TubbTalk) directly. They regularly feature indie tools and don't require a sponsor fee for interesting products. Offer a free demo + exclusive data from your scans. These hosts respond to founders, not PR agencies.

ACTION [MEDIUM]: Write a guest post for MSSP Alert's sponsored blog program. They accept guest content from vendors; the format is native advertising but editorial in style. Cynomi uses this regularly. Topic: "What MSPs should check before onboarding a new SMB client (and how to automate it)."

MSP Conferences in 2026

Event	Date	Location	Attendance	Exhibit Cost (Est.)
Right of Boom	Feb 3-6, 2026	Las Vegas	300-500 (security-focused)	$1,500-3,000
MSP Expo	Feb 10-12, 2026	Fort Lauderdale, FL	1,000+	$3,000-8,000
IT Nation Connect Europe	Mar 9-12, 2026	London	600+	$5,000+
Xchange Security	Mar 1-3, 2026	Orlando, FL	200-400 (security buyers)	$2,000-4,000
MSP Summit / Channel Partners	Apr 13-16, 2026	Las Vegas	5,000+	$8,000+
Kaseya Connect Global	Apr 27-30, 2026	Las Vegas	3,000+	$10,000+ (partner required)
MSPGeekCon	May 17-19, 2026	Orlando, FL	500-800	~$1,500-2,500
Pax8 Beyond	Jun 7-9, 2026	Salt Lake City	2,000+	Partnership required
ASCII Edge	Feb-Oct 2026	Multiple cities	100-200/city	$1,000-2,000/city
IT Nation Connect Global	Nov 4-6, 2026	Orlando, FL	3,000+	$8,000+

Best ROI for early-stage (< $10K budget):

MSPGeekCon (May 2026) — Community-driven, security-focused attendees, affordable table, founders can attend without a full booth
Right of Boom (Feb 2026) — Pure security audience, smaller but very targeted. If your ideal customer is a security-conscious MSP, this is your room.
ASCII Edge (multi-city) — Lower cost per city, independent MSPs (not enterprise), relationship-driven community

Conference play without a booth: Attend as a attendee ($500-800), hang out at the networking events, and give live demos on your laptop. Many early-stage tools get first 20 customers this way. No booth required.

What Content Resonates with MSP Owners Right Now (2025-2026)

MSPs are currently dealing with three overlapping pressures:

1. AI security threats — Clients asking "are we protected from AI attacks?" MSPs don't always know what to say

Content angle: "How to tell clients what AI actually changes about their external security posture"

2. Compliance mandates — CMMC Phase 2 kicked in, cyber insurance requirements tightening, HIPAA enforcement up

Content angle: "5 external checks every MSP should run before cyber insurance renewal"
This is EXTREMELY timely — cyber insurers are increasingly requiring documented security posture

3. Client retention / proving value — MSPs struggling to show clients what they do all month

Content angle: "How to generate a monthly security posture report your clients actually understand"
ComplianceLayer's output IS this report — this positioning is money

ACTION [HIGH]: The "cyber insurance" angle is the hottest trigger right now. Cyber insurers are requiring external scans. MSPs need a cheap, automated way to run them. Position ComplianceLayer as "the tool you run before cyber insurance renewal."

Section 4: Partnership / Integration Plays

PSA/RMM Integration Ecosystems (Easiest to List On)

Ranked by openness/accessibility for early-stage vendors:

1. N-able (EASIEST — open ecosystem)

N-able has an app marketplace and a partner program that actively recruits new security tools
Integration path: REST API integration, no revenue share required initially
Contact: nablemarketing@n-able.com or their partner portal
Audience: Mid-market MSPs, security-conscious

2. Atera (VERY OPEN — startup-friendly)

All-in-one MSP platform with open API
Has an integrations marketplace and actively courts smaller vendors
Per-technician pricing (flat fee) means their MSPs are cost-conscious — ComplianceLayer pricing aligns perfectly
Integration: Webhook-based, REST API, no upfront partnership fee
Contact: partners@atera.com

3. ConnectWise Invent Program (MEDIUM — gated but reachable)

Official integration certification program
Process: Fill out questionnaire → call with Invent team → scope integration
Real talk from r/ConnectWise: "Very few vendors can do provisioning through CW — bring it up with the Invent team but expect a long sales process"
Better play: Build an unofficial integration first (they have a public API), THEN approach Invent with a working product
Audience: 20,000+ MSPs globally — worth the effort

4. Kaseya (HARD — vendor-of-record model)

Kaseya now sells tools directly to MSPs, competing with integrators
Getting into their ecosystem requires revenue share + vetting
Not worth pursuing until you have 50+ MSP customers

5. Pax8 (MEDIUM — application required)

Pax8 has a vendor application process for marketplace listing
They added security vendors in Q4 2024 (Ostendio, others)
Contact: devx.pax8.com for the developer program
The security program they launched in 2024 is actively recruiting complementary tools

6. Rewst (INTERESTING — automation-native MSPs)

Rewst is a workflow automation tool used by tech-forward MSPs
Their community (Flow conference, June 2026) is full of "automator" MSPs who love API tools
Build a Rewst integration template → their community shares it freely
No formal partnership required — just publish a workflow template

Security-Focused MSP Aggregators / Buying Groups

ASCII Group — 1,200+ member MSPs, buying group model. They vet and recommend tools. Becoming an ASCII vendor gives you access to their newsletter, events (ASCII Edge), and member portal. Fee: $2,000-5,000/year depending on tier. Worth it when you have 10+ customers.

CompTIA — Has a vendor ecosystem; less relevant for early-stage

MSSP Alert's Top 250 List — Apply to get listed as a recommended security tool vendor. Free editorial listing if you're genuinely relevant.

HTG/Service Leadership — Peer group organization for MSPs. Vendors can sponsor peer group meetings for direct MSP owner access.

White-Label Opportunities

Who white-labels security APIs:

1. ComplianceScorecard — A GRC platform that integrates BSN and others. They have a partner API and actively white-label security data from vendors. Worth a direct BD conversation.

2. Cynomi (vCISO platform) — Provides vCISO tooling to MSPs; they need external scan data to populate risk reports. A ComplianceLayer integration would fill a gap in their product.

