Continuous exposure management for Active Directory: validated attack paths every day, not just on pentest day.

The Enterprise ADscan platform schedules and re-runs the full AD attack-path validation on your timetable, tracks exposure over time, and alerts your team when new paths to Domain Admin appear. One annual pentest is one day of the year. ADscan is the other 364.

What it is

Continuous Threat Exposure Management (CTEM) is the practice of discovering, validating and prioritising exploitable exposure in your environment on a continuous basis, rather than at discrete point-in-time assessments. ADscan implements CTEM for Active Directory: it validates every supported path to Domain Admin on a scheduled cadence, records proven vs theoretical findings, tracks drift between runs, and produces the compliance evidence your auditor expects to see updated regularly.

The problem

Active Directory changes constantly. Accounts are created and granted delegated privileges. Service principals are added. Group Policy is modified. Certificate templates are updated. Every change is a potential new path to Domain Admin that your last pentest cannot see. A point-in-time assessment is an accurate picture of one day; it does not tell you whether a new Kerberoastable account appeared three weeks later, or whether a developer added an SPN to a service account this morning. Continuous validation closes this window.

A single annual pentest covers 1 of 365 days — ADscan covers the other 364 on the Enterprise platform

How it works
  1. Schedule the validation cadence

    On the Enterprise platform, configure the frequency: daily, weekly, or after specific AD change events. The platform runs the full ADscan collection and validation engine on schedule, without manual intervention.

  2. Execute the full validation on each run

    Each scheduled run collects the current state of the identity attack surface, executes every supported path to Domain Admin, and records a dated snapshot of proven and theoretical findings.

  3. Detect drift between runs

    The platform compares each run to the previous one and highlights new findings, closed findings and changed severity. A new Kerberoastable account that appeared since the last run is flagged immediately.

  4. Alert on new exposure

    Configurable alerts notify the security team when a new proven path to Domain Admin appears, when a previously remediated finding re-opens, or when the exposure score crosses a configured threshold.

  5. Track the exposure score over time

    The dashboard shows the exposure score trend across runs, broken down by finding family (credential, ADCS, delegation, vulnerability). A downward trend confirms that remediation is working; an upward trend signals new risk.

  6. Generate updated compliance evidence

    Each run produces an updated compliance-mapped report. The audit trail shows regulators that validation is continuous rather than annual, satisfying DORA, NIS2 and ENS requirements for ongoing testing.

Capabilities

Scheduled re-validation on the Enterprise platform

The ADscan Enterprise platform runs the full attack-path validation engine on a configurable schedule, without requiring a human to trigger each run. This is the continuous tier; the CLI provides the same validation on demand.

Exposure drift detection

Between runs, the platform identifies new findings (new exposure), closed findings (remediated), and findings whose severity has changed. Drift is the signal that matters: what changed since we last looked.

Exposure score and trend

A per-environment exposure score aggregates proven path count, severity and remediation coverage across runs. The trend chart is the evidence that your security posture is improving, not a static snapshot.

Alert-based response

The platform triggers alerts when a new proven path to Domain Admin is detected, when exposure rises above a threshold, or when a remediated finding re-opens. Alerts can be delivered via webhook for integration with SIEM or ticketing systems.
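To make the run-to-run comparison concrete (steps 3 to 5 under "How it works" and the drift, score and alert capabilities above), here is an added Python example. It is not ADscan's code or data format: the finding fields, the severity weights, the scoring rule, the alert rules and the two run snapshots are all constructed assumptions. It diffs two dated snapshots into new, closed and changed findings, computes a severity-weighted score per family, evaluates the three alert conditions the page lists, and builds the JSON body a webhook consumer would receive (no network call is made).

```python
"""Added illustration of drift detection, an exposure score and alert rules
over attack-path validation snapshots. Constructed example; schema, weights
and rules are assumptions, not ADscan's own."""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Finding:
    id: str            # stable identifier across runs (constructed)
    family: str        # credential | adcs | delegation | vulnerability
    severity: str      # low | medium | high | critical
    proven: bool       # path executed end to end, as opposed to theoretical
    leads_to_da: bool  # whether the path ends at Domain Admin


# Assumed weights: proven paths count fully, theoretical ones at a quarter.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 3.0, "high": 6.0, "critical": 10.0}
THEORETICAL_FACTOR = 0.25


def diff_runs(previous, current):
    """Classify findings as new, closed or changed between two dated runs."""
    prev = {f.id: f for f in previous}
    cur = {f.id: f for f in current}
    new = [cur[i] for i in sorted(cur.keys() - prev.keys())]
    closed = [prev[i] for i in sorted(prev.keys() - cur.keys())]
    changed = [(prev[i], cur[i]) for i in sorted(prev.keys() & cur.keys())
               if (prev[i].severity, prev[i].proven) != (cur[i].severity, cur[i].proven)]
    return {"new": new, "closed": closed, "changed": changed}


def exposure_score(findings):
    """Severity-weighted score plus a per-family breakdown for the trend chart."""
    by_family = {}
    for f in findings:
        weight = SEVERITY_WEIGHT[f.severity] * (1.0 if f.proven else THEORETICAL_FACTOR)
        by_family[f.family] = by_family.get(f.family, 0.0) + weight
    return sum(by_family.values()), by_family


def evaluate_alerts(drift, score, previously_remediated, threshold):
    """Three rules: new proven path to DA, re-opened finding, score over threshold."""
    alerts = []
    for f in drift["new"]:
        if f.proven and f.leads_to_da:
            alerts.append(("new_proven_da_path", f.id))
        if f.id in previously_remediated:
            alerts.append(("finding_reopened", f.id))
    for before, after in drift["changed"]:
        # A theoretical DA path that became proven is also a new proven path.
        if after.proven and after.leads_to_da and not (before.proven and before.leads_to_da):
            alerts.append(("new_proven_da_path", after.id))
    if score > threshold:
        alerts.append(("score_threshold", f"{score:.2f} > {threshold:.2f}"))
    return alerts


def webhook_payload(run_date, drift, score, by_family, alerts):
    """JSON body a SIEM or ticketing webhook would receive (nothing is sent here)."""
    return json.dumps({
        "run_date": run_date,
        "exposure_score": score,
        "by_family": by_family,
        "new": [f.id for f in drift["new"]],
        "closed": [f.id for f in drift["closed"]],
        "changed": [{"id": a.id, "from": f"{b.severity}/{'proven' if b.proven else 'theoretical'}",
                     "to": f"{a.severity}/{'proven' if a.proven else 'theoretical'}"}
                    for b, a in drift["changed"]],
        "alerts": [{"rule": rule, "detail": detail} for rule, detail in alerts],
    }, sort_keys=True)


def run_cycle(previous, current, previously_remediated, threshold=20.0):
    """One scheduled cycle: diff, score, alert. Returns everything for the payload."""
    drift = diff_runs(previous, current)
    score, by_family = exposure_score(current)
    alerts = evaluate_alerts(drift, score, previously_remediated, threshold)
    return drift, score, by_family, alerts


# Constructed snapshots from two hypothetical scheduled runs.
RUN_1 = [
    Finding("F-001", "credential", "high", True, True),
    Finding("F-002", "adcs", "critical", True, True),
    Finding("F-003", "delegation", "medium", False, False),
    Finding("F-004", "vulnerability", "high", True, False),
]
RUN_2 = [
    Finding("F-002", "adcs", "critical", True, True),
    Finding("F-003", "delegation", "high", True, False),   # now proven, severity raised
    Finding("F-005", "credential", "high", True, True),    # new: SPN added to a service account
    Finding("F-007", "delegation", "low", False, False),   # closed in an earlier run, back again
]
PREVIOUSLY_REMEDIATED = {"F-007"}  # ids closed in runs before RUN_1 (constructed)

if __name__ == "__main__":
    drift, score, by_family, alerts = run_cycle(RUN_1, RUN_2, PREVIOUSLY_REMEDIATED)
    print(webhook_payload("2025-01-02", drift, score, by_family, alerts))  # date is constructed
```

Note what the sample shows: the aggregate score actually drops slightly between the two runs (two findings were remediated) while a brand-new proven path to Domain Admin appeared, so the trend line alone would have looked reassuring. That is why the alert rules key on the drift categories rather than on the score only, with the threshold as a backstop.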

Continuous compliance evidence

Each run produces a dated, compliance-mapped report. The history of reports is the audit trail that demonstrates continuous testing to DORA Article 24, NIS2 Article 21 and ENS Alto, replacing the statement "we ran a pentest last year" with a dated record.

On-demand CLI for ad hoc re-runs

The open-source CLI provides the same validation engine for on-demand re-runs after specific changes: a new service account, a GPO modification, a certificate template change. Not continuous by itself, but the same engine under the hood.

Compliance

Mapped to the control your supervisor asks about.

DORA Article 24 requires financial entities to test ICT tools and systems, and the Article 24 RTS specifies that threat-led penetration testing must cover the full ICT environment on a recurring basis. NIS2 Article 21 imposes a proportionate and continuous obligation for risk management measures. ENS Alto requires ongoing validation. A single annual test does not satisfy any of these requirements interpreted strictly. ADscan Enterprise continuous validation produces a dated run history with compliance-mapped findings that demonstrates ongoing testing, not a single point-in-time snapshot. Every run is a fresh DORA Article 9.4 evidence document.

LITE vs PRO
LITE

The open-source CLI runs the full validation engine on demand, on any schedule you set up yourself. It produces the same findings and compliance output per run. There is no built-in scheduling, dashboard or drift tracking: those require the Enterprise platform.

PRO

Adds the board-ready PDF and compliance mapping per run. Free in beta for consultancies and MSSPs who want to offer continuous AD validation as a managed service. The Enterprise platform (continuous tier) adds scheduled runs, the web dashboard, drift detection, alerts and the full audit trail required for DORA continuous testing.

Proof

In proof-of-value engagements, every re-run after a remediation cycle has confirmed the remediated path was closed and surfaced at least one new finding introduced by an AD change made during the remediation window.

FAQ

Questions, answered.

What is CTEM (Continuous Threat Exposure Management)?

Continuous Threat Exposure Management (CTEM) is a framework for continuously discovering, validating, prioritising and remediating exploitable exposure in your environment. Rather than relying on periodic assessments, CTEM runs validation on a continuous cadence so that new risks introduced by infrastructure changes are caught quickly. The core requirement is that validation must be exploitability-based, not configuration-check-based: you need to know which exposure an attacker can actually use, not which setting is misconfigured in theory.

How does ADscan implement CTEM for Active Directory?

ADscan implements the three CTEM stages for the AD identity layer: discover (collect the full identity attack surface), validate (execute every supported path to Domain Admin, marking proven vs theoretical), and prioritise (rank by exploited severity and compliance deadline). On the Enterprise platform, this cycle runs on a schedule, drift is detected between runs, and alerts fire when new proven paths appear. The CLI provides the same discovery and validation stages on demand.

How is CTEM different from vulnerability scanning?

Vulnerability scanning checks for the presence of known CVEs or misconfigurations by comparing configuration state against a known-bad list. It cannot tell you whether the vulnerability is exploitable in your specific environment, whether it leads to Domain Admin, or whether a chain of lower-severity misconfigurations combines into a critical path. CTEM requires validation: actually executing the path, not just identifying the condition. ADscan executes each supported path end to end, so the exposure it reports is proven, not inferred.

Is the "continuous" feature available in the free CLI?

No. The CLI is run-driven: you execute it when you choose to, and it validates the full AD attack surface in that run. Continuous means the Enterprise platform schedules and runs the validation automatically, detects drift between runs, and maintains the audit trail. The CLI gives you the same validation quality on demand; the Enterprise platform adds the scheduling, dashboard, drift detection and alerting that make it continuous.

What does Gartner CTEM require for identity security?

Gartner's CTEM framework (published 2022, updated 2024) requires exposure management to be exploitability-validated rather than configuration-check-based, to cover the full scope including identity infrastructure, and to be prioritised by business impact rather than CVSS score. For Active Directory, this means proving which paths to Domain Admin are real, not just listing Kerberoastable accounts. ADscan validates exploitability end to end for the AD identity layer. We do not hold a Gartner recognition or badge.

How often should an organisation run AD exposure validation?

DORA Article 24 requires recurring testing; the frequency is proportionate to the entity's risk profile and the pace of change in its ICT environment. For most regulated entities, monthly validation is the practical minimum given how often Active Directory changes in a live financial environment. After any significant change (new service accounts, domain controller patching, GPO modification, ADCS template changes), an immediate re-run is warranted. The Enterprise platform lets you configure the cadence and run ad hoc scans after change events.

See your real exposure

Find out which path to Domain Admin you have today.

Request a proof of value and we will run ADscan against your Active Directory, then deliver the compliance-mapped report.
