The Insurance Market Has Changed
Cyber insurance premiums have increased by an average of 50% to 100% since 2022, according to data from Marsh McLennan and Coalition. Underwriters who once rubber-stamped applications are now conducting detailed technical assessments before issuing policies. DDoS protection, which was barely mentioned on applications five years ago, has become a specific line item that underwriters evaluate independently.
The shift started after a wave of DDoS-related claims in 2023 and 2024. Insurers paid out hundreds of millions of dollars for business interruption losses caused by DDoS attacks, and the claims data revealed a pattern: organizations without dedicated DDoS detection and mitigation had dramatically higher loss ratios. In response, underwriters added DDoS-specific questions to their applications and started requiring proof of protection as a condition of coverage.
This is not limited to large enterprise policies. Even small and mid-market cyber insurance applications from carriers like Coalition, Corvus, and At-Bay now include questions about DDoS detection, response capabilities, and historical incident data. If you cannot answer these questions satisfactorily, you face higher premiums, coverage exclusions, or outright denial.
What Underwriters Actually Ask
Cyber insurance applications vary by carrier, but the DDoS-related questions cluster around five areas. Here is what you will encounter on a typical 2026 application:
Detection Capabilities
- Do you have dedicated DDoS detection in place? (Yes/No is not enough; they want specifics)
- What type of detection do you use? (Agent-based, flow-based, inline, cloud-based)
- What is your mean time to detect (MTTD) a DDoS attack?
- Can your detection system identify attack type and vector?
- Is detection automated or does it require manual observation?
Response Time and Mitigation
- What is your mean time to respond (MTTR) to a DDoS attack?
- Do you have automated mitigation capabilities?
- Do you have a documented DDoS incident response plan?
- When was the plan last tested or exercised?
- Do you have upstream scrubbing or mitigation services under contract?
Logging and Forensics
- Do you retain logs of DDoS incidents? For how long?
- Can you provide packet-level evidence (PCAPs) of attacks?
- Do you generate automated incident reports?
- Is your logging tamper-evident with audit trails?
Historical Incident Data
- How many DDoS incidents have you experienced in the past 12 months?
- What was the duration and impact of each incident?
- What was your MTTR for each incident?
- Were any incidents associated with extortion or ransom demands?
Third-Party Dependencies
- Do you rely on your hosting provider or ISP for DDoS protection?
- If yes, what SLA do they provide for DDoS mitigation?
- Do you have a backup mitigation strategy if your primary provider fails?
Underwriters are not looking for perfection. They are looking for evidence of a deliberate, documented approach to DDoS defense. Organizations with measurable detection speed, automated response, and forensic capabilities get better rates than those with vague answers.
How DDoS Incidents Affect Premiums
The relationship between DDoS incidents and insurance costs is direct and measurable. Data from Coalition's 2025 Cyber Claims Report shows:
| DDoS Incident History | Premium Impact | Coverage Impact |
|---|---|---|
| No incidents, strong detection | Baseline rate | Full coverage, lower deductible options |
| No incidents, no dedicated detection | +15% to +30% | Higher deductible, possible sublimits |
| 1-2 incidents, documented response | +10% to +20% | Full coverage with incident review |
| 1-2 incidents, poor documentation | +30% to +50% | Sublimits on business interruption |
| 3+ incidents or unmitigated outage | +50% to +100% | DDoS exclusion or policy denial |
The key insight is that having incidents is not disqualifying if you can demonstrate that you detected them quickly, responded effectively, and documented everything. Underwriters expect that organizations with internet-facing infrastructure will experience DDoS attacks. What they penalize is lack of preparation and poor response.
Conversely, organizations that invest in dedicated detection and can show sub-minute MTTD, automated mitigation, and comprehensive incident reports are receiving preferential rates. Some carriers are offering explicit discounts of 10% to 15% for organizations that can demonstrate continuous DDoS monitoring with forensic capabilities.
The Documentation You Need
When renewal time comes or when you file a DDoS-related claim, the documentation you can produce determines whether the process goes smoothly or turns into an adversarial investigation. Here is what you should be collecting continuously:
Incident Logs with Timestamps
Every DDoS incident should have a log entry with the exact start time, detection time, mitigation activation time, and resolution time. These timestamps establish your MTTD and MTTR, which are the metrics underwriters care about most. Manual logs created after the fact are less credible than automated logs generated by your detection platform.
PCAP Evidence
Packet captures provide irrefutable evidence of attack traffic. They show the exact protocols used, source IP distributions, packet sizes, and payload characteristics. PCAPs are the gold standard for proving that an incident was a legitimate DDoS attack and not a misconfiguration or capacity issue. Underwriters and adjusters trust PCAPs because they cannot be fabricated or misinterpreted.
MTTR Metrics Over Time
A single incident report is useful. A trend line showing your MTTR decreasing over time is powerful. It demonstrates that your team is improving, your automation is working, and your investment in detection is paying off. Carriers like Coalition and At-Bay specifically ask for trending metrics, not just point-in-time snapshots.
Audit Trails
Tamper-evident audit trails that record every detection event, alert, and mitigation action satisfy underwriter requirements for accountability. The audit trail should show who was notified, what actions were taken, and when each step occurred. This is especially important for claims where the insurer needs to verify that the organization responded appropriately.
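The incident timestamps and audit trail described above can live in one HMAC-chained log, where each entry's MAC covers the previous entry's MAC, so an edited or deleted record breaks verification and the time-to-detect and time-to-respond figures are only computed from a trail that verifies. This is an added example, not code from the original page or from any detection vendor. Assumptions: the event names, field names, the key and the sample incident are constructed, and time to respond is taken as mitigation activation minus detection.

```python
import hashlib, hmac, json
from datetime import datetime

GENESIS = "0" * 64
FIELDS = ("ts", "event", "actor", "detail")
KEY = b"constructed-demo-key"  # constructed; keep the real key off the logging host

def _mac(key, prev, body):
    # MAC covers the previous entry's MAC plus this entry's canonical JSON
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()

def append(trail, key, ts, event, actor, detail=""):
    body = dict(zip(FIELDS, (ts, event, actor, detail)))
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({**body, "prev": prev, "mac": _mac(key, prev, body)})

def verify(trail, key):
    """Return the index of the first altered or out-of-place entry, or -1."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: e[k] for k in FIELDS}
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(key, prev, body)):
            return i
        prev = e["mac"]
    return -1

def metrics(trail, key):
    """Time to detect / respond / resolve in seconds, from a verified trail only."""
    if verify(trail, key) != -1:
        raise ValueError("audit trail failed verification")
    t = {e["event"]: datetime.fromisoformat(e["ts"]) for e in trail}
    return {"ttd_s": (t["detected"] - t["attack_start"]).total_seconds(),
            "ttr_s": (t["mitigation_on"] - t["detected"]).total_seconds(),
            "outage_s": (t["resolved"] - t["attack_start"]).total_seconds()}

def sample_trail():
    # Constructed incident: timestamps, actors and PCAP bytes are made up
    pcap = hashlib.sha256(b"constructed pcap bytes").hexdigest()
    rows = [("2026-03-01T10:00:00+00:00", "attack_start", "detector", "udp flood"),
            ("2026-03-01T10:00:01+00:00", "detected", "detector", "pcap_sha256=" + pcap),
            ("2026-03-01T10:00:04+00:00", "mitigation_on", "webhook", "scrubbing diversion"),
            ("2026-03-01T10:00:05+00:00", "notified", "oncall@example.com", "page sent"),
            ("2026-03-01T10:12:00+00:00", "resolved", "detector", "traffic at baseline")]
    trail = []
    for row in rows:
        append(trail, KEY, *row)
    return trail
```

Calling `metrics(sample_trail(), KEY)` returns the per-incident figures. A chain like this detects edits and mid-log deletions, but removing entries from the tail is only detectable if the latest MAC is also recorded somewhere outside the log.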
DDoS Incident Response Plan
A documented, up-to-date incident response plan specifically covering DDoS scenarios. The plan should include escalation procedures, contact lists, mitigation playbooks, and communication templates. Underwriters want to see that the plan exists, that it was reviewed within the past 12 months, and that it was tested through a tabletop exercise or real incident.
Why "Our Hosting Provider Handles It" Is Not Sufficient
This is the most common answer that gets flagged by underwriters, and it comes up constantly. Organizations assume that because they use AWS, Azure, GCP, or a managed hosting provider, DDoS protection is covered. It is not, at least not in the way underwriters expect.
Here is why this answer fails:
- No visibility. If your hosting provider handles DDoS mitigation, what detection data do you have? Can you produce MTTD metrics? PCAPs? Incident reports? In most cases, the answer is no. The hosting provider may null-route your IP or absorb the traffic, but they do not give you forensic evidence or incident documentation.
- No SLA for detection speed. AWS Shield Standard provides automatic protection against common volumetric attacks, but it does not provide detection alerts, incident reports, or any documentation you can show an underwriter. AWS Shield Advanced provides more visibility but costs $3,000/month and still does not give you packet-level forensics.
- No control over response. When your hosting provider makes mitigation decisions, you have no control over the response. They may null-route your IP, which stops the attack but also takes your service offline. From the underwriter's perspective, this is a business interruption event regardless of who caused it.
- Shared responsibility gap. Cloud providers operate on a shared responsibility model. Infrastructure-level DDoS protection (L3/L4) may be included, but application-layer protection (L7) is your responsibility. Underwriters understand this distinction and will probe whether you have application-layer protection in place.
The underwriter's question is not "does someone protect you from DDoS?" It is "can you prove that you detect, respond to, and document DDoS incidents with measurable speed and comprehensive evidence?" Relying on a hosting provider's default protection answers neither question.
How Automated Detection Satisfies Underwriter Requirements
Automated DDoS detection with comprehensive logging directly addresses every underwriter requirement:
- MTTD: Sub-second automated detection gives you a measurable, verifiable detection time that satisfies the most stringent underwriter questions. You can point to your platform dashboard and show P50 and P99 detection latency across every incident.
- MTTR: Automated webhook-based mitigation reduces response time from minutes to seconds. When detection triggers an automated BGP blackhole or scrubbing center diversion, the MTTR is measured in seconds, not the 15 to 30 minutes typical of manual response.
- Forensic evidence: Automated PCAP capture and incident report generation means you have complete documentation for every incident without relying on your team to manually capture and record data during a high-stress event.
- Audit trail: Every detection event, alert, and mitigation action is logged with timestamps, creating the tamper-evident audit trail that underwriters require.
- Historical data: Continuous monitoring produces a complete record of every incident over time, showing trends in attack frequency, severity, and response effectiveness.
What Happens When You File a Claim Without Documentation
Filing a DDoS-related business interruption claim without proper documentation is an exercise in frustration. Here is what typically happens:
- Initial claim submission. You report a business interruption caused by a DDoS attack and submit your estimated losses.
- Adjuster requests evidence. The claims adjuster asks for proof that the interruption was caused by a DDoS attack specifically, not a capacity issue, misconfiguration, or software bug. Without PCAPs or detailed traffic logs, you cannot definitively prove it was an attack.
- Timeline scrutiny. The adjuster asks for detection and response timestamps to calculate the window of business interruption. Without automated logging, your team reconstructs the timeline from memory and email timestamps, which is imprecise and contestable.
- Coverage dispute. The insurer's forensic team reviews available evidence and may dispute the characterization of the event, the duration of impact, or the causal relationship between the attack and the claimed losses. Without strong forensic evidence, you are in a weak negotiating position.
- Reduced payout or denial. Claims without adequate documentation are frequently settled for significantly less than the actual loss, or denied entirely. The policy may technically cover DDoS-related business interruption, but proving the claim requires evidence you do not have.
Organizations with automated detection and forensic capabilities avoid this entirely. The claim submission includes PCAP evidence, automated incident reports with timestamps, MTTD and MTTR metrics, and a complete audit trail. The adjuster has everything needed to process the claim quickly and accurately.
Building an Insurance-Ready DDoS Posture
Here is the practical checklist for ensuring your DDoS protection posture satisfies underwriter requirements and supports efficient claims processing:
- Deploy dedicated DDoS detection that operates independently of your hosting provider. Agent-based or flow-based monitoring that you control and that generates its own forensic data.
- Enable PCAP capture for all detected incidents. Store captures for at least 90 days, longer if your policy or compliance requirements dictate.
- Configure automated incident reports that include attack classification, timeline, peak metrics, source analysis, and mitigation actions.
- Document your MTTD and MTTR for every incident. Maintain a running average and trend line that you can present to underwriters at renewal.
- Maintain a DDoS incident response plan and review it at least annually. Conduct a tabletop exercise and document the results.
- Ensure audit trails are tamper-evident and cover the full chain from detection through mitigation to resolution.
- Keep your detection platform current. Underwriters may ask about the last time your detection rules or baselines were updated.
Flowtriq gives you everything underwriters ask for. Sub-second detection with measurable MTTD. PCAP forensics for every incident. Automated incident reports with full timelines. Tamper-evident audit trails. All at $9.99/node/month. When your insurer asks how you handle DDoS, you will have the documentation to prove it.