3. RiskProfiler.io — Listed as MSSP Alert sponsor; newer platform combining external attack surface with risk scoring. Potential integration/data partnership.

4. White-label GRC platforms (ComplyAssistant, etc.) — Compliance SaaS that white-labels to MSPs. They need external scan data as one component.

ACTION [MEDIUM]: Reach out to Cynomi's BD team directly. Their vCISO platform creates reports for MSP clients — ComplianceLayer's external scan data would be a natural data source for their "external risk" section. This is a BD partnership, not a marketplace listing.

vCISO / Fractional Security Firms as a Distribution Channel

This is underutilized and HIGH leverage:

The play:

vCISO firms serve 10-50 SMB clients each
They need automated external scanning to populate client reports
ComplianceLayer at $99/mo covering 100 scans is PERFECT for a vCISO serving 20 clients
They charge clients $2,000-5,000/month for vCISO services — your $99/mo is a rounding error

How to reach them:

They congregate in: r/cybersecurity, LinkedIn "vCISO" groups, CISOs Connect community
Top vCISO platforms to partner with: Cynomi, Fractional CISO (.com), GetCybr
Offer a vCISO reseller program: 40% off monthly for verified vCISO firms who commit to annual

ACTION [HIGH]: Create a "vCISO Program" landing page. Offer: 40% discount + API access + white-label PDF reports. Promote in r/cybersecurity (posting as a resource, not an ad). vCISOs are very active there and actively discuss tool stacks.

Section 5: Pricing & Positioning Benchmarks

What MSPs Currently Pay for Security Reporting Tools

Market pricing landscape (researched 2024-2025):

Tool	Price	Model	What It Does
BreachSecure Now	~$3-5/user/month	Per seat	Security awareness training + dark web
ID Agent / Dark Web ID	~$150-300/month	Flat + per domain	Dark web monitoring
Guardz	~$9/user/month	Per seat	MDR + endpoint + email
Cynomi (vCISO)	~$350-500/month	Flat MSP	vCISO platform, compliance reports
SecurityScorecard (entry)	~$130/month	Per company monitored	Security ratings
UpGuard (entry)	~$500+/month	Per company	Third-party risk
BitSight	$15,000+/year	Enterprise contract	Security ratings
ConnectSecure	~$99-299/month	Per MSP	Vulnerability + compliance scanning
Intruder.io	~$101/month	Per target	External scanning

KEY INSIGHT: ComplianceLayer at $99/month for 100 scans is positioned between "free/lightweight" and "enterprise overkill." The sweet spot for an MSP with 20-30 clients is $3-5 per client per month. ComplianceLayer at $99/100 scans = ~$1/scan — competitive.

The real gap: There's no pure API-based security scoring tool with a developer-friendly interface in this price range. SecurityScorecard has an API but it's enterprise-priced. This is ComplianceLayer's moat.

MSP Markup on Security Tools

From MSP Success 2025 survey data:

MSPs target 60-70% Gross Service Margin
Benchmark pricing: Per device (32%), Per user (20%), Combination models (40%)
MSPs using value-based + cost-plus: 54%
Target GSM: 60%+ (best-in-class), 50-60% (typical)
On a $99/month tool, an MSP would bill clients $250-400/month for the "security monitoring" service line item

Markup math for ComplianceLayer:

MSP pays: $99/month (100 scans = 20 clients × 5 scans/month)
MSP bills clients: $15-25/client/month as "External Security Monitoring"
For 20 clients: $300-500 MRR in billing
MSP profit: $201-401/month gross on one $99/month tool
This is an easy sell: "Tool costs $99, we bill $300+, clients understand the value"

ACTION [HIGH]: Create an MSP pricing calculator on the website: "You have X clients → here's what ComplianceLayer costs you → here's what you bill clients → here's your monthly profit." This is the #1 thing MSPs need to justify a new tool purchase.

Pricing Model Preference (MSPs)

From survey data: MSPs prefer to buy tools on flat monthly (32% per device, 20% per user) but they SELL to clients on per-user or per-device. The disconnect: they want predictable costs but variable revenue.

What this means for ComplianceLayer pricing:

Flat monthly ($99) is CORRECT for the tool cost
Offer a "per-client" add-on option for MSPs who want to pass through billing directly
Consider: "MSP Pack" — $299/month for unlimited scans up to 50 clients (predictable, unlimited-feel)

Free Tier Structures That Work for API Products Targeting MSPs

What converts best (from PLG research):

Structure	Conversion Rate	Notes
Time-limited trial (14-30 days, full features)	8-15%	Best for API products
Feature-limited free (forever)	3-8%	Works if core value is visible in free
Usage-limited free (X scans/month)	5-12%	Best for per-scan products
Free for first N clients	10-18%	Highest for MSP tools — they test on 1-2 clients first

Best structure for ComplianceLayer:

Free: 10 scans/month, no credit card, full API access
Target: Developers and technical MSPs who want to test the API
Upsell trigger: When they've used 8 of 10 scans ("you're at 80% — upgrade to 100 scans for $99/month")
Add: "Free for the first client — upgrade when you add a second"

Critical: No credit card required on free tier. It doubles or triples free signups. The MSP who signs up for free and runs one scan on a real client is 10x more likely to convert than someone who reads a landing page.

Section 6: Cold Start Playbook — First 10 Paying MSP Customers

The Zero-Budget Path to 10 MSP Customers

Week 1-2: r/msp Value Drop

Post a thread titled: "I scanned 200 SMB domains and here's what I found (DNS, SSL, open ports)"

Structure:

Real data from scans you've actually run (use compliancelayer.net to scan 200 domains)
Report: X% had misconfigured DMARC, X% had expiring SSL certs, X% had unexpected open ports
Make it data journalism, not a product pitch
End with: "I built a tool to automate this — happy to scan your client list free for feedback"
DO NOT link to the product in the post body (against r/msp rules). Put it in your profile.

Why this works: Blacksmith Infosec got 113 upvotes with a less-proven free tool in Nov 2025. Original data about security posture is crack for MSP owners. They'll DM you asking for scans of their client list.

