Active Directory Exposure Validation Platform

See and close every path to Domain Admin in your Active Directory.

ADscan discovers and exploits every supported attack path to Domain Admin, proves the exposure is real, scores it, and maps each finding to DORA, NIS2 and ENS.

A proven attack path: low-privilege user to a service account to a vulnerable certificate template to Tier 0 (Domain Admin).
Built for regulated entities: Banking · Insurance · Healthcare · Energy · Public administration

The problem

A pentest covers 1 day of 365. Your Active Directory changes every day.

Every new account, group change and certificate template can open a fresh path to Domain Admin. A point-in-time test cannot see what changed last Tuesday. ADscan validates the paths that actually exist today, then re-validates as your environment moves.

How ADscan works in one line

Discover. Exploit. Map to compliance.

Discover

Every AD attack path

A full identity attack-surface graph: users, computers, groups, ACLs, GPOs, ADCS, trusts and delegations, modelled the way an attacker sees them.

Exploit

Proven to Domain Admin

ADscan walks and exploits each supported path with guardrails and rollback, so the exposure is demonstrated, not assumed.

Map

To DORA / NIS2 / ENS

Every finding is tied to the specific DORA, NIS2 and ENS control, with legal citations, in one audit-ready report.

The platform

Ten capabilities, one Active Directory engine.

Every module is a real, audited capability of the ADscan engine, grouped by what it does for you: discover the surface, validate the paths, measure and comply, then operate continuously.

Discover

AD Attack Surface Mapping

Full inventory of your identity attack surface: users, computers, groups, ACLs, GPOs, ADCS, trusts and delegations.

Validate

Attack Path Validation

Flagship

Discovers and exploits every supported path from a low-privilege user to Domain Admin, proving the exposure is real.

adscan_web: proven and blocked edges to Tier 0

Credential & Password Exposure

Kerberoasting, AS-REP roasting and spraying, plus which password hashes ADscan actually cracked.


ADCS / Certificate Exposure

Validates ESC1 to ESC15 certificate-template attack paths against your own PKI.


Privilege & Delegation Exposure

RBCD, constrained and unconstrained delegation, and ACL or object-control abuse.


Vulnerability Validation

Known AD CVEs and misconfigurations, validated against your environment, not just flagged.

Measure & Comply

Domain Security Posture

Exposure Score, identity hygiene, trust topology and ADCS posture in one dashboard.


Compliance Mapping

Every finding mapped to the specific DORA, NIS2, ENS Alto and ISO 27001 control.

Operate

Continuous Exposure Monitoring

Scheduled re-validation, drift detection and finding lifecycle. Enterprise tier.


Integrations

SIEM, webhooks, notifications and PDF or JSON export. Works with your stack.

Why it matters

100% of the regulated environments we ran ADscan in had a live path to Tier 0. (ADscan PoV results to date)

78% of human-operated ransomware attacks breach a domain controller. (Microsoft Security, Apr 2025)

1 scan maps every finding to DORA, NIS2 and ENS, with legal citations. (ADscan report)

How it works

From scan to revalidation.

  1. Scan AD

    Native, agentless collection of users, computers, ACLs, GPOs, ADCS, trusts and delegations.

  2. Discover paths

    Build the identity attack graph and surface every route toward Tier 0.

  3. Exploit & validate

    Walk each supported path with guardrails and rollback, proving it reaches Domain Admin.

  4. Score exposure

    Quantify how reachable Tier 0 is, weighting proven paths over theoretical ones.

  5. Map to compliance

    Tie each finding to the specific DORA, NIS2 and ENS control in the report.

  6. Revalidate

    On the Enterprise platform, re-run on a schedule and track drift over time.

Exploit and Revalidate are where ADscan goes beyond detection: it proves the path, then keeps proving it as your environment changes.

Integrations

Works with your stack.

ADscan delivers a standalone report on day one and feeds your existing tooling on the Enterprise platform.

SIEM

Splunk, Microsoft Sentinel

Automation

Webhooks, notifications

Ticketing

Jira, ServiceNow

Export

PDF, JSON, CSV evidence bundle

SIEM, ticketing and webhook connectors ship with the Enterprise platform. Every tier exports the full report and evidence bundle.

Compliance

Four frameworks. One scan. Real citations.

ADscan does not list a wall of frameworks it half-supports. It maps every finding to the specific control, with the legal article, for the four that matter to regulated Spanish entities.

Proven path to Tier 0 · DORA Art. 9.4

DORA

Regulation (EU) 2022/2554. ICT risk, resilience testing, incident windows.

NIS2

Directive (EU) 2022/2555. Risk-management measures for essential entities.

ENS Alto

Esquema Nacional de Seguridad, CCN-STIC controls for the high category.

ISO 27001

ISO/IEC 27001:2022, Annex A control evidence.

For your team

One platform, three jobs done.

CISO

Board-defensible evidence

A proven exposure picture and a compliance-mapped report you can take to the board and the supervisor, not a list of theoretical findings.

IT security lead

Fix the paths before the audit

Root-cause remediation per path, prioritised by what actually reaches Tier 0, so you close the real exposure before the auditor arrives.

Consultancy / MSSP

Deliver client reports faster

The same engine, in your hands, producing client-ready AD exposure reports in a fraction of the manual time. Free PRO beta in exchange for feedback.

Three tiers

From the open-source engine to the continuous platform.

Start free on the command line, deliver board-ready reports with PRO, run it continuously on the Enterprise platform.

LITE: Open-source CLI engine

The full ADscan engine on the command line. Discover and validate paths to Domain Admin, free and open source.

Get it on GitHub

PRO: Board-ready report + compliance

Premium PDF report, attack-path narrative and compliance mapping. Free beta for consultancies and MSSPs in exchange for feedback.

Enterprise: Continuous platform + dashboard

On-prem platform with scheduled re-validation, the exposure dashboard, finding lifecycle, monitoring and integrations.

Proof
In every regulated environment where we have run ADscan, there was a live, exploitable path to Domain Admin. One had gone two years of annual pentests without it being found.
Yeray Martín, founder, ADscan

100% of regulated environments tested had a live path to Tier 0.

FAQ

Questions, answered.

What is Active Directory exposure validation?

It is the practice of not just detecting Active Directory misconfigurations but proving they are exploitable. ADscan walks and exploits each supported attack path from a low-privilege user to Domain Admin, so you know which exposures are real, today, in your environment.

How long does a scan take?

A single ADscan run against a typical mid-sized domain completes in hours, not weeks. Collection is native and agentless, and exploitation is automated per path. On the Enterprise platform, scans run on a schedule.

Does it touch production?

Yes, safely. A readiness gate refuses unreachable or unsupported paths, dangerous CVEs are policy-blocked, and every change ADscan makes registers a cleanup and rollback step. It is designed to run against live Active Directory.

Which compliance frameworks does it cover?

DORA (Regulation EU 2022/2554), NIS2, ENS Alto and ISO 27001:2022. Each finding is mapped to the specific control with the legal citation, in a single report. We map the frameworks that matter to regulated Spanish entities deeply, rather than a long list shallowly.

How is this different from a pentest?

A pentest is a point-in-time engagement that covers one day of the year and depends on the tester. ADscan validates the paths that exist today, repeatably, and on the Enterprise platform re-validates continuously as your Active Directory changes.

What is the difference between LITE and PRO?

LITE is the open-source ADscan engine on the command line: discover and validate paths, free. PRO adds the board-ready PDF report, the attack-path narrative and compliance mapping, and is free in beta for consultancies and MSSPs in exchange for feedback.

Is continuous monitoring available in every tier?

Continuous, scheduled re-validation and drift detection are part of the Enterprise platform. LITE and PRO are run on demand. The same engine underpins all three tiers.

See your real exposure

Find out which path to Domain Admin you have today.

Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.
