CyberXplore - Xplore the Unseen

Active Directory Security Assessment

Find the privilege-escalation and lateral-movement paths attackers use to reach Domain Admin.

Active Directory - acme.corp (sample · illustrative)

Tiers: Tier 2 · Workstations · Tier 1 · Servers · Tier 0 · Domain Controllers

  • T2 WIN-7F3A (LOW) - user: jdoe · foothold
  • Kerberoast (T1558.003) → T1 svc-sql (HIGH) - SPN · hash cracked offline
  • Lateral · Pass-the-Hash (T1550) → T1 FILE01 (HIGH) - local-admin credential reuse
  • DCSync (T1003.006) → T0 DC01 (CRIT) - replication rights abused
  • krbtgt → Domain Admin → T0 acme.corp (CRIT) - Domain Admin obtained

DOMAIN COMPROMISED - 5 hops · initial user → Domain Admin · no EDR alerts
What is AD Security Assessment?

An Active Directory security assessment is a manual, attacker-focused review of your on-premises Active Directory and Microsoft Entra ID that maps how a foothold becomes full domain compromise - through Kerberoasting, AS-REP roasting, ACL and delegation abuse, and credential theft. CyberXplore's senior-led testers (OSCP, CRTP, CREST) replay real adversary tradecraft mapped to MITRE ATT&CK, then deliver prioritized, attack-path-based remediation with a free retest and attestation letter so you can prove every path is closed.

MITRE ATT&CK · PTES · NIST · CIS Benchmarks

Why CyberXplore

  • Senior-only testers (OSCP, CRTP, CREST)
  • ISO 27001 & ISO 9001 certified
  • Free retest + attestation letter
  • Tailored scope and quote in 24 hours

Why it matters

Active Directory authenticates almost every user and system you run - a single attack path to Domain Admin gives attackers control of your entire estate, including the ability to deploy ransomware domain-wide.

Most AD compromises exploit misconfiguration and accumulated technical debt, not software bugs: weak service-account passwords, dangerous ACLs, unconstrained delegation, and orphaned admin rights that no patch will fix.

Hybrid identity expands the blast radius - a foothold on-prem can pivot into Microsoft Entra ID (and your cloud tenant) through Entra Connect, federation, and synced privileged accounts.

Standard vulnerability scans and even web/network pentests rarely model AD privilege-escalation chains, so these issues persist silently until an intruder finds them first.

Aligned with industry standards: MITRE ATT&CK · PTES · NIST · CIS Benchmarks

Our methodology

  1. Scoping & Rules of Engagement

     We agree on in-scope domains, forests, and Entra ID tenants, the starting position (assumed-breach standard-user foothold or unauthenticated), and safe limits - then confirm change-freeze windows and emergency contacts.

  2. Enumeration & Attack-Path Mapping

     From a low-privilege account we enumerate users, groups, GPOs, trusts, ACLs, delegation, and certificate services, building a full graph of viable privilege-escalation routes with tooling such as BloodHound and PingCastle.

  3. Credential & Kerberos Attacks

     We safely test Kerberoasting, AS-REP roasting, password spraying, and abuse of weak or reused service-account credentials to extract and crack tickets without disrupting authentication services.

  4. Privilege Escalation & Lateral Movement

     We chain ACL abuse, constrained/unconstrained/resource-based delegation, AD CS misconfigurations (ESC1-ESC8), and credential theft to move laterally and demonstrate a concrete path to Domain and Enterprise Admin.

  5. Hybrid & Entra ID Review

     Where in scope, we assess Entra Connect, federation, privileged-role assignments, conditional access, and on-prem-to-cloud pivots to show how an AD foothold can reach your Microsoft 365 and Azure environment.

  6. Reporting, Remediation & Retest

     You receive attack-path narratives mapped to MITRE ATT&CK with prioritized fixes; we support your team through remediation and retest every finding free of charge to confirm the paths are closed.

What we test

  • Active Directory domain & forest enumeration (users, groups, GPOs, trusts)
  • Kerberoasting & AS-REP roasting against service and user accounts
  • Password spraying, weak/reused credentials & default account review
  • Dangerous ACL & object permission abuse (GenericAll, WriteDACL, DCSync rights)
  • Kerberos delegation abuse (unconstrained, constrained, resource-based)
  • Active Directory Certificate Services misconfigurations (ESC1-ESC8)
  • Privileged group hygiene & tiering / Tier 0 administration model review
  • LAPS, SMB signing, NTLM relay & legacy protocol exposure
  • Microsoft Entra ID roles, conditional access & hybrid identity (Entra Connect, federation)
  • Domain Controller hardening & Group Policy security baseline review

What you get

  • Executive summary translating attack paths into business and ransomware risk
  • Detailed technical findings with severity, evidence, and MITRE ATT&CK mapping
  • Visual attack-path graphs from standard user to Domain/Enterprise Admin
  • Step-by-step reproduction for every privilege-escalation chain
  • Prioritized, practical remediation guidance and a tiering-model roadmap
  • Free retest with a remediation verification letter once fixes are applied
  • Attestation letter for customers, auditors, and compliance frameworks

Sample deliverable

What you'll see in your report

Every engagement ends with a clear, prioritized report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.

Findings by severity (23 total): Critical 1 · High 10 · Medium 8 · Low 4

  • Critical · CVSS 9.1 · CX-714 - DCSync via excessive ACL on the domain object (CWE-269 · CORP\helpdesk · Retested)
  • High · CVSS 8.1 · CX-702 - Kerberoastable service account with weak password (CWE-262 · svc-sql.corp.local · Open)

Illustrative Active Directory security assessment sample - anonymized to example.com.

Want the full anonymized sample report? We'll include it with your quote.


Ready to scope your engagement?

Tell us what you need tested - get a tailored scope and quote within 24 hours.

Proof, not promises

Teams that tested with us


Shared under NDA · details anonymized

"CyberXplore found critical issues three previous vendors missed. The report was the clearest we've ever received - our engineers fixed everything in a week, and the free retest confirmed every fix held."

23 critical findings surfaced - Head of Security, European SaaS platform · Series C · 450 employees (B2B SaaS)

Shared under NDA · details anonymized

"Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless."

SOC 2 passed first attempt - VP of Engineering, Series B FinTech · Payments platform (FinTech)

Certifications held by our testers

  • OSCP
  • CRTP
  • CREST
  • CEH
  • eWPTX
  • ISO 27001
  • ISO 9001

Frequently asked questions

It is a manual, adversary-led review of your on-premises Active Directory and Microsoft Entra ID that identifies the misconfigurations and privilege-escalation paths an attacker would chain to reach Domain Admin - covering Kerberoasting, AS-REP roasting, ACL and delegation abuse, AD CS, and hybrid-identity pivots. The goal is to show real attack paths and how to break them, not just produce a list of settings.

Ready to see what attackers see?

Get a tailored scope and quote in 24 hours. No pressure, no jargon - just clarity on your risk.

  • Free retest on every fix
  • Scoped quote within 24 hours
  • Senior-only testers
  • ISO 27001
  • ISO 9001
  • OSCP
  • CRTP
  • CREST