Week 2-3: The Free Scan Offer

From the DMs you get from the Reddit post:

"Happy to run your full client list through the API — give me 20 domains, I'll send you the report in 24 hours"
Do this for 10-15 MSPs manually
THEN show them the portal: "Here's what this looks like when you run it yourself"
The MSP who sees their own clients' data is pre-sold

Week 3-4: Show HN Post

Title: "Show HN: Security scoring API for MSPs – DNS, SSL, ports, headers in one call (API)"

Post Tuesday at 8 AM UTC.

Include: Loom demo (2 min), GitHub link to a simple CLI wrapper, pricing in first comment.

HN converts dev-savvy buyers who will bring this to their MSP teams. Even 50 upvotes = 200-500 unique visitors, 10-20 signups.

Week 4-6: MSP Community Slack / Discord Participation

Join MSPGeek Slack. For 3-4 weeks, only answer questions. Look for threads where MSPs ask:

"How do I prove security value to clients?"
"What tool shows me my client's external risk?"
"Client wants a security report for cyber insurance"

When these threads appear, answer genuinely, then mention: "I actually built something specifically for this — happy to share access if you want to test it."

Week 6-8: Podcast Outreach

Email 5 podcasts (RocketMSP, TubbTalk, All Things MSP) with:

Subject: "Founder here — built an API security tool for MSPs, have data on SMB security posture"
Offer: Bring original data from your scans, not a product pitch
These shows get requests from big vendors; a founder with data is more interesting

Specific Post Ideas That Would Perform Well in r/msp

These specific post concepts are calibrated for r/msp culture (anti-vendor, pro-peer-learning):

1. "I scanned 500 SMB clients' external footprints — here's the data" [DATA POST]

Format: Charts, tables, surprising findings
Expected: 150-300 upvotes if data is real and surprising
Key finding to highlight: "X% had DMARC misconfigured — that's an open invitation for phishing"

2. "What's your process for showing clients their security posture before renewal?" [QUESTION POST]

Don't mention your product
Learn what the community currently uses, where the gaps are
Comments will reveal your exact ICP's pain points
Engage for 2 weeks, then follow up with a post about the tool you built based on feedback

3. "Client asked 'how do I know you're actually securing my network?' — here's what I said" [STORY POST]

Tell a real story about proving value to a skeptical client
Include the technical report you gave them
At end: "I've started automating this — happy to share the process"

4. "Free open-source tool: automated external security posture check" [TOOL DROP]

Open source a component (e.g., a Python script that calls your API and generates a PDF report)
Apache 2 license
GitHub link
"Built this because clients kept asking. Hope it helps."
This mirrors exactly what Blacksmith Infosec did to get 113 upvotes

5. "Prepping for CMMC/cyber insurance audits — here's my external scan checklist" [RESOURCE]

Genuinely useful checklist
Include ComplianceLayer as one item ("I use X for this step")
Non-promotional framing

"Built in Public" Playbooks That Worked for B2B Security Tools

Examples of what works in this category:

1. Shodan's model (the benchmark)

Shodan started as a personal project, open-sourced key components
Built community by giving away data for research
Charged for API access and commercial features
B2B revenue came from companies who discovered it through the free version

2. OpenVAS / Greenbone (open core)

Free open-source scanner with commercial support/hosted version
MSPs recommend it constantly on r/msp, r/sysadmin
Monetized through SaaS version and enterprise support

3. Have I Been Pwned (data-first, community-driven)

Troy Hunt gave away the free breach checker
Built reputation as the expert
Now charges for API access ($3.50/month hobbyist, up to $1,400+/year enterprise)
MSPs use HIBP API to check client breach exposure

The common pattern for B2B security tools:

Give away the core data/scan for free (no friction, no email gate)
Make the API pay-to-access at a price anyone can justify
Let the community discover you through the free tool
Write about what you're finding/building (Twitter/X, LinkedIn, HN)

ACTION [HIGH]: Build a free public scanner at compliancelayer.net/check — enter any domain, get the score. No login. No email. Just the scan. This single feature will drive more organic traffic than any blog post. When users see value, they'll check out the API.

Quick Wins: Do This Week, Zero Money

Monday — Reddit Data Post

Run ComplianceLayer scans on 100-200 real SMB domains
Compile stats: % with misconfigured DMARC, % with expiring SSL, % with open ports
Write r/msp post: "I analyzed 200 SMB security footprints — here's the data"
Post Tuesday at 10 AM ET (peak r/msp time)

Tuesday — Alternatives.to Listings

List ComplianceLayer as an alternative to: SecurityScorecard, UpGuard, BitSight, Intruder
Free, takes 30 minutes, starts capturing comparison-stage buyers immediately

Wednesday — G2 + Capterra Free Listings

Create vendor profiles on both platforms
Add screenshots, pricing, description
Ask 3-5 current users (even beta testers) to leave reviews — G2 rank goes from 0 to visible with 5 reviews

Thursday — Show HN Prep

Draft Show HN post (under 55 char title)
Build a simple open-source CLI wrapper for the API (Python, MIT license)
Push to GitHub
Schedule post for Tuesday 8 AM UTC

Friday — Podcast Outreach

Email Steve Taylor (RocketMSP) and Richard Tubb (TubbTalk)
Pitch: "I have scan data on thousands of SMBs — want to do an episode on what MSPs are missing in external security posture?"
Keep it short. They get long vendor pitches; a data story is different.

