ACTIVE DIRECTORY PENETRATION TEST

From user account
to Domain Admin

We simulate real-world attacker paths in Active Directory environments – from weak configurations to full privilege escalation. Transparent, reproducible, and focused on real risk.

Value

Why an Active Directory Pentest is Critical

Risk Visibility

Identify Hidden Attack Paths

We demonstrate how attackers can move from low-privilege accounts to full domain control.

Prioritization

Actionable Recommendations

All findings are clearly prioritized – from critical admin flaws to minor misconfigurations.

Protection

Targeted Hardening Guidance

Concrete steps to secure accounts, group policies, and delegations – practical and understandable.

Weaknesses

Attack Surfaces in Active Directory

Active Directory exposes multiple entry points – from misconfigured permissions and service accounts to vulnerable certificate services. This overview highlights where attackers typically start.


User Accounts

Weak password policies, AS-REP Roasting and password reuse.

AS-REP Roasting, Password Spraying

Service Accounts

Accounts with SPNs (Kerberoastable), weak passwords and often excessive privileges.

Kerberoasting, SPN Abuse

GPO & Delegation

Broken permission inheritance, AdminSDHolder tampering and writable logon/startup scripts in SYSVOL.

GPO Abuse, Privilege Escalation

ADCS / Certificates

Misconfigured certificate templates and enrollment policies.

ESC1–ESC8, PKINIT Abuse

Domain Admin

Full control: KRBTGT key extraction, DCSync and Golden Tickets.

DCSync, Golden Ticket

Our Approach

Structured & Traceable

01

Post-Compromise Starting Point

We realistically start from a limited user or service account to assess what is possible after an initial compromise.

02

Enumeration & Mapping

Domain structure, groups, ACLs and trusts are systematically mapped to uncover privilege chains and attack paths.

03

Attack Simulation

Techniques such as Kerberoasting, AS-REP Roasting, GPO and ACL abuse, and Pass-the-Hash/Ticket are applied in a controlled manner to validate escalation paths.

04

Mitigation & Hardening

We provide prioritized actions, clear recommendations and optional support for hardening, configuration and long-term risk reduction.

Assessment Targets

Active Directory Attack Surfaces – Visualized

An overview of how attackers exploit different Active Directory components. Each node highlights common attack vectors assessed during the pentest.

Active Directory (root node)
User Accounts: AS-REP Roasting, Weak Passwords, Lateral Movement
Service Accounts: Kerberoasting, SPN Abuse, Password Never Expires
GPO / SYSVOL: GPO Abuse, Startup Script Hijacking, Privilege Escalation
Domain Controller: DCSync, NTDS Extraction, Token Theft
ADCS / CA: ESC1, ESC4, Certificate Abuse
Groups / ACLs: ACL Misconfig, GenericAll / WriteDACL, Privilege Chains

FAQ

Frequently Asked Questions on Active Directory Pentesting & Identity Security

No, that’s exactly the point: a realistic AD pentest is a post-compromise scenario. We start with the rights of a regular domain user or a standard service account.

Our goal is to demonstrate how an attacker who already has a foot in the door (e.g., through a phishing email) can gradually escalate their privileges through misconfigurations, Kerberoasting, or insecure delegations. We show you the path from the 'smallest' user all the way to Domain Administrator. This is the only way to find out if your internal security boundaries can withstand a real attack.

An infrastructure pentest focuses on the attack surface of your services: we look for open SMB shares containing sensitive data, test for default credentials in web interfaces or routers, and exploit misconfigurations in network protocols. An AD pentest starts exactly where these services meet your central identity management: the accounts, groups and permissions that decide what a compromised service is worth to an attacker.

Active Directory Certificate Services (ADCS) is currently one of the most critical attack targets. Misconfigured certificate templates often allow attackers to request a certificate for an arbitrary user, including a domain admin, and then authenticate as that user. Such a certificate remains usable until it expires or is revoked, regardless of any password change.

In our pentest, we specifically check for these 'ESC' vulnerabilities. Since ADCS is deeply rooted in the system and often remains untouched for years, we frequently find critical paths to total domain takeover here. We help you understand and securely close these complex misconfigurations.
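As an added illustration (not code from the original page or the provider's tooling), the following Python snippet applies the ESC1 conditions to certificate template attributes: the requester may supply the subject, the EKUs allow domain authentication, no manager approval or authorized signature is required, and low-privileged principals may enroll. The template records are constructed here with the LDAP attribute names the templates carry in the Configuration partition; the "enroll" list is a simplification of what a real check reads from the template's security descriptor (assumption: principal names are already resolved).

```python
# Added example: offline ESC1 triage over certificate template attributes.
# The template records below are constructed for the demonstration.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag: manager approval

# EKUs that let a certificate be used to authenticate to the domain (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Principals whose enrollment right makes a template reachable for any domain member.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def allows_authentication(ekus):
    """An empty EKU list means 'no restriction', which also permits authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_blockers(template):
    """Return the reasons this template is NOT ESC1; an empty list means vulnerable."""
    blockers = []
    if not template.get("enabled", True):
        blockers.append("template not published on any CA")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("subject is built from AD, not supplied by the requester")
    if not allows_authentication(template.get("pKIExtendedKeyUsage", [])):
        blockers.append("EKUs do not allow domain authentication")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template.get("msPKI-RA-Signature", 0) > 0:
        blockers.append("authorized signature required")
    if not set(template["enroll"]) & LOW_PRIV_PRINCIPALS:
        blockers.append("only privileged principals may enroll")
    return blockers


def esc1_vulnerable(templates):
    """Names of all templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if not esc1_blockers(t)]


# Constructed sample (hypothetical template names and settings).
TEMPLATES = [
    {"name": "LegacyVPN", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", OID_SERVER_AUTH],
     "enroll": ["Domain Users", "Domain Admins"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x2000000,   # subject from AD (UPN SAN)
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [OID_SERVER_AUTH], "enroll": ["Domain Admins"]},
    {"name": "HelpdeskSigned", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 1,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "ApprovedClient", "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Authenticated Users"]},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        reasons = esc1_blockers(t)
        print(f"{t['name']}: {'ESC1' if not reasons else '; '.join(reasons)}")
```

Every condition has to hold at once; a template that fails only the enrollment check is still worth a second look, because WriteDacl or WriteOwner on the template (ESC4) turns it into ESC1 later.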

Stability is our priority. We do not use tools that blindly try passwords and could cause account lockouts. Wherever possible we rely on passive techniques and targeted LDAP and Kerberos queries.

During password spraying, we stay below your configured lockout threshold and respect the observation window. For attacks like Kerberoasting, we only request service tickets (TGS-REQ), which the domain controller handles as a normal Kerberos request (it is logged as Event ID 4769 but causes no lockout); cracking happens offline on our side. We work non-disruptively throughout the entire process, so your employees can continue working undisturbed while we test the resilience of your domain behind the scenes.
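As an added example (not the provider's tooling or code from the page), this Python planner shows what "staying below the lockout threshold" means in practice: it takes the domain's lockoutThreshold and lockOutObservationWindow plus each account's current badPwdCount and schedules attempts so that no account reaches the threshold, waiting for the observation window to elapse before the next batch. Policy values, account names, bad-password counts and the password list are constructed; fine-grained password policies (PSOs) that override the default policy for some users are an assumption left out of the model.

```python
# Added example: lockout-aware password spray planning (constructed inputs).
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int                # lockoutThreshold; 0 means accounts never lock out
    observation_window_min: int   # lockOutObservationWindow, in minutes


def plan_spray(policy, accounts, passwords, safety_margin=1):
    """Schedule attempts so that no account ever reaches the lockout threshold.

    accounts: {sAMAccountName: badPwdCount}. badPwdCount is kept per domain
              controller; feed in the highest value you can observe.
    Returns a list of windows: {"wait_minutes": int, "attempts": [(user, pw), ...]}.
    Within one window every account gets at most (threshold - safety_margin)
    attempts, minus the bad count it already carries in the first window.
    The next window starts after the observation window has elapsed, when
    badPwdCount has reset to zero.
    """
    if policy.threshold == 0:
        per_window = None                    # no lockout configured
    else:
        per_window = policy.threshold - safety_margin
        if per_window <= 0:
            raise ValueError("lockout threshold too low to spray safely")

    progress = {user: 0 for user in accounts}   # index of next password per account
    windows = []
    first = True
    while any(progress[u] < len(passwords) for u in accounts):
        attempts = []
        for user, bad_count in accounts.items():
            remaining = len(passwords) - progress[user]
            if per_window is None:
                allowed = remaining
            else:
                budget = per_window - (bad_count if first else 0)
                allowed = max(0, min(budget, remaining))
            for i in range(progress[user], progress[user] + allowed):
                attempts.append((user, passwords[i]))
            progress[user] += allowed
        if attempts:   # a first window may be empty if counts are already high
            windows.append({
                "wait_minutes": 0 if first else policy.observation_window_min + 1,
                "attempts": attempts,
            })
        first = False
    return windows


# Constructed sample: default-style policy, one account already at badPwdCount 4.
SAMPLE_POLICY = LockoutPolicy(threshold=5, observation_window_min=30)
SAMPLE_ACCOUNTS = {"alice": 0, "bob": 4}
SAMPLE_PASSWORDS = ["Spring2024!", "Summer2024!", "Welcome1!",
                    "Password1!", "Company2024!", "Changeme1!"]

if __name__ == "__main__":
    for n, window in enumerate(plan_spray(SAMPLE_POLICY, SAMPLE_ACCOUNTS, SAMPLE_PASSWORDS), 1):
        print(f"window {n}: wait {window['wait_minutes']} min, {len(window['attempts'])} attempts")
        for user, pw in window["attempts"]:
            print(f"  {user}: {pw}")
```

Read the policy from the domain before running anything (Get-ADDefaultDomainPasswordPolicy, or the lockoutThreshold and lockOutObservationWindow attributes on the domain object), and re-read badPwdCount from every domain controller between windows rather than trusting the plan blindly.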

Most AD takeovers succeed because administrators log in with highly privileged accounts on less trusted systems such as workstations (Tier 2) where an attacker already has a foothold and can dump the cached credentials. We check whether you have a clean separation of admin tiers.

Our report provides you with concrete strategies for implementing tiering: domain admins log in only to Domain Controllers and other Tier 0 systems, server admins only to servers (Tier 1), and neither to workstations. We show you where traces of privileged identities (cached credentials, tokens, tickets) lie in the network that we could extract via credential dumping, and how to permanently block these paths.

Service accounts are often the Achilles' heel of Active Directory. They frequently have passwords that never expire and hold extensive permissions on databases or servers.

Through Kerberoasting, we request service tickets for these accounts (any domain user may do so) and try to crack them offline, since the ticket is encrypted with a key derived from the account's password. Because many service accounts were created manually and have weak passwords, this is often a direct path to privilege escalation. We identify these accounts for you and recommend moving them to Group Managed Service Accounts (gMSA), whose long random passwords are generated and rotated by AD itself (every 30 days by default); where migration is not possible, long random passwords and AES-only Kerberos encryption take most of the value out of the attack.
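Added example, not code from the page or the provider: a Python triage over user records in the shape LDAP returns them, flagging what the answer above describes: Kerberoastable accounts that are not gMSAs (and whether an RC4 ticket can still be obtained), AS-REP-roastable accounts, passwords that never expire and stale passwords. The records are constructed; treating a missing msDS-SupportedEncryptionTypes as "RC4 still issuable" is an assumption about the domain default.

```python
# Added example: offline triage of constructed AD user records.
from datetime import datetime, timedelta, timezone

# userAccountControl bits (standard values from the AD schema)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is stored as 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def triage_accounts(users, now, stale_days=365):
    """Return (sAMAccountName, finding, detail) tuples for enabled accounts."""
    findings = []
    for u in users:
        uac = u.get("userAccountControl", 0)
        if uac & UAC_ACCOUNTDISABLE:
            continue
        name = u["sAMAccountName"]
        is_gmsa = "msDS-GroupManagedServiceAccount" in u.get("objectClass", [])

        # Kerberoastable: has an SPN, is not a gMSA (random 256-byte password) and
        # is not krbtgt (its ticket cannot be requested this way).
        if u.get("servicePrincipalName") and not is_gmsa and name.lower() != "krbtgt":
            enc = u.get("msDS-SupportedEncryptionTypes", 0)
            # Assumption: 0 / absent means the domain default, which still allows RC4.
            aes_only = bool(enc & (ENC_AES128 | ENC_AES256)) and not enc & ENC_RC4_HMAC
            findings.append((name, "kerberoastable",
                             "AES-only ticket" if aes_only else "RC4 ticket obtainable"))
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "asrep-roastable", "Kerberos pre-authentication disabled"))
        if uac & UAC_DONT_EXPIRE_PASSWORD and not is_gmsa:
            findings.append((name, "password-never-expires", ""))
        if u.get("pwdLastSet"):
            age = now - filetime_to_datetime(u["pwdLastSet"])
            if age.days > stale_days:
                findings.append((name, "stale-password", f"{age.days} days old"))
    return findings


def _ft(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records (hypothetical names and SPNs).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_sql", "objectClass": ["user"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,
     "pwdLastSet": _ft(2019, 3, 1)},
    {"sAMAccountName": "svc_web", "objectClass": ["user"],
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "userAccountControl": UAC_NORMAL_ACCOUNT,
     "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256,
     "pwdLastSet": _ft(2024, 5, 1)},
    {"sAMAccountName": "gmsa_sql$", "objectClass": ["user", "msDS-GroupManagedServiceAccount"],
     "servicePrincipalName": ["MSSQLSvc/sql02.corp.example:1433"],
     "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT,
     "pwdLastSet": _ft(2024, 5, 15)},
    {"sAMAccountName": "legacy_app", "objectClass": ["user"],
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH,
     "pwdLastSet": _ft(2024, 5, 20)},
    {"sAMAccountName": "krbtgt", "objectClass": ["user"],
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,
     "pwdLastSet": _ft(2018, 1, 1)},
]

if __name__ == "__main__":
    for name, finding, detail in triage_accounts(SAMPLE_USERS, NOW):
        print(f"{name:12} {finding:24} {detail}")
```

The same attributes can be pulled with a single LDAP query for `(&(objectCategory=person)(servicePrincipalName=*))` plus one for `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`; the triage then runs unchanged over the results.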

You receive much more than just a list. We provide a graphical representation of the most critical attack paths. You see in black and white: 'User A reaches Domain Admin via Group B and Permission C'.

Every finding is prioritized: what must be fixed immediately (e.g., an ESC1 template) and what is a long-term design change (e.g., decommissioning legacy protocols). Our goal is not just for you to plug current holes, but to harden the AD as a whole so that future attackers find no more viable paths.
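The enumeration step in the approach section (domain structure, groups, ACLs, trusts mapped into privilege chains) and the "User A reaches Domain Admin via Group B and Permission C" view described above both come down to a shortest-path search over a graph of AD relationships. As an added example that is neither the page's nor any tool's code, here is that search in Python over a constructed edge list; the edge names follow the usual attack-path vocabulary (MemberOf, GenericAll, WriteDacl, AdminTo, HasSession) and every principal and host is invented for the demonstration.

```python
# Added example: shortest attack path over constructed AD relationship edges.
from collections import deque

# (source, relationship, target). Directed; traversing an edge means the attacker
# controlling `source` can obtain control of (or credentials for) `target`:
#   MemberOf   - source is a member of the target group and inherits its rights
#   GenericAll - source has full control of target (reset password, add members)
#   WriteDacl  - source can rewrite target's ACL and grant itself GenericAll
#   AdminTo    - source has local admin on target host
#   HasSession - target principal has a logon session on source host, so an admin
#                on the host can dump its credentials or steal its token
EDGES = [
    ("alice",      "MemberOf",   "Helpdesk"),
    ("alice",      "MemberOf",   "Marketing"),
    ("Helpdesk",   "GenericAll", "svc_backup"),
    ("Marketing",  "AdminTo",    "WS07"),
    ("WS07",       "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf",   "SRV-Admins"),
    ("SRV-Admins", "AdminTo",    "SRV01"),
    ("SRV01",      "HasSession", "da_admin"),
    ("da_admin",   "MemberOf",   "Domain Admins"),
    ("Finance",    "WriteDacl",  "Finance-Share"),
    ("bob",        "MemberOf",   "Finance"),
]


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns [(src, rel, dst), ...] or None if unreachable."""
    if start not in graph or target not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path = []
    node = target
    while prev[node] is not None:
        src, rel = prev[node]
        path.append((src, rel, node))
        node = src
    path.reverse()
    return path


def describe_path(path):
    """Render a path the way it would appear in a report."""
    if not path:
        return None
    return path[0][0] + "".join(f" -[{rel}]-> {dst}" for _, rel, dst in path)


def paths_to(graph, target, starts):
    """Shortest path from each starting principal to the target (None if none)."""
    return {s: shortest_path(graph, s, target) for s in starts}


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user, path in paths_to(g, "Domain Admins", ["alice", "bob"]).items():
        print(f"{user}: {describe_path(path) or 'no path found'}")
```

BFS finds the fewest hops, which is usually what a report leads with; in a real assessment each edge still has to be validated (an ACL right is only useful if the account's password can actually be reset, a session is only useful if the credentials are really cached), which is the work the "Attack Simulation" step does.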

Audit tools often deliver thousands of warnings that are nearly impossible to manage. We, however, filter out the noise and focus on real, verified paths.

A tool might warn you about 'too many privileged users.' We, on the other hand, show you that one of those users has a weak password that we cracked, and how we used that to take over the entire domain. We provide the context and the proof-of-concept. Furthermore, in the debriefing session, we help you plan the necessary changes so they don't hinder your IT workflows.

© AccessGranted X GmbH