Red Team Trust

TRTTrust & Security

What we collect.What we don't.

This page documents exactly what the RedTeamTrust agent collects, how data is handled, how long it is retained, and the authorization requirements that must be met before any agent runs.

01Authorization Protocol

Authorization is a hard requirement.

The assessment agent will not run without a written authorization from the organization being assessed. This is not optional language — the portal workflow requires a signed scope authorization before an assessment bundle is issued.

  • MSSP operators obtain written authorization before downloading any bundle
  • Each bundle is cryptographically scoped to a single organization — it cannot transmit to a different tenant
  • The authorization record is stored in the platform and linked to every telemetry submission
  • Assessments without a matching authorization record are rejected at ingestion

02Collection Scope

What the agent collects.

The agent is a single-run PowerShell script. It does not persist, does not install services, and does not run again unless explicitly re-executed.

// Collected
  • OS version, build number, hostname, and domain membership
  • Security configuration state: BitLocker, Firewall, Secure Boot, TPM, Windows Update
  • Security product registration: AV, EDR, Windows Defender configuration
  • Identity hardening: local admin count, password policy, LSASS protection, Credential Guard
  • Logging configuration: PowerShell logging, audit policy, Sysmon presence, Event Log sizing
  • Network configuration state: LLMNR, NBT-NS, mDNS, SMB signing, WPAD, IPv6 binding
  • Presence (not content) of credential file paths: ~/.aws, ~/.azure, ~/.ssh/id_*, .env files
  • Active probe results: whether your AV intercepted an EICAR test file, whether your EDR flagged an encoded process launch
  • Same-LAN OS scan (optional): hostname and OS fingerprint of /24 peers, initiated only when authorized
// Not collected
  • No file contents — only file presence is checked for credential path detection
  • No process memory or running process list
  • No document, database, or application data
  • No user activity, browser history, or keystrokes
  • No Active Directory enumeration beyond DC detection (unless explicitly in scope)
  • No screenshots or clipboard data
  • No outbound network connections beyond the single POST to the ingest endpoint

03Data Handling & Retention

Data handling.

01

Transmission

All telemetry is transmitted over TLS 1.2+ to a single ingest endpoint. The bearer token in the script is scoped to one organization — it is rejected by any other tenant's ingest path.

02

Storage

Assessment telemetry, findings, and reports are stored in an isolated per-MSSP partition. MSSP operators can only access organizations within their own account. RedTeamTrust infrastructure staff have access under strict internal controls.

03

Evidence files

Compliance evidence uploaded through the client portal (PDFs, screenshots, policy documents) is stored in isolated cloud object storage. Files are served through an authenticated download endpoint — direct URLs are never exposed.

04

Retention

Assessment data is retained for the duration of the active MSSP engagement. Operators may request deletion at any time. We do not sell, share, or use assessment findings for purposes beyond providing the platform service.

05

Confidentiality

Assessment reports are generated for the assessed organization and their MSSP partner only. RedTeamTrust does not share findings with third parties, law enforcement, or other customers without explicit written consent except as required by law.

04Responsible Disclosure

Found a vulnerability?

If you discover a vulnerability in our platform or assessment tooling, please report it to us before public disclosure. We commit to acknowledging reports within 2 business days, providing a remediation timeline within 10 business days, and not pursuing legal action against good-faith researchers who follow responsible disclosure practices.