Are Attackers Finding Your Active Directory Vulnerabilities — Before You Do?

80% of all cyberattacks exploit Active Directory vulnerabilities (Source: Mandiant Threat Report 2025). Assess your identity infrastructure for:

✅ Privilege escalation (e.g., Kerberoasting, Pass-the-Hash)
✅ Domain takeover (Golden Ticket, DCSync)
✅ ADFS misconfigurations (Token Replay, MFA bypass)
✅ Compliance risks (GDPR, BSI KRITIS, ISO 27001)


Why AD/ADFS Security Is Vital

Active Directory is the Core of Your IT — and the Prime Target for Attackers

  • Ransomware campaigns abuse AD for lateral movement

  • Data breaches occur via insecure group policies and outdated protocols

  • Compliance violations under GDPR Article 32, BSI KRITIS, and NIS2

  • Operational outages triggered by compromised domain controllers

Fact: 9 out of 10 organizations have critical Active Directory vulnerabilities — many remain undetected for years

Our Mission: Enterprise-Grade AD/ADFS Security

We test against AD Security Guidelines, MITRE ATT&CK for Active Directory, and Microsoft Hardening Baselines:

✔ In-depth AD penetration tests (On-Prem, Hybrid, Azure AD)
✔ ADFS security assessments (SAML, OAuth, MFA bypass)
✔ Red Team / Blue Team training with real-world attack scenarios
✔ Audit-ready compliance evidence (GDPR, BSI, KRITIS)

All assessments follow Microsoft AD Security Baselines and MITRE ATT&CK for Active Directory.

For Enterprises: Compliance & Risk Management

The Challenges:

“We need an AD pentest for BSI KRITIS / NIS2.”
“Our AD has grown — but no one knows who has which rights.”
“How do I defend against ransomware using AD as an entry point?”

How We Help:

Regulatory AD Penetration Testing

  • GDPR Article 32: Security of processing

  • BSI KRITIS: Identity management requirements

  • NIS2: Risk management for critical infrastructure

Comprehensive Test Coverage

  • ~65–90 AD test cases (depending on environment complexity)

  • 25–35 ADFS-specific assessments

Executive Reporting

  • Risk ratings based on CVSS v3.1

  • Prioritized AD hardening roadmap

  • Board-ready presentation: Security ROI made tangible

Outcomes for Your Organization:

✅ Verified compliance (GDPR, BSI, ISO 27001)
✅ Up to 90% reduction in AD attack surface
✅ Ransomware resilience through AD isolation

For IT Administrators & Security Teams

The Challenges:

“How can I tell if our AD is already compromised?”
“We have outdated Group Policies — but where do we even start?”
“Our team needs to detect AD attacks — how do we train for that?”

How We Help:

AD Security Assessment

  • Automated scans with your IT team (BloodHound, PingCastle, Purple Knight)

  • Manual tests for:
    • Kerberoasting (SPN abuse)
    • Pass-the-Hash / Pass-the-Ticket (lateral movement)
    • ACL misconfigurations (unauthorized permissions)
    • ADFS vulnerabilities (token-signing certs, MFA bypass)
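The Kerberoasting check above is the one most worth automating before an engagement. The following PowerShell is an added example, not Exploit Labs' assessment tooling or code from this page: it ranks accounts that carry an SPN by how attractive they are to roast (RC4 ticket obtainable, old password, member of a protected group). It assumes the RSAT ActiveDirectory module for the commented live query; the sample accounts at the bottom are constructed and correspond to no real domain.

```powershell
# Added example, not Exploit Labs' assessment tooling: rank Kerberoastable accounts.
# Assumes the RSAT ActiveDirectory module for the commented live query; the sample
# accounts at the bottom are constructed and correspond to no real domain.

$RC4_HMAC = 0x04   # msDS-SupportedEncryptionTypes bit flags as used by the KDC
$AES128   = 0x08
$AES256   = 0x10

function Test-KerberoastExposure {
    param(
        # Same shape as Get-ADUser output: SamAccountName, Enabled, ServicePrincipalName,
        # msDS-SupportedEncryptionTypes, PasswordLastSet, adminCount
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $MaxPasswordAgeDays = 365
    )
    foreach ($a in $Accounts) {
        # Disabled accounts and krbtgt are not roasting targets; no SPN means no TGS-REQ
        if (-not $a.Enabled -or $a.SamAccountName -eq 'krbtgt' -or -not $a.ServicePrincipalName) { continue }

        $enc = [int]($a.'msDS-SupportedEncryptionTypes')
        # Unset (0) on a user account: the KDC issues an RC4 service ticket, which is
        # the cheapest ticket type to crack offline (hashcat mode 13100).
        $rc4Possible = ($enc -eq 0) -or (($enc -band $RC4_HMAC) -ne 0)
        $hasAes      = ($enc -band ($AES128 -bor $AES256)) -ne 0
        $ageDays     = if ($a.PasswordLastSet) { (New-TimeSpan -Start $a.PasswordLastSet -End (Get-Date)).Days } else { [int]::MaxValue }

        # Severity: RC4 ticket obtainable -> Medium; plus a password older than the
        # rotation limit (usually human-chosen) -> High; plus adminCount=1 -> Critical
        $severity = 'Low'
        if ($rc4Possible) { $severity = 'Medium' }
        if ($rc4Possible -and $ageDays -gt $MaxPasswordAgeDays) { $severity = 'High' }
        if ($severity -ne 'Low' -and [int]$a.adminCount -eq 1) { $severity = 'Critical' }

        [pscustomobject]@{
            Account         = $a.SamAccountName
            SPNs            = (@($a.ServicePrincipalName) -join ';')
            RC4Possible     = $rc4Possible
            AESOnly         = ($hasAes -and -not $rc4Possible)
            PasswordAgeDays = $ageDays
            Privileged      = ([int]$a.adminCount -eq 1)
            Severity        = $severity
        }
    }
}

# Constructed sample accounts (no real domain)
$sample = @(
    [pscustomobject]@{ SamAccountName='svc_sql'; Enabled=$true;  ServicePrincipalName=@('MSSQLSvc/db01.corp.local:1433');
                       'msDS-SupportedEncryptionTypes'=0;    PasswordLastSet=(Get-Date).AddYears(-4); adminCount=1 }
    [pscustomobject]@{ SamAccountName='svc_web'; Enabled=$true;  ServicePrincipalName=@('HTTP/intranet.corp.local');
                       'msDS-SupportedEncryptionTypes'=0x18; PasswordLastSet=(Get-Date).AddDays(-20);  adminCount=0 }
    [pscustomobject]@{ SamAccountName='svc_old'; Enabled=$false; ServicePrincipalName=@('CIFS/fs01.corp.local');
                       'msDS-SupportedEncryptionTypes'=0;    PasswordLastSet=(Get-Date).AddYears(-6); adminCount=0 }
)
Test-KerberoastExposure -Accounts $sample | Format-Table -AutoSize

# Live query (plain read access to the domain is enough, which is exactly the attacker's position):
# $live = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
#             -Properties ServicePrincipalName,'msDS-SupportedEncryptionTypes',PasswordLastSet,adminCount
# Test-KerberoastExposure -Accounts $live | Where-Object Severity -ne 'Low'
```

The three constructed accounts cover the cases that matter: an AES-only service account, a disabled one that is skipped, and a privileged one with the attribute unset and a years-old password. Remediation for the last kind is to move it to a gMSA or a long random password and to set `Set-ADUser -KerberosEncryptionType AES128,AES256` so the KDC stops issuing RC4 tickets for it.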

Gamified Red Team / Blue Team Training

  • 2–4 day workshops with real-world attack simulations
    Red Team: Simulate attacks like APT29 (Cozy Bear)
    Blue Team: Detect & respond using SIEM tools (Splunk, Microsoft Sentinel)
    CTF Events: "Capture the Flag" using real AD labs (GoAD, DBCC)

Learning Outcomes:

  • Detect Golden Ticket attacks

  • Detect and block DCSync attacks

  • Secure ADFS & MFA configurations

Practical Hardening Guides
Step-by-step playbooks for:

  • Tiered Admin Model (Tier 0/1/2)

  • LSASS protection (RunAsPPL: run LSASS as a protected process)

  • ADFS security (SAML signing, Extensible Authentication)
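The LSASS protection playbook has one step that bites in practice: once RunAsPPL is enforced, unsigned LSA plugins (third-party authentication or password-filter DLLs) silently stop loading. The following PowerShell is an added example, not Exploit Labs' playbook: it reports the current state (RunAsPPL, audit mode, Credential Guard) and enforces PPL only after the audit-mode log shows nothing would be blocked. It assumes an elevated session on a domain-joined Windows host; the registry paths and event IDs are the ones Microsoft documents for LSA protection.

```powershell
# Added example, not Exploit Labs' playbook: report and enable LSA protection (RunAsPPL).
# Caveat: PPL blocks unsigned LSA plugins, so audit first (AuditLevel=8), reboot, run
# the normal workloads, and check CodeIntegrity events 3065/3066 before enforcing.
# Run elevated; every change here needs a reboot to take effect.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-LsassProtectionState {
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $audit    = (Get-ItemProperty -Path $AuditKey -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
    # Credential Guard isolates the secrets PPL only guards the process around;
    # SecurityServicesRunning contains 1 when it is active
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cg = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    # Plugins LSASS loaded in audit mode that PPL would have rejected
    $blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
                            -MaxEvents 50 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (Windows 11 22H2+), empty/0 = off
        RunAsPPL        = $runAsPpl
        AuditMode       = ($audit -eq 8)
        CredentialGuard = [bool]$cg
        AuditFindings   = @($blocked).Count
        BlockedModules  = @($blocked | ForEach-Object { $_.Message } | Select-Object -Unique)
    }
}

function Enable-LsassProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $AuditOnly)

    if ($AuditOnly) {
        if ($PSCmdlet.ShouldProcess($AuditKey, 'Set AuditLevel=8 (log violations, do not block)')) {
            New-Item -Path $AuditKey -Force | Out-Null
            Set-ItemProperty -Path $AuditKey -Name AuditLevel -Value 8 -Type DWord
        }
        return
    }

    $state = Get-LsassProtectionState
    if ($state.AuditFindings -gt 0) {
        throw "CodeIntegrity log shows $($state.AuditFindings) LSA plugin load(s) that PPL would block; fix or remove those first."
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set RunAsPPL=1')) {
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
        Write-Warning 'RunAsPPL applies after reboot. With the UEFI lock in place it cannot be reverted by deleting the registry value alone.'
    }
}

Get-LsassProtectionState
# Enable-LsassProtection -AuditOnly    # step 1: audit mode, reboot, exercise logons, re-check AuditFindings
# Enable-LsassProtection -WhatIf       # step 2: enforce (drop -WhatIf once the audit run is clean)
```

Roll this out Tier 0 first (domain controllers, PAWs), because that is where a credential dump turns into domain compromise, and keep the audit-mode run for at least one full business cycle so rarely used authentication paths get exercised.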

Red Team / Blue Team Training: Learn by Attacking and Defending

Real-world scenarios — no theory!

Red Team Track:

  • Domain takeover in 5 steps

  • Persistence techniques (Golden Ticket, DCShadow)

  • ADFS attacks (Token manipulation)

Blue Team Track:

  • Detection using SIEM (Splunk, Microsoft Sentinel)

  • Incident response to AD compromise

  • Post-attack forensics and analysis
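Two of the Blue Team detections promised above (the learning outcomes list them as DCSync and the Kerberoasting counterpart of "Detect Golden Ticket attacks") can be expressed as a few lines of logic over Windows Security events. The following PowerShell is an added example, not Exploit Labs' SIEM content or this page's code: it runs the two rules over constructed 4769/4662 events so the thresholds can be read and tested offline, and translates directly into Splunk SPL or Sentinel KQL. The replication-right GUIDs are the documented AD control-access rights; the host names, IPs and account names are invented.

```powershell
# Added example, not Exploit Labs' SIEM content: two AD attack detections over constructed
# Security-log events (4769 = Kerberos service ticket request, 4662 = directory object access).
# 4662 only appears if the "Audit Directory Service Access" subcategory is enabled.

# DCSync: a 4662 carrying one of the replication control-access rights, issued by a
# subject that is not a domain controller's computer account.
$ReplicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-DCSync {
    param([object[]] $Events, [string[]] $DomainControllers)
    $dcAccounts = $DomainControllers | ForEach-Object { $_ + '$' }   # computer accounts end with $
    foreach ($e in ($Events | Where-Object Id -eq 4662)) {
        $hit = @($ReplicationRights | Where-Object { $e.Properties -match $_ })
        if ($hit.Count -eq 0) { continue }
        if ($dcAccounts -contains $e.SubjectUserName) { continue }   # normal DC-to-DC replication
        [pscustomobject]@{ Alert = 'DCSync'; Time = $e.TimeCreated; Subject = $e.SubjectUserName; Rights = ($hit -join ',') }
    }
}

# Kerberoasting: one source requesting RC4 (0x17) service tickets for many distinct
# service accounts in a short window. Machine-account SPNs and krbtgt are excluded;
# legacy hosts that still negotiate RC4 show up as steady noise, so baseline them.
function Find-Kerberoasting {
    param([object[]] $Events, [int] $Threshold = 5, [int] $WindowMinutes = 10)
    $rc4 = $Events | Where-Object {
        $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt'
    }
    foreach ($group in ($rc4 | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $first  = $sorted[0].TimeCreated
        $last   = $sorted[-1].TimeCreated
        $spns   = @($sorted.ServiceName | Select-Object -Unique)
        if ($spns.Count -ge $Threshold -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Alert        = 'Kerberoasting'
                Source       = $group.Name
                Requester    = (@($sorted.TargetUserName | Select-Object -Unique) -join ',')
                DistinctSPNs = $spns.Count
                Window       = "$first .. $last"
            }
        }
    }
}

# Constructed events (no real domain): a roasting burst, one benign AES request,
# legitimate replication by a DC, then the same rights used from a user account.
$t0 = Get-Date '2025-01-15T09:00:00'
$events = @()
$svc = 'svc_sql', 'svc_web', 'svc_backup', 'svc_app', 'svc_mail', 'svc_lync'
for ($i = 0; $i -lt $svc.Count; $i++) {
    $events += [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddSeconds(15 * $i); TargetUserName = 'jdoe@CORP.LOCAL'
                                  ServiceName = $svc[$i]; TicketEncryptionType = '0x17'; IpAddress = '10.0.5.23' }
}
$events += [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(3); TargetUserName = 'asmith@CORP.LOCAL'
                              ServiceName = 'svc_web'; TicketEncryptionType = '0x12'; IpAddress = '10.0.7.40' }
$events += [pscustomobject]@{ Id = 4662; TimeCreated = $t0.AddMinutes(5); SubjectUserName = 'DC02$'
                              Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
$events += [pscustomobject]@{ Id = 4662; TimeCreated = $t0.AddMinutes(6); SubjectUserName = 'jdoe'
                              Properties = '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }

Find-Kerberoasting -Events $events | Format-Table -AutoSize
Find-DCSync -Events $events -DomainControllers 'DC01', 'DC02' | Format-Table -AutoSize
```

Against a live domain, feed `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769,4662}` from the domain controllers into the same functions, mapping the event's XML fields to the property names used here. The DCSync rule is low-noise by design (only DCs and Azure AD Connect's sync account should ever hold those rights, so add the latter to the allow-list); the Kerberoasting rule needs a per-environment threshold.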

Training Formats:

  • 2–4 day intensive workshops (on-site or remote)

  • CTF events (team competitions with prizes)

  • Quarterly Red Team exercises (for continuous improvement)

Why Our Training?

🔹 Realistic AD environments — not slide decks
🔹 Certificates for participants (e.g., “AD Red Team Practitioner”)
🔹 Customizable to your industry-specific threats (e.g., finance, healthcare)


Escalation Loop: Active Directory Kill Chain & Unified Kill Chain

Our combined methodology is relentless — it tests every AD/ADFS weakness, from reconnaissance to business impact. Perfect for assessing your current security posture and prioritizing next steps.

Frequently Asked Questions

For Administrators:

Q: How long does an AD/ADFS penetration test take?
A: 2–4 weeks, depending on the size and complexity of the environment.

Q: What does an AD pentest cost?
A: €12,000–€57,000 — flat rate for standard environments; complex hybrid AD setups priced based on effort.

Q: Can you test Azure AD (now Microsoft Entra ID) as well?
A: Absolutely. We assess Hybrid AD, Azure AD Connect, and Conditional Access configurations.

Q: How often should we test Active Directory?
A: At least once per year, plus after major changes (e.g., M&A, cloud migrations).

For Enterprises:

Q: Does the pentest meet regulatory requirements?
A: Yes. Our reports are aligned with relevant compliance standards.

Q: What’s the difference between an AD and an ADFS pentest?
A:

  • AD Pentest: Focus on domain controllers, group policies, and permissions

  • ADFS Pentest: Focus on federation services, SAML/OAuth, and MFA configurations

Q: Can you support our SOC with AD monitoring?
A: Yes — we offer SIEM tuning for accurate AD attack detection.

Why Exploit Labs?

🔹 AD/ADFS experts since 2016 — we know every attack path
🔹 Training led by real-world hackers (OSCP, OSEP, CRTO certified)
🔹 Deep German compliance expertise (GDPR, BSI, KRITIS, ISO 27001 & IT-Grundschutz)


20+ AD/ADFS pentests per year


6,000+ cracked passwords per year


1 password to rule them all: Start2025!