Enterprise · Continuous CTEM for Active Directory

See every path an attacker has to Domain Admin, continuously, not once a year.

The ADscan Enterprise platform runs the full Active Directory attack-path validation on your schedule, tracks every proven path to Tier 0 over time, and maps each finding to DORA, NIS2 and ENS. The annual pentest is a photograph. This is the film.

What Enterprise is

Continuous Threat Exposure Management, specialised for Active Directory.

Enterprise is the on-premise platform tier. It schedules the same engine that exploits every supported path from a low-privilege user to Domain Admin, runs it on the cadence you set, and keeps a dated history of your exposure. Where the open-source CLI is run-driven, the platform is continuous: scheduled scans, a web dashboard, finding and attack-path lifecycle, drift between runs, and the audit trail your supervisor expects to see kept current.

Scheduled validation runs

Configure the cadence: daily, weekly, or after a defined AD change event. The platform runs the full collection and attack-path validation on schedule, no human trigger required.

Web dashboard

A live executive view of your exposure: open paths to Tier 0, severity distribution, and the trend across runs. The interactive attack-path graph haloes the Tier 0 target and animates every exploited edge.

Finding and attack-path lifecycle

Every finding has a state: open, remediated, re-opened. Paths to Domain Admin are tracked across runs, so a closed path that re-appears after a change is surfaced, not lost.

Attack-path history and drift

Each run is compared to the last. New findings, closed findings and changed severity are highlighted. Drift is the signal that matters: what changed in your AD since we last looked.

MTTR and exposure trend

Track mean time to remediate across the finding lifecycle, and watch the exposure trend move down as paths close. The trend chart is the board-level evidence that the programme is working.

Same engine, on-premise

The platform runs entirely inside your perimeter on the same open-source validation engine. No AD data is uploaded, nothing is processed in a vendor cloud.

How you try it

A guided demo, on your own Active Directory.

Not a self-serve trial you wrestle with alone. An ADscan AD specialist connects to your environment, runs ADscan against your live Active Directory, walks you through the web platform as the paths surface, and hands you the report the same day. We run it for you: done-for-you, lower effort on your side, with a senior pentester explaining every path.

  1. We connect and run it on your live AD

     Remote over VPN or on site. An ADscan AD specialist runs ADscan against your real Active Directory, scoped and coordinated with your team. You watch the whole thing.

  2. We walk you through the platform live

     As each supported path to Domain Admin is exploited and proven, we show it on the web platform: the attack-path graph, the finding lifecycle, the exposure view.

  3. You get the report the same day

     One board-ready report, mapped to DORA, NIS2 and ENS, lands the same day the run finishes. Every proven path, every finding, every control reference.

The demo is free. We are validating Enterprise with a small number of regulated entities; in return we ask for honest feedback and an anonymous testimonial.

What you walk away with

From proven paths to defensible accountability.

01

Every path to Domain Admin, visualised

The interactive graph shows each exploited route from a low-privilege user to the Tier 0 target, haloed and proven by exploitation, not theory and not a CVSS list.

02

Your ransomware exposure, in context

Ransomware rides in on identity: in 78% of human-operated attacks the adversary breaches a domain controller (Microsoft, 2025). The platform shows exactly which proven paths put your Tier 0 at risk.

03

Mapped to DORA, NIS2 and ENS

Every finding is tied to the specific control your supervisor asks about, with real legal citations. The same report defends you in front of an attacker and in front of an auditor.

04

Continuous revalidation, not a yearly snapshot

Scheduled runs and drift detection mean a new Kerberoastable account or certificate template is caught when it appears, not at next year’s pentest. The dated run history is your evidence of ongoing testing.

The wedge no competitor has

Every finding maps to the control your supervisor asks about.

Proven path · Mapped control

A pentest finding is a technical fact. A supervisor needs it expressed as a control, kept current. ADscan does the translation natively, with real legal citations, and the continuous run history turns "we ran a pentest last year" into a dated record of ongoing testing that DORA Article 24, NIS2 Article 21 and ENS Alto expect to see.

DORA

EU 2022/2554, ICT risk, recurring testing (Art. 24)

NIS2

Essential and important entities (Art. 21)

ENS

Esquema Nacional de Seguridad, Alto

Proof

In the 6 regulated entities where I ran it, 100% had at least one live path to full domain takeover. One had gone undetected through two years of annual pentests.

Yeray Martin, founder, senior penetration tester

Built on an open-source engine

The same validation engine the platform runs is open source and auditable on GitHub. There is nothing to take on faith: the techniques, the exploitation, the path-walking are all in the open.

See the engine on GitHub

FAQ

Questions, answered.

What is CTEM for Active Directory?

Continuous Threat Exposure Management (CTEM) is the practice of discovering, validating and prioritising exploitable exposure on a continuous basis, rather than at point-in-time assessments. For Active Directory it means proving which paths to Domain Admin are real and exploitable, on a schedule, so that a new path introduced by an AD change is caught quickly. ADscan Enterprise implements CTEM for the AD identity layer: scheduled validation, drift detection between runs, and a dated audit trail. We implement the practice; we do not hold a Gartner badge.

How is continuous validation different from an annual pentest?

An annual pentest is an accurate picture of one day. Active Directory changes constantly, with new accounts, delegations, service principals and certificate templates, and every change is a potential new path to Domain Admin that the last pentest cannot see. Continuous validation re-runs the full attack-path exploitation on a schedule and detects drift between runs, so exposure introduced after the last test is surfaced rather than waiting for next year.

How does the guided demo work?

An ADscan AD specialist connects to your environment over VPN or on site, runs ADscan against your live Active Directory scoped and coordinated with your team, walks you through the web platform as paths surface, and delivers a board-ready report the same day. It is done-for-you: we run it, you watch, you keep the report. It is not a self-serve trial you configure alone.

Does it run on-premise? Where does our data go?

Enterprise runs entirely on-premise, inside your perimeter, on the same open-source validation engine. No Active Directory data is uploaded and nothing is processed in a vendor cloud. The engine is auditable on GitHub. Your data stays with you.

Is it safe to run in production?

Yes. The run is scoped to your Active Directory and coordinated with your team, and you watch it happen. A readiness gate refuses unreachable or unsupported paths, dangerous techniques are policy-blocked, and every AD change registers a rollback. It is built for live regulated environments, not lab conditions.

What DORA evidence does it produce?

Each run produces a dated, compliance-mapped report tying every proven finding to its specific control, with real legal citations (for example DORA Article 9.4 and Article 24 recurring testing). The history of runs is the audit trail that demonstrates ongoing testing rather than a single annual snapshot, which is what DORA Article 24, NIS2 Article 21 and ENS Alto expect.

See your real exposure

Find every path to Domain Admin before someone else proves it for you.

Book a guided demo and we will run ADscan against your live Active Directory, walk you through the platform, and deliver the compliance-mapped report the same day.

Continuous Active Directory Exposure Validation Platform | ADscan