Active Directory Attack Assessment
Single and multi-forest Active Directory penetration testing using real attacker TTPs, Kerberoasting, BloodHound path analysis, DCSync, delegation abuse, and full Entra ID hybrid identity exploitation. CREST-certified, OSCP/OSEP, CRTE/CRTP. Toronto, Canada.
Active Directory Is the Target. Your Defences Should Know It.
Over 90% of Fortune 1000 enterprises rely on Active Directory for identity and access management. Attackers know it intimately. In every red team engagement we run, the path from a standard domain user account to Domain Admin passes through at least one exploitable AD misconfiguration, often within hours. Our active directory penetration testing methodology treats your environment the way a real threat actor would: systematically mapping trust relationships, enumerating permissions, and chaining weaknesses to full domain compromise.
Arturs Stay, principal consultant at Cyber Security Pentesting Inc., holds the CRTE (Certified Red Team Expert) and CRTP (Certified Red Team Professional) credentials alongside CREST certification and OSCP/OSEP, a combination purpose-built for complex AD environments. Every assessment is delivered by the principal, not delegated to a junior analyst.
The Full Active Directory Attack Surface
We test every technique a motivated adversary would use, mapped to MITRE ATT&CK for Enterprise so your blue team can correlate findings against your detection coverage.
Hybrid Identity Is a New Attack