Active Directory Security Audit
Active Directory is the heart of IT infrastructure — it controls access to all resources. AD environments grow organically over the years: accounts, groups, delegations, GPOs — rarely cleaned up. Our audit with BloodHound, PingCastle and Purple Knight identifies hidden attack paths and excessive permissions, delivering a prioritized AD hardening plan.

What is an Active Directory Security Audit?
An Active Directory Security Audit is a deep analysis of AD configuration, permissions, and vulnerabilities — the central identity management system in most organizations. It covers AD structure analysis, GPO policies, RBAC permissions, Kerberos configuration, delegations, group membership, privilege escalation paths (attack paths) and hardening. AD compromise means full takeover of the organization.
Hidden privilege escalation paths lead straight to Domain Admin
AD audit with attack path mapping and hardening roadmap
- Enumeration: BloodHound, LDAP queries, GPO, Kerberos, delegations, trusts
- Attack path analysis: shortest path to Domain Admin, Kerberoasting, DCSync, Golden Ticket
- Hardening roadmap: prioritized actions covering Tiered Administration, GPO and monitoring
| Attribute | Value |
|---|---|
| Tools | BloodHound, PingCastle, Purple Knight |
| Scope | Configuration, permissions, attack paths |
| Duration | 1-4 weeks |
| Deliverable | Attack path map + hardening roadmap |
Hidden paths to Domain Admin
AD environments grow organically over the years: accounts, groups, delegations, GPOs are added — but rarely cleaned up. Over time, a complex web of permissions emerges with hundreds of non-obvious escalation paths. An administrator with permissions to a single server can, through a chain of delegations, obtain Domain Admin.
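The chain described above is what an attack path map makes visible: a breadth-first search over directory relationships from an ordinary account to Domain Admins. The block below is an added illustration, not nFlo's or BloodHound's code; the principals, relationship types and edges are constructed for the example, and `choke_points` shows which single edge the hardening roadmap would cut first.

```python
from collections import deque

# Constructed sample of BloodHound-style edges: (source, relationship, target).
# Not a real environment; names and relationships are invented for illustration.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "SRV-FILE01"),       # helpdesk can fully control one server
    ("SRV-FILE01", "HasSession", "svc_backup"),    # a privileged account logs on to that server
    ("svc_backup", "WriteDacl", "Domain Admins"),  # old delegation that was never cleaned up
    ("bob", "MemberOf", "Developers"),
    ("Developers", "GenericWrite", "SRV-BUILD01"),
]
TARGET = "Domain Admins"


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(graph, start, target=TARGET):
    """Breadth-first search: the path with the fewest hops from start to target,
    as an alternating list of principals and "-Relationship->" labels, or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"-{rel}->", nxt]))
    return None


def choke_points(edges, start, target=TARGET):
    """Edges whose removal alone severs every path from start to target:
    the cheapest fixes to prioritise in a hardening roadmap."""
    if shortest_path(build_graph(edges), start, target) is None:
        return []
    return [e for e in edges
            if shortest_path(build_graph([x for x in edges if x != e]), start, target) is None]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user in ("alice", "bob"):
        print(user, "->", shortest_path(g, user) or "no path to Domain Admins")
    print("choke points for alice:", choke_points(EDGES, "alice"))
```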
Without an AD audit:
- You don’t know the privilege escalation paths to Domain Admin
- Service accounts vulnerable to Kerberoasting remain unsecured
- Unconstrained delegation enables TGT ticket theft
- Excessive permissions accumulate for years without verification
- You don’t meet NIS2/ISO 27001 requirements for identity management
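The Kerberoasting, AS-REP and unconstrained-delegation exposures listed above are all visible in attributes a read-only Domain Users account can query. The block below is an added example, not part of the original page or of any audit tool: the `userAccountControl` bit values are the documented AD flags, while the account records are constructed to show one hit per finding type, with the remediation an audit would recommend in each message.

```python
# Documented userAccountControl bit flags (LDAP returns the combined value in decimal)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000             # AS-REP roastable
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed records shaped like the LDAP attributes an audit account can read.
# 512 = normal enabled account; the other values add the flags above.
ACCOUNTS = [
    {"sam": "krbtgt", "uac": 514, "spn": ["kadmin/changepw"], "adminCount": 1},
    {"sam": "svc_sql", "uac": 66048, "spn": ["MSSQLSvc/sql01.corp.example:1433"], "adminCount": 1},
    {"sam": "svc_web", "uac": 590336, "spn": ["HTTP/web01.corp.example"], "adminCount": 0},
    {"sam": "legacy_app", "uac": 4260352, "spn": [], "adminCount": 0},
    {"sam": "jdoe", "uac": 512, "spn": [], "adminCount": 0},
]


def audit_account(acct):
    """Return (severity, finding) tuples for one account; empty list means clean."""
    uac, findings = acct["uac"], []
    if uac & UF_ACCOUNTDISABLE:
        return findings  # disabled accounts (krbtgt always is) cannot be roasted or delegated to
    if acct["spn"]:
        # A user account with an SPN can have a service ticket requested and cracked offline;
        # privileged ones (adminCount=1) are the worst case.
        sev = "HIGH" if acct["adminCount"] else "MEDIUM"
        findings.append((sev, "kerberoastable: user with SPN; migrate to gMSA or set a long random password"))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("HIGH", "AS-REP roastable: pre-authentication disabled; re-enable it"))
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append(("HIGH", "unconstrained delegation: forwarded TGTs are exposed on this host; use constrained delegation"))
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append(("MEDIUM", "protocol transition enabled: review msDS-AllowedToDelegateTo targets"))
    if acct["spn"] and uac & UF_DONT_EXPIRE_PASSWD:
        findings.append(("MEDIUM", "service password never expires: rotate it and schedule rotation"))
    return findings


def audit(accounts):
    """Map each account with at least one finding to its findings."""
    return {a["sam"]: f for a in accounts if (f := audit_account(a))}


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        for sev, text in findings:
            print(f"{sev:6} {name}: {text}")
```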
BloodHound + nFlo experts = complete threat map
We use specialized tools (BloodHound, PingCastle, Purple Knight) to analyze attack paths and AD configuration. We manually verify: GPO, delegations, group membership, Kerberos, trusts. We identify Tier 0 assets and verify their protection.
What you get:
- Attack path map (BloodHound): privilege escalation visualization to Domain Admin
- AD security scoring: PingCastle assessment with benchmark comparison
- Technical report: AD configuration, GPO, delegations, Kerberos, trusts, attack paths
- Permissions audit: group membership, delegations, service accounts, admin accounts
- AD hardening plan: Tiered Administration, GPO hardening, Kerberos hardening, monitoring
- IT workshop: attack path demonstration and remediation walkthrough
Who is this for?
This service is for you if:
- You have an Active Directory environment and want to assess its security
- You’re planning an AD migration or Azure AD / Entra ID deployment
- You’ve had an internal pentest with AD compromise and want to harden the environment
- You want to implement a Tiered Administration Model
- You need to meet NIS2/ISO 27001 requirements for identity management
Packages
BASIC
1 domain, up to 500 users:
- Basic assessment and enumeration
- Attack path analysis (BloodHound)
- PingCastle scoring
- Remediation roadmap
From 15,000 PLN | 7 business days
STANDARD
1-2 domains, up to 2,000 users:
- Full assessment with attack paths
- Kerberos deep dive (Kerberoasting, AS-REP)
- GPO security review
- Azure AD integration (if applicable)
From 28,000 PLN | 12 business days
ADVANCED
Multi-forest, up to 5,000 users:
- Full attack simulation
- Privilege escalation testing
- Trust relationship analysis
- IT workshop + re-audit after remediation
From 50,000 PLN | 18 business days
Contact your account manager
Discuss Active Directory Security Audit with your dedicated account manager.

How we work
Our proven service delivery process.
- Discovery: environment information gathering, domain and forest trust identification
- Enumeration: BloodHound data collection, LDAP queries, GPO, service accounts, Kerberos
- Analysis: ACL/DACL, group membership, privileged accounts, password policies
- Attack Path Analysis: shortest path to DA, Kerberoasting, AS-REP Roasting, DCSync, Golden/Silver Ticket
- Report & Remediation: technical report, executive summary, remediation roadmap, IT workshop
Benefits for your business
What you gain by choosing this service.
- Attack path map: BloodHound visualization showing exactly how attackers reach DA
- PingCastle scoring: numerical AD security score with industry benchmarks
- Hardening plan: prioritized actions with effort estimates and timelines
- Knowledge transfer: workshop with the IT team covering attack path demonstration and remediation
Frequently Asked Questions
Common questions about Active Directory Security Audit.
What tools do you use for the AD audit?
BloodHound CE for attack path visualization, PingCastle for quick assessment and scoring, Purple Knight for security evaluation, and manual tools: PowerView, Rubeus, Mimikatz (PoC). All tools operate in read-only mode — we don't modify the environment.
Does the audit require a Domain Admin account?
No. A Domain Users account (read-only) is sufficient. For deeper analysis (deep dive), we optionally request a higher-privilege account, but the basic attack path audit is performed with minimal permissions.
How long does an AD audit take?
From 7 business days (1 domain, up to 500 users) to 24 business days (multi-forest, 5000+ users). A typical audit for a mid-size organization takes 2-3 weeks.
Do you cover Azure AD / Entra ID?
Yes — in Standard and higher packages. We analyze hybrid join, synchronization, conditional access policies and attack paths between on-prem AD and Azure AD.
What do we get in the report?
Executive summary with risk score, technical report with attack paths (BloodHound visualization), permissions audit, PingCastle scoring with benchmarks and a prioritized remediation roadmap with concrete steps.