Re:WhiteHat Security.... McDonalds (Score 1)
[For the purpose of full disclosure here, I work for Trustwave. I am also the head of their SpiderLabs organization.]
I think you may have your security and compliance testing paradigms very much confused. Let me help explain these a bit.
Trustwave is a Qualified Security Assessor (QSA) for the Payment Card Industry Security Standards Council (PCI SSC) and is authorized to perform security assessments for merchants and service providers against the Payment Card Industry Data Security Standard (PCI DSS). As a QSA there are testing procedures and standards interpretations that every firm performing these assessments must follow. Simply stated, a PCI DSS assessment might be called "checklist compliance" because it was designed to be that, in an attempt to ensure uniformity across QSAs performing the review of the target organization. This process is dictated by the PCI SSC. A PCI DSS assessment is in no way attempting to be a "red team assessment".
Trustwave, like WhiteHat Security, also offers more traditional penetration testing through its SpiderLabs organization. While WhiteHat is focused on web application security (and is respected in the industry for its services here), SpiderLabs has global teams, each with a focus on the various aspects of red team attack vectors. Some organizations opt to just hire us for application, network, or physical testing, but others want the full red team treatment. In any case, we follow a well-documented and tested methodology (similar to the Penetration Testing Execution Standard [PTES]), but in no way is the work we do a check-list engagement.