Do you know what an attacker sees in your Active Directory?
For regulated entities under DORA, ENS Alto and NIS2. ADscan shows exactly what is exploitable in your AD: 48 hours, your real environment, no consultants, no changes.
Banking · Insurance · Healthcare · Critical Infrastructure
Are you a pentester or consultant? PRO beta access →
The gap
AD is the #1 target. When did you last look at it as an attacker would?
Annual pentests aren't enough.
Attackers look for paths 24/7. A consultancy charges €15k–50k for a one-day snapshot. You repeat it every 6 months.
Compliance tools don't detect exploitability.
ENS and ISO 27001 verify controls. They don't check if those controls are exploitable when chained.
Your team doesn't have time to analyze AD like an attacker.
BloodHound exists. But someone has to interpret it, correlate it, and turn it into action.
Regulatory exposure
DORA (in force Jan 2025) and NIS2 require documented AD technical controls. Every audit cycle without visibility is real regulatory exposure: fines up to €10M or 2% of annual turnover.
How it works
Pentest-grade AD intelligence in three steps.
No agents. No infrastructure changes. From a domain-joined Windows VM.
Deploy
Deploy in hours, not months. No agents, no special VPN.
Discover
Full AD enumeration, attack path analysis, critical vulnerability detection.
Report
Executive report for CISO and board. Technical report for IT. MITRE ATT&CK mapped.
ADscan in action
Attack paths from standard users to Domain Admin, detected automatically.

22 Tier-0 paths · DOMAIN USERS → Domain Admin in 3 steps · Lab environment
Safe by design
Built for production environments.
Read-only by default
Never modifies AD objects, accounts, or GPOs without explicit operator confirmation. Same read surface as any authenticated user.
See what it reads vs. never does →
Operator confirms every step
Every exploitation step requires explicit operator confirmation. ADscan never autonomously writes to AD. Ever.
Read the 6 architecture principles →
100% on-prem
AD data, findings and reports never leave your network. Offline license. Air-gapped deployments supported.
See data sovereignty details →
Capabilities
Designed for the CISO.
Complete attack path visibility
Detect exactly how an attacker can reach Domain Admin from a standard user.
Simulation with operator confirmation
Doesn't modify anything without your confirmation. Pentest rigor, production control.
Reports for board and audit
Executive for CISO/board. Technical for IT. MITRE ATT&CK, ENS, NIS2.
Deploy in hours, not months
No agents. No infrastructure changes. Domain-joined Windows VM.
Spanish regulatory framework
ENS Alto (CCN-CERT), NIS2, ISO 27001, DORA, GDPR. Traceable evidence for audits.
Continuous validation, not one-time
Repeat analysis when the environment changes. Detect regressions before auditors do.
Risk calculator
Calculate your risk exposure.
Based on IBM Cost of Data Breach 2024 and Verizon DBIR 2024 data.
AD Risk Exposure Calculator
Estimate your annual exposure to AD-related breaches and the expected ROI of ADscan.
Estimated ADscan annual cost: €24,000
Estimates based on IBM Cost of Data Breach 2024 and Verizon DBIR 2024. Actual results vary by environment.
Request Demo
Field signals
From the pilot program.
100% of environments analyzed in the pilot program had at least one full domain access path the internal team had not previously identified.
ADscan Pilot Program
May 2026
Domain Admin escalation path identified in the first session. Time to full domain compromise: under 2 hours from standard user credentials.
Financial Sector
DORA-regulated environment
Automates 80% of the enumeration and attack path mapping work I used to do manually with 4–5 different tools. The report comes out ready to deliver to the client.
Security Consultant
Red Team
Pilot program data · May 2026 · No nominal identification.
Regulatory framework
Built for Spanish and EU regulation.
Traceable evidence to comply with Spain's National Security Scheme (High level).
DORA has been law since January 2025. The Bank of Spain activated its supervisory channel in February 2025. ADscan generates the report the same day.
Aligned with ISO 27001:2022 asset management and operational security controls.
AD data, findings, and reports never leave your network. Usage telemetry is anonymous, sanitized, and opt-out. Data sovereignty guaranteed.
The offer
Free AD Exposure Assessment
AD Verified Guarantee: we work with you until your AD has zero domain compromise paths. We re-audit as many times as needed at no cost, as long as you remediate between runs.
This session · No card · No agents · No infrastructure changes
What's included
- Full audit: 41 exposure checks + chained attack paths on your real environment
- Executive report for CISO/board + technical report for IT (ENS Alto, NIS2, ISO 27001, DORA)
- Results in 48 hours · No agents · No infrastructure modifications
Free with three conditions
1. Run it on a real environment
2. Give honest feedback after
3. Recommend it if it delivers
DORA has been in force since January 2025. Supervisory reviews are now active. Each week without technical evidence increases regulatory exposure.
Request Free Assessment
Questions
FAQ
DORA is in force. Do you have the technical evidence your supervisor can ask for?
The CISO who arrives at the board with the report before the incident makes the decisions. The one who arrives after executes under pressure. AD Verified Guarantee: we re-audit as many times as needed, at no cost.