Measure & Comply

Your Active Directory security posture, measured by what an attacker can actually exploit.

Most AD posture tools count misconfigurations. ADscan scores posture from proven exposure: every number in the dashboard is backed by a path ADscan walked or a vulnerability it confirmed, not a configuration flag it read.

What it is

AD Identity Security Posture Management (ISPM) is the discipline of measuring, scoring and continuously tracking the security state of an Active Directory environment at the identity layer. ADscan implements ISPM by validating real exploitability: the Exposure Score reflects paths that ADscan actually exploited or confirmed, not only configurations that match a known weakness pattern.

The problem

Configuration checklists tell you what looks wrong. They do not tell you whether it can be exploited, how far a successful exploitation reaches, or what a board-level number for that risk is. An AD audit that counts weak password policies and stale accounts without asking "can an attacker reach Domain Admin from here?" is answering the wrong question. Posture has to be measured from the attacker's point of view.

72% of intrusions involved identity as the primary vector (Mandiant M-Trends, 2025).

How it works
  1. Collect the full identity surface

     ADscan inventories every user, computer, group, service account, GPO, ADCS template, delegation and trust in the domain. The posture measurement is only as complete as the surface it covers.

  2. Validate exploitability

     For each supported attack technique, ADscan attempts to execute the path. Posture is scored from what succeeds, not from what is configured incorrectly. A misconfiguration that cannot be reached gets a different weight than one that leads directly to Tier 0.

  3. Score your Exposure

     The Exposure Score is computed from the count, severity and blast radius of proven and detected paths in your specific environment. It is your number, from your AD, not a universal benchmark.

  4. Assess identity hygiene

     Stale accounts, over-privileged service accounts, weak password policies, Kerberoastable accounts and AS-REP-roastable accounts are enumerated and weighted by the attack paths they enable.

  5. Review ADCS and trust topology

     Certificate Services posture covers all 15 ESC classes. Trust posture covers cross-domain and cross-forest relationships that extend the blast radius of a domain compromise.

  6. Track posture over time

     On the Enterprise platform, posture is re-measured on a schedule. The dashboard shows the Exposure Score trend, new and closed paths, and drift in identity hygiene metrics since the last run.

Capabilities

Exposure Score, computed from your AD

A single metric that aggregates the severity and blast radius of every proven and detected path in your environment. Grounded in exploitation results, not configuration counts.

Identity hygiene dashboard

Stale accounts, Kerberoastable service accounts, AS-REP-roastable users, over-privileged accounts and password policy gaps, enumerated and weighted by the paths they open.

ADCS posture across ESC1 to ESC15

Every certificate template is checked against all 15 ESC attack classes. The posture view shows which classes have vulnerable templates and whether any of those templates have been exploited by ADscan.

Trust topology and forest posture

Cross-domain and cross-forest trusts are included in the posture calculation. A trust that extends Domain Admin access to a low-trust forest partner is a posture risk, not just a topology fact.

Executive web dashboard

The adscan_web dashboard gives the security team and CISO a real-time view of the Exposure Score, severity distribution and top open paths. Designed to answer the board question: "are we better or worse than last quarter?"

Posture validates exploitability, not just configuration

A configuration checker flags everything that looks wrong. ADscan walks the path. A misconfiguration that cannot be reached from a real low-privilege foothold is weighted differently from one that reaches Tier 0 in three steps.

Compliance

Mapped to the control your supervisor asks about.


DORA Article 9 requires ICT risk measurement. An Exposure Score computed from validated attack paths is directly auditable evidence of that measurement — more credible than a count of open findings, because each number is backed by an exploit attempt. ENS Alto Measures (MP.S and OP.ACC) and NIS2 Article 21 impose risk-proportionate security measures: ADscan's posture output quantifies the risk by showing which paths are exploitable, which are theoretical, and what the aggregate exposure number is. ISO 27001:2022 Annex A.8 (asset management) and A.5.15 (access control) align directly with the identity hygiene and privilege-path dimensions of posture.

LITE vs PRO
LITE

The open-source engine on the command line produces the full collection and exploitation run, and the CLI output includes the per-finding severity and path status. The Exposure Score is available as a summary in the terminal output. Free on GitHub.

PRO

Adds the board-ready PDF report with the full posture narrative, Exposure Score, identity hygiene findings and DORA, NIS2 and ENS mapping. Free in beta for consultancies and MSSPs. The Enterprise platform adds the adscan_web dashboard, scheduled re-runs, trend tracking and posture-drift alerts.

Proof

In every regulated environment where we have run ADscan, the Exposure Score surfaced at least one exploitable path that a configuration-only audit had missed, because the misconfiguration was present but the path was only reachable from a specific low-privilege account.

FAQ

Questions, answered.

What is Identity Security Posture Management (ISPM)?

ISPM is the discipline of continuously measuring and improving the security state of identity infrastructure, particularly Active Directory. It goes beyond point-in-time audits by tracking posture over time and beyond configuration checklists by validating whether misconfigurations are exploitable. ADscan implements ISPM by validating each supported attack path and scoring posture from the results.

How is ISPM different from traditional AD auditing?

Traditional AD auditing counts weak configurations: stale accounts, weak password policies, SPN-enabled service accounts. ISPM measures exploitability: can an attacker use those configurations to reach Domain Admin? ADscan does both, but the posture score is driven by exploitation results rather than configuration findings alone, so it reflects actual risk rather than a checklist.

What does the AD Exposure Score measure?

The Exposure Score is a metric computed from the count, severity and blast radius of proven and detected attack paths in your specific Active Directory. A higher score means more paths exist, or more severe ones, or paths that reach more Tier 0 targets. It is your score from your environment, not a benchmark. The score goes down as you remediate proven paths and up when new ones are created.

How does ADscan score posture rather than just auditing configuration?

ADscan collects the full attack surface and then attempts to execute each supported path. A misconfiguration that cannot be reached from a real low-privilege foothold is weighted lower than one that leads to Tier 0 in three hops. The Exposure Score aggregates these weighted results into a single number. Configuration-only tools cannot make this distinction because they never try to walk the path.
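A toy scoring model, added here as an illustration and not ADscan's code or formula, showing how the weighting described in the "How it works" steps and in this answer separates a proven four-hop chain, a detected-only one-hop path, and a misconfiguration that sits on no path to Tier 0. The graph, edge kinds, severity values and the decay, detected and residual constants are all constructed assumptions.

```python
from collections import deque

# Constructed sample graph: source -> [(target, technique)]. Every edge is a finding a checklist would count.
GRAPH = {
    "user:alice": [("group:helpdesk", "member_of")],
    "group:helpdesk": [("computer:ws01", "admin_to")],
    "computer:ws01": [("user:svc_sql", "session_on")],
    "user:svc_sql": [("group:domain_admins", "generic_all")],
    "user:carol": [("group:domain_admins", "generic_all")],
    "user:bob": [("computer:ws02", "admin_to")],  # dead end: reaches nothing sensitive
}
TIER0 = {"group:domain_admins"}
FOOTHOLDS = ["user:alice", "user:bob", "user:carol"]  # assumed low-privilege starting points
PROVEN = {("user:alice", "group:helpdesk"), ("group:helpdesk", "computer:ws01"),  # validated steps:
          ("computer:ws01", "user:svc_sql"), ("user:svc_sql", "group:domain_admins")}  # alice's chain only
SEVERITY = {"member_of": 1.0, "admin_to": 2.0, "session_on": 2.0, "generic_all": 3.0}
HOP_DECAY, DETECTED_FACTOR, RESIDUAL = 0.9, 0.5, 0.1  # assumed tuning constants

def shortest_path(graph, start, tier0):
    """BFS from a foothold; return the edge list of the shortest Tier 0 path, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node in tier0 and path:
            return path
        for nxt, technique in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, nxt, technique)]))
    return None

def path_weight(path, proven, severity):
    """Worst-step severity, decayed per extra hop, halved unless every step was proven."""
    status = "proven" if all((s, d) in proven for s, d, _ in path) else "detected"
    worst = max(severity[t] for _, _, t in path)
    return round(worst * (1.0 if status == "proven" else DETECTED_FACTOR) * HOP_DECAY ** (len(path) - 1), 3), status

def exposure_score(graph, footholds, tier0, proven, severity):
    """Sum weighted Tier 0 paths; findings on no path keep only a residual weight."""
    on_path, paths, score = set(), [], 0.0
    for start in footholds:
        path = shortest_path(graph, start, tier0)
        if path:
            weight, status = path_weight(path, proven, severity)
            paths.append({"from": start, "hops": len(path), "status": status, "weight": weight})
            score += weight
            on_path.update((s, d) for s, d, _ in path)
    findings = [(s, d, t) for s, edges in graph.items() for d, t in edges]
    score += sum(RESIDUAL * severity[t] for s, d, t in findings if (s, d) not in on_path)
    return {"score": round(score, 3), "config_findings": len(findings), "paths": paths}
```

On this sample a checklist reports six findings, while the score is dominated by the two paths that actually reach Tier 0 and bob's unreachable local-admin right contributes only the residual.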

Which AD assessment tools does ADscan replace?

ADscan covers the attack-surface inventory of BloodHound, the ADCS assessment of Certipy, the identity hygiene checks of PingCastle-style auditors, and the exploitation validation that none of those tools perform. It does not replace a comprehensive pentest of non-AD systems, but for the Active Directory layer it consolidates collection, graph-building, exploitation and compliance mapping into one run.

Can ADscan produce posture evidence for DORA or ENS auditors?

Yes. The PRO report includes the Exposure Score, the full list of proven and detected paths, and each finding mapped to its DORA, NIS2 or ENS control with a legal citation. Auditors receive a dated, machine-produced assessment of the AD attack surface rather than a manually maintained spreadsheet. On the Enterprise platform, the trend data shows how posture changed between assessment periods.

See your real exposure

Find out which path to Domain Admin you have today.

Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.

AD Identity Security Posture Management (ISPM) | ADscan