The offense-informed analyzer set
Kerberoasting and AS-REP roasting exposure, ADCS certificate-template abuse, delegation, DCSync rights, and dangerous ACLs — the paths red teams actually walk to Tier 0.
Ferrum Bastion reads Active Directory continuously, builds the whole-domain attack graph, and runs offense-informed analyzers over it — then ranks every finding by its real reachability to Tier 0. It's BloodHound's insight, delivered continuously to defenders: self-contained (no Neo4j), read-only, and correlated with the rest of your posture. You see the few paths that actually matter first, not an exhaustive dump.
Behind Ferrum ID SSO · the Domain Controller is never exposed · read-only by construction
Exposure runs the opposite direction to what teams fear. The collector runs inside your trust boundary and reaches the Domain Controller over the private network; the only traffic that ever crosses the boundary is outbound 443 — and in air-gapped mode there is none. Requiring an internet-facing DC would be exactly the kind of critical misconfiguration Bastion exists to flag.
Bastion never writes to the directory. No object edits, no group changes, no remediation. It reads and reports — offensive write capability is absent, not disabled.
It detects conditions; it never exploits them. It flags a Kerberoastable account without requesting the ticket, detects ESC1 without enrolling the cert. The tool ships zero offensive capability.
No credential material is ever collected — no hashes, no keys, no DCSync. Config, ACLs, delegation, Kerberos metadata, and object attributes only. Nothing secret to leak.
The collector runs as an unprivileged authenticated domain reader. ACLs and config are world-readable to authenticated users by default — no elevated rights to see what it needs.
One outbound port. No inbound firewall holes, no DC on the edge. Snapshots are crown-jewel data — encrypted at rest with the key held separately, tenant-isolated, retention-bounded, never logged in the clear. Air-gapped engagements keep the whole map inside the boundary.
Offense-informed analyzers run over the in-memory graph and name the technique — every finding carries its ATT&CK / ESC id, its edge chain, and its remediation.
Kerberoasting and AS-REP roasting exposure, ADCS certificate-template abuse, delegation, DCSync rights, and dangerous ACLs — the paths red teams actually walk to Tier 0.
Every finding is scored by its exposure to Tier 0 — distance in the graph, presence on a Domain Admin path, reachability from an assumed-breach foothold. The reachability_basis is surfaced so the priority is always explainable. Honest by design: if it can't be computed, it's null — never faked.
Continuous collection makes drift a first-class view: new paths, resolved paths, and time-to-remediate across repeat engagements — so you watch the attack surface shrink, not re-audit from zero.
Pivot the entire attack graph interactively — search a principal, expand its edges, and trace the shortest foothold → capability → Tier-0 chain. Hand a client the same picture as a single self-contained HTML report, air-gapped-safe.
A lightweight, read-only internal agent — like SharpHound or PingCastle, but continuous and safe by default. Deploy it inside your network, point it at a DC over private LDAPS, and let it egress a single outbound 443 (or nothing at all, air-gapped). Paged, throttled, and schedulable so a 50k-object collection never stresses a Domain Controller.
Default posture is pure-LDAP, read-only, DC-safe. The invasive session/host module (SMB/RPC) stays off and consent-gated.
Sign in with Ferrum ID and see the paths that matter first.