Generate a Compliance Report
Two paths to a MITRE-mapped PDF and JSON — interactive REPL (recommended) or the experimental adscan ci one-shot pipeline.
Two paths to a report
ADscan PRO supports two flows. Pick the one that fits how you work.
| Flow | Command | When |
|---|---|---|
| Interactive REPL (recommended) | adscan start → scan → deliver | Any real engagement. Full visibility per phase. Same flow you know from LITE. |
| Automated CI (experimental) | adscan ci auth ... | CI/CD pipelines or batching engagements after you've validated the flow interactively. |
The interactive flow is what every pentester and consultant gets onboarded on. The CI flow is a power-user shortcut once the engagement shape is known.
Audit mode vs CTF mode
ADscan has two scan modes. For compliance reports, always use audit mode (--type audit in CI, or pick audit at the REPL prompt).
| Mode | What it does | Use for |
|---|---|---|
audit | Full deep scan — all checks, all findings, complete attack paths | Client engagements, compliance reports |
ctf | Stops after domain compromise (pwned) | CTF labs (HackTheBox, TryHackMe) |
CTF mode exits early by design. Audit mode runs every check and produces the full finding set the report engine needs. If you run CTF mode, your report will be sparse.
Interactive flow (recommended)
This is the same REPL you already know from LITE. The PRO image just adds the report engine.
export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan startBanner should show ADscan 9.0.0 PRO. From the prompt, the REPL guides each phase:
recon → kerberos → ACL → attack-path collection → exploitationWhen the scan is complete, package the four client PDFs with one command:
deliver --display-name "Client Name"That produces the Security Assessment Report, AD Hardening Playbook, and AD Control Coverage Report — plus the MITRE ATT&CK Navigator bundle — all under ~/.adscan/workspaces/<workspace>/deliverables/.
For framework selection, the REPL prompts you at report-time. Or call generate_report directly to override.
Automated CI flow (experimental)
adscan ci is the non-interactive variant — useful for CI/CD pipelines or running batches after you've validated the engagement shape. Flag coverage is narrower than the REPL.
Validate interactively first
Use adscan ci only after you've run the same target shape through adscan start at least once. Surprises during a non-interactive run are harder to recover from than the same surprises with the REPL in front of you.
It requires a positional mode argument — auth or unauth. Each has different required flags.
Auth mode (you have credentials — standard for compliance engagements):
adscan ci auth \
--type audit \
--interface eth0 \
--domain <domain.local> \
--dc-ip <dc_ip> \
--username <user> \
--password '<pass>' \
--generate-report \
--frameworks iso27001 \
--display-name "Client Name" \
--report-theme premium_dark \
--keep-workspaceUnauth mode (no credentials — documents unauthenticated exposure):
adscan ci unauth \
--type audit \
--interface eth0 \
--hosts 10.10.10.0/24 \
--generate-report \
--frameworks iso27001 \
--keep-workspaceIn unauth mode you can pass --dc-ip instead of --hosts to skip host discovery and target a known DC directly.
ADscan will:
- Enumerate the AD environment (DNS, LDAP, SMB, Kerberos, ADCS)
- Generate the attack graph and exploit all available paths
- Produce a PDF + JSON report mapped to the requested framework
- Write outputs to
~/.adscan/workspaces/<workspace>/(and copy to./artifacts/in the current directory)
Required flags summary (CI mode)
Auth mode requires: --domain, --dc-ip, --username, --password, --type, --interface
Unauth mode requires: --type, --interface, and either --hosts or --dc-ip
All flags reference
Scan flags
| Flag | Mode | Required | Description |
|---|---|---|---|
auth / unauth | both | ✅ positional | Scan mode |
--type | both | ✅ | audit for compliance engagements, ctf for labs |
--interface, -i | both | ✅ | Network interface (e.g. eth0, tun0) |
--domain | auth | ✅ | Domain to scan (e.g. corp.example.com) |
--dc-ip | auth | ✅ | Primary DC IP |
--username, -u | auth | ✅ | Username |
--password, -p | auth | ✅ | Password |
--hosts | unauth | ✅* | CIDR range — required unless --dc-ip is passed |
--dc-ip | unauth | ✅* | Known DC IP — alternative to --hosts |
--workspace, -w | both | — | Workspace name (random if omitted) |
--keep-workspace | both | — | Keep workspace after scan for re-reporting |
Report flags
| Flag | Default | Description |
|---|---|---|
--generate-report | off | Enable report generation after the scan |
--frameworks | ens | Compliance framework(s): ens, nis2, iso27001, dora, pci_dss |
--display-name | — | Client name shown on the report cover page |
--report-theme | none | premium_dark or corporate_light |
--report-template | premium | Currently only premium |
--report-engine | chromium | PDF rendering engine |
Framework examples
adscan ci auth \
--type audit \
--interface eth0 \
--domain corp.example.com \
--dc-ip 10.10.10.10 \
--username auditor \
--password 'P@ssw0rd!' \
--generate-report \
--frameworks iso27001 \
--report-theme premium_dark \
--display-name "Acme Corp" \
--keep-workspaceProduces an ISO/IEC 27001:2022 compliance section mapping each AD finding to the relevant Annex A control.
