A practice built on the discipline, not the pitch.
CyberOne Assurance is a newly launched, Little Rock, Arkansas-based penetration testing and cybersecurity readiness practice. Here's the background, the mission, and the ground rules we test under.
Adrian Thomas, founder of CyberOne Assurance.
Before founding CyberOne Assurance, Adrian served in the United States Air Force and worked within Department of Defense environments, where security is treated as mission-critical, not a checkbox. That background built a level of discipline, attention to detail, and respect for process that carries directly into how engagements are run here: nothing is scoped loosely, nothing is tested carelessly, and nothing goes in a report without being verified first.
That operational foundation is paired with a B.S. in Cybersecurity and Information Assurance and an A.S. in Aeronautics, combining formal security education with the procedure-driven, checklist-and-verify mindset aviation demands. CyberOne Assurance was founded to bring that same rigor to civilian organizations that need a straight answer about where they actually stand.
CyberOne Assurance operates out of Little Rock, Arkansas, and works with clients there and remotely across the country.
Three things that don't change from engagement to engagement.
Evidence over assumption
Every finding is manually verified before it goes in a report. If it can't be reproduced and demonstrated, it doesn't get reported as confirmed risk.
Plain-English reporting
Reports are written so a non-technical decision-maker can understand business impact, and a technical team can understand exactly how to fix it.
Framework-aligned methodology
Testing follows recognized industry references rather than an unstructured scan-and-report approach — see below.
The frameworks that shape how testing is structured.
NIST SP 800-115
The NIST Technical Guide to Information Security Testing and Assessment — the baseline reference for planning, executing, and documenting a security test.
PTES
The Penetration Testing Execution Standard — a widely referenced framework covering pre-engagement, intelligence gathering, exploitation, and reporting phases.
OWASP Testing Guide
The reference methodology for web application security testing, aligned with the OWASP Top 10 risk categories.
NIST CSF & CIS Controls
The control frameworks used to structure readiness evaluations and translate findings into a maturity roadmap.
Authorized testing, every time — no exceptions.
No engagement begins without a signed scope of work and written authorization from someone with the authority to grant it. Testing stays within the agreed boundaries, with defined emergency stop procedures and a point of contact reachable throughout the engagement.
Confidentiality
Findings, credentials, and any data encountered during testing are handled under a mutual NDA and are not disclosed, retained beyond the engagement, or reused for any other client.
Independence
Assessment findings are not used as leverage to upsell unrelated remediation work — the report reflects what was found, not a sales funnel.