The Trustwave Fusion Platform: A Window Into Your Penetration Test

One of the lesser-known but extremely important roles of the Trustwave Fusion portal, specifically its Fusion Security Testing Suite (STS), is to serve as the conduit between Trustwave and our clients when running a penetration testing program.

Over the last few months we have written about Red Team and Purple Team penetration testing and the need to discover vulnerabilities before they become a problem. Those blogs covered the need for different types of testing; here we want to cover the process and tools used by our Trustwave SpiderLabs pentesters.

So, how do we go about conducting a penetration test and then present the results to our clients?

To start with, Trustwave's process has been in place for more than 10 years and is tied directly to our industry-leading Fusion platform. 

Fusion is a cloud-based cybersecurity platform that serves as the foundation for the Trustwave Managed Security Services, Managed Detection and Response, and other cybersecurity offerings. Generally, Fusion gives clients an up-to-the-minute, single pane of glass view into their security situation, but it also serves an essential role in our pentest program.

Here we utilize a remarkable aspect of Fusion, the Security Testing Suite (STS), which gives the client an incredibly detailed view of the results of their pentest. As a result, Trustwave does not merely print out a report, drop it on the client's desk and leave. 

Fusion STS brings visibility into the process and scalability, allowing Trustwave to conduct pentests for any size organization, from a small or medium-sized business to enterprise-class. 

Trustwave's Penetration Testing Process

So, before a client gets to the point when information is available on Fusion, a pentest must be set up. The first step has a client purchasing the credits needed to run the test and then putting together a testing plan.


The Fusion STS enrollment page.

Three types of tests can be conducted. The first is a managed test that includes basic hygiene checks. Next is system scanning with actionable findings for remediation. Third are network and application penetration tests. We can also deliver ad hoc testing via the portal with more traditional day rates. Each of these tests has four tiers of service (Trustwave publishes a complete breakdown of its offerings separately):

  • Basic – a simulation of a basic attack executed by an attacker of limited sophistication with minimal skill, typically using freely available automated attack tools
  • Opportunistic – a simulation of an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks, typically seeking easy targets using a mix of automated tools and manual exploitation
  • Targeted – a simulation of a targeted attack executed by a skilled and patient attacker expending a significant effort trying to compromise a specific organization’s systems
  • Advanced – a simulation of an advanced attack executed by a highly motivated, well-funded and sophisticated attacker, who will exhaust all options for compromise before relenting.

Setting an Assessment Schedule

Once testing has been purchased, as a package or otherwise, our operations team creates an account that enables each side to schedule an assessment. Retesting can also be purchased and scheduled to confirm that the client has fixed the issues found by the test.

Once the test is scheduled and the prerequisites have been entered into STS, it appears in the consultant view, ready to be picked up or assigned. The team then confirms that the client has completed all the test prerequisites and that they are working as intended.

Once all these ducks are in a row, the test begins and is generally completed within the testing window for the particular piece of work. 

We are capable of testing applications, internal and external networks, and infrastructure, along with red and purple team exercises. Cloud and OS configuration reviews as well as other bespoke engagements are also covered.

Once the testing is complete, and has adhered to industry standards and the test classes defined in our delivery model, we send the test for QA.

The QA team makes sure the report is not only technically correct but also grammatically on target, and that all the methodologies we are supposed to use were, in fact, followed during the test. This team also ensures that testing is consistent from one engagement to the next.

The report is then made available to the client within the portal.



Problems are Uncovered, What's Next?

Once the process is completed, and the client has viewed the results in Fusion STS, we discuss how to fix the issues.

This aspect generally falls into a couple of categories. 

First, the report includes recommendations made by the Trustwave team on how to rectify any problems, along with a detailed description and the supporting reference information related to the problem(s).

Generally, a client takes this information and fixes the problems internally. Trustwave's role is then to conduct a follow-up or maintenance test to check that the client's remediation actions have fixed those issues.

However, if a client does not have the internal capability to fix the problem, the client can call upon SpiderLabs to assist in remediation.

The Trustwave Difference

Trustwave believes in creating a direct and strong connection with all of our pentest clients. Therefore, we do not run a test, generate a PDF report, and then just toss it back to the customer and move on. 

Fusion STS gives clients a centralized place where all their tests live. So, if you are running hundreds of pentests over a period of time, all of them can be found in Fusion STS. This single pane of glass not only gives 24/7 visibility, but if the client contact leaves the company, their replacement has instant access without having to dig through emails or sort through a paper trail.

Fusion STS also has an API that allows all parties to track a problem from discovery to mitigation. The system assigns each finding a unique identifier that we use to follow the workflow within the portal. That identifier can then be used to integrate findings into ticketing systems such as ServiceNow, saving clients a great deal of manual data entry.

We believe this capability is incredibly useful because a client can track the life cycle of that vulnerability in an automated way to the point where we can close that vulnerability. 
