Compliance Risk Assessments
Evaluate and treat risks related to in-scope assets
Stay up-to-date on risk assessment requirements
Risk assessments are required as part of many regulatory and contractual processes, and ISO 27005, NIST 800-30, PCI DSS all include specific practices for performing these assessments. Our risk assessments use specific practices for evaluating and treating risks related to in-scope assets. The ISO 27005 methodology aligns closely with the requirements of ISO 27001, while NIST SP 800-30 methodology is often used to support other federal requirements including NIST SP 800-53, NIST SP 800-171, CMMC, and HIPAA.
“Weaving risk, group theory, and adaptation with business strategy is one way we stand out.”Rockie BrockwayDirector of Advisory Innovations
Rockie Brockway
Director of Advisory InnovationsRockie's focus is on helping organizations strengthen their security posture by better aligning security with business needs and requirements.
Read Our Blog
Explore current cybersecurity topics on the TrustedSec Security Blog
Why Risk Assessments are Essential for Information Security Maturity
Introduction Many compliance frameworks require Information Security Risk Assessments, and some organizations may receive third-party requests for Risk…
Keys to JWT Assessments - From a Cheat Sheet to a Deep Dive
The Cheat Sheet section is for quick reference.The Learn section is for those who have never touched the topic before.The Implement section is for more…
MCP in Burp Suite: From Enumeration to Targeted Exploitation
MCP-ASD Burp extension has been submitted to the BApp Store and is awaiting approval.MCP OVERVIEWMCP (Model Context Protocol) servers are becoming more common…
LDAP Channel Binding and LDAP Signing
With Microsoft “enforcing” Lightweight Directory Access Protocol (LDAP) Signing by default in Server 2025, it once again seems like a good time to revisit our…
Adventures in Primary Group Behavior, Reporting, and Exploitation
If you’ve administered Active Directory (AD) for any significant time, chances are you’ve come across the primaryGroupID attribute. Originally developed as a…
Colonel Clustered: Finding Outliers in Burp Intruder
TL;DR, gimme the goods: https://github.com/hoodoer/ColonelClusteredExtension has been submitted to the Bapp store, awaiting approval.This is a Burp Suite…
CMMC Scope – Understanding the Sprawl
The CMMC program contains complex, and potentially confusing, scope requirements. Contractors that are preparing for a CMMC assessment will need to pay close…
Updating the Sysmon Community Guide: Lessons Learned from the Front Lines
Over the past few weeks I’ve been spending a significant amount of time updating the Sysmon Community Guide. This wasn’t driven by theory, trends, or what…
Limiting Domain Controller Attack Surface: Why Less Services, Less Software, Less Agents = Less Exposure
Before we dive in, let’s get all the TrustedSec Certified Absolutes out of the way:All software presents some level of inherent risk.Only required software…
Top 10 Blogs of 2025
Everyone has a year-end list, and this is ours. See what our top-performing cybersecurity blogs were in 2025, there could be some you might have missed!
Empower your business through better security design.
Talk directly with our experienced advisory consultants to learn how we can help.
