
Generate a Compliance Report

Run adscan ci with --generate-report and --type audit to produce a MITRE-mapped PDF and JSON in a single command.

Audit mode vs CTF mode

ADscan has two scan modes. For compliance reports, always use --type audit.

| Mode | What it does | Use for |
| --- | --- | --- |
| --type audit | Full deep scan — all checks, all findings, complete attack paths | Client engagements, compliance reports |
| --type ctf | Stops after domain compromise (pwned) | CTF labs (HackTheBox, TryHackMe) |

CTF mode exits early by design. Audit mode runs every check and produces the full finding set the report engine needs. If you run CTF mode, your report will be sparse.

Scan modes: auth vs unauth

adscan ci requires a positional mode argument — auth or unauth — and each has different required flags.

Auth mode (you have credentials — standard for compliance engagements):

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain <domain.local> \
  --dc-ip <dc_ip> \
  --username <user> \
  --password '<pass>' \
  --generate-report \
  --frameworks iso27001 \
  --display-name "Client Name" \
  --report-theme premium_dark \
  --keep-workspace

Unauth mode (no credentials — documents unauthenticated exposure):

adscan ci unauth \
  --type audit \
  --interface eth0 \
  --hosts 10.10.10.0/24 \
  --generate-report \
  --frameworks iso27001 \
  --keep-workspace

In unauth mode you can pass --dc-ip instead of --hosts to skip host discovery and target a known DC directly.

ADscan will:

  1. Enumerate the AD environment (DNS, LDAP, SMB, Kerberos, ADCS)
  2. Generate the attack graph and exploit all available paths
  3. Produce a PDF + JSON report mapped to the requested framework
  4. Write outputs to ~/.adscan/workspaces/<workspace>/ (and copy to ./artifacts/ in the current directory)

Required flags summary

Auth mode requires: --domain, --dc-ip, --username, --password, --type, --interface

Unauth mode requires: --type, --interface, and either --hosts or --dc-ip
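
The required-flag rules above can be checked before a pipeline starts a scan. This is an added example, not part of ADscan or its documentation: a shell function that enforces those rules and prints the adscan ci argument list, one argument per line. The key=value input convention and the ADSCAN_PASSWORD variable name are assumptions of this sketch.

```bash
# Added example, not ADscan's own code. ADSCAN_PASSWORD is an assumed variable name.
# Usage: adscan_ci_args <auth|unauth> key=value...   (prints one argument per line)
adscan_ci_args() {
  local mode="$1" kv fw rest type="" interface="" domain="" dc_ip="" username=""
  local hosts="" frameworks="ens"   # ens is the documented default framework
  shift
  for kv in "$@"; do
    case "$kv" in
      type=*)       type="${kv#*=}" ;;
      interface=*)  interface="${kv#*=}" ;;
      domain=*)     domain="${kv#*=}" ;;
      dc_ip=*)      dc_ip="${kv#*=}" ;;
      username=*)   username="${kv#*=}" ;;
      hosts=*)      hosts="${kv#*=}" ;;
      frameworks=*) frameworks="${kv#*=}" ;;
      *) echo "unknown setting: $kv" >&2; return 1 ;;
    esac
  done
  # CTF mode stops at domain compromise, so a report built from it is sparse.
  [ "$type" = audit ] || { echo "type must be audit for a report, got '$type'" >&2; return 1; }
  [ -n "$interface" ] || { echo "interface is required" >&2; return 1; }
  # Check each comma-separated framework against the documented names.
  rest="$frameworks,"
  while [ -n "$rest" ]; do
    fw="${rest%%,*}"; rest="${rest#*,}"
    case "$fw" in
      iso27001|ens|dora|pci_dss) ;;
      *) echo "unknown framework: '$fw'" >&2; return 1 ;;
    esac
  done
  case "$mode" in
    auth)
      # The CLI takes the password as a flag, so it is still visible in the process
      # arguments; the variable only keeps it out of the pipeline file.
      if [ -z "$domain" ] || [ -z "$dc_ip" ] || [ -z "$username" ] || [ -z "${ADSCAN_PASSWORD:-}" ]; then
        echo "auth needs domain, dc_ip, username and ADSCAN_PASSWORD" >&2; return 1
      fi
      set -- --domain "$domain" --dc-ip "$dc_ip" --username "$username" --password "$ADSCAN_PASSWORD" ;;
    unauth)
      # Either a CIDR range for host discovery or a known DC, which skips discovery.
      if [ -n "$hosts" ]; then set -- --hosts "$hosts"
      elif [ -n "$dc_ip" ]; then set -- --dc-ip "$dc_ip"
      else echo "unauth needs hosts or dc_ip" >&2; return 1; fi ;;
    *) echo "mode must be auth or unauth" >&2; return 1 ;;
  esac
  printf '%s\n' ci "$mode" --type audit --interface "$interface" "$@" \
    --generate-report --frameworks "$frameworks" --keep-workspace
}
```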

All flags reference

Scan flags

| Flag | Mode | Required | Description |
| --- | --- | --- | --- |
| auth / unauth | both | ✅ positional | Scan mode |
| --type | both | | audit for compliance engagements, ctf for labs |
| --interface, -i | both | | Network interface (e.g. eth0, tun0) |
| --domain | auth | | Domain to scan (e.g. corp.example.com) |
| --dc-ip | auth | | Primary DC IP |
| --username, -u | auth | | Username |
| --password, -p | auth | | Password |
| --hosts | unauth | ✅* | CIDR range — required unless --dc-ip is passed |
| --dc-ip | unauth | ✅* | Known DC IP — alternative to --hosts |
| --workspace, -w | both | | Workspace name (random if omitted) |
| --keep-workspace | both | | Keep workspace after scan for re-reporting |

Report flags

| Flag | Default | Description |
| --- | --- | --- |
| --generate-report | off | Enable report generation after the scan |
| --frameworks | ens | Compliance framework(s): iso27001, ens, dora, pci_dss |
| --display-name | | Client name shown on the report cover page |
| --report-theme | none | premium_dark or corporate_light |
| --report-template | premium | Currently only premium |
| --report-engine | chromium | PDF rendering engine |

Framework examples

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks iso27001 \
  --report-theme premium_dark \
  --display-name "Acme Corp" \
  --keep-workspace

Produces an ISO/IEC 27001:2022 compliance section mapping each AD finding to the relevant Annex A control.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks ens \
  --display-name "Empresa S.A." \
  --keep-workspace

Produces an ENS Alto + NIS2 compliance section. Default framework for Spanish regulated environments.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain bank.internal \
  --dc-ip 192.168.1.5 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks dora \
  --report-theme corporate_light \
  --display-name "Financial Entity" \
  --keep-workspace

Produces a DORA EU 2022/2554 compliance section — designed for financial entities under EU Digital Operational Resilience Act requirements.

adscan ci auth \
  --type audit \
  --interface eth0 \
  --domain corp.example.com \
  --dc-ip 10.10.10.10 \
  --username auditor \
  --password 'P@ssw0rd!' \
  --generate-report \
  --frameworks iso27001,dora \
  --display-name "Client Name" \
  --keep-workspace

Multiple frameworks produce a single PDF with separate compliance sections. One scan, one report, multiple frameworks.

Generate report from the interactive shell

If you prefer working inside the ADscan shell, you can run the scan interactively and then generate the report with a guided prompt flow.

adscan start --image 'adscan/adscan-pro:latest'

Inside the shell, first configure the workspace type:

set type audit

Then run your scan as usual. Once the scan completes, generate the report:

generate_report

ADscan will guide you through two interactive prompts:

1. Framework selection (checkbox — select one or more):

❯ ◉ ENS Alto + NIS2 — Spain / CCN-CERT (recommended)
  ◯ ISO 27001:2022 — International ISMS standard
  ◯ DORA — EU 2022/2554 (financial sector)
  ◯ PCI DSS v4.0 — Payment Card Industry

2. Theme selection:

❯ Corporate Light — white/navy, print-safe
  Premium Dark — navy/cyan palette

You can also pass arguments directly to skip the prompts:

generate_report full iso27001
generate_report technical ens,iso27001
generate_report executive dora

The profiles (full, technical, executive) control which report sections are included. full is the default and recommended for most engagements.

Regenerate the deliverable kit from an existing workspace

If the scan already ran (or you want to regenerate the PDFs without re-scanning), use adscan deliver:

adscan deliver --workspace <workspace_name>

To regenerate just the executive PDF (functional equivalent of the legacy adscan report command):

adscan deliver --workspace <workspace_name> --only executive

Why --keep-workspace matters

By default, auto-created CI workspaces are deleted after the scan. Pass --keep-workspace to preserve the scan data so you can re-run adscan deliver later without re-scanning.

Where are the outputs?

After the scan completes:

~/.adscan/workspaces/<workspace>/
├── report.pdf              ← client-ready PDF
└── technical_report.json   ← structured data for your pipeline

ADscan also copies the PDF to ./artifacts/report.pdf in your current working directory.

Find the workspace name in the scan output, or list workspaces inside the ADscan shell:

adscan start
# Inside ADscan shell:
workspaces
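
A pipeline that publishes the deliverables can gate on the files described above. This is an added example, not part of ADscan: a shell function that checks the two workspace files and the ./artifacts copy before anything is handed on. The function name and the assumption that the JSON's top level is an object or array are not from the page.

```bash
# Added example, not ADscan's own code: gate a pipeline on the report files.
# Usage: adscan_outputs_ok <workspace_dir> [artifacts_dir]   (returns 0 when all checks pass)
adscan_outputs_ok() {
  local ws="$1" art="${2:-./artifacts}" pdf json first
  pdf="$ws/report.pdf"
  json="$ws/technical_report.json"
  # Auto-created CI workspaces are deleted unless --keep-workspace was passed.
  [ -d "$ws" ] || { echo "no workspace at $ws (was --keep-workspace passed?)" >&2; return 1; }
  [ -s "$pdf" ] || { echo "missing or empty: $pdf" >&2; return 1; }
  [ -s "$json" ] || { echo "missing or empty: $json" >&2; return 1; }
  # A PDF starts with the bytes "%PDF-"; a truncated write or an error page does not.
  [ "$(head -c 5 "$pdf")" = "%PDF-" ] || { echo "not a PDF: $pdf" >&2; return 1; }
  # Cheap structural check, not a full parse (assumption: top level is an object or array).
  first=$(head -c 64 "$json" | tr -d ' \t\r\n' | cut -c1)
  case "$first" in
    '{'|'[') ;;
    *) echo "does not look like JSON: $json" >&2; return 1 ;;
  esac
  # A stale artifacts copy left over from an earlier run would differ from the workspace file.
  cmp -s "$pdf" "$art/report.pdf" || { echo "$art/report.pdf does not match $pdf" >&2; return 1; }
}
```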

Timing

| Environment size | Typical scan time |
| --- | --- |
| < 500 users, 1 domain | 15–25 min |
| 500–2000 users, 1–2 domains | 25–45 min |
| 2000+ users, multi-domain | 45–90 min |

Report generation adds ~2–5 minutes after the scan completes.
