ADscan Documentation
Active Directory exposure management — from assessment to client deliverable in one command.
ADscan
Active Directory exposure management for pentesters, MSSPs, and CISOs.
One command runs the assessment. Another delivers four client-ready PDFs. No tool-hopping.
Current version: 9.1.1 LITE
Three tiers
| Tier | What it is | Who uses it |
|---|---|---|
| LITE | Free CLI engine — community-maintained scan core | Pentesters, red teamers, students |
| PRO | LITE + Client Deliverable Kit (4 PDFs + ZIP) | MSSPs, consultancies billing engagements |
| Enterprise | Continuous CTEM/BAS web service with weekly digest | CISOs operating their own AD posture |
Three paths to start
I'm a pentester running an engagement
LITE quickstart — install, scan, attack-paths in under 10 minutes.
I'm an MSSP delivering audit reports
PRO setup — generate the Client Deliverable Kit in 90 seconds.
I'm a CISO evaluating ADscan
Architecture, deployment model, and what the kit looks like.
What ADscan does
- Active Directory enumeration — DNS, LDAP, SMB, Kerberos, ADCS, trust spidering, native graph collection.
- Attack execution — Kerberoasting, AS-REP roasting, ACL abuse, GPP, GPO abuse, constrained-delegation SPN-jacking (SPNJack), DCSync, ADCS ESC1-16.
- Client Deliverable Kit (PRO) — Executive Assessment Report, AD Hardening Playbook, MITRE Remediation Checklist, Coverage Matrix — generated in 90 seconds with `adscan deliver`.
Reference
All commands
Workspace, scanning, attack paths, credentials, AI assistant.
Client Deliverable Kit
Four PDFs your client signs off on. Generated in 90 seconds.
Lab walkthroughs
HTB Forest, Active, Cicada — step-by-step auto-pwn.
Guides
Best practices, troubleshooting, configuration patterns.
Community & support
- GitHub: github.com/ADscanPro/adscan
- Discord: discord.com/invite/fXBR3P8H74
- Enterprise: [email protected]