Defensibility as a Service · for evidence-sensitive SMEs

If your IT was breached tomorrow,
could you prove your cyber insurer should pay?

Most policies are a fiction until you can evidence them. We pressure-test yours line-by-line - using the exact attack vectors a loss adjuster uses - before the day your claim depends on it.

12-minute diagnostic · Free · No credit card · Output is yours to keep

Claim Defensibility Report · Live · sample
28 Apr 2026 · draft assessment

Hartley & Sons Engineering Ltd

18% · Vulnerable
Vulnerable: 0–25%
Unproven: 25–60%
Defensible: 60%+
Right now, your insurer has obvious room to push back.
Fixable - but far easier to fix before a claim lands than during one.
Insurer can't touch · 3 · Protected - backed by proof
Exposed · 4 · Claimed but not backed up
Claim killers · 5 · The insurer can deny today

Three sentences in your policy

Three sentences that have killed
more cyber claims than any breach.

Every cyber policy contains promises you've made. Can you evidence every one of them? Below, three of the most common - and what your insurer actually checks when a claim opens.

Your policy says

“MFA enforced
for every user account.”

but the insurer asks
Prove it - at the moment of breach

94% of users covered. Six senior accounts are on a six-month grace period - including your finance director and your CEO's PA.

MFA01 · Loss adjuster line of attack - critical

Your policy says

“Backups are
tested regularly.”

but the insurer asks
Prove it - with timestamped restore logs

A full restore was last attempted 14 months ago. Your insurer's policy schedule asks for evidence within the last 90 days.

BAK02 · Loss adjuster line of attack - critical

Your policy says

“Documented
incident response plan.”

but the insurer asks
Prove it - show me when it was last exercised

A Word document downloaded from a template site in April 2019. Nobody has opened it in 18 months. It names a CISO who left the business in 2022.

IRP01 · Loss adjuster line of attack - critical

These aren't security failures. They are evidence failures. They're the difference between a policy that pays and one that doesn't.

01 / 04
On the day a claim opens

The call comes at 8am.
By 9am they want evidence
you may not have.

Seven stages. Most companies survive the first three. Stage 4 is where 89% of contested claims start to collapse.

Hartley & Sons · claim simulation · 28 Apr 2026 · collapse: stage 4
1. Incident confirmed
2. Response begins
3. Insurer notified
4. Controls verified
5. Evidence reviewed
6. Declarations checked
7. Claim decided
Likely collapse — stage 4: controls verified

The gap between what you declared and what you can prove becomes the insurer's primary argument.

02 / 04
5 lines of attack

Five open lines of attack.
None yet proven.

Taken from real adjuster reports. All five are currently open against Hartley & Sons Engineering.

Issue | Finding | Risk
MFA for everyone (MFA01) | Not provable | Critical
Backup restore test (BAK02) | Never tested | Critical
Incident response plan (IRP01) | Assumed, not found | Critical
Declared turnover (SOF01) | Doesn't match record | Moderate
IT contract / patching (MSA01) | Responsibility not defined | Moderate

03 / 04
Who actually owns each gap

Your IT provider isn't refusing.
Their contract just
never required it.

In more than 95% of IT contracts, every one of these defaults to you — not because your provider is bad, but because no one ever contracted otherwise.

Action | You now | Your IT | Axulu Titanium
Write MFA policy (MFA01) | On you | | We own it
Backup restore tests (BAK02) | On you | Assumed | We own it
Maintain incident plan (IRP01) | On you | | We own it
Patch management (MSA01) | On you | Assumed | We own it

04 / 04
Insurer interrogation

Could you prove it before
the insurer decides
you can't?

  • Show me proof MFA was enforced on every account.
  • Show me a successful backup restore test.
  • Show me your incident response plan.
  • Show me your IT provider's contract.
  • Show me your renewal declaration.
  • Show me your unsupported software list.

Policy condition | Evidence state | Risk
Multi-factor auth (MFA01) | No report. MSP verbal only. | Critical
Backup restore (BAK02) | Last test undocumented. | Critical
Incident plan (IRP01) | Not exercised 18 months. | High
End-of-life software (EOL01) | 3 EOL systems active. | High
Material change (NTF01) | Revenue +34%. Unreported. | High

What you actually buy

From “we think we're covered”
to “we can prove it.”

Senior-human-led. Evidence-first. Each move ends with something:

  • signed,
  • shareable, and
  • stress-tested.

Yours to keep, even if you walk away.

Before Axulu

“We think we're
covered.”

After Axulu

“We can
prove it.”

01 / What you get

A signed claim-defensibility report

In 12 working days. Layered like the loss adjuster's own thinking. Yours to keep.

02 / What you get

An owned-gap map

Every gap named, severity-rated, and assigned. No more “we thought IT had that.”

03 / What you get

A 30-minute board readout

Plain English. No jargon. The conversation you've been avoiding - defended.

Every kind of scrutiny

Your sector. Your wording.
Your insurer's exclusions.

Tender qualifications. Cyber claims. FCA reviews. Customer security questionnaires. Each sector has its own language and its own evidence bar.

FCA · Cyber renewal · Defensibility check

If our underwriter walked in tomorrow, what evidence could we hand over?

Regulated wealth firms run on declarations to the FCA, the cyber insurer, and the PI broker — three different versions of "what controls are in place." When any one of those declarations can't be backed with timestamped evidence, the next renewal becomes the problem. Axulu reconciles all three.

Senior judgement layer

CIO-level thinking,
without the £180k hire.

Matthew - Principal & founder

30 years across enterprise architecture, M&A integration, cyber policy interpretation, and vCIO work. When the insurer interrogates your claim, you need someone who has already built the evidence file - not a script, not a checklist, not a junior in a suit. Every Axulu engagement starts there.

  • TOGAF
  • CIO/CTO operating
  • vCIO · 40+ estates
  • Flywheel · scaled to £12m
  • M&A integration
  • Regulated sector
  • 7-Year Plan methodology
  • AI-native delivery

Pricing

Three ways to start.
One way to scale.

Begin where the pain is loudest - claim defensibility - and expand into Titanium, Plan, and Supercharge as the base stabilises.

Defensibility Snapshot

A 12-day deep diagnostic. Find out where you stand, signed off by a senior architect.
£2,950 · one-time
  • Cyber policy parsed & mapped
  • 4-layer defensibility report
  • Director risk register (draft)
  • 90-minute board readout
Book a snapshot

Enterprise & full-stack

Titanium + Plan + Supercharge bundled with senior architecture and programme leadership.
Custom · scoped
  • Hardened operating base (Titanium)
  • 7-Year Plan dashboard
  • AI & automation workstream
  • Fractional CIO / CTO
Talk to sales

Multi-entity group? Acquired companies to integrate? Regulated by the FCA? Talk to a senior architect

Frequently asked.

What boards, MDs, and finance directors ask before signing.

Aren't you just another MSP / IT support company?

The Axulu service Titanium looks a bit like an MSP - in the same way a locksmith and an insurance loss adjuster both think about break-ins. But one installs the locks. The other decides whether your claim pays out when somebody gets past them.

I know the difference because I built the locksmith. Ten years running an MSP, grown organically and by acquisition to £12m revenue and 96 staff across the UK. What I learnt the hard way: business owners don't actually want tech. They want two outcomes - that the business keeps running even when the tech doesn't, and that when (not if) they're breached, the regulator and the insurer don't add liability on top of the disruption.

So I built Axulu from the ground up as a Cyber Liability Protection service. Sometimes that means we provide the protected IT underneath. Sometimes it's just expert human governance sitting on top of your current IT company. Either way, the outcome is the same: you sleep at night.

Isn't this just consulting dressed up as software?

The Snapshot is consulting - fixed-scope, fixed-price, delivered by a senior architect. From there, the Retainer is software-like: a live Defensibility Score that refreshes itself, evidence pulled automatically from Microsoft 365 and your MSP's RMM, and a quarterly certified-decisions pack. We sell outcomes, not bodies. Senior humans where judgement matters - software where it doesn't.

How is Axulu different from my MSP?

Your MSP runs your tickets and tools. Axulu runs your evidence. MSPs are paid to fix things; we're paid to prove the things that were true on the day a breach started. We don't compete with your MSP - we sit above them and make sure the controls they implement actually satisfy your insurer, your auditors, and your board.

Do you sell cyber insurance?

No. We're not a broker and we don't sell indemnities. We help you read, interpret, and evidence the cyber policy you already have so it pays out when it has to. Your broker stays your broker; we make their job easier.

The 18% Vulnerable score in your demo - is that representative?

The Hartley & Sons figures shown on this page are a real, anonymised assessment. Of the SME cyber policies we've pressure-tested, most score below 30% on first read - not because the businesses are negligent, but because nobody has ever written down what their insurer would actually ask for. The fix is rarely technical. It's an evidence fix.

What does “evidence-sensitive SME” mean?

Any business where someone might one day ask “prove it”: an FCA-regulated finance firm, a construction tier-1 supplier with security questionnaires, a law firm handling sensitive matters, an education group under DfE scrutiny, a healthcare provider, an acquirer in due diligence, a tenderer for public contracts. If your customers, regulators, or insurers expect proof - you're evidence-sensitive.

What if my environment is a mess?

Most are. The Defensibility Snapshot tells you exactly how messy, in plain English, and prioritises the gaps that actually move claim risk - not the ones that just look bad on a slide. Then Titanium standardises the base.

Who reviews our policy?

A senior architect with three decades of operating-leadership experience - TOGAF-grade, CIO/CTO operating, vCIO across 40+ regulated estates. The diagnostic is AI-assisted, not AI-only. You'll never get a junior consultant on a script.

What if our data is sensitive?

We operate under UK data residency, with a per-engagement NDA, ISO-aligned handling, and the ability to work entirely inside your tenant if required. Policy uploads can be redacted before parsing; evidence stays inside your Microsoft 365 or your equivalent.

Your next renewal deserves a defensible answer.

12 minutes. Free. Senior-led. You'll walk away knowing exactly where you stand.

No credit card · Senior architect on the call · Outputs yours to keep