Skip to content
ADscan Docs
ADscan PRO

Generate a Compliance Report

Two paths to a MITRE-mapped PDF and JSON — interactive REPL (recommended) or the experimental adscan ci one-shot pipeline.

Two paths to a report

ADscan PRO supports two flows. Pick the one that fits how you work.

FlowCommandWhen
Interactive REPL (recommended)adscan start → scan → deliverAny real engagement. Full visibility per phase. Same flow you know from LITE.
Automated CI (experimental)adscan ci auth ...CI/CD pipelines or batching engagements after you've validated the flow interactively.

The interactive flow is what every pentester and consultant gets onboarded on. The CI flow is a power-user shortcut once the engagement shape is known.

Audit mode vs CTF mode

ADscan has two scan modes. For compliance reports, always use audit mode (--type audit in CI, or pick audit at the REPL prompt).

ModeWhat it doesUse for
auditFull deep scan — all checks, all findings, complete attack pathsClient engagements, compliance reports
ctfStops after domain compromise (pwned)CTF labs (HackTheBox, TryHackMe)

CTF mode exits early by design. Audit mode runs every check and produces the full finding set the report engine needs. If you run CTF mode, your report will be sparse.

This is the same REPL you already know from LITE. The PRO image just adds the report engine.

export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan start

Banner should show ADscan 9.0.0 PRO. From the prompt, the REPL guides each phase:

recon → kerberos → ACL → attack-path collection → exploitation

When the scan is complete, package the four client PDFs with one command:

deliver --display-name "Client Name"

That produces the Security Assessment Report, AD Hardening Playbook, and AD Control Coverage Report — plus the MITRE ATT&CK Navigator bundle — all under ~/.adscan/workspaces/<workspace>/deliverables/.

For framework selection, the REPL prompts you at report-time. Or call generate_report directly to override.

Automated CI flow (experimental)

adscan ci is the non-interactive variant — useful for CI/CD pipelines or running batches after you've validated the engagement shape. Flag coverage is narrower than the REPL.

Validate interactively first

Use adscan ci only after you've run the same target shape through adscan start at least once. Surprises during a non-interactive run are harder to recover from than the same surprises with the REPL in front of you.

It requires a positional mode argument — auth or unauth. Each has different required flags.

Auth mode (you have credentials — standard for compliance engagements):

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain <domain.local> \
  --dc-ip <dc_ip> \
  --username <user> \
  --password '<pass>' \
  --generate-report \
  --frameworks iso27001 \
  --display-name "Client Name" \
  --report-theme premium_dark \
  --keep-workspace

Unauth mode (no credentials — documents unauthenticated exposure):

adscan ci unauth \
  --type audit \
  --interface eth0 \
  --hosts 10.10.10.0/24 \
  --generate-report \
  --frameworks iso27001 \
  --keep-workspace

In unauth mode you can pass --dc-ip instead of --hosts to skip host discovery and target a known DC directly.

ADscan will:

  1. Enumerate the AD environment (DNS, LDAP, SMB, Kerberos, ADCS)
  2. Generate the attack graph and exploit all available paths
  3. Produce a PDF + JSON report mapped to the requested framework
  4. Write outputs to ~/.adscan/workspaces/<workspace>/ (and copy to ./artifacts/ in the current directory)

Required flags summary (CI mode)

Auth mode requires: --domain, --dc-ip, --username, --password, --type, --interface

Unauth mode requires: --type, --interface, and either --hosts or --dc-ip

All flags reference

Scan flags

FlagModeRequiredDescription
auth / unauthboth✅ positionalScan mode
--typebothaudit for compliance engagements, ctf for labs
--interface, -ibothNetwork interface (e.g. eth0, tun0)
--domainauthDomain to scan (e.g. corp.example.com)
--dc-ipauthPrimary DC IP
--username, -uauthUsername
--password, -pauthPassword
--hostsunauth✅*CIDR range — required unless --dc-ip is passed
--dc-ipunauth✅*Known DC IP — alternative to --hosts
--workspace, -wbothWorkspace name (random if omitted)
--keep-workspacebothKeep workspace after scan for re-reporting

