Your board is now personally accountable for the ransomware path you cannot see.
ADscan measures your ransomware exposure — every route from a low-privilege user to full domain takeover in your Active Directory — proves it by exploiting it, and maps each one to the DORA article your supervisor will ask about. On-premise. Open-source engine.
A pentest is a photo. Your Active Directory is a film.
A TLPT cycle runs every three years. An annual pentest covers one day out of 365. Your Active Directory changes every day a privilege is granted, a service account is created, a delegation is set. ADscan watches the surface that ransomware actually uses, continuously.
Measure
Map every path from an ordinary domain user to full control of the domain (Tier 0), the way an attacker enumerates it after the first foothold.
Prove
Exploit each path end to end, so the finding is a demonstrated fact, not a theoretical misconfiguration on a slide.
Map
Tie each proven path to the DORA article it touches, producing evidence your supervisor and your board can read without a translator.
For a financial entity, the exposure is not just data. It is the institution.
Article 5 names the management body.
DORA puts ICT risk on the board itself, and Article 50 reaches individuals. "We had an annual pentest" is no longer a defensible answer when the path was live for months.
Ransomware halts settlement.
A domain takeover does not leak a spreadsheet. It encrypts core banking, custody and payment systems. For a cooperative bank or a mutual, that is existential, not a fine line item.
The auditor wants evidence, not assurances.
Testing requirements under Articles 24 to 26 expect proof. A continuous, exploited, article-mapped record is the artifact that answers the question before it is asked.
Every proven path lands on a DORA article.
The report your supervisor receives is not a vulnerability dump. Each finding is already mapped to the obligation it satisfies, so the evidence trail writes itself.
Governance & management body
ICT risk management
Learning & evolving
Digital operational resilience testing
“In the 6 regulated entities where I ran it, 100% had at least one path to full domain takeover. One had gone undetected through two years of annual pentests.”
Built for an institution that cannot let its data leave.
ADscan runs inside your perimeter. The Active Directory data that defines your attack surface never reaches a third-party cloud, which is exactly the posture a DORA-supervised entity needs to be able to attest.
- On-premise appliance. AD data never leaves your infrastructure.
- Open-source engine. The exploitation logic is inspectable, not a black box.
- Continuous scheduled scans with finding lifecycle and SIEM webhooks.
- DORA, NIS2 and ENS reports generated from the same evidence.
A free Proof of Value. We find your paths to Tier 0, live, this quarter.
Yeray connects over VPN, runs ADscan against your Active Directory, and delivers the DORA-mapped report the same day. You never touch the platform.
Live assessment
A 1 to 2 hour session where we run the engine against your real domain and map the paths as they surface.
Included free
DORA-mapped report
Every proven path tied to its article, written for both your board and your supervisor.
Delivered same day
Remediation priority
The paths ordered by how directly they reach Tier 0, so your team fixes what closes ransomware first.
Included free
If we cannot show you a path we can exploit, you owe us nothing and you keep the report. We are this confident because, so far, we have not failed to find one.
Limited to a small number of free assessments per quarter, in exchange for a testimonial.
- You give: VPN access for one session and honest feedback.
- You get: a proven, DORA-mapped picture of your ransomware exposure, same day.
- No procurement, no platform rollout, no commitment to continue.
This is the entry point to continuous CTEM, not a sales call. You leave with the evidence either way.
The questions a CISO asks before saying yes.
We already do a TLPT and an annual pentest. Why add this?
Both are point-in-time. A TLPT cycle is every three years, a pentest one day out of 365. Active Directory changes daily. ADscan covers the surface in between, which is exactly the surface ransomware exploits. One of the six entities we tested had a live path that two years of annual pentests had missed.
Will our Active Directory data leave our network?
No. ADscan is an on-premise appliance. The engine runs inside your perimeter and the AD data never reaches a third-party cloud, so the deployment posture is itself attestable under DORA.
Is this a Pentera or BAS replacement?
It is the Active Directory specialist. Generalist BAS platforms spread across web, cloud and external surfaces. If AD is your ransomware-bearing surface and you need on-premise, open-source, DORA-mapped proof, ADscan is the sharper fit. See the comparison for the honest version.
What does the board actually receive?
A single exposure metric they can track quarter over quarter: the number of live, exploited paths to full domain control, each tied to its DORA article. It is the artifact that turns "we are managing ICT risk" into evidence.
Find the path before your supervisor, or an attacker, does.
A free, live assessment of your ransomware exposure, mapped to DORA, delivered the same day. No platform to learn, no procurement to start.