Active Directory Exposure Validation · Mapped to DORA · NIS2 · ENS

See every path to Domain Admin in your Active Directory, proven by exploiting it.

ADscan is Active Directory Exposure Validation. It walks every supported internal path from a low-privilege user to full domain takeover, exploits it to prove the exposure is real, and maps it to DORA, NIS2 and ENS. Open-source engine, on-premise.

A live path from a single low-privilege user to full domain takeover

attack_paths: Exploited and proven
Low-privilege user → Service account → Certificate template → Domain Admin · Tier 0

78% Ransomware exposure

Your number, computed from your own environment

78% of human-operated ransomware attacks breach a domain controller (Microsoft, 2025)

100% of regulated environments we ran had a live path to Tier 0 (ADscan proof of value)

29 min median attacker breakout time, low-privilege to lateral move (CrowdStrike, 2025)

€5.08M average cost of a ransomware incident (IBM, 2025)

Why the board should care

The annual pentest is a photograph. The attack surface is a film.

01 · Coverage

A pentest is one day. The other 364 are blind.

Every change made after that day (new accounts, delegations, certificate templates) reopens paths that nobody re-checks until the following year. 73% of organizations change their IT quarterly; only 40% test at that pace.

Pentera State of Pentesting, 2024 (vendor survey)
02 · Ransomware

Ransomware rides in on identity.

In 78% of human-operated ransomware attacks the attacker breaches a domain controller. The path from one low-privilege account to Domain Admin is the breach, and it is invisible on a network scan.

Microsoft 2025 · Verizon DBIR 2025
03 · Accountability

Accountability is now personal.

DORA Article 5 puts ICT risk on the management body; Article 50 allows sanctions against individuals. NIS2 and ENS impose the same duty. The board needs dated evidence the path was found and closed.

The platform

One platform: walk the path, prove it, map it, close it.

ADscan runs the same ordered loop a real attacker follows against your live Active Directory, with guardrails and rollback. Every node below is a real identity object; every exploited edge ends at the Tier 0 target, scored into an exposure number the board reads at a glance.

The loop, end to end
  1. Discover
     Map every identity object, delegation, certificate template and trust across the domain.

  2. Exploit
     Walk every supported path to Domain Admin and execute it, with credential handoff at each step.

  3. Map
     Tie every proven path to the DORA, NIS2 and ENS control your supervisor asks about.

  4. Prioritize
     Rank by exploited severity and blast radius, not by theoretical CVSS noise.

  5. Remediate
     Hand back concrete, ordered fixes that close the path at its root cause.

  6. Revalidate
     Re-run on the platform and confirm the path is gone. This is the continuous loop.

Discover, Exploit and Map run on every engagement. Revalidate runs continuously on the on-premise platform tier.

[Figure] Attack-path graph: exploited routes from low-privilege users to the Tier 0 domain target, with the Tier 0 node haloed.
[Figure] Executive dashboard: exposure score, severity distribution and top open attack paths.
Interactive product tour

A live, click-through walkthrough lands here shortly. For now, request the proof of value to see it on your own environment.

You walk away with one report

Not a slide deck, not four loose PDFs. One board-ready report: executive summary, full attack-path narrative, per-step technical detail, and ordered remediation, every finding tied to the control it satisfies.

See a sample report

On-premise by design

  • Runs entirely on-premise, inside your perimeter
  • Open-source engine, auditable on GitHub
  • No AD data uploaded, no vendor cloud processing
Category of one

Not a pentest. Not a generic BAS. Not BloodHound. The Active Directory specialist that proves the path.

BloodHound maps the paths but never walks them. Generic breach-and-attack platforms spread thin across everything and simulate. An annual pentest is one day a year. ADscan goes deep on the one system ransomware actually rides in on, and it exploits every supported path end to end so the finding is fact, not theory.

                                  ADscan        Annual pentest   Generic BAS   BloodHound
Active Directory depth            Specialist    Partial          Surface       Mapping only
Proves the path                   Exploits it   Once             Simulates     Never walks it
Coverage                          Continuous    1 day / year     Continuous    Snapshot
Open-source engine                Yes           No               No            Yes
Runs on-premise, data stays in    Yes           Varies           Cloud         Yes
Native DORA / NIS2 / ENS mapping  Yes           Manual           No            No

The wedge no competitor has

Every finding maps to the control your supervisor asks about.

A pentest finding is a technical fact. A supervisor needs it expressed as a control. ADscan does the translation natively, with real legal citations, so the same report defends you in front of an attacker and in front of an auditor.

Exploited path → Mapped control

DORA: EU 2022/2554, ICT risk and operational resilience

NIS2: Essential and important entities

ENS: Esquema Nacional de Seguridad, Alto

Need the business case? Put a number on what a path to Tier 0 costs you, and the return on closing it.

Open the ROI calculator
What we found
In the 6 regulated entities where I ran it, 100% had at least one live path to full domain takeover. One had gone undetected through two years of annual pentests.
Yeray Martin, founder, senior penetration tester
100% of environments we ran had a live path to Tier 0
The offer

A free proof of value, with a guarantee no consultancy will sign.

The founder runs ADscan on your live Active Directory, you watch, and you get one board-ready report mapped to DORA, NIS2 and ENS the same day.

Comparable consultancy work bills €5,000 to €10,000. Your cost this quarter: €0.

Comparable value

€5,000–€10,000+

Your cost this quarter

€0

The AD Verified guarantee

After every remediation, we re-run it for free until there are zero paths to Tier 0. No cap on iterations.

3 free proofs of value this quarter, in exchange for a testimonial.

Claim a proof of value · See the full deal and conditions

Teams that want this continuously move to Enterprise CTEM: the same engine, on-premise, revalidating and mapping your exposure year round. In validation now.

For consultancies and MSSPs

Run a client AD audit in hours. Deliver a board-ready report the same day.

The same engine your clients would buy, in your hands. Start free with the open-source engine, then add the PRO deliverable kit to turn a raw run into a branded, compliance-mapped report you can put your name on.

Open-source engine, free

The full LITE engine on GitHub. Walk and exploit the path to Domain Admin on any engagement, no license.

PRO deliverable kit

Turn a run into a polished, DORA, NIS2 and ENS-mapped report in minutes, not a billable week of writing.

Your brand, your margin

Same-day board-ready reports let you take on more engagements without adding headcount.

PRO beta is free in exchange for feedback and a testimonial. Use it on a real engagement.

Board questions

The questions a board asks before it says yes.

Is it safe to run in production?

Yes. The run is coordinated with your team, scoped to your Active Directory, and you watch it happen. Dangerous techniques are policy-blocked, every change registers a rollback, and the engine refuses unreachable or unsupported paths. It is built for live regulated environments, not lab conditions.

What do you need from us?

A scoped, low-privilege starting account and a way in, VPN or on site. From there the run is autonomous and you observe the whole thing.

What happens to our data?

It stays with you. ADscan runs on-premise inside your perimeter. No Active Directory data is uploaded and nothing is processed in a vendor cloud. The engine is open source and auditable.

Is it really free? What is the catch?

It is free this quarter for 3 entities. In return we ask for honest feedback and an anonymous testimonial, sector and size only. We want the proof points; you want the report.

How is this different from a pentest, or from Pentera?

A pentest is one day a year. Pentera and other generic BAS platforms spread across everything and stay in the cloud. ADscan is an Active Directory specialist that exploits every supported path end to end, runs on-premise, and maps every finding to DORA, NIS2 and ENS.

Start here

Find the path before someone else proves it for you.

Get a board-ready picture of every supported route to full domain takeover, mapped to your supervisor’s framework, in 48 hours.

ADscan — See every Active Directory path an attacker takes to ransom your domain