This weekend — Free Public Scanner

Build the single-domain free check at compliancelayer.net/check
No login required
Show the score (A-F grade) + top 3 issues found
Include: "Want to run this on all your clients? → API starts at $99/month"
This is your most important distribution asset

Priority Action Matrix

Action	Channel	Priority	Cost	Timeline
Post scan data to r/msp	Reddit	🔴 HIGH	$0	This week
alternatives.to listings	Directories	🔴 HIGH	$0	This week
Free public domain scanner	Product	🔴 HIGH	Dev time	This week
Email RocketMSP + TubbTalk	Podcasts	🔴 HIGH	$0	This week
G2 + Capterra profiles	Directories	🔴 HIGH	$0	This week
Show HN post	HN	🔴 HIGH	$0	Next Tuesday
"We scanned X clients" blog post	SEO	🟡 MEDIUM	$0	Week 2
MSPGeek Slack — join, participate	Community	🟡 MEDIUM	$0	Ongoing
vCISO reseller program landing page	Website	🟡 MEDIUM	Dev time	Week 2
MSP pricing calculator on site	Website	🟡 MEDIUM	Dev time	Week 2
MSSP Alert guest post	PR/Content	🟡 MEDIUM	$0	Week 3
Atera + N-able partnership outreach	Integrations	🟡 MEDIUM	$0	Week 4
Cynomi BD conversation	Partnerships	🟡 MEDIUM	$0	Week 4
ProductHunt launch	PH	🟡 MEDIUM	$0	Week 6
MSPGeekCon (May 2026) booth	Conference	🟢 LOW	$1,500-2,500	Book now
SEO content build-out	SEO	🟢 LOW	Content time	Months 2-6
ConnectWise Invent application	Integration	🟢 LOW	Dev time	Month 3+
ASCII Group vendor membership	Community	🟢 LOW	$2,000-5,000	When 10+ customers

Key Numbers to Remember

UpGuard: 101K organic visits/month, zero paid ads, DR 79 — built entirely through SEO
Blacksmith Infosec free tool post: 113 upvotes, 45 comments (Nov 2025 on r/msp)
Show HN security tools: 1.8x growth, less noise than AI category
Best Show HN time: Tuesday/Wednesday, 8-11 AM UTC
MSP target GSM: 60-70% on tools they resell
Markup math: $99 tool → $300-500 client billing for 20 clients
SecurityScorecard entry: ~$130/month (limited); ComplianceLayer = legitimate alternative at same price with API-first approach
MSP markup on security tools: 3-5x resell is standard
r/msp: 330,000+ members; peak time Tuesday-Thursday 9-11 AM ET
MSPGeekCon May 2026: Best early-stage conference ROI
vCISO market: Firms serve 10-50 SMB clients; $99/month is a trivial cost for them

Research compiled 2026-03-07 using web data from Reddit, Brave Search, industry publications including MSP Success, MSSP Alert, Channel Futures, ScalePad, PricingLink, and Concurate's UpGuard SEO analysis.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

How to check your domain's external security posture for free

ComplianceLayer — Tue, 28 Apr 2026 14:00:02 +0000

How to check your domain's external security posture for free

Published on dev.to — target tags: security, devops, api, webdev

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

Is your SSL certificate properly configured? What cipher suites are you advertising?
Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
What ports are publicly reachable from the internet right now?
Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
Cipher strength (no RC4, DES, or export-grade ciphers)
Certificate validity and expiry buffer
HSTS header with appropriate max-age
Certificate transparency logs

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks. Most modern CDNs will help, but bare-metal configs often miss this.

2. DNS Configuration

DNS is the phonebook of the internet and it's a goldmine for attackers:

SPF (Sender Policy Framework): Without it, anyone can send email as your domain
DMARC: Even with SPF, without DMARC you have no enforcement or visibility
DNSSEC: Protects against DNS poisoning and cache hijacking
Open zone transfers: Should be restricted to authorized nameservers only
Dangling DNS: Old DNS records pointing to decommissioned resources (a very common takeover vector)

3. HTTP Security Headers

These are one-line config changes that provide significant protection:

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Most sites are missing at least 3-4 of these. Check yours at securityheaders.com or via the API below.

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server, a VPN concentrator, or a forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Returns a job_id, then poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"

The response gives you:

Overall grade (A-F)
Score (0-100)
Module-by-module breakdown: ssl, dns_email, headers, ports, dnssec, blacklists, waf, etc.
Specific findings with severity (critical/high/medium/low)
Remediation steps for each issue

Free tier is 10 scans/month — more than enough to audit your key domains.

Real-world example

I scanned acehardware.com to test it (a major retail brand):

Grade: A | Score: 96
0 critical issues
1 high issue (found in headers)
4 medium issues

That's a well-configured domain. Compare that with a typical SMB without a dedicated security team — they usually score in the C-D range with missing HSTS, no DMARC enforcement, and open admin ports.

Building it into your workflow

If you're an MSP or developer, the API is what makes this powerful:

// Example: automated domain health check in Node.js
const axios = require('axios');

async function checkDomain(domain) {
  const { data } = await axios.post('https://compliancelayer.net/v1/scan/', 
    { domain },
    { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
  );

  // Poll until complete
  let result;
  do {
    await new Promise(r => setTimeout(r, 5000));
    const poll = await axios.get(
      `https://compliancelayer.net/v1/scan/jobs/${data.job_id}`,
      { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
    );
    result = poll.data;
  } while (result.status !== 'completed');

  return result.result;
}

You can use this to:

Onboard clients: Scan their domain before engagement, show them their grade
Continuous monitoring: Weekly automated reports
Pre-sales: Build a free tool that shows prospects their grade → captures email
Insurance prep: Document your security posture before renewal

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.

Have questions about reading your scan results? Drop them in the comments.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

Competitor Comparison Pages — Copy

ComplianceLayer — Thu, 23 Apr 2026 14:00:01 +0000

Competitor Comparison Pages — Copy

Two pages targeting the highest-value comparison search terms.

Page 1: ComplianceLayer vs SecurityScorecard

URL: /vs/securityscorecard
Target keyword: "SecurityScorecard alternative for MSPs" / "affordable SecurityScorecard alternative"
Search intent: Commercial — someone who looked at SecurityScorecard pricing and left

Headline

SecurityScorecard starts at $1,500/year.
ComplianceLayer starts at $99/month.

Both score external security posture. Only one was built for MSPs.

The problem with SecurityScorecard for MSPs

SecurityScorecard is built for enterprise procurement teams evaluating third-party vendors. It's great at that. It's not great if you're an MSP trying to:

Scan 15 client domains every month for QBR reporting
Run automated checks via API
Get results without a 45-minute demo and a 3-year contract

Their self-serve tier gives you limited scans, limited domains, and no API access. To get the features MSPs actually need, you're looking at enterprise pricing — $20,000+/year.