Report flags

FlagDefaultDescription
--generate-reportoffEnable report generation after the scan
--frameworksensCompliance framework(s): ens, nis2, iso27001, dora, pci_dss
--display-nameClient name shown on the report cover page
--report-themenonepremium_dark or corporate_light
--report-templatepremiumCurrently only premium
--report-enginechromiumPDF rendering engine

Framework examples

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks iso27001 \
  --report-theme premium_dark \
  --display-name "Acme Corp" \
  --keep-workspace

Produces an ISO/IEC 27001:2022 compliance section mapping each AD finding to the relevant Annex A control.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks ens \
  --display-name "Empresa S.A." \
  --keep-workspace

Produces an ENS Alto (CCN-CERT) compliance section — the default, for Spanish public-sector regulated environments.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks nis2 \
  --display-name "Operador Crítico S.A." \
  --keep-workspace

Produces a NIS2 (EU Directive 2022/2555) compliance section — for critical-infrastructure operators. NIS2 and ENS are distinct frameworks; request --frameworks ens,nis2 for both.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain bank.internal \
  --dc-ip 192.168.1.5 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks dora \
  --report-theme corporate_light \
  --display-name "Financial Entity" \
  --keep-workspace

Produces a DORA EU 2022/2554 compliance section — designed for financial entities under EU Digital Operational Resilience Act requirements.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks iso27001,dora \
  --display-name "Client Name" \
  --keep-workspace

Multiple frameworks produce a single PDF with separate compliance sections. One scan, one report, multiple frameworks.

Generate report from the interactive shell

Same flow most pentesters and consultants are already used to from LITE: the REPL walks every phase and deliver packages the three PDFs plus the MITRE ATT&CK Navigator bundle at the end.

export ADSCAN_DOCKER_IMAGE=ghcr.io/adscanpro/adscan-pro:latest
adscan start

Inside the shell, first configure the workspace type:

set type audit

Then run your scan as usual. Once the scan completes, generate the report:

generate_report

ADscan will guide you through two interactive prompts:

1. Framework selection (checkbox — select one or more):

❯ ◉ ENS Alto — Spain / CCN-CERT (recommended)
  ◯ NIS2 — EU Directive (EU) 2022/2555 (critical infrastructure)
  ◯ ISO 27001:2022 — International ISMS standard
  ◯ DORA — EU 2022/2554 (financial sector)
  ◯ PCI DSS v4.0 — Payment Card Industry

2. Theme selection:

❯ Corporate Light — white/navy, print-safe
  Premium Dark — navy/cyan palette

You can also pass arguments directly to skip the prompts:

generate_report full iso27001
generate_report technical ens,iso27001
generate_report executive dora

The profiles (full, technical, executive) control which report sections are included. full is the default and recommended for most engagements.

Regenerate the deliverable kit from an existing workspace

If the scan already ran (or you want to regenerate the PDFs without re-scanning), use adscan deliver:

adscan deliver --workspace <workspace_name>

To regenerate just the executive PDF (functional equivalent of the legacy adscan report command):

adscan deliver --workspace <workspace_name> --only executive

Why --keep-workspace matters

By default, auto-created CI workspaces are deleted after the scan. Pass --keep-workspace to preserve the scan data so you can re-run adscan deliver later without re-scanning.

Where are the outputs?

After the scan completes:

~/.adscan/workspaces/<workspace>/
├── report.pdf              ← client-ready PDF
└── technical_report.json   ← structured data for your pipeline

ADscan also copies the PDF to ./artifacts/report.pdf in your current working directory.

Find the workspace name in the scan output, or list workspaces inside the ADscan shell:

adscan start
# Inside ADscan shell:
workspaces

Timing

Environment sizeTypical scan time
< 500 users, 1 domain15–25 min
500–2000 users, 1–2 domains25–45 min
2000+ users, multi-domain45–90 min

Report generation adds ~2–5 minutes after the scan completes.

Find this useful?
Pass it to the next pentester running an AD engagement
Running 2+ AD engagements/year?
Get PRO free — beta access·Free in exchange for feedback
Automated PDF reports. Save ≥1 day per engagement.

ADscan — AD pentest automation for security consultants

Generate a Compliance Report | ADscan