Every path to Domain Admin in your Active Directory, exploited and proven.
ADscan walks each supported attack path from a low-privilege user to Domain Admin and exploits it, so you know which routes to full domain takeover are real today, not which ones a scanner thinks might exist.
Attack path validation is the practice of proving an Active Directory attack path is exploitable rather than just mapping it. ADscan executes each supported path end to end, from foothold to Tier 0, and records the exposure as a proven fact.
100%: in every regulated environment where we have run ADscan, there was a live, exploitable path to Domain Admin. Mapping tools surface thousands of theoretical edges and leave you to guess which ones an attacker can actually walk. The path from one low-privilege account to Tier 0 is how 78% of human-operated ransomware attacks reach a domain controller, and it is invisible to a network scan. Validation tells you which paths are real.
Sources: ADscan proof of value, regulated entities to date; Microsoft Security, 2025.
- 01 Collect: Native, agentless collection of users, computers, groups, ACLs, GPOs, ADCS templates, trusts and delegations across the domain.
- 02 Graph the paths: Build the identity attack graph and surface every route toward Tier 0, modelled the way an attacker reasons about it.
- 03 Exploit each supported path: Walk each supported path, handing credentials from one step to the next, behind a readiness gate that refuses unreachable or unsupported routes.
- 04 Prove or mark theoretical: Each path is recorded as proven when ADscan reached Tier 0, or theoretical when it was detected but not executed. You see the difference at a glance.
- 05 Map and prioritise: Rank by exploited severity and blast radius, tie each proven path to its DORA, NIS2 and ENS control, and hand back root-cause remediation.
- 06 Revalidate: On the Enterprise platform, re-run on a schedule and confirm the path is gone after remediation. This is the continuous loop.
64 supported AD techniques
ADscan executes 64 supported attack techniques across the identity graph, from credential abuse to certificate-template exploitation and delegation, all natively and asynchronously.
Proven vs theoretical, never blended
A proven path is one ADscan actually walked to Domain Admin. A theoretical path is detected but not executed. The report keeps the two apart so you act on fact, not noise.
Production-safe by design
A readiness gate refuses unreachable or unsupported paths, dangerous CVEs are policy-blocked, and every AD change registers a cleanup and rollback step.
Credential handoff across steps
ADscan carries recovered credentials and tickets from one step to the next, exactly as an attacker would, so multi-hop paths to Tier 0 are executed end to end.
Root-cause remediation per path
Each proven path comes with the concrete fix that closes it at the source, ordered by what actually reaches Domain Admin, not by theoretical CVSS.
One audit-ready report
Executive summary, the full attack-path narrative, per-step technical detail with MITRE technique and Windows event IDs, and compliance mapping, in a single report.
Mapped to the control your supervisor asks about.
Every proven path to Domain Admin is tied to the specific control it satisfies: DORA Article 9.4 (protection and prevention) and Article 24 (testing of ICT tools and systems), the NIS2 Article 21 risk-management measures, ENS Alto operational and access-control controls, and ISO 27001:2022 Annex A. The same report defends you in front of an attacker and in front of an auditor, with the legal citation attached to each finding.
The open-source ADscan engine on the command line. Discover the identity attack graph and walk every supported path to Domain Admin, free and auditable on GitHub. The full validation engine, no license.
Adds the board-ready PDF report, the attack-path narrative and DORA, NIS2 and ENS compliance mapping. Free in beta for consultancies and MSSPs in exchange for feedback. The Enterprise platform adds scheduled re-validation and drift tracking.
In every regulated environment where we have run ADscan, there was a live, exploitable path to Domain Admin. One had gone two years of annual pentests without it being found.
Questions, answered.
What is attack path management in Active Directory?
Attack path management is the discipline of finding, prioritising and closing the chains of misconfigurations and privileges that let an attacker move from a low-privilege account to Domain Admin. ADscan goes one step further than mapping: it validates each supported path by exploiting it, so you manage the paths that are real rather than the thousands of theoretical edges a graph tool surfaces.
How is attack path validation different from a pentest?
A pentest is a point-in-time engagement that covers one day of the year and depends on the individual tester. Attack path validation runs the same exploitation repeatably and on demand. ADscan walks each supported path to Domain Admin, proves it, and on the Enterprise platform re-validates continuously as your Active Directory changes, so coverage is not limited to a single day.
What is a path to Domain Admin?
A path to Domain Admin is a chain of steps, for example a low-privilege user whose credentials are sprayed, then a service account that is Kerberoastable, then a certificate template that is abusable, that ends at full control of the domain (Tier 0). Each step grants the privilege needed for the next. ADscan walks the chain end to end with credential handoff at every hop.
How does ADscan validate attack paths automatically?
ADscan collects the identity attack surface natively, builds the attack graph, and then executes each supported path. A readiness gate refuses unreachable or unsupported routes, dangerous CVEs are policy-blocked, and every change registers a rollback. Paths on which it reaches Tier 0 are marked proven; paths it detects but does not execute are marked theoretical. It covers 64 supported AD techniques.
Which DORA and ENS controls require attack-path evidence?
DORA Article 9.4 requires entities to implement protection and prevention measures, and Article 24 requires testing of ICT tools and systems, both of which a proven path to Domain Admin speaks to directly. ENS Alto operational and access-control controls and NIS2 Article 21 risk-management measures impose the same duty. ADscan maps each proven path to the specific control with its legal citation.
Does ADscan exploit every possible attack path?
ADscan exploits every supported path. Of the techniques in its catalogue, 64 are executable end to end today, including credential, ADCS certificate-template and delegation paths. Some families, such as coercion (PetitPotam) and RBCD via unconstrained delegation, are detected and surfaced but not auto-exploited yet. The report is explicit about which paths were proven and which were detected.
Find out which path to Domain Admin you have today.
Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.