AD ATTACK PATHS · SCORED BY REAL REACHABILITY

Your AD attack surface, mapped and scored.

Ferrum Bastion reads Active Directory continuously, builds the whole-domain attack graph, and runs offense-informed analyzers over it — then ranks every finding by its real reachability to Tier 0. It's BloodHound's insight, delivered continuously to defenders: self-contained (no Neo4j), read-only, and correlated with the rest of your posture. You see the few paths that actually matter first, not an exhaustive dump.

Behind Ferrum ID SSO · the Domain Controller is never exposed · read-only by construction

Your DC is never exposed.

Exposure runs the opposite direction to what teams fear. The collector runs inside your trust boundary and reaches the Domain Controller over the private network; the only traffic that ever crosses the boundary is outbound 443 — and in air-gapped mode there is none. Requiring an internet-facing DC would be exactly the kind of critical misconfiguration Bastion exists to flag.

Read-only · I-1

Bastion never writes to the directory. No object edits, no group changes, no remediation. It reads and reports — offensive write capability is absent, not disabled.

No-exploit · I-2

It detects conditions; it never exploits them. It flags a Kerberoastable account without requesting the ticket, detects ESC1 without enrolling the cert. The tool ships zero offensive capability.

No-secrets · I-3

No credential material is ever collected — no hashes, no keys, no DCSync. Config, ACLs, delegation, Kerberos metadata, and object attributes only. Nothing secret to leak.

Least-privilege · I-4

The collector runs as an unprivileged authenticated domain reader. ACLs and config are world-readable to authenticated users by default — no elevated rights to see what it needs.

One outbound port. No inbound firewall holes, no DC on the edge. Snapshots are crown-jewel data — encrypted at rest with the key held separately, tenant-isolated, retention-bounded, never logged in the clear. Air-gapped engagements keep the whole map inside the boundary.

WHAT BASTION DETECTS

The attack paths that lead to Domain Admin.

Offense-informed analyzers run over the in-memory graph and name the technique — every finding carries its ATT&CK / ESC id, its edge chain, and its remediation.

01 / ANALYZERS

The offense-informed analyzer set

Kerberoasting and AS-REP roasting exposure, ADCS certificate-template abuse, delegation, DCSync rights, and dangerous ACLs — the paths red teams actually walk to Tier 0.

Kerberoast AS-REP ESC1–ESC8 Unconstrained · RBCD DCSync WriteDACL · GenericAll
02 / SCORING

Prioritized by real reachability

Every finding is scored by its exposure to Tier 0 — distance in the graph, presence on a Domain Admin path, reachability from an assumed-breach foothold. The reachability_basis is surfaced so the priority is always explainable. Honest by design: if it can't be computed, it's null — never faked.

exposure_hint distance-to-Tier-0 A–F posture grade
03 / DRIFT

What changed since last snapshot

Continuous collection makes drift a first-class view: new paths, resolved paths, and time-to-remediate across repeat engagements — so you watch the attack surface shrink, not re-audit from zero.

new resolved time-to-remediate
04 / EXPLORER

The whole-domain graph explorer

Pivot the entire attack graph interactively — search a principal, expand its edges, and trace the shortest foothold → capability → Tier-0 chain. Hand a client the same picture as a single self-contained HTML report, air-gapped-safe.

force graph pathfinding offline HTML report
DEPLOY THE COLLECTOR

Download the collector.

A lightweight, read-only internal agent — like SharpHound or PingCastle, but continuous and safe by default. Deploy it inside your network, point it at a DC over private LDAPS, and let it egress a single outbound 443 (or nothing at all, air-gapped). Paged, throttled, and schedulable so a 50k-object collection never stresses a Domain Controller.

Default posture is pure-LDAP, read-only, DC-safe. The invasive session/host module (SMB/RPC) stays off and consent-gated.

WIN Windows
Domain-joined host · Task Scheduler
Download for Windows
TUX Linux
Internal host · systemd timer
Download for Linux
PRICING

From a free explorer to a living pentest-portal.

Start free on one domain, or turn an AD engagement into a reachability-scored subscription — forest-wide collection, continuous drift, and the pentest-portal delivery. Annual billing is two months free. Five SMB-aligned tiers, read-only on every one.

  • Free$0
  • Single Domain$99/mo
  • Forest$299/mo
  • Hybrid$599/mo
  • MSSPCustom

Turn an AD assessment into a living, scored portal.

Sign in with Ferrum ID and see the paths that matter first.