Telemetry
What ADscan collects, how it's sanitized, and how to opt out.
Overview
ADscan collects anonymous, sanitized usage analytics to improve the tool. Telemetry is enabled by default and can be disabled at any time.
All sensitive data (domains, IPs, usernames, passwords, hashes, file paths, hostnames, internal lab/workspace identifiers) is automatically sanitized before leaving your machine. ADscan never transmits raw identifiable information about your targets or engagements.
If you opt out with ADSCAN_TELEMETRY=0 or telemetry off, ADscan stops sending:
- usage events
- session recordings
- exception/error telemetry
- lab-tracking webhook notifications
What is collected
| Data | Example | Purpose |
|---|---|---|
| Commands run | enum ldap, creds show | Understand which features are used |
| Feature usage | BloodHound collection triggered | Prioritize development |
| Errors and exceptions | Sanitized exception summaries | Fix bugs faster |
| Timing metrics | Time to first credential | Measure tool effectiveness |
| System context | OS, Python version, architecture | Ensure compatibility |
| ADscan version | 4.1.2 | Track adoption |
| Session recordings | Sanitized Rich CLI recordings | Debug rendering and workflow issues without exposing engagement data |
What is NOT collected
- Target domain names, IP addresses, or hostnames
- Usernames, passwords, NTLM hashes, or Kerberos tickets
- File paths from your system
- BloodHound data or query results
- Network topology or scan results
- Any content from your engagements
How sanitization works
ADscan uses a marker-based sanitization system. When sensitive data is displayed in the CLI, it is tagged with invisible zero-width Unicode markers at creation time. Before any data leaves your machine, the telemetry module:
- Detects markers around sensitive values (domains, IPs, users, passwords, paths, hostnames)
- Replaces each value with a deterministic, length-preserving pseudonym
- Falls back to pattern-based detection for any unmarked sensitive data (IP regex, domain patterns, etc.)
This means:
- structured event properties are sanitized before POST
- session recordings (CLI output captures) are sanitized before upload
- exception telemetry is sanitized before forwarding to remote sinks
- if sanitization fails, the upload is aborted instead of falling back to raw data
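The flow described above, as an added example that is not ADscan's own code: marked values are replaced first, a pattern fallback catches an untagged IP, and a broken marker pair aborts the upload. The marker code points (U+200B and U+200C), the HMAC-based pseudonym, the key, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed marker code points: the page does not name the zero-width characters used.
START, END = "\u200b", "\u200c"
MARKED = re.compile(f"{START}(.*?){END}", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # pattern fallback for untagged IPs
KEY = b"constructed-local-secret"  # hypothetical per-install key, never transmitted


class SanitizationError(Exception):
    """Signals that the text must not be uploaded."""


def pseudonym(value: str) -> str:
    """Same input gives the same output, with the same length as the input."""
    digest = hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()
    return (digest * (len(value) // len(digest) + 1))[: len(value)]


def sanitize(text: str) -> str:
    # 1. Replace every marked value and drop the markers around it.
    out = MARKED.sub(lambda m: pseudonym(m.group(1)), text)
    # 2. A leftover marker means an unbalanced or nested pair, so part of a
    #    sensitive value may still be in clear text: refuse to continue.
    if START in out or END in out:
        raise SanitizationError("unbalanced sensitivity marker")
    # 3. Pattern fallback for values that were never tagged.
    return IPV4.sub(lambda m: pseudonym(m.group(0)), out)


def build_upload(text: str):
    """Return the sanitized payload, or None to abort instead of sending raw data."""
    try:
        return sanitize(text)
    except SanitizationError:
        return None


if __name__ == "__main__":
    # Constructed sample line: two tagged values and one untagged IP.
    line = f"DCSync successful: {START}alice{END}@{START}corp.local{END} from 10.0.0.5"
    print(build_upload(line))
    print(build_upload(f"login by {START}alice"))  # missing END marker -> None
```

Length preservation keeps recorded output aligned, but it also reveals the length of each replaced value.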
Pseudonymization example
# What you see in your terminal:
DCSync successful: [email protected] → Passw0rd!
# What telemetry receives:
DCSync successful: user_a3f2@domain_7b1c.pseudonym → [PASSWORD_REDACTED]
How to disable
For a single session
export ADSCAN_TELEMETRY=0
adscan start
Permanently (from inside ADscan)
(ADscan) > telemetry off
Permanently (environment variable)
Add to your shell profile (~/.bashrc, ~/.zshrc):
export ADSCAN_TELEMETRY=0
Session recordings only
To disable CLI session recordings while keeping event telemetry:
export ADSCAN_SESSION_CAPTURE=0
This disables only Rich CLI recording uploads. Regular telemetry events remain enabled unless you also set ADSCAN_TELEMETRY=0.