Active Directory Security

Your Active Directory Is Still Your Biggest Blast Radius.

Native AD scanning finds privilege escalation paths, stale accounts, weak GPOs, and Kerberos misconfigurations before attackers do.

Attack surface

What the AD scanner finds

01

Privilege escalation paths

Graph every route from an unprivileged user to Domain Admin — nested groups, ACL misuse, shadow admins, and forgotten delegations.

02

Stale & orphaned accounts

Surface dormant users, disabled-but-enabled service accounts and orphaned SIDs that keep sitting inside privileged groups.

03

Weak GPO configurations

Detect insecure logon rights, unsigned scripts, permissive password policies and GPOs writable by non-admin principals.

04

Kerberos misconfigurations

Identify Kerberoasting exposure, unconstrained delegation, RC4-enabled accounts and AS-REP roastable identities.

Collector

Least-privilege collector, on your terms.

The AD collector agent runs read-only LDAP and SYSVOL queries with a scoped service account, supports scheduled credential rotation, and never stores plaintext credentials. Data stays within the customer's chosen deployment boundary — hosted cloud, self-managed on-premises, or fully air-gapped install. No domain writes, no replication rights, no shadow copies.

Dashboard

Privilege escalation detection at a glance

app.alexocloud.ai / tenants / contoso / active-directory
Attack path graph
usergroupaclsvcgpoDA
17 paths to Domain Admin · shortest: 3 hops
Open findings · 6
SeverityFindingScope
CRITICALPath from Domain Users to Domain Admin5-hop ACL chain
CRITICALUnconstrained delegation on member serverSRV-APP-07
HIGHKerberoastable service account in Domain Adminssvc-sql-prod
HIGHGPO writable by authenticated usersDefault Domain Policy
MEDIUM142 stale accounts in privileged groupsEnterprise Admins, Backup Operators
MEDIUMRC4 encryption enabled on user accounts38 identities

See every path an attacker would take.