adscan ci auth \
--type audit \
--interface eth0 \
--domain corp.example.com \
--dc-ip 10.10.10.10 \
--username auditor \
--password 'P@ssw0rd!' \
--generate-report \
--frameworks ens \
--display-name "Empresa S.A." \
--keep-workspaceProduces an ENS Alto (CCN-CERT) compliance section — the default, for Spanish public-sector regulated environments.
adscan ci auth \
--type audit \
--interface eth0 \
--domain corp.example.com \
--dc-ip 10.10.10.10 \
--username auditor \
--password 'P@ssw0rd!' \
--generate-report \
--frameworks nis2 \
--display-name "Operador Crítico S.A." \
--keep-workspaceProduces a NIS2 (EU Directive 2022/2555) compliance section — for critical-infrastructure operators. NIS2 and ENS are distinct frameworks; request --frameworks ens,nis2 for both.
adscan ci auth \
--type audit \
--interface eth0 \
--domain bank.internal \
--dc-ip 192.168.1.5 \
--username auditor \
--password 'P@ssw0rd!' \
--generate-report \
--frameworks dora \
--report-theme corporate_light \
--display-name "Financial Entity" \
--keep-workspaceProduces a DORA EU 2022/2554 compliance section — designed for financial entities under EU Digital Operational Resilience Act requirements.
adscan ci auth \
--type audit \
--interface eth0 \
--domain corp.example.com \
--dc-ip 10.10.10.10 \
--username auditor \
--password 'P@ssw0rd!' \
--generate-report \
--frameworks iso27001,dora \
--display-name "Client Name" \
--keep-workspaceMultiple frameworks produce a single PDF with separate compliance sections. One scan, one report, multiple frameworks.
Generate report from the interactive shell
Same flow most pentesters and consultants are already used to from LITE: the REPL walks every phase and deliver packages the three PDFs plus the MITRE ATT&CK Navigator bundle at the end.
export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan startInside the shell, first configure the workspace type:
set type auditThen run your scan as usual. Once the scan completes, generate the report:
generate_reportADscan will guide you through two interactive prompts:
1. Framework selection (checkbox — select one or more):
❯ ◉ ENS Alto — Spain / CCN-CERT (recommended)
◯ NIS2 — EU Directive (EU) 2022/2555 (critical infrastructure)
◯ ISO 27001:2022 — International ISMS standard
◯ DORA — EU 2022/2554 (financial sector)
◯ PCI DSS v4.0 — Payment Card Industry2. Theme selection:
❯ Corporate Light — white/navy, print-safe
Premium Dark — navy/cyan paletteYou can also pass arguments directly to skip the prompts:
generate_report full iso27001
generate_report technical ens,iso27001
generate_report executive doraThe profiles (full, technical, executive) control which report sections are included. full is the default and recommended for most engagements.
Regenerate the deliverable kit from an existing workspace
If the scan already ran (or you want to regenerate the PDFs without re-scanning), use adscan deliver:
adscan deliver --workspace <workspace_name>To regenerate just the executive PDF (functional equivalent of the legacy adscan report command):
adscan deliver --workspace <workspace_name> --only executiveWhy --keep-workspace matters
By default, auto-created CI workspaces are deleted after the scan. Pass --keep-workspace to preserve the scan data so you can re-run adscan deliver later without re-scanning.
Where are the outputs?
After the scan completes:
~/.adscan/workspaces/<workspace>/
├── report.pdf ← client-ready PDF
└── technical_report.json ← structured data for your pipelineADscan also copies the PDF to ./artifacts/report.pdf in your current working directory.
Find the workspace name in the scan output, or list workspaces inside the ADscan shell:
adscan start
# Inside ADscan shell:
workspacesTiming
| Environment size | Typical scan time |
|---|---|
| < 500 users, 1 domain | 15–25 min |
| 500–2000 users, 1–2 domains | 25–45 min |
| 2000+ users, multi-domain | 45–90 min |
Report generation adds ~2–5 minutes after the scan completes.