Feature comparison

Feature	ComplianceLayer	SecurityScorecard
Pricing	$99/mo	$1,500/yr+ (self-serve) / $20K+ (enterprise)
API access	✅ Core feature	Enterprise only
Free trial	✅ No credit card	Limited demo
Self-serve signup	✅ Instant	❌ Sales call required
DNS/email checks	✅ SPF, DMARC, DKIM, CAA	✅ Yes
SSL analysis	✅ Yes	✅ Yes
Open port scanning	✅ Yes	✅ Yes
HTTP headers	✅ Yes	✅ Yes
Multi-client support	✅ Up to 200 domains	Enterprise tier
White-label reports	✅ On Pro+	❌ No
Monthly billing	✅ Yes	❌ Annual only
No contract	✅ Cancel anytime	❌ Annual commitment

Who should use SecurityScorecard?

Enterprise companies evaluating hundreds of third-party vendors with compliance teams and legal review processes. If that's you, SecurityScorecard is excellent.

Who should use ComplianceLayer?

MSPs who need to monitor client security posture at scale. IT teams that want API access to build custom dashboards. SMBs that need a security score for compliance without enterprise pricing.

Try ComplianceLayer free

10 scans/day, no credit card, instant API key.

[Get started → compliancelayer.net]

Page 2: ComplianceLayer vs UpGuard

URL: /vs/upguard
Target keyword: "UpGuard alternative" / "UpGuard alternative for small business"
Search intent: Commercial — UpGuard is expensive and has a friction-heavy sales process

Headline

UpGuard requires a demo request.
ComplianceLayer gives you an API key in 30 seconds.

The UpGuard problem

UpGuard is a serious tool. It has excellent data and strong brand reputation. It also has:

No self-serve pricing page
A mandatory demo request for any real access
Pricing that starts around $5,000/year
A focus on third-party risk management (vendor assessment), not operational MSP use

If you're an MSP wanting to run daily or weekly security posture checks on client infrastructure, UpGuard's pricing model doesn't make sense. You'd pay for features you don't need and sales friction you don't want.

Feature comparison

Feature	ComplianceLayer	UpGuard
Pricing	From $99/mo	~$5,000/yr+ (contact sales)
Self-serve signup	✅ Instant	❌ Demo required
API access	✅ Yes	Paid add-on
Free trial	✅ Permanent free tier	Limited
MSP multi-client	✅ Up to 200 domains	Enterprise
Port scanning	✅ Yes	✅ Yes
DNS health	✅ Yes	✅ Yes
SSL analysis	✅ Yes	✅ Yes
HTTP headers	✅ Yes	Partial
Monthly billing	✅ Yes	Annual only

Get started without the sales call

[Try ComplianceLayer free → compliancelayer.net]

Implementation Notes

Both pages should be live before any SEO or content push
Add FAQ schema markup for "Is X cheaper than UpGuard?" type queries
Internal link from these pages → pricing page → signup
Add a comparison table widget (interactive, filterable) for higher engagement
Monitor rankings monthly — these pages compound over 6-12 months

Last updated: 2026-03-07

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

Case Study Template — ComplianceLayer

ComplianceLayer — Tue, 21 Apr 2026 14:00:02 +0000

Case Study Template — ComplianceLayer

Purpose: Template for documenting customer success stories. Fill in when we have paying customers.

Template

[Customer Name] — [One-Line Result]

Example: "Managed IT Solutions — Cut QBR prep time by 80% with automated security scoring"

Company Snapshot

Field	Value
Company	[Name]
Industry	MSP / IT Consulting / [Other]
Size	[X] employees, [Y] clients
Location	[City, State]
ComplianceLayer plan	Starter / Pro / Business
Customer since	[Month Year]

The Challenge

[2-3 paragraphs describing what problem they had before ComplianceLayer]

Key pain points:

[Bullet 1]
[Bullet 2]
[Bullet 3]

Quote:

"[Direct quote from customer about the problem]"
— [Name], [Title]

The Solution

[How they use ComplianceLayer]

Implementation highlights:

Time to first scan: [X minutes/hours]
Integration: [API / Dashboard / Automated reports]
Primary use case: [QBR reporting / Onboarding / Ongoing monitoring]

The Results

Metric	Before	After	Change
QBR prep time	[X hours]	[Y hours]	-[Z]%
Clients with security score	[X]%	[Y]%	+[Z]%
Security issues found	[X/month]	[Y/month]	+[Z]x
Security upsell revenue	$[X]/month	$[Y]/month	+$[Z]

Quote:

"[Direct quote about the results]"
— [Name], [Title]

Key Takeaways

[Lesson 1]
[Lesson 2]
[Lesson 3]

About [Company Name]

[1 paragraph company description]

Website: [URL]
Learn more: compliancelayer.net

Case Study Collection Checklist

When a customer agrees to a case study:

[ ] Schedule 30-min interview call
[ ] Get permission to use company name (or anonymize)
[ ] Get specific metrics (before/after)
[ ] Get 2-3 direct quotes
[ ] Get headshot + logo (for full-page versions)
[ ] Draft, send for approval
[ ] Publish to /customers page
[ ] Add to sales collateral
[ ] Ask if they'd do a video testimonial (future)

Interview Questions

What were you using before ComplianceLayer? What was the pain?
How did you hear about us?
What was your first impression when you tried it?
How are you using it now? Walk me through a typical week.
What specific results have you seen? Can you give me numbers?
What would you tell another MSP who's considering it?
What's one thing you'd improve about the product?

Anonymized Version Template

For customers who can't share company name:

Title: "Regional MSP — Found 23 critical security issues across 15 clients in first week"

Use "[Regional MSP with 15 clients]" instead of name
Focus on metrics and use case, not company details
Still get quote permission (can use first name only)

Template created: 2026-03-07

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

We Scanned 200 SMB Domains. Here's What We Found.

ComplianceLayer — Thu, 16 Apr 2026 14:00:02 +0000

We Scanned 200 SMB Domains. Here's What We Found.

Published by the ComplianceLayer team | March 2026

Last quarter, we ran ComplianceLayer against 200 small and medium business domains — companies with 10 to 500 employees across industries including professional services, healthcare-adjacent (no PHI), retail, and technology. No one paid us to do this. We wanted to know: how is the average SMB actually doing on the fundamentals of external security?

The results were worse than we expected. And we expected bad.

Here's what we found.

