The open-source Active Directory attack-path engine.
ADscan Community is the free command-line engine behind everything we build. It enumerates your domain, generates the attack paths from a low-privilege user to Domain Admin, and walks the techniques a real intrusion uses. You run it. No license, no account, no cloud.
Free forever. Source-available under the Business Source License.
A pentester-grade engine for Active Directory, on your own terminal.
Community is the same core engine the PRO and Enterprise editions are built on. It is a CLI you run yourself, against an Active Directory you are authorized to test. Nothing is staged: it works the domain the way an attacker would, then hands you the raw output.
Domain enumeration
Map identity objects, groups, delegations, GPOs, certificate templates and trusts across the domain from a single foothold.
Attack-path generation
Compute the routes from a low-privilege user to Domain Admin and Tier 0, the same graph BloodHound surfaces, generated by the engine.
ADCS, ESC1 to ESC15
Find and walk certificate-template abuse paths against your PKI, the full ESC1 through ESC15 family.
Credential techniques
Kerberoasting, AS-REP roasting, password spraying and DCSync, run against the live domain.
BloodHound collection
Collect the data BloodHound consumes, so you can pivot between ADscan and the graph you already know.
Raw, scriptable output
Structured output you can pipe, diff and feed into your own tooling. It is a CLI first, built to compose.
Built for the people who run engagements, not the people who buy them.
- 01
Pentesters and consultants
Run a full AD assessment on a client engagement without a per-seat license or a phone-home agent.
- 02
Red teamers
Walk the path to Domain Admin end to end, with the credential handoff a real operator needs at each step.
- 03
Security researchers
The engine is source-available. Read it, audit it, extend it, and see exactly what it does to a domain.
The free CLI is the floor, not the ceiling.
Community gives you the raw engine and raw output. PRO turns a run into an automated, board-ready report mapped to DORA, NIS2 and ENS. Enterprise runs it continuously as a CTEM platform. Same engine underneath, three different jobs.
The free CLI you download and run. Raw output, no report layer.
Automated board-ready reports, compliance mapping, and a continuous web platform.
Source-available, free to use, honest about it.
Community is published under the Business Source License. The source is on GitHub for you to read, audit and run. It is free to use on your engagements. We do not hide what the engine does, because the engine is the proof.
Questions, answered.
Is ADscan Community really free?
Yes. The Community CLI is free to download and run. There is no license fee, no account and no seat limit. It is source-available under the Business Source License, so you can read and audit exactly what it does.
What is the difference between Community and a trial?
Community is not a trial. It is a free, permanent edition: a CLI for pentesters and researchers that you run yourself. The paid PRO and Enterprise editions add the report layer and the continuous platform on top of the same engine.
What can the free CLI actually do?
It enumerates the domain, generates attack paths from a low-privilege user to Domain Admin, walks ADCS abuse from ESC1 to ESC15, runs credential techniques like Kerberoasting and DCSync, and collects BloodHound data. The output is raw and scriptable.
How is it different from BloodHound?
BloodHound maps the paths. ADscan generates and walks them, with the credential handoff at each step that a real intrusion uses. Community can also collect the data BloodHound consumes, so the two work together.
Is it safe to run against a production domain?
Run it only against an Active Directory you are authorized to test. It is a real attack engine, not a simulator. Scope it the way you would scope any authorized engagement.
Do I need PRO or Enterprise to get value from Community?
No. Community is a complete engine on its own. PRO and Enterprise exist for teams that want the automated board-ready report and the continuous platform, not because Community is crippled.
Clone it, point it at a domain, walk the path.
The full Community engine is on GitHub. Free to download, free to run on your next engagement.