An Active Directory security assessment is a manual, attacker-focused review of your on-premises Active Directory and Microsoft Entra ID that maps how a foothold becomes full domain compromise - through Kerberoasting, AS-REP roasting, ACL and delegation abuse, and credential theft. CyberXplore's senior-led testers (OSCP, CRTP, CREST) replay real adversary tradecraft mapped to MITRE ATT&CK, then deliver prioritized, attack-path-based remediation with a free retest and attestation letter so you can prove every path is closed.
MITRE ATT&CK · PTES · NIST · CIS Benchmarks
Why CyberXplore
Senior-only testers (OSCP, CRTP, CREST)
ISO 27001 & ISO 9001 certified
Free retest + attestation letter
Tailored scope and quote in 24 hours
Why it matters
Active Directory authenticates almost every user and system you run - a single attack path to Domain Admin gives attackers control of your entire estate, including the ability to deploy ransomware domain-wide.
Most AD compromises exploit misconfiguration and accumulated technical debt, not software bugs: weak service-account passwords, dangerous ACLs, unconstrained delegation, and orphaned admin rights that no patch will fix.
Hybrid identity expands the blast radius - a foothold on-prem can pivot into Microsoft Entra ID (and your cloud tenant) through Entra Connect, federation, and synced privileged accounts.
Standard vulnerability scans and even web/network pentests rarely model AD privilege-escalation chains, so these issues persist silently until an intruder finds them first.
Aligned with industry standards: MITRE ATT&CK · PTES · NIST · CIS Benchmarks
Our methodology
01. Scoping & Rules of Engagement
We agree on in-scope domains, forests, and Entra ID tenants, the starting position (assumed-breach standard-user foothold or unauthenticated), and safe limits - then confirm change-freeze windows and emergency contacts.
02. Enumeration & Attack-Path Mapping
From a low-privilege account we enumerate users, groups, GPOs, trusts, ACLs, delegation, and certificate services, building a full graph of viable privilege-escalation routes with tooling such as BloodHound and PingCastle.
03. Credential & Kerberos Attacks
We safely test Kerberoasting, AS-REP roasting, password spraying, and abuse of weak or reused service-account credentials to extract and crack tickets without disrupting authentication services.
04. Privilege Escalation & Lateral Movement
We chain ACL abuse, constrained/unconstrained/resource-based delegation, AD CS misconfigurations (ESC1-ESC8), and credential theft to move laterally and demonstrate a concrete path to Domain and Enterprise Admin.
05. Hybrid & Entra ID Review
Where in scope, we assess Entra Connect, federation, privileged-role assignments, conditional access, and on-prem-to-cloud pivots to show how an AD foothold can reach your Microsoft 365 and Azure environment.
06. Reporting, Remediation & Retest
You receive attack-path narratives mapped to MITRE ATT&CK with prioritized fixes; we support your team through remediation and retest every finding free of charge to confirm the paths are closed.
What we test
Active Directory domain & forest enumeration (users, groups, GPOs, trusts)
Kerberoasting & AS-REP roasting against service and user accounts
Microsoft Entra ID roles, conditional access & hybrid identity (Entra Connect, federation)
Domain Controller hardening & Group Policy security baseline review
What you get
Executive summary translating attack paths into business and ransomware risk
Detailed technical findings with severity, evidence, and MITRE ATT&CK mapping
Visual attack-path graphs from standard user to Domain/Enterprise Admin
Step-by-step reproduction for every privilege-escalation chain
Prioritized, practical remediation guidance and a tiering-model roadmap
Free retest with a remediation verification letter once fixes are applied
Attestation letter for customers, auditors, and compliance frameworks
Sample deliverable
What you'll see in your report
Every engagement ends with a clear, prioritized report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.
Findings by severity (23 total)
Critical: 1 · High: 10 · Medium: 8 · Low: 4
Critical · CVSS 9.1 · CX-714
DCSync via excessive ACL on the domain object
CWE-269 · CORP\helpdesk · Retested
High · CVSS 8.1 · CX-702
Kerberoastable service account with weak password
CWE-262 · svc-sql.corp.local · Open
High · CVSS 8.0 · CX-720
Unconstrained delegation on application server
CWE-266 · app01.corp.local · Open
Illustrative active directory security assessment sample - anonymized to example.com.
Want the full anonymized sample report? We'll include it with your quote.
Cumulative figures across our team's combined engagement history
Shared under NDA · details anonymized
“CyberXplore found critical issues three previous vendors missed. The report was the clearest we've ever received - our engineers fixed everything in a week, and the free retest confirmed every fix held.”
23 critical findings surfaced
Head of Security
European SaaS platform · Series C · 450 employees
B2B SaaS
Shared under NDA · details anonymized
“Senior testers, fast turnaround, and a free retest that actually proved our fixes worked. They made our SOC 2 audit painless.”
SOC 2 passed first attempt
VP of Engineering
Series B FinTech · Payments platform
FinTech
Certifications held by our testers
OSCP
CRTP
CREST
CEH
eWPTX
ISO 27001
ISO 9001
Frequently asked questions
It is a manual, adversary-led review of your on-premises Active Directory and Microsoft Entra ID that identifies the misconfigurations and privilege-escalation paths an attacker would chain to reach Domain Admin - covering Kerberoasting, AS-REP roasting, ACL and delegation abuse, AD CS, and hybrid-identity pivots. The goal is to show real attack paths and how to break them, not just produce a list of settings.