Skip to content
ENS Alto · RD 311/2022 · CCN-CERT

Public service does not stop. The path that stops it is inside your Active Directory.

ADscan measures your ransomware exposure — every route from a low-privilege user to full domain takeover in your Active Directory — proves it by exploiting it, and produces auditable evidence mapped to ENS Alto, ready for CCN-CERT. On-premise. Open-source engine.

Book a free assessmentSee how it compares
Low-privilege user → service account → domain admin → Tier 0. The path that takes the service offline.
The mechanism

A pentest is a photo. Your Active Directory is a film.

For a public administration, continuity of service is the duty and ENS compliance is the proof of it. An audit is a moment; Active Directory changes every day. ADscan watches the surface that ransomware uses, continuously, and produces the evidence CCN-CERT expects.

01

Measure

Map every path from an ordinary domain user to full control of the domain (Tier 0), the route that would take the public service offline.

02

Prove

Exploit each path end to end, so the finding is auditable fact, the kind of evidence an ENS assessment is built on.

03

Map

Tie each proven path to the ENS Alto control it touches, producing a CCN-CERT-ready record without a manual translation step.

What is at stake

When a public administration goes down, the citizen has nowhere else to go.

01 · Public hospitals

Care cannot wait for recovery.

A domain takeover in a public hospital halts clinical systems for a population that has no alternative provider. Continuity here is a duty of care, measured in patient outcomes.

02 · Local & regional gov

The register, the payroll, the service.

For a town hall or regional body, ransomware freezes the systems citizens depend on and the payroll of the people who run them. Recovery is public, scrutinised and slow.

03 · Auditable evidence

ENS Alto demands proof, CCN-CERT reviews it.

ENS is not a checkbox; it expects demonstrable security. A continuous, exploited, control-mapped record is the evidence an assessor and CCN-CERT can act on directly.

ENS Alto mapping

Every proven path lands on an ENS Alto control.

ENS Alto (RD 311/2022) sets the security framework for the Spanish public sector. The report ties each proven path to the control it evidences, producing the auditable trail CCN-CERT expects.

Proven AD pathENS Alto control
Control area
How ADscan provides the evidence
op.acc

Access control

Proven paths show exactly where privilege and access controls fail in practice, not just in policy, across the identity layer.
op.exp

Operation

Continuous scanning evidences ongoing operational security of Active Directory rather than a point-in-time snapshot.
op.mon

Monitoring

Each scan compares against the last and feeds your SIEM, evidencing continuous monitoring of the identity attack surface.
mp.eq / org

Evaluation & audit

Exploited, mapped findings produce the demonstrable, CCN-CERT-ready evidence an ENS Alto assessment is built on.
What we keep finding
In the 6 regulated entities where I ran it, 100% had at least one path to full domain takeover. One had gone undetected through two years of annual pentests.
Yeray Martín · Founder, ADscan
100%of those environments had a live path to Tier 0. Across the field, over 95% of Active Directory environments carry attack paths.
The platform

Sovereign by design: the data never leaves the administration.

For a public body, where the data lives is a requirement, not a preference. ADscan is on-premise, so the Active Directory data that maps your exposure stays inside the administration, the posture an ENS Alto deployment expects.

  • On-premise appliance. AD data never leaves the administration.
  • Open-source engine. Inspectable, auditable, no vendor black box.
  • Continuous scheduled scans with finding lifecycle and SIEM webhooks.
  • ENS, NIS2 and DORA reports generated from the same evidence.
The offer

A free Proof of Value. We find your paths to Tier 0, live, this quarter.

Yeray connects over VPN, runs ADscan against your Active Directory, and delivers the ENS-mapped report the same day. Your team never has to operate the platform.

Live assessment

A 1 to 2 hour session where we run the engine against your real domain and map the paths as they surface.

Included free

ENS-mapped report

Every proven path tied to its ENS Alto control, ready to put in front of an assessor or CCN-CERT.

Delivered same day

Remediation priority

The paths ordered by how directly they reach Tier 0, so your team protects service continuity first.

Included free
AD Verified guarantee

If we cannot show you a path we can exploit, you owe us nothing and you keep the report. We are this confident because, so far, we have not failed to find one.

Limited to a small number of free assessments per quarter, in exchange for a testimonial.

What you give and what you get
  • You give: VPN access for one session and honest feedback.
  • You get: a proven, ENS-mapped picture of your exposure, ready for CCN-CERT, same day.
  • No procurement, no platform rollout, no commitment to continue.
Book a free assessment

This is the entry point to continuous CTEM, not a sales call. You leave with the evidence either way.

Objections

The questions a public-sector security lead asks before saying yes.

We pass our ENS audit. Why look at this?

An ENS audit is a moment in time; Active Directory changes every day in between. ADscan covers that surface continuously and exploits each path to prove it, producing evidence that strengthens, not duplicates, your ENS posture. One of the six entities we tested had a live path two years of annual pentests had missed.

Can the data stay inside the administration?

Yes, and that is the point. ADscan is on-premise with an open-source engine, so the Active Directory data that maps your exposure never leaves your network, which is the deployment posture ENS Alto expects.

Will this produce something CCN-CERT can use?

The report ties each proven path to its ENS Alto control, so the output is auditable evidence rather than a raw scan, the kind of artifact an assessor and CCN-CERT can act on directly.

Our team is stretched. Who runs it?

For the free assessment, we do. Yeray connects over VPN and delivers the ENS-mapped report the same day; your team does not have to operate the platform to get the evidence.

ENS Alto · evidence for CCN-CERT

Keep the service running by finding the path before ransomware does.

A free, live assessment of your exposure, mapped to ENS Alto and ready for CCN-CERT, delivered the same day. No platform to learn, no procurement to start.

Book a free assessmentHow we keep your data
ENS Active Directory security — ransomware exposure for the Spanish public sector | ADscan