Red Team Trust

SVCMini Security Assessment

An unbiased view of yourendpoint security posture.

Conducted by RedTeamTrust — not your MSSP. Reports carry the RedTeamTrust brand, not your service provider's. That independence is the point: a neutral third-party finding carries more weight with leadership, auditors, and insurers than a report from your own vendor.

01Why Independent Matters

“You wouldn't ask your IT team to judge their own work and trust the result to be fully unbiased.”

Not because they're untrustworthy — but because independence is what makes an assessment meaningful. Your IT team understands this. The fact that they sought a third-party evaluation rather than running their own checklist is a deliberate choice.

They want your leadership to have a view of your security posture that hasn't been filtered through the team responsible for it. That's a sign of professional integrity. This report is not a grade on your IT team — it's the honest picture they wanted you to have.

02What The Assessment Covers

60+ checks. 9 attack surfaces.

A single-endpoint run of our visibility agent checks the controls that matter most, organized by the same 9 attack surfaces that appear on the executive scorecard. No credentialed access, no network agent, no persistent install — the agent runs once and sends structured telemetry to generate your reports.

// 01

[ 04 checks ]

Backups

  • Volume Shadow Copy service health
  • Shadow copy recency on system volume
  • Windows Backup event log presence (Event ID 4)
  • Backup tool registration via WMI/wbadmin fallback

// 02

[ 06 checks ]

Accounts & Identity

  • Local administrator count and non-expiring passwords (ADSI flag)
  • Built-in Administrator SID-500 — enabled or default-named?
  • Account lockout threshold (secedit fallback for locale safety)
  • Browser-saved password databases detected on disk
  • Stale and dormant local accounts (no logon 90+ days)
  • Windows LAPS or managed privilege-elevation product (ThreatLocker, CyberArk EPM, BeyondTrust PMfW, Delinea, etc.)

// 03

[ 04 checks ]

Microsoft 365 Posture

  • M365 / Entra token cache file presence (no content read)
  • MFA coverage (operator-confirmed)
  • Admin role hygiene (operator-confirmed)
  • Tenant monitoring & alerting (operator-confirmed)

// 04

[ 05 checks ]

Patches & Maintenance

  • Windows Update pending software updates
  • Days since last installed hotfix
  • Feature update / Windows version lifecycle status
  • Reboot pending after updates
  • Disk free space (point-in-time)

// 05

[ 08 checks ]

Endpoint

  • AV product registration (SecurityCenter2 — Webroot, CrowdStrike, SentinelOne, etc.)
  • Microsoft Defender real-time protection (cross-referenced with 3rd-party AV)
  • EICAR test file probe — does your AV actually remove threats?
  • EDR behavioral probe — does your EDR catch encoded process launches?
  • Defender ASR rules, Tamper Protection, AppLocker / WDAC
  • TPM version (required for Credential Guard and Secure Boot)
  • Microsoft Defender for Endpoint (MDE) sensor enrollment
  • Service binary paths — unquoted privilege-escalation risk

// 06

[ 07 checks ]

Firewalls & Remote Access

  • Host firewall profile status (domain / private / public)
  • RDP listening on TCP 3389 + registry fDenyTSConnections
  • WinRM service exposure and active listeners
  • Remote Registry service status
  • Open network shares (Everyone / Authenticated Users)
  • Remote-access tools (LogMeIn, ScreenConnect, TeamViewer, AnyDesk, etc.)
  • Outbound HTTPS egress probe

// 07

[ 03 checks ]

Security Education

  • Phishing simulation program (operator-confirmed)
  • Security awareness training cadence (operator-confirmed)
  • Policy library and acknowledgment workflow (via Compliance Management)

// 08

[ 06 checks ]

Encryption

  • BitLocker on all fixed volumes
  • Secure Boot (UEFI) status
  • Unencrypted SSH private keys in user profile
  • AWS / Azure / GCP credential files and .env files on disk
  • SMB signing required on client and server
  • NTLM hardening / LMCompatibilityLevel

// 09

[ 09 checks ]

Detection

  • PowerShell script block, module, and transcription logging
  • Process creation auditing (Event ID 4688)
  • Logon auditing (Event ID 4624) — verified via AuditPol CSV
  • Sysmon installed and running
  • Windows Event Log sizing — will logs survive a 48-hour incident?
  • LLMNR / NBT-NS / mDNS — the Responder poisoning triad
  • WPAD proxy auto-detection and IPv6 exposure
  • AMSI providers intact
  • PowerShell Constrained Language Mode

03Deliverables

Five deliverables.

One risk score everyone uses, plus four documents — one for the proposal meeting, one for leadership, one for IT, and one internal to the MSSP partner.

Everyone

Risk Score

A weighted 0–100 risk score calibrated across all 9 attack surfaces and whether active probes completed without interception.

Proposal meeting

Findings Slide Deck (PPTX)

Cover, risk score, 9-section attack surface scorecard, ranked findings, real-world incident case studies, and managed service callouts. Runs a 30–45 minute proposal meeting without prep.

Leadership

Executive Summary PDF

Section-by-section narrative explaining each gap in business terms, with a risk band and finding table. Suitable for board presentations, insurance renewals, and compliance narratives.

IT team

Technical Detail PDF

Full finding inventory with category, detection outcome, raw evidence, and remediation steps. The working document your IT team uses to implement fixes.

Partner only

MSSP Remediation PDF

Step-by-step remediation per finding, organized by attack surface. Includes service:path entries for unquoted-service findings and credential file paths so technicians can act immediately.

04Referral Model

How the MSSP referral model works.

Many assessments are initiated by an MSSP who refers their client to RedTeamTrust. Here's what that means for each party.

// your-mssp

Your MSSP

  • Initiates the assessment and obtains written authorization from you
  • Downloads the assessment bundle on your behalf
  • Identified on the report cover as the referring partner
  • Does not control the findings or the scoring — that is RedTeamTrust's role

// redteamtrust

RedTeamTrust

  • Conducts the assessment and generates all reports independently
  • Scores findings against a calibrated, fixed methodology
  • Delivers PDFs branded RedTeamTrust — not your MSSP's brand
  • Maintains the platform and the assessment methodology

// your-organization

Your Organization

  • Provides written authorization before any agent runs (required)
  • Runs the agent binary — no persistent install, one-time collection
  • Receives executive and technical PDFs with a clear risk score
  • Owns the remediation path — your MSSP or internal team executes

Ready to see your real risk?

One-time engagement. No persistent agents. Independent report you can share with leadership, insurers, and auditors.