“Cyver Core has finally allowed us to provide a continuous pentest model. We’ve been struggling with that and working to provide the best value with testing and the next step was to build a dashboard to deliver customer interaction. With Cyver Core, it’s all just there. The reporting is a little bit easier and more seamless; consistency is there, I’ve been very pleased overall and now we have that pentest-as-a-service product ready to go.” - Scott Sailors
AlphaONE Operations is a managed security service provider offering organizations an all-in-one cybersecurity service solution. From security advisory to full-stack solutions complete with cybersecurity and monitoring to pentesting, AlphaONE Operations does it all. The firm has been in business since 2020, when partners Kevin Sutton and Scott Sailors brought their 20+ years of working together to a single organization.
“We worked with a lot of companies doing pentesting,” says Scott, “We’d deliver 100 pages of vulnerabilities, and then come back a year and a half later and deliver 125 – they weren’t fixing it, we wanted to change that. So, we started AlphaONE Operations with the goal of delivering the cybersecurity stack and tools to fix those gaps – and pentesting is still a core part of that business.”
Today, AlphaONE’s full package solution means they serve clients across the USA with ready-to-go compliance solutions. Their customers are finance and financial compliance institutions that need to meet governance obligations.
Who are AlphaONE Operations?
AlphaONE Operations delivers the full cybersecurity package, complete with pentesting, incident management, cloud security, monitoring, cybersecurity tooling, consultation, and much more.
- Projects on Cyver Core: 23+
- Plan: Enterprise
- Team: 5+ external contractors
- Location: USA
- Started on Cyver Core: 2024
“For us, Cyver Core is all about delivering quality. We do save time, we improve consistency, it’s a lot better. But the quality of the testing, we get to spend more time on testing and delivering quality to the customer instead of dealing with overhead like managing customers and planning.” - Kevin Sutton
In Search of Scalability for Continuous Pentesting
AlphaONE Operations was already using a pentest reporting tool. Kevin and Scott also had a plan to scale up, with intentions to bring the pentesting team size to 10-12 people by 2026. Plus, with big goals to deliver continuous pentesting, complete with a client-facing dashboard, they needed scalable tooling.
“Our core problem was that we needed a good reporting engine to take the work out of generating reports. We were using Serpico and had been for many years,” says Scott, “We’d spent a lot of time developing templates and findings, so we wanted to make sure we didn’t lose that data when we moved.”
“We were also looking to grow our team, we needed standard operating procedures, checklists, lists of items testers should do when they deliver a pentest, so the client gets the same pentest, every time, regardless of the experience of their tester,” adds Kevin.
Choosing Cyver Core
Kevin and Scott reviewed multiple tools including PlexTrac, AttackForge, and FaradaySec. Eventually, they opted for Cyver Core.
“Ease of implementation was key for us,” says Kevin, “with some other solutions, we needed a custom Azure development. Many of our clients work in finance so data sovereignty was a concern. Having the option to keep our data in the U.S., managed in the U.S., was key for us there.”
“Cost was also a component,” added Scott, “with our team growing rapidly, we didn’t want a solution that charges per agent.”
Delivering Continuous Pentesting with Cyver Core
“We still have a long way to go, Cyver Core has been very well received by our customers, they love seeing that active testing is going on instead of just getting a report”
AlphaONE Operations also delivers pentesting for different organizations, different companies, and under different brands.
“We use templates to allow us to quickly pivot between brands. Sometimes all we have to change is a logo and a text block with company data. With Cyver Core, that’s easy,” says Scott.
“We’re setting up structure with the Continuous Assessments module to deliver scanning and vulnerability reporting. The custom reporting also allows us to add a lot more data to reports than just what we pull from tools, and we can automatically pull that from our prepared content. We’re adding pentesting to that – we deliver much more than a scan.”
AlphaONE Operations is also using the customer and client management functions in Cyver Core:
“Even when we haven’t finished building out a report for the client, we’ll still deliver in Cyver. We’ll just upload the final report into Cyver, so we don’t have to worry about secure emails and codes. They can just access everything from one place,” adds Scott.
“We really like the customer insights, the snapshot of findings by vulnerability type, risk summary, where they fall in terms of business impact and it’s all just automatically there,” says Kevin, “It’s nice to have one place to manage everything from the client side. In the past, we’d keep client info in files and folders so having a one-stop-shop has been key”.
“Cyver also means clients can manage themselves. They can add and remove team members and assets; we don’t have to deal with that”
Collaboration with Cyver Core
“Cyver is a young and nimble company, that’s key for software development, we talk to Luis and our specific requirements are addressed pretty quickly, and that’s been a big thing” says Kevin. “Support is very responsive.
“I try to stay in sync with the quarterly updates, it’s nice you’re trying to continuously evolve the product, it’s great you’re demonstrating it to existing customers and going ‘here’s a new feature we added’. Having that video demonstration and not just a blog or article helps a lot”.
“Sometimes I submit a ticket and then a day or a week later I get a message and you guys have added something to fix that issue, that’s been very pleasant,” adds Scott.
Reducing Time Spent on Overhead
“Cyver makes us a little bit more efficient. Reporting is easier. The first few reports required more work while we customized them. But the text blocks, those are huge for us. In the past we’d deliver reports to different customers and have to build unique templates just for them. Now, we use the same template and change text blocks for minor sections with company data. We’ve reduced complexity and management, so managing report templates is just so much easier,” says Kevin.
“One of the ways Cyver Core has saved us is by simplifying the process. We’ve used pentest report automation for a long time. Cyver Core makes it easy to add findings, it flows better”, adds Scott, “Having a single place where clients can go to access reports, and access those reports over time for historical data, is also key to delivering more value with the platform.”
“Importing findings is a little bit faster, flows are better, overall, the result is better. To some degree, I don’t know that it’s about time so much as quality. We know every single pentest is done the exact same way – it’s not dependent on what we remember to do.”
“Being able to see projects on a timeline, to see how they overlap, and being able to manage where we might have 3-4 projects going on at the same time and where each of those phases applies in relation to one another has been great too”
“Planning and dates is nice”, Scott agrees, “we’re onboarding a project manager, and being able to hand them that data is also going to be key”
Quality Assurance with Transparent Testing & Checklists
“The real improvement is in quality,” says Kevin, “No matter how many times you run a pentest, there’s a risk of forgetting something. Having the checklist and the processes to flow through, linking that to the compliance norms, and just being able to see and track what’s been checked – that adds so much structure and therefore quality.”
“It doesn’t matter who goes in, they see the checklist for the pentest, make sure they are checking the box, look at the compliance norms,” adds Scott, “Being able to throw someone into a web application pentest and see the norm there, you can make sure you’re covering every area because you have oversight.”
“Quality of testing and engagement with customers is a lot more positive because they’re able to see things during, before, and after a test. That’s all in one platform, without having to rely on email or update messages. Being able to guarantee that every pentest is delivered with the same quality, regardless of who is doing the pentesting, is also a plus. We’re a relatively small team and we’re growing. We want to make sure every single customer is getting exactly what they pay for, so that quality is key to our business model.”