Methodology

We used our own tool — ComplianceLayer — to run a full external security scan on each domain. Each scan checks four categories: SSL/TLS configuration, DNS/email authentication (SPF, DMARC, DKIM), HTTP security headers, and open port exposure. Domains were sourced from a mix of public business directories and submitted by MSP partners who gave permission to aggregate anonymized findings. No internal systems were tested. All scans were passive external assessments.

Domains were graded A through F per category.

SSL/TLS: Better Than Expected, But Fragile

The SSL picture was the most encouraging of the four categories — but the details tell a more complicated story.

71% of domains earned an A or B grade on SSL. The widespread adoption of Let's Encrypt and auto-renewing certificate providers has pushed basic SSL hygiene into the mainstream. Most domains had valid certificates.

But dig one layer deeper:

23% were running TLS 1.0 or TLS 1.1 alongside modern TLS 1.3. Both older protocol versions have known vulnerabilities and were officially deprecated by the IETF in 2021. Supporting them for "compatibility" is a real risk.
11% had certificates expiring within 30 days. These aren't companies that forgot to renew — they're companies where nobody is watching. For an MSP, that's a 2 AM emergency call waiting to happen.
6% had expired certificates entirely. Fully expired. In production.
4% were using SHA-1 signed certificates — an algorithm considered broken for over a decade.

The headline SSL number looks fine. The tail is ugly.

DNS & Email Security: The Worst Category by Far

If there's one finding we'd highlight in a conference talk, it's this: SMB email authentication is a disaster.

Email spoofing — where an attacker sends email pretending to be from your domain — is one of the most effective phishing vectors in existence. Three DNS records prevent it: SPF, DMARC, and DKIM. All three are free to configure. All three have been industry best practice for years.

Here's where 200 SMB domains stood:

SPF present: 64% ✓ — Better than average, but still 36% missing.
DMARC present: 31% ✓ — Over two-thirds of SMBs have no DMARC record.
DKIM present: 44% ✓ — Less than half have DKIM signing configured.
All three configured correctly: 18% ✓ — Only 1 in 5 SMBs has complete email authentication.

To be clear about what the missing 69% of DMARC means: anyone on the internet can send email that appears to come from their domain, and receiving mail servers have no policy-based mechanism to reject or quarantine it. That's the setup for CEO fraud, vendor impersonation, and credential phishing.

The fix is a DNS record. It takes 10 minutes. But without active monitoring, most SMBs will never notice it's missing.

HTTP Security Headers: Low-Hanging Fruit, Widely Missed

HTTP security headers are configurations added to web server responses that instruct browsers to enforce security policies. Most don't require application changes — just a web server configuration tweak. Yet the adoption rate among SMBs is remarkably low.

Results across our 200-domain sample:

Header	Present	Missing
HSTS (HTTP Strict Transport Security)	47%	53%
X-Frame-Options	38%	62%
X-Content-Type-Options	41%	59%
Content-Security-Policy (CSP)	19%	81%
Referrer-Policy	29%	71%
Permissions-Policy	11%	89%

Only 8% of domains had all six headers configured correctly.

Content-Security-Policy is the most complex to implement — it requires understanding what scripts your site loads — and its 19% adoption reflects that complexity. But HSTS, X-Frame-Options, and X-Content-Type-Options are one-line nginx or Apache config changes. There's no good reason for 53–62% of SMBs to be missing them.

The absence of X-Frame-Options leaves sites vulnerable to clickjacking. Missing X-Content-Type-Options can enable MIME-type sniffing attacks. These aren't theoretical — they show up in penetration test reports as exploitable issues.

Open Ports: A Few Alarming Findings

Open port analysis checks which network services are reachable from the public internet. Some open ports are expected (80/HTTP, 443/HTTPS). Others are not.

Unexpected open ports found across the dataset:

RDP (port 3389) exposed to internet: 14% of domains
SMB (port 445) exposed to internet: 7% of domains
Telnet (port 23) open: 3% of domains
FTP (port 21) open: 9% of domains
SSH on default port 22: 31% (elevated risk if using password auth)

RDP exposed to the internet is a well-documented ransomware entry point. The 14% figure is consistent with external research — RDP brute force has been the leading initial access vector in ransomware incidents for several consecutive years according to multiple incident response firm reports.

SMB exposed to the internet raises WannaCry-era memories. It should not be reachable from the public internet in any SMB deployment.

The good news: 62% of domains earned an A or B on port exposure, meaning most SMBs have at least the basics of network perimeter hygiene. The remaining 38% have at least one significant finding.

The Overall Picture

Scoring each domain across all four categories:

A overall: 4%
B overall: 23%
C overall: 38%
D overall: 27%
F overall: 8%

More than one-third of SMBs scored D or F on overall external security posture. The most common failure pattern was: decent SSL, missing email authentication, no security headers, one or two problematic open ports.

This isn't a technology problem. It's a visibility problem. MSPs managing these companies often don't have an automated way to track this across their client base. The clients themselves have no idea. Nobody is watching the dashboard that doesn't exist.

What We Recommend

Based on these findings, here's the priority order for any SMB or MSP addressing the gap:

Fix DMARC immediately. It's free, it takes 10 minutes, and the blast radius of not having it is enormous. Start with p=none if you need to monitor before enforcing.
Audit open ports. RDP should never be internet-facing. Use a VPN or jump host.
Add HSTS and X-Content-Type-Options. Two header lines in your web server config.
Check SSL expiry. Set up monitoring or use a cert provider with auto-renewal.
Add CSP. More complex, but important for any site loading third-party scripts.

Try It Yourself

If you're an MSP or sysadmin who wants to know where your clients or your own domains stand, ComplianceLayer's free tier lets you run 10 domain scans per month with no credit card required. You'll get an A-F grade per category and a specific remediation checklist for every failing check.

Start scanning free →

We didn't write this to sell subscriptions (though we're happy if you upgrade). We wrote it because someone needs to show the actual numbers — and the numbers say most SMBs are one missed DMARC record away from a convincing phishing campaign.

Data collected Q1 2026. N=200 SMB domains. External passive scanning only. No internal systems accessed.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

We Scanned the Cyber Insurers. Their DMARC Failed.

ComplianceLayer — Tue, 14 Apr 2026 14:00:01 +0000

We Scanned the Cyber Insurers. Their DMARC Failed.

Hiscox and Markel both require DMARC on your cyber insurance renewal application.

We scanned their domains. Both are at p=none. Cowbell Cyber has p=reject but no SPF record at all. That's three major carriers — all misconfigured, all enforcing requirements on customers they can't meet themselves.

This isn't a gotcha. It's a map of exactly what your clients look like when an underwriter runs the same scan on their domain.

What the Insurers Are Asking For vs. What They Have

Cyber insurance applications increasingly include a standard checkbox: "Have you implemented SPF, DKIM, and DMARC to protect against phishing and email spoofing?"

Most applicants check yes. Many shouldn't.

We scanned 73 domains across the MSP security vendor ecosystem and cyber insurance space. Among the carriers:

Carrier	DMARC Policy	Issue
Hiscox	`p=none`	Monitoring only — no enforcement
Markel	`p=none`	Monitoring only — no enforcement
Cowbell Cyber	`p=reject`	Correct policy — but no SPF record at all

p=none is not DMARC. It tells receiving mail servers to log unauthenticated email and do nothing about it. Attackers can still send spoofed email from hiscox.com or markel.com and it will land in inboxes. The record exists. The enforcement doesn't.

Cowbell's situation is different but equally problematic. They have the right DMARC policy but no SPF record — which means DMARC alignment checks can't work properly. DMARC relies on SPF or DKIM to pass. Without SPF, half the authentication chain is missing.

The Vendor Irony Stack

The insurance carriers aren't the only ones with this problem. We scanned the MSP security tool vendors — the companies your clients use to stay secure — and found the same pattern.

Blackpoint Cyber (blackpoint-cyber.com) — an MDR vendor selling managed detection and response — has no DMARC record and no SPF record. A cybersecurity company with zero email authentication.

Syncro (syncro.app) — one of the more popular RMM/PSA platforms for MSPs — has no DMARC record at all.

Proofpoint (proofpoint.com) — a company that sells email security and specifically sells DMARC-related products — has SPF configured with ~all (soft fail) instead of -all (hard fail). That one character difference is the gap between "unauthorized servers bounced" and "unauthorized servers accepted with a suspicious flag."

The common thread: the team managing DNS is not the team that knows what these records should say. This is organizational friction, not malice. But it's the same friction your clients have.

The Full Scan Breakdown

From our 73-domain scan on 2026-03-24:

DMARC Policy Distribution:

Policy	Count	Rate
`p=reject` (enforced)	43	58.9%
`p=quarantine`	22	30.1%
`p=none` (monitoring only)	6	8.2%
No DMARC record	2	2.7%

58.9% of the domains we scanned have actual DMARC enforcement. The remaining 41.1% have records that provide partial or no protection.

For context: when an underwriter runs an automated check and sees p=none, the answer to "do you have DMARC?" is effectively no. The record is there, but it's not doing anything.

What "DMARC Configured" Actually Means

Here's the enforcement hierarchy, weakest to strongest:

p=none       → Log unauthenticated mail. Do nothing.
p=quarantine → Send suspicious mail to spam.
p=reject     → Block unauthenticated mail entirely.

When an insurer asks about DMARC, they want p=reject. When an automated external scanner checks, it will read the policy exactly. There's no partial credit for having a monitoring record.

The correct DMARC record looks like this:

v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com

p=reject — enforcement is on
rua — aggregate reports going somewhere that gets monitored

Both fields matter. A reject policy with no reporting address means you're blocking email but flying blind on what's being blocked.

The SPF Problem Is Equally Quiet

SPF gets less attention than DMARC, but the failure mode is just as real.

Proofpoint's soft fail (~all) is a good example. The record tells receiving servers: "mail from unauthorized sources is suspicious, but accept it." In practice, most mail servers treat ~all as a weak signal and deliver the mail anyway.

The correct ending for an SPF record is -all — hard fail. That tells receiving servers to reject mail from unauthorized sources outright.

Manual check:

dig TXT clientdomain.com +short | grep spf

What you're looking for:

v=spf1 include:provider.com -all — correct
v=spf1 include:provider.com ~all — soft fail, minimal protection
No result — no SPF at all

If your client's record ends in ~all, it's not correctly configured. The insurance application checkbox says yes. The actual protection isn't there.

Where This Hits Your Clients

Cyber insurance renewals are where this becomes a business problem. The process:

Broker sends renewal questionnaire
Client checks "yes" on email authentication
Underwriter runs automated external scan
Scan shows p=none or soft-fail SPF
Mismatch between checkbox and DNS record → premium spike or denial

The underwriter isn't calling to verify. They're running automated checks — the same kind of checks anyone can run. If your client said yes and their domain shows p=none, that's a misrepresentation on an insurance application. It's also a gap an attacker can exploit today.

Business Email Compromise (BEC) — where an attacker sends email that appears to come from your client's domain — directly exploits missing DMARC enforcement. The FBI's IC3 report puts BEC losses at $2.9B in 2023. Most of those losses hit organizations without enforced DMARC.

Your clients' insurance renewal and their actual security posture are pointing at the same problem.

How to Check This at Scale

Single-domain manual check:

# DMARC
dig TXT _dmarc.clientdomain.com +short

# SPF
dig TXT clientdomain.com +short | grep spf

# DKIM (you need the selector — ask the client's IT)
dig TXT selector._domainkey.clientdomain.com +short

What "passing" looks like:

DMARC: v=DMARC1; p=reject; with a rua= address
SPF: Record present, ends with -all
DKIM: At least one active selector returning a key record

This works for one domain. For a full client base — 20, 50, 100 domains — it's a spreadsheet problem.

ComplianceLayer automates it. One API call returns DMARC policy, SPF configuration, DKIM status, enforcement grades, and findings:

curl -H "Authorization: Bearer sk_your_key" \
  "https://api.compliancelayer.net/v1/scan?domain=clientdomain.com"

Structured JSON, completes in under 15 seconds per domain. Script it across your client list and you have a pre-renewal email authentication audit before anyone touches the questionnaire.

The Part That Should Concern You

The cyber insurers in our scan are asking about DMARC because it's a genuine indicator of security hygiene. The fact that Hiscox and Markel run p=none themselves doesn't change what their underwriting systems are scanning for on your clients' domains.

External automated checks don't care about intent or circumstances. They read the DNS record.

If your client's DNS says p=none, the audit fails. If their SPF ends in ~all, the audit fails. If they have DMARC but no SPF — like Cowbell Cyber's own domain — the authentication chain is broken regardless of what the policy says.

The fix is not complicated. It's a DNS record change. The hard part is knowing which clients need it before they find out from an underwriter.

Summary

Major cyber insurers — Hiscox, Markel, Cowbell — have email authentication gaps on their own domains while requiring it from applicants
MDR vendor Blackpoint Cyber has no DMARC and no SPF; RMM platform Syncro has no DMARC
Proofpoint (an email security vendor) uses SPF soft fail instead of hard fail
p=none is not DMARC enforcement — it's a monitoring record that does nothing to stop spoofing
41.1% of domains in our scan had partial or no DMARC enforcement
Underwriters run automated external scans — mismatches between the checkbox and DNS records cause premium increases and denials

Run a free scan at compliancelayer.net — no account required. If your clients' domains show anything other than p=reject, you have a deliverable and a conversation before their next renewal.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

Start a scan

ComplianceLayer — Sun, 12 Apr 2026 20:33:48 +0000

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

Is your SSL certificate properly configured? What cipher suites are you advertising?
Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
What ports are publicly reachable from the internet right now?
Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
Cipher strength (no RC4, DES, or export-grade ciphers)
Certificate validity and expiry buffer
HSTS header with appropriate max-age
Certificate transparency logs

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks. Most modern CDNs will help, but bare-metal configs often miss this.

2. DNS Configuration

DNS is the phonebook of the internet and it's a goldmine for attackers:

SPF (Sender Policy Framework): Without it, anyone can send email as your domain
DMARC: Even with SPF, without DMARC you have no enforcement or visibility
DNSSEC: Protects against DNS poisoning and cache hijacking
Open zone transfers: Should be restricted to authorized nameservers only
Dangling DNS: Old DNS records pointing to decommissioned resources (a very common takeover vector)

3. HTTP Security Headers

These are one-line config changes that provide significant protection:

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Most sites are missing at least 3-4 of these.

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server, a VPN concentrator, or a forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Returns a job_id, then poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"

The response gives you:

Overall grade (A-F)
Score (0-100)
Module-by-module breakdown: ssl, dns_email, headers, ports, dnssec, blacklists, waf, etc.
Specific findings with severity (critical/high/medium/low)
Remediation steps for each issue

Free tier is 10 scans/month — more than enough to audit your key domains.

Building it into your workflow

If you're an MSP or developer, the API is what makes this powerful:

// Example: automated domain health check in Node.js
const axios = require('axios');

async function checkDomain(domain) {
  const { data } = await axios.post('https://compliancelayer.net/v1/scan/', 
    { domain },
    { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
  );

  // Poll until complete
  let result;
  do {
    await new Promise(r => setTimeout(r, 5000));
    const poll = await axios.get(
      `https://compliancelayer.net/v1/scan/jobs/${data.job_id}`,
      { headers: { 'X-API-Key': process.env.COMPLIANCE_API_KEY } }
    );
    result = poll.data;
  } while (result.status !== 'completed');

  return result.result;
}

You can use this to:

Onboard clients: Scan their domain before engagement, show them their grade
Continuous monitoring: Weekly automated reports
Pre-sales: Build a free tool that shows prospects their grade → captures email
Insurance prep: Document your security posture before renewal

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.

Have questions about reading your scan results? Drop them in the comments.

Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.

How to check your domain's external security posture for free

ComplianceLayer — Mon, 23 Mar 2026 22:56:47 +0000

When was the last time you checked what the internet actually sees when it looks at your domain?

Not your firewall logs. Not your SIEM. The external attack surface — the stuff anyone can scan without credentials.

I'm talking about:

Is your SSL certificate properly configured? What cipher suites are you advertising?
Are your DNS records leaking information (open zone transfers, missing SPF/DMARC)?
Are your HTTP security headers (CSP, HSTS, X-Frame-Options) actually set?
What ports are publicly reachable from the internet right now?
Are you on any blacklists or reputation databases?

This is exactly what an attacker checks before they target you. It's also what cyber insurance underwriters check before they quote you a premium.

The 4 layers that matter

1. SSL/TLS

This isn't just "does the padlock show." Real SSL security means:

Protocol version (TLS 1.2+ only, no SSLv3 or TLS 1.0)
Cipher strength (no RC4, DES, or export-grade ciphers)
Certificate validity and expiry buffer
HSTS header with appropriate max-age

A quick win: if you're still accepting TLS 1.0 connections, you're vulnerable to POODLE and BEAST attacks.

2. DNS Configuration

SPF: Without it, anyone can send email as your domain
DMARC: Even with SPF, without DMARC you have no enforcement or visibility
DNSSEC: Protects against DNS poisoning and cache hijacking
Dangling DNS: Old DNS records pointing to decommissioned resources

3. HTTP Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Most sites are missing at least 3-4 of these.

4. Open Ports

What's publicly accessible on your server? Port 22 (SSH) exposed to the world? MongoDB on 27017? Redis on 6379?

The Shodan graveyard is full of companies who forgot about a dev server or forgotten service.

How to check this automatically (for free)

The fastest way I've found is ComplianceLayer — it's an external security scanning API that runs all of these checks and returns an A-F grade with specific remediation steps.

# Start a scan
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'

# Poll for results:
curl https://compliancelayer.net/v1/scan/jobs/{job_id} \
  -H "X-API-Key: YOUR_API_KEY"

Free tier is 10 scans/month — more than enough to audit your key domains.

Real-world example

I scanned acehardware.com:

Grade: A | Score: 96
0 critical issues, 1 high (headers), 4 medium

Compare that with a typical SMB — they usually score C-D range with missing HSTS, no DMARC, and open admin ports.

The bottom line

Your external security posture is publicly visible. Attackers are already scanning you. The question is whether you know what they see.

Running a free scan takes 30 seconds. Go check your domain at compliancelayer.net.

Have questions about reading your scan results? Drop them in the comments.