Services

Testing built to answer one question: what happens if someone actually tries?

Every engagement below is scoped up front, run under a signed rules-of-engagement agreement, and delivered with a report that separates real risk from noise.

01 / Penetration Testing

Hands-on testing, not just a scan with a logo on it.

Automated scanners find configuration drift. They don't tell you whether a vulnerability is actually exploitable, chainable, or business-critical. Manual, methodology-driven testing does.

NET

Network Penetration Testing

External and internal testing against your network perimeter and internal segments to identify exploitable misconfigurations, weak credentials, and lateral-movement paths.

  • External perimeter testing
  • Internal / segmentation testing
  • Privilege escalation & pivoting attempts
  • Patch & configuration review
WEB

Web Application Penetration Testing

Manual testing of authentication, session handling, business logic, and injection points, referenced against the OWASP Testing Guide and OWASP Top 10.

  • Authentication & access control
  • Injection & input validation
  • Business logic abuse cases
  • API endpoint testing
WIFI

Wireless Security Assessment

On-site or remote-supervised testing of wireless infrastructure — encryption strength, rogue access points, segmentation between guest and internal networks.

  • Encryption & authentication review
  • Rogue AP / evil-twin detection
  • Guest / internal network segmentation

Deliverable

An executive summary written for leadership, a technical findings appendix with CVSS-style risk ratings and reproduction steps for your engineers, and a prioritized remediation list ranked by real-world impact.

02 / Cybersecurity Readiness Evaluations

Know your maturity level before an incident forces the question.

A structured gap assessment measuring your current program against recognized control frameworks — not a generic checklist, a control-by-control review with evidence.

CSF

NIST Cybersecurity Framework (CSF)

Evaluation across the CSF functions — Govern, Identify, Protect, Detect, Respond, Recover — to produce a current-state and target-state maturity picture.

CIS

CIS Critical Security Controls

Control-by-control review against the CIS Controls, prioritized by Implementation Group (IG1–IG3) so smaller organizations aren't handed an enterprise-scale to-do list.

Deliverable

A maturity scorecard, a gap list mapped to the framework's specific controls, and a prioritized remediation roadmap sequenced by risk reduction and effort.

03 / Compliance Readiness

Walk into your official audit with the gaps already closed.

These are readiness assessments — they prepare you for a formal audit or certification, they are not the certification itself. Formal SOC 2 reports are issued only by a licensed CPA firm, and CMMC certification is issued only by an accredited C3PAO. CyberOne Assurance's role is to find and help close the gaps before you engage with either.

SOC2

SOC 2 Gap Assessment

Review against the Trust Services Criteria relevant to your scope (typically Security, and where applicable Availability, Confidentiality, or Privacy) to flag gaps before your formal SOC 2 audit.

CMMC

CMMC Readiness Assessment

Gap review against the applicable CMMC level's practice requirements for organizations handling FCI/CUI, ahead of a formal C3PAO assessment.

HIPAA

HIPAA Security Rule Review

Assessment of administrative, physical, and technical safeguards required under the HIPAA Security Rule for organizations handling ePHI.

Deliverable

A control-by-control gap report mapped to the relevant framework, evidence notes, and a remediation plan sequenced so you're not scrambling in the weeks before your official audit window.

04 / Social Engineering & Phishing Simulations

Your strongest firewall still can't stop a convincing email.

Controlled, consent-scoped exercises that test whether security awareness training actually holds up against a real attempt.

MAIL

Phishing Campaigns

Simulated phishing sent to an agreed target group, tracking click-through, credential submission, and reporting rates.

TXT

Pretext Scenarios

Scenario-based social engineering (phone/email pretexting) scoped and pre-approved with your leadership before execution.

RPT

Awareness Reporting

Aggregated, anonymized metrics on organizational susceptibility — never used to single out individual employees.

Deliverable

An awareness report with click/report rates by department (not by individual), and specific recommendations for training focus areas.

How Every Engagement Runs

Same disciplined process, every time.

No testing begins without a signed scope of work and written authorization. That protects you, and it protects the integrity of the results.

Scoping & Authorization

Targets, boundaries, timing, and emergency contacts are defined and signed off before anything starts.

Reconnaissance

Passive and active discovery to map the real attack surface — assets, exposure, entry points.

Testing & Exploitation

Controlled exploitation attempts against the agreed scope, following the relevant methodology for that engagement type.

Analysis & Validation

Every finding is manually verified and risk-rated — no un-triaged scanner output makes it into your report.

Reporting

Executive summary plus technical detail, with reproduction steps and prioritized remediation guidance.

Retest

A follow-up validation pass once fixes are in place, to confirm the issue is actually closed.