Active Directory Security Assessment
Ransomware operators do not brute force their way to Domain Admin. They walk there, through a misconfigured ACL or a Kerberoastable service account your IT team set up three years ago and forgot about. We map every attack path before they do. CREST-certified. UK-based.
Active Directory Audit: Attack Path Analysis
Attackers think in graphs. Defenders think in lists. We help you see your Active Directory the way an adversary does. Beyond automated scanning, we map the complex relationships, hidden permissions, and legacy configurations that allow attackers to reach Domain Admin.
Attack Path Mapping
We use BloodHound with SharpHound for data collection and custom Cypher queries to identify every attack path from standard user to Domain Admin, including paths the built-in queries miss. All collection is read-only. We enumerate derivative admin relationships, ACL and DACL abuse paths, GPO control chains, session hunting, orphaned accounts, and domain trust relationships.
Kerberoasting & Credential Analysis
We identify every account vulnerable to Kerberoasting, AS-REP Roasting, and DCSync, enumerate their privilege level, and provide prioritised remediation including password rotation schedules and gMSA migration. A single Kerberoastable Tier 0 service account is a direct path to complete domain compromise.
AD Certificate Services (ESC1-ESC8)
We enumerate all AD CS certificate templates and configurations against the ESC1 through ESC8 vulnerability classes. Misconfigured certificate templates are the single fastest privilege escalation path in most modern Active Directory environments.
GPO & ACL Configuration Audit
We audit Group Policy Objects for insecure defaults, over-permissive delegation, and misconfigured security settings. ACL review covers GenericAll, GenericWrite, WriteDacl, and WriteOwner permissions across all object classes. This is where most Active Directory hardening projects fail: the tiered model looks correct in ADUC, but BloodHound shows a different picture.
Entra ID & Hybrid Assessment
For hybrid environments using Azure AD Connect or Entra ID with on-premises sync. We assess Conditional Access policy gaps, over-privileged App Registrations and Service Principals, PIM configuration, guest access policies, and Primary Refresh Token attack surface. We ensure a compromise on-premises cannot pivot to the cloud, and vice versa.
Choke Point Prioritisation
We prioritise fixes based on Choke Points: the few changes that break the most attack paths. Remediation is tiered as Critical (break active attack paths), High (reduce attack surface), and Medium (hardening baseline). Named controls include LAPS deployment, gMSA migration, KRBTGT rotation, Protected Users group, and tiered admin model validation.
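As an added illustration of the graph view and choke-point ranking described above (this is example code written for this page, not the assessment's own tooling or SharpHound output), the following Python models a small, entirely hypothetical corp.local domain as a relationship graph, enumerates every simple path from a set of standard users to Domain Admins, and ranks the edges by how many paths they break when removed. The principals, edges and relationship labels are constructed; in a real engagement the equivalent queries run in Cypher against BloodHound data.

```python
"""Attack-path enumeration and choke-point ranking over a constructed AD relationship graph.

Every name below is hypothetical (a fictional corp.local domain). Edge labels follow the
BloodHound vocabulary: MemberOf, AdminTo, HasSession, GenericWrite, GenericAll.
"""
from collections import defaultdict

# Constructed sample: (subject, relationship, object). Not real data.
EDGES = [
    ("alice@corp.local",            "MemberOf",     "HELPDESK@corp.local"),
    ("bob@corp.local",              "MemberOf",     "HELPDESK@corp.local"),
    ("HELPDESK@corp.local",         "AdminTo",      "WS-IT01.corp.local"),     # local admin on an IT workstation
    ("WS-IT01.corp.local",          "HasSession",   "da-admin@corp.local"),    # a Domain Admin is logged on there
    ("HELPDESK@corp.local",         "GenericWrite", "svc-backup@corp.local"),  # legacy delegation nobody remembers
    ("erin@corp.local",             "GenericAll",   "svc-backup@corp.local"),
    ("svc-backup@corp.local",       "MemberOf",     "BACKUP OPERATORS@corp.local"),
    ("BACKUP OPERATORS@corp.local", "AdminTo",      "DC01.corp.local"),
    ("DC01.corp.local",             "HasSession",   "da-admin@corp.local"),
    ("carol@corp.local",            "GenericAll",   "da-admin@corp.local"),
    ("da-admin@corp.local",         "MemberOf",     "DOMAIN ADMINS@corp.local"),
    ("dave@corp.local",             "MemberOf",     "FINANCE@corp.local"),     # dead end: no path from here
]
STARTS = ["alice@corp.local", "bob@corp.local", "carol@corp.local",
          "dave@corp.local", "erin@corp.local"]
TARGET = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency list: node -> list of (relationship, neighbour)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def find_paths(graph, start, target):
    """All simple paths from start to target, each as a list of (src, rel, dst) edges."""
    paths = []

    def walk(node, visited, path):
        for rel, nxt in graph.get(node, []):
            if nxt in visited:          # no cycles: a node appears at most once per path
                continue
            edge = (node, rel, nxt)
            if nxt == target:
                paths.append(path + [edge])
            else:
                walk(nxt, visited | {nxt}, path + [edge])

    walk(start, {start}, [])
    return paths


def all_paths(graph, starts, target):
    """Paths from every starting principal, concatenated."""
    return [p for s in starts for p in find_paths(graph, s, target)]


def choke_points(paths, target):
    """Rank edges by the number of paths that traverse them (paths broken if the edge is
    removed). Edges into the target itself are excluded: an admin account's membership
    of Domain Admins is the thing being protected, not a misconfiguration to remove."""
    counts = defaultdict(int)
    for path in paths:
        for edge in path:
            if edge[2] != target:
                counts[edge] += 1
    return sorted(((n, e) for e, n in counts.items()), key=lambda x: (-x[0], x[1]))


def format_path(path):
    return " ".join(f"{s} -[{r}]->" for s, r, _ in path) + " " + path[-1][2]


if __name__ == "__main__":
    g = build_graph(EDGES)
    paths = all_paths(g, STARTS, TARGET)
    print(f"{len(paths)} paths to {TARGET}")
    for p in paths:
        print("  " + format_path(p))
    print("top choke points (paths broken if the edge is removed):")
    for n, (s, r, d) in choke_points(paths, TARGET)[:3]:
        print(f"  {n}  {s} -[{r}]-> {d}")
```

Run as-is, the sample graph yields six paths, and the three edges of the Backup Operators chain (svc-backup's Tier 0 group membership and what follows from it) each sit on three of them, which is exactly the kind of single fix that the Critical tier targets: remove one membership and half the paths disappear. Path-coverage ranking is a heuristic rather than a true minimum cut, but it is cheap, explainable to the people who have to approve the change, and easy to re-run after each remediation.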
Active Directory Risk Profile
Quantifiable risk reduction for the identity layer that controls your entire on-premises network.
Average Breakout Time
Average eCrime breakout time from initial access to lateral movement. The fastest recorded: 27 seconds. Your AD controls are the only thing between initial access and domain compromise.
Find Path to Domain Admin
Of our AD security assessments identify at least one exploitable path from a standard user account to Domain Admin. The paths are there. The question is who finds them first.
Compliance Mapping
Every finding mapped directly to ISO 27001 A.8/A.9, NIST CSF v2.0 PR.AA, Cyber Essentials Plus, and GDPR Art. 32. The evidence pack your auditor needs.
Controls
On-Premises AD and Entra ID
Whether your environment is fully on-premises or hybrid, we cover the complete attack surface. Both scopes are available as standalone or combined engagements.
On-Premises AD Assessment
For environments running Windows Server AD (2012+). All testing is read-only using a standard user account.
Hybrid Assessment (AD + Entra ID)
For environments using Azure AD Connect or Entra ID with on-premises sync. Covers cloud-to-prem pivot paths.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Scoping
We agree forest and domain scope, Entra ID inclusion, and rules of engagement. You provide a single standard user account. No Domain Admin credentials required.
Data Collection
Tools like SharpHound collect AD object data in read-only mode. No objects are modified, no passwords are reset, no accounts are created. Collection typically completes within hours. Your network stays clean.
Attack Path Analysis
Attack path mapping, manual ACL review, GPO audit, AD CS vulnerability assessment (ESC1-ESC8), Kerberoasting detection, and credential hygiene analysis. Analysis happens in our lab.
Report & Debrief
Prioritised findings delivered via secure portal with attack graphs, compliance mapping (ISO 27001, NIST CSF, Cyber Essentials, GDPR Art. 32), and ranked remediation steps. Technical debrief call included.
What You Receive
Every AD security assessment produces a structured findings report formatted for security teams, compliance officers, and board-level stakeholders.
Reports delivered via encrypted portal within 5 working days of data collection. Findings structured for direct auditor submission and risk register integration.
Audit-Ready Framework Mapping
Every finding is mapped directly to the regulatory controls it satisfies. ISO 27001 Annex A.8/A.9, SOC 2 CC6, NIST CSF v2.0, and Cyber Essentials evidence in a single report.
| Finding Category | ISO 27001 | NIST CSF v2 | Cyber Essentials | GDPR |
|---|---|---|---|---|
| Privileged Access | A.8.2 / A.9.2 | PR.AA-05 | Access Control | Art. 32 |
| Stale Accounts | A.8.1 | PR.AA-01 | User Access | Art. 32 |
| GPO Misconfiguration | A.8.9 | PR.IP-01 | Patch Management | N/A |
| Service Account Audit | A.9.2 / A.9.4 | PR.AA-02 | Access Control | Art. 32 |
| Password Policy | A.8.5 | PR.AA-03 | Password Policy | Art. 32 |
| AD CS Vulnerabilities | A.8.3 | PR.DS-01 | Patch Management | Art. 32 |
Findings also mapped to ISO 27001 requirements and Cyber Essentials Plus.
When Do Organisations Commission an AD Assessment?
An Active Directory security assessment is typically triggered by one of these six scenarios. If any apply, you are in the right place.
Ransomware Threat Intelligence
Ransomware operators walk to Domain Admin through a misconfigured ACL or a Kerberoastable SPN your IT team set up three years ago. You need to know if that path exists.
ISO 27001 / SOC 2 Audit Gap
Your auditor flagged Active Directory access controls as inadequate or not independently tested. Self-assessment does not satisfy ISO 27001 A.8.2 or SOC 2 CC6.
Cyber Insurance Renewal
Underwriters are asking directly: when did you last independently test your Active Directory? A CREST-certified assessment report is evidence your insurer can accept.
Pentest Flagged Kerberoasting
Your last penetration test came back with Kerberoasting identified as a finding. That is a symptom. The question is: what does the full attack path from that SPN look like?
AD Migration or Consolidation
You are migrating forests, consolidating after M&A, or moving to hybrid Entra ID. You need to know the security state of the environment before and after the change.
Tiered Admin Validation
You implemented Microsoft security baselines and tiered administration. You need an independent offensive assessment to validate there are no legacy ACLs or trust relationships bypassing your tier boundaries.
Fixed-Price Engagements
All tiers include BloodHound attack path mapping, Kerberoasting detection, ACL/GPO audit, AD CS review, compliance-mapped report, and technical debrief. No hidden day-rate additions. Quote confirmed before engagement starts.
Small
Single domain, 3 to 4 days
Medium
Single domain, 4 to 5 days
Large
Multi-domain / hybrid, Forest trusts, Entra ID, 5 to 8 days
Find the Attack Paths.
Then Monitor for Them.
AD assessment reveals the attack paths. Our 24/7 SOC deploys detection rules for the specific credential abuse, lateral movement, and privilege escalation techniques your report identifies, closing the loop between offensive testing and defensive monitoring.
Internal Network Pentest
Full internal penetration test covering AD and the broader network. AD assessment tightens the scope.
AD Password Audit
Complementary credential hygiene testing. Audit password hashes against breach databases.
Red Team Operations
Full adversarial simulation. AD assessment provides the reconnaissance layer for red team engagements.
SOC Monitoring
24/7 identity threat detection tuned to your AD attack paths. Kerberoasting, DCSync, lateral movement alerts.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
An Active Directory audit is a comprehensive configuration review: we analyse every object, ACL, GPO, and account against security best practices and compliance frameworks. A penetration test is goal-oriented: it finds one viable path to Domain Admin and stops. Our AD Security Assessment combines both: systematic audit coverage across the full environment, with attack simulation to validate exploitability. You receive a complete picture, not just the path we happened to find first.
EDR tools monitor for malicious execution but cannot fix architectural flaws. If a user has GenericWrite permissions over a Domain Admin account due to a bad ACL, an attacker can take over the domain using built-in Windows tools without triggering any EDR alert. These are logic and configuration flaws that exist in the directory structure itself. EDR detects execution. Active Directory penetration testing and audit detects the misconfigured relationships that make execution unnecessary.
AD security assessments are scoped based on the number of domain objects (users, computers, groups), forest complexity, and whether Entra ID is included. Single domain environments up to 2,000 users typically cost from £3,750. Larger single domains (2,000 to 5,000 users) typically cost from £5,500. Multi-domain environments with forest trusts or hybrid Entra ID scope typically cost from £7,500. All engagements are fixed-price with no hidden day-rate additions. We provide a formal quote after a 30-minute scoping call, typically within one working day.
Yes. Our assessment is strictly read-only. We query AD objects, ACLs, and GPOs using SharpHound for data collection. No objects are modified, no passwords are reset, and no accounts are created during the engagement. Analysis is performed in our lab environment, not on your network. Zero production disruption.
No. Any authenticated domain user can read most directory information. We only need a standard user account to perform the assessment. This reflects real-world attacker capability: an attacker with a phished helpdesk account can enumerate the same data we collect. That is exactly why this assessment matters.
We cover hybrid environments. Our Entra ID scope includes: Azure AD Connect sync configuration, Conditional Access policy gaps, over-privileged App Registrations and Service Principals, PIM configuration review, guest access policies, and Primary Refresh Token attack surface. We ensure a compromise on-premises cannot pivot to the cloud, and vice versa. Entra ID scope is available as an extension to any on-premises AD assessment.
Kerberoasting is a post-exploitation technique where any authenticated domain user requests Kerberos TGS tickets for service accounts with SPNs set. These tickets are encrypted with the service account's password hash and can be cracked offline. Our assessment identifies every account vulnerable to Kerberoasting, enumerates their privilege level, and provides prioritised remediation including password rotation schedules and gMSA migration where applicable. In our experience, 3 in 5 AD environments contain at least one Kerberoastable Tier 0 account.
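On the detection side of the Kerberoasting description above (the monitoring the SOC section refers to), here is an added Python example, not part of the page or of the assessment's tooling, that runs a burst rule over constructed Windows Security Event ID 4769 records: one requesting account pulling RC4-encrypted service tickets for several distinct service accounts inside a short window. The event dictionaries, field names, threshold and window are all assumptions made for the example.

```python
"""Kerberoasting burst detection over constructed Event ID 4769 (TGS request) records.

Field names mirror the 4769 event (TargetUserName, ServiceName, TicketEncryptionType,
Status, IpAddress) but are shortened; the sample events are invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}        # RC4-HMAC and RC4-HMAC-EXP: crackable with the account's NT hash
WINDOW = timedelta(minutes=5)        # assumed: tune to the environment's normal ticket churn
THRESHOLD = 3                        # assumed: distinct RC4 service tickets per user per window

# Constructed sample events; nothing here is real log data.
EVENTS = [
    # alice: five RC4 tickets for five different service accounts within 40 seconds
    {"time": "2024-03-01T09:00:01", "user": "alice@CORP.LOCAL", "service": "svc-sql",    "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    {"time": "2024-03-01T09:00:05", "user": "alice@CORP.LOCAL", "service": "svc-backup", "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    {"time": "2024-03-01T09:00:12", "user": "alice@CORP.LOCAL", "service": "svc-web",    "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    {"time": "2024-03-01T09:00:20", "user": "alice@CORP.LOCAL", "service": "svc-sccm",   "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    {"time": "2024-03-01T09:00:41", "user": "alice@CORP.LOCAL", "service": "svc-print",  "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    # bob: an ordinary AES256 ticket for a web service
    {"time": "2024-03-01T09:01:00", "user": "bob@CORP.LOCAL",   "service": "svc-web",    "enc": "0x12", "status": "0x0",  "src": "10.0.7.14"},
    # a workstation requesting a ticket for a file server's machine account: excluded
    {"time": "2024-03-01T09:01:30", "user": "WS01$@CORP.LOCAL", "service": "FS01$",      "enc": "0x17", "status": "0x0",  "src": "10.0.7.30"},
    # carol: one RC4 ticket for a legacy application, below the burst threshold
    {"time": "2024-03-01T09:02:00", "user": "carol@CORP.LOCAL", "service": "svc-legacy", "enc": "0x17", "status": "0x0",  "src": "10.0.9.8"},
    # alice again an hour later: a lone request, outside any busy window
    {"time": "2024-03-01T10:15:00", "user": "alice@CORP.LOCAL", "service": "svc-sql",    "enc": "0x17", "status": "0x0",  "src": "10.0.5.21"},
    # a failed request (non-zero status) is ignored by both rules
    {"time": "2024-03-01T09:00:30", "user": "frank@CORP.LOCAL", "service": "svc-sql",    "enc": "0x17", "status": "0x1b", "src": "10.0.5.99"},
]


def is_machine_account(name):
    return name.endswith("$")


def roastable_rc4_requests(events):
    """Successful RC4 TGS requests for user (non-machine, non-krbtgt) service accounts."""
    for ev in events:
        if ev["status"] != "0x0" or ev["enc"] not in RC4_ETYPES:
            continue
        svc = ev["service"]
        if is_machine_account(svc) or svc.lower() == "krbtgt":
            continue
        yield ev


def detect_kerberoasting(events, threshold=THRESHOLD, window=WINDOW):
    """Alert when one (user, source host) obtains RC4 tickets for >= threshold distinct
    service accounts within `window`. Returns one alert per offending (user, source)."""
    by_actor = defaultdict(list)
    for ev in roastable_rc4_requests(events):
        by_actor[(ev["user"], ev["src"])].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = []
    for (user, src), reqs in by_actor.items():
        reqs.sort()
        best = set()
        for i, (t0, _) in enumerate(reqs):           # sliding window anchored on each request
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) > len(best):
                best = services
        if len(best) >= threshold:
            alerts.append({"user": user, "source": src, "count": len(best), "services": sorted(best)})
    return alerts


def rc4_service_accounts(events):
    """Hygiene view: service accounts that were issued any RC4 ticket at all. Each one is a
    candidate for AES-only configuration or gMSA migration regardless of who asked."""
    return {ev["service"] for ev in roastable_rc4_requests(events)}


if __name__ == "__main__":
    for a in detect_kerberoasting(EVENTS):
        print(f"ALERT {a['user']} from {a['source']}: {a['count']} RC4 service tickets {a['services']}")
    print("service accounts still issued RC4 tickets:", sorted(rc4_service_accounts(EVENTS)))
```

The second function is the remediation-side companion to the first: the burst rule catches the act, while the list of accounts still being issued RC4 tickets is the backlog the password rotation and gMSA migration schedule has to work through. Tickets requested with AES encryption types are deliberately not counted, so an environment that has already moved to AES-only keys needs the burst logic applied to all encryption types rather than only RC4.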
Cyber insurance underwriters increasingly require evidence of independent Active Directory security testing. A CREST-certified assessment report from an accredited firm, with a formal findings document mapping to recognised frameworks (ISO 27001, NIST CSF), is the format underwriters recognise and accept. The assessment cost typically represents less than the premium reduction it justifies. We can scope and deliver an assessment within 3 to 5 working days to meet your renewal deadline.
Purple Knight and PingCastle are automated AD security scanning tools that check for known misconfiguration patterns. They are useful as a baseline but cannot validate the attack path from a real user to Domain Admin through chained ACL relationships. That requires graph-based analysis and manual verification by an experienced analyst. A professional AD security assessment also produces a report with legal weight for compliance purposes, includes ESC1-ESC8 AD CS testing, and provides a technical debrief. Automated tools identify individual misconfigurations. We identify the attack chains that connect them.
Microsoft security baselines, LAPS, and tiered administration are essential Active Directory hardening measures and a strong starting point. However, configuration hardening and offensive attack path analysis are complementary. LAPS secures local admin credentials but does not address ACL-based privilege escalation, Kerberoastable SPNs, or trust relationship abuse. Most AD hardening projects fail at the ACL layer: the tiered model looks correct in Active Directory Users and Computers, but BloodHound shows legacy group memberships and forgotten ACL entries that bypass every tier boundary. Independent third-party assessment is also a requirement of ISO 27001 Annex A.8.2 and SOC 2 CC6.
Yes. DCSync is a technique where an attacker with Replicating Directory Changes permissions can request password hash replication from a domain controller, effectively extracting every credential in the domain. Our assessment identifies all accounts and objects with DCSync-capable permissions, determines whether those permissions are legitimate or misconfigured, and provides remediation guidance. Testing is conducted safely: we enumerate the permissions without executing replication.
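The DCSync answer above makes two separate points: which principals hold replication rights on the domain object, and whether replication is actually being exercised by something other than a domain controller. The Python below is an added example written for this page (not the assessment's tooling) that does both checks without performing any replication: a static audit over constructed ACEs from the domain head's DACL, and a rule over constructed Security Event ID 4662 records. The expected-trustee list, the DC computer account names and the MSOL_ prefix used to recognise the Azure AD Connect sync account are assumptions to be tuned per environment.

```python
"""DCSync exposure checks: static ACE audit plus Event ID 4662 detection.

All ACEs, events and allowlists below are constructed for illustration. The three
rightsGuid values are the well-known replication extended rights.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Assumed allowlist: trustees that legitimately replicate in this fictional CORP domain.
EXPECTED_TRUSTEES = {"CORP\\Domain Controllers", "CORP\\Enterprise Domain Controllers",
                     "CORP\\Administrators", "CORP\\Enterprise Admins"}
DC_ACCOUNTS = {"DC01$", "DC02$"}     # assumed DC computer accounts
SYNC_ACCOUNT_PREFIX = "MSOL_"        # Azure AD Connect sync account naming; verify against the tenant

# Constructed ACEs on the domain object: (trustee, set of extended-right GUIDs granted).
SAMPLE_ACES = [
    ("CORP\\Domain Controllers", {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),
    ("CORP\\Administrators",     set(REPLICATION_RIGHTS)),
    ("CORP\\MSOL_1a2b3c",        set(REPLICATION_RIGHTS)),                   # sync account, allowlisted by prefix
    ("CORP\\svc-backup",         {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),  # unexpected, full DCSync capability
    ("CORP\\alice",              {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"}),  # unexpected, Get-Changes only
    ("CORP\\HELPDESK",           {"00299570-246d-11d0-a768-00aa006e0529"}),  # User-Force-Change-Password: not replication
]

# Constructed 4662 records: subject, AccessMask and the Properties blob as logged.
SAMPLE_EVENTS = [
    {"subject": "CORP\\DC02$",       "access_mask": "0x100", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\MSOL_1a2b3c", "access_mask": "0x100", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\alice",       "access_mask": "0x100", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "CORP\\bob",         "access_mask": "0x100", "properties": "{00299570-246d-11d0-a768-00aa006e0529}"},
]


def is_expected(principal):
    """True for principals that are supposed to replicate (DCs, default admins, sync account)."""
    name = principal.split("\\")[-1]
    return principal in EXPECTED_TRUSTEES or name in DC_ACCOUNTS or name.startswith(SYNC_ACCOUNT_PREFIX)


def severity(rights):
    # Get-Changes-All is what allows secret attributes (password hashes) to be replicated;
    # Get-Changes alone is still out of place but is not a working DCSync primitive by itself.
    return "critical" if "DS-Replication-Get-Changes-All" in rights else "medium"


def replication_rights_in(text):
    """Map any replication GUIDs found in a string to their right names."""
    return {REPLICATION_RIGHTS[g] for g in GUID_RE.findall(text.lower()) if g in REPLICATION_RIGHTS}


def audit_dcsync_aces(aces):
    """Static check: every trustee holding replication rights that is not on the allowlist."""
    findings = []
    for trustee, guids in aces:
        rights = replication_rights_in(" ".join(guids))
        if rights and not is_expected(trustee):
            findings.append({"trustee": trustee, "rights": sorted(rights), "severity": severity(rights)})
    return findings


def detect_dcsync_events(events):
    """Runtime check: 4662 control-access (0x100) events carrying replication GUIDs
    whose subject is not an expected replicator."""
    alerts = []
    for ev in events:
        if ev["access_mask"] != "0x100":
            continue
        rights = replication_rights_in(ev["properties"])
        if rights and not is_expected(ev["subject"]):
            alerts.append({"subject": ev["subject"], "rights": sorted(rights), "severity": severity(rights)})
    return alerts


if __name__ == "__main__":
    for f in audit_dcsync_aces(SAMPLE_ACES):
        print(f"ACE  {f['severity']:8} {f['trustee']}: {', '.join(f['rights'])}")
    for a in detect_dcsync_events(SAMPLE_EVENTS):
        print(f"4662 {a['severity']:8} {a['subject']}: {', '.join(a['rights'])}")
```

The static audit is the assessment-time check (it needs only read access to the domain object's security descriptor), and the 4662 rule is the monitoring that should stay in place afterwards; both depend on the same allowlist, so when the audit confirms that an unexpected trustee is in fact legitimate, that decision is recorded once and the detection inherits it. Auditing for the 4662 event on domain objects has to be enabled on the domain controllers for the runtime rule to see anything.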
Most AD assessments complete in 3 to 5 working days, including scoping, data collection, analysis, report writing, and debrief. Larger or more complex environments with multiple forests, external trusts, or Entra ID scope may extend to 7 to 10 days. We provide a fixed timeline during scoping.
Yes. We use tools like BloodHound with SharpHound for data collection and write custom Cypher queries to identify attack paths that the built-in queries miss. BloodHound allows us to visualise every route from a standard user to Domain Admin and demonstrate the exact sequence of exploitation steps. This is the core differentiator between an Active Directory audit using only configuration scanning tools and a genuine offensive assessment.