Your full Active Directory attack surface, mapped and ready to exploit.
ADscan collects every identity object, delegation, certificate template and trust across your domain natively, then builds the attack graph BloodHound would build — except it does not stop there. Every edge it draws, it can walk.
AD attack surface mapping is the automated discovery of every identity object, privilege relationship and attack-relevant configuration in an Active Directory environment. ADscan goes beyond a BloodHound-style graph snapshot: the same collection run feeds the validation engine that exploits each discovered path.
78%
In 78% of human-operated ransomware attacks the attacker breaches a domain controller. That breach starts by traversing identity relationships that defenders cannot see because they have never been fully inventoried. An attacker does not need a vulnerability scanner. They need an AD they understand better than you do. The first step to closing every path is knowing every object and relationship that creates one.
Microsoft Digital Defense Report, 2025
- 01 Authenticate
ADscan uses a scoped, low-privilege account. No elevated credentials are required for the collection phase. It runs from inside the network, on-premises, and no domain data leaves your perimeter.
- 02 Collect all identity objects
Users, computers, groups, service accounts, managed service accounts and gMSAs across every domain in scope, pulled natively via LDAP and the AD replication protocol.
- 03 Map delegations and ACLs
Every unconstrained delegation, constrained delegation, RBCD configuration and ACL edge that creates a privilege-escalation route is collected and tagged by attack family.
- 04 Inventory ADCS templates and PKI
Every certificate template in Active Directory Certificate Services is enumerated for the 15 ESC classes. Templates that match a known attack class are flagged and fed to the exploitation engine.
- 05 Resolve trusts and forest boundaries
Cross-domain and cross-forest trust relationships are mapped, so attack paths that cross trust boundaries are visible in the graph rather than silently terminating at a domain edge.
- 06 Build the attack graph
The collected surface is assembled into a directed attack graph, exactly as an attacker reasons about it: nodes are identity objects, edges are exploitable relationships, and Tier 0 targets are highlighted as the destination.
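The graph-building step above, as an added example that is not ADscan's own code: a constructed inventory of identity objects and tagged relationship edges is assembled into a directed graph, every principal's shortest route into Tier 0 is found by BFS, and the edges shared by the most routes are ranked so a defender knows which delegation or ACL to remove first. Object names, edge types, family tags and the Tier 0 set are all assumptions.

```python
from collections import defaultdict, deque

# Edge type -> attack family (tag names assumed; mirrors the page's step 03).
FAMILY = {"MemberOf": "group-nesting", "GenericAll": "acl-abuse",
          "WriteDacl": "acl-abuse", "AllowedToDelegate": "delegation",
          "AllowedToActOnBehalfOf": "delegation", "AdminTo": "local-admin"}

# Constructed inventory of (source, edge type, target); not real domain data.
INVENTORY = [
    ("alice", "MemberOf", "Helpdesk"),
    ("dave", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc-backup"),
    ("svc-backup", "AllowedToDelegate", "DC01"),
    ("bob", "MemberOf", "IT-Ops"),
    ("IT-Ops", "WriteDacl", "Domain Admins"),
    ("carol", "AdminTo", "WS07"),  # dead end: WS07 has no outgoing edge
]
TIER0 = {"Domain Admins", "Enterprise Admins", "DC01"}  # assumed Tier 0 set


def build_graph(inventory):
    """Adjacency list node -> [(target, edge_type)]; untagged edges are rejected."""
    graph = defaultdict(list)
    for src, edge, dst in inventory:
        if edge not in FAMILY:
            raise ValueError(f"edge type {edge} has no attack-family tag")
        graph[src].append((dst, edge))
    return graph


def shortest_path_to_tier0(graph, start, tier0=TIER0):
    """BFS over the directed graph; returns hops [(src, edge, dst)] or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node in tier0:
            return path
        for nxt, edge in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, edge, nxt)]))
    return None


def choke_points(graph, principals):
    """Rank edges by how many principals' shortest Tier 0 paths cross them;
    the top entries are the relationships a defender should remove first."""
    counts = defaultdict(int)
    for p in principals:
        for hop in shortest_path_to_tier0(graph, p) or []:
            counts[hop] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Removing the single GenericAll edge from Helpdesk to svc-backup cuts both alice's and dave's routes at once, which is the kind of prioritisation the ranked output is for.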
Full identity object inventory
Every user, computer, group, service account, GPO and OU across the domain is collected in one run, without an agent and without elevated credentials.
Delegation and ACL enumeration
Unconstrained delegation, constrained delegation, RBCD and abusable ACL rights such as GenericAll and WriteDACL are enumerated and mapped to the attack techniques that exploit them.
ADCS template inventory (ESC1 to ESC15)
Every certificate template is checked against all 15 ESC attack classes. Vulnerable templates are flagged in the map and passed directly to the ADCS exploitation engine.
GPO and trust topology
Group Policy Objects and cross-domain or cross-forest trusts are included in the surface, so privilege paths that traverse GPO links or trust relationships remain visible.
Beyond BloodHound: the map feeds the exploit
BloodHound produces a snapshot graph you query manually. ADscan produces the same graph and then walks every supported edge end to end, so you know which paths in the map are real, not just present.
One comprehensive inventory per run
The output is a single, consistent snapshot of the full attack surface at collection time, suitable for comparison across runs and for compliance evidence that the surface was assessed.
Mapped to the control your supervisor asks about.
DORA Article 9.4 requires entities to implement protection and prevention measures adequate to the ICT risk in their environment. Knowing the complete attack surface is the prerequisite for that. ENS Alto operational controls and NIS2 Article 21 impose equivalent asset-management and risk-mapping duties. ADscan's inventory is the evidential baseline: it records what existed, when it was assessed, and what attack classes it was checked against, giving auditors a dated, machine-produced inventory rather than a manually maintained one.
The open-source ADscan engine performs the full collection and attack-graph build on the command line. Every identity object, delegation, ADCS template and trust is inventoried and the graph is produced. Free and auditable on GitHub.
Adds the board-ready PDF report with the full attack-surface inventory, per-object findings and DORA, NIS2 and ENS control mapping. Free in beta for consultancies and MSSPs. The Enterprise platform adds scheduled collection runs, surface-drift tracking between runs, and the web dashboard.
Explore the rest of the platform.
In every regulated environment where we have run ADscan, the inventory surfaced at least one delegation or certificate template that had not appeared in previous manual assessments.
Questions, answered.
What is AD attack surface mapping?
AD attack surface mapping is the automated enumeration of every identity object, privilege relationship, delegation, certificate template and trust in an Active Directory environment, assembled into a directed attack graph that shows every route toward Tier 0. It is the discovery layer that precedes validation: you cannot validate a path you have not mapped.
How does ADscan compare to BloodHound for attack surface mapping?
BloodHound produces a graph you query manually to identify candidate paths. ADscan produces the same graph and then walks every supported edge end to end with credential handoff, so the output is not merely a list of theoretical paths but a set of findings that separates proven paths from theoretical ones. ADscan also includes ADCS template enumeration (ESC1 to ESC15) and GPO/trust topology natively, without requiring separate Certipy or manual enrichment runs.
What does an AD attack surface include?
The full AD attack surface includes user accounts and their privilege group memberships, computer accounts, service accounts (standard, managed and group-managed), ACL edges such as GenericAll/WriteDACL/AddMember, unconstrained delegation targets, constrained delegation configurations, RBCD registrations, ADCS certificate templates, GPO links, and cross-domain or cross-forest trusts. ADscan collects all of these in one run.
How often should you map the AD attack surface?
Every AD change, including new accounts, delegation changes, certificate template updates and trust additions, can open new attack paths. A point-in-time snapshot is evidence for the day it was taken. On the Enterprise platform ADscan runs on a schedule and compares each run to the previous one, surfacing new edges and removed ones so drift is visible in near real time.
Can ADscan replace a manual BloodHound assessment?
For the inventory and graph-building phase, yes. ADscan's collection covers the same objects BloodHound collects and adds ADCS templates and trust topology without requiring additional tooling. For the validation phase there is no manual BloodHound equivalent: ADscan walks and exploits the paths, which BloodHound does not do at all.
Find out which path to Domain Admin you have today.
Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.