Privilege escalation paths
Graph every route from an unprivileged user to Domain Admin — nested groups, ACL misuse, shadow admins, and forgotten delegations.
Native AD scanning finds privilege escalation paths, stale accounts, weak GPOs, and Kerberos misconfigurations before attackers do.
Graph every route from an unprivileged user to Domain Admin — nested groups, ACL misuse, shadow admins, and forgotten delegations.
Surface dormant users, disabled-but-enabled service accounts and orphaned SIDs that keep sitting inside privileged groups.
Detect insecure logon rights, unsigned scripts, permissive password policies and GPOs writable by non-admin principals.
Identify Kerberoasting exposure, unconstrained delegation, RC4-enabled accounts and AS-REP roastable identities.
The AD collector agent runs read-only LDAP and SYSVOL queries with a scoped service account, supports scheduled credential rotation, and never stores plaintext credentials. Data stays within the customer's chosen deployment boundary — hosted cloud, self-managed on-premises, or fully air-gapped install. No domain writes, no replication rights, no shadow copies.
| Severity | Finding | Scope |
|---|---|---|
| CRITICAL | Path from Domain Users to Domain Admin | 5-hop ACL chain |
| CRITICAL | Unconstrained delegation on member server | SRV-APP-07 |
| HIGH | Kerberoastable service account in Domain Admins | svc-sql-prod |
| HIGH | GPO writable by authenticated users | Default Domain Policy |
| MEDIUM | 142 stale accounts in privileged groups | Enterprise Admins, Backup Operators |
| MEDIUM | RC4 encryption enabled on user accounts | 38 identities |