NIS2 · Art. 21 risk-management measures · management liability

When ransomware takes the domain, it takes the operation with it.

ADscan measures your ransomware exposure — every route from a low-privilege user to full domain takeover in your Active Directory — proves it by exploiting it, and maps each one to the NIS2 risk-management measure behind it. On-premise. Open-source engine. Nine in ten intrusions come in through identity.

Low-privilege user → service account → domain admin → Tier 0. Identity is the bridge from IT into operations.
The mechanism

A pentest is a photo. Your Active Directory is a film.

For an essential or important entity, continuity is the obligation. Active Directory is the control plane your operation runs on, and it changes every day. ADscan watches the identity surface that ransomware actually rides, continuously, not once a year.

01

Measure

Map every path from an ordinary domain user to full control of the domain (Tier 0), the route an attacker walks toward your operational systems.

02

Prove

Exploit each path end to end, so a continuity risk is a demonstrated fact, not a maybe in a risk register.

03

Map

Tie each proven path to the NIS2 risk-management measure it addresses, so the evidence is ready for the competent authority.

What is at stake

Different sectors, one shared chokepoint: the identity layer.

01 · Private healthcare

Ransomware is a patient-safety risk.

When the domain falls, it is not records that stop, it is theatres, imaging and pharmacy systems. For a hospital or clinic, downtime is clinical risk, not just a data-protection event.

02 · Industry & OT

Active Directory is the bridge to OT.

In manufacturing, energy, water and transport, the identity layer sits adjacent to operational technology. A path to domain admin is often a path toward the systems that physically run the plant.

03 · Management liability

NIS2 names the management body.

NIS2 makes leadership accountable for approving and overseeing risk-management measures. Evidence that the identity surface is tested continuously is exactly what that accountability needs.

NIS2 mapping

Every proven path lands on an Article 21 measure.

Article 21 lists the risk-management measures essential and important entities must take. The report ties each proven path to the measure it evidences, so the audit trail is built as you go.

Proven AD path → NIS2 measure

Art. 21 measure | How ADscan provides the evidence

21(2)(a) · Risk analysis & IS policy
A continuous, exploited inventory of the identity-layer paths to full domain control, feeding a risk analysis grounded in proven facts.

21(2)(b) · Incident handling
Knowing the live paths to Tier 0 before an incident shortens detection and containment when ransomware moves through identity.

21(2)(c) · Business continuity
The exposure metric maps directly to continuity risk: closing paths to domain takeover is closing routes to operational shutdown.

21(2)(e) · Effectiveness assessment
Continuous re-validation proves the measures actually work, scan over scan, rather than asserting it once a year.

What we keep finding
In the 6 regulated entities where I ran it, 100% had at least one path to full domain takeover. One had gone undetected through two years of annual pentests.
Yeray Martín · Founder, ADscan
100% of those environments had a live path to Tier 0. Across the field, over 95% of Active Directory environments carry attack paths.

The platform

Runs where your operation runs: inside your perimeter.

For an operator of essential services, the assessment tool itself must not become a new exposure. ADscan is on-premise, so the Active Directory data that maps your operational risk never leaves your network.

  • On-premise appliance. AD data never leaves your infrastructure.
  • Open-source engine. Safe to run adjacent to sensitive OT and clinical systems.
  • Continuous scheduled scans with finding lifecycle and SIEM webhooks.
  • NIS2, ENS and DORA reports generated from the same evidence.
The offer

A free Proof of Value. We find your paths to Tier 0, live, this quarter.

Yeray connects over VPN, runs ADscan against your Active Directory, and delivers the NIS2-mapped report the same day. You never touch the platform.

Live assessment

A 1 to 2 hour session where we run the engine against your real domain and map the paths as they surface.

Included free

NIS2-mapped report

Every proven path tied to its Article 21 measure, written for both leadership and the competent authority.

Delivered same day

Remediation priority

The paths ordered by how directly they reach Tier 0, so your team protects continuity first.

Included free
AD Verified guarantee

If we cannot show you a path we can exploit, you owe us nothing and you keep the report. We are this confident because, so far, we have not failed to find one.

Limited to a small number of free assessments per quarter, in exchange for a testimonial.

What you give and what you get
  • You give: VPN access for one session and honest feedback.
  • You get: a proven, NIS2-mapped picture of your ransomware exposure, same day.
  • No procurement, no platform rollout, no commitment to continue.
Book a free assessment

This is the entry point to continuous CTEM, not a sales call. You leave with the evidence either way.

Objections

The questions a Head of Security asks before saying yes.

Our risk is in OT, not Active Directory. Why start here?

Because the path usually starts in IT and crosses over through identity. In manufacturing, energy and transport, Active Directory is adjacent to OT, and domain admin is often a step toward the systems that physically run operations. Closing AD paths closes the most common bridge.

We run sensitive clinical and operational systems. Is it safe to run?

ADscan is on-premise and the engine is open-source, so it runs inside your perimeter with no AD data leaving the network. That posture is what lets you assess identity risk without introducing a new one next to clinical or OT systems.

How is this different from our annual pentest?

An annual pentest is one day of coverage out of 365, and Active Directory changes daily. ADscan covers the surface continuously and exploits each path to prove it. One of the six entities we tested had a live path that two years of annual pentests had missed.

What does leadership receive?

A single, trackable exposure metric: the number of live, exploited paths to full domain control, each tied to the NIS2 measure it evidences. It is what turns board oversight of risk-management measures into something the authority can audit.

NIS2 · continuity is the obligation

Protect the operation by closing the path before ransomware finds it.

A free, live assessment of your ransomware exposure, mapped to NIS2, delivered the same day. No platform to learn, no procurement to start.

NIS2 Active Directory security — ransomware exposure for essential and important entities | ADscan