TSI
CYBER
Full-Suite Penetration Test (FPT)
The Full-Suite Penetration Test (FPT) is a comprehensive two-week gray-box engagement that integrates various services into a unified delivery. The first week simulates an external threat remotely from TSI Cybersecurity Division labs, while the second week emulates internal threat capabilities, conducted either on-site or remotely based on client preference.
Clients can tailor sub-services within this engagement to match their scope. External services in the first week include OSINT Review, Host Discovery, Vulnerability Assessment, Web Server Penetration Testing, Web Application Assessment, Phishing Campaigns, and External Threat Emulation. The second week focuses on internal services such as Network Discovery, Internal Vulnerability Assessment, Network Penetration Testing, Internal Web Application Assessment, Database Assessment, Wi-Fi Assessment, Asset Discovery and Targeting, and Insider Threat Emulation.
The FPT delivers daily activity summaries, a client outbrief at assessment close (on-site or remote), and an assessment report provided as a draft one week after the assessment, with the final version delivered post-client review and approval.
TSI
CYBER
External Penetration Test (EPT)
The External Penetration Test (EPT) is a one-week gray-box engagement conducted entirely remotely, designed for clients emphasizing their externally accessible attack surface. It centers on discovering and validating public-facing technical vulnerabilities.
EPT services cover OSINT, Host Discovery, Vulnerability Assessment, Web Server Penetration Testing, Web Application Assessment, Phishing Campaigns (clickrate only), and External Threat Emulation.
Deliverables include daily activity summaries, a remote client outbrief at the assessment's close, and an assessment report provided as a draft one week after the assessment. The final report is delivered after client review and approval. Assessment data, including tool-generated reports, is included in the comprehensive deliverables.
The EPT is tailored to offer a thorough examination of external vulnerabilities, providing actionable insights for organizations focused on enhancing their security posture.
TSI
CYBER
Web Application Assessment
This service specializes in identifying web application vulnerabilities, assessing an organization's security against OWASP standards. It targets issues like Cross-Site Scripting and SQL injection, evaluating their impact. Assessments involve manual engagement and input in a black-box perspective, reviewing business logic, application behavior, and source code.
Communication channels between web clients and servers are analyzed for data manipulation. Tests confirm proper access controls on application accounts and assess the risk of unauthorized access via web application attacks. The assessment includes a detailed examination of data sanitization practices. Results encompass risk exposure, attack paths, and potential impacts, with a concluding report offering mitigation recommendations.
Assessment activities can be remote or on-site based on web application accessibility and sensitivity. Importantly, this model focuses solely on testing the web application and hosting server. Activities beyond obtaining server-side code execution for internal resource access are deemed out of scope.
Comprehensive Reporting
Receive detailed reports outlining discovered vulnerabilities, attack vectors, and recommended mitigation strategies. This actionable intelligence empowers you to fortify your defenses and maintain a proactive security posture.
TSI
CYBER
Red Team Operation (RTO)
Our Red Team Operation spans 90 days, utilizing real-world APT Tactics, Techniques, and Procedures for comprehensive threat emulation. It operates as a pure black-box scenario, testing both technical controls and organizational resilience without the knowledge of security personnel.
Beginning with a "no prior knowledge" approach, the first phase involves leveraging publicly available information to identify potential access points through various methods. After gaining access, the environment is clandestinely enumerated to establish an attack path toward full compromise, including the identification of critical assets.
The first phase concludes with attempts to breach targets and simulated data exfiltration. In the second phase, specific actionable events are executed to gauge the security team's response efficacy, escalating in overtness with a measured time to respond. The assessment culminates in a two-day on-site outbrief covering assessment activity, attack emulation training, and recommended mitigations for leadership and technical personnel.
Throughout the engagement, coordination is maintained through primary and alternate Trusted Points of Contact (TPOCs) for deconfliction and reporting, with the assessment conducted 100% remotely, requiring a full 24/7 open scope of the organization except for the on-site outbrief.
Regulatory Compliance
Stay compliant with industry standards and regulations such as NIST, ISO, and CMMC. Our assessments are designed to align with annual requirements, ensuring your organization meets and exceeds the necessary cybersecurity benchmarks.
Let's Get Started
To give our team an idea of what kind of services you're interested in, fill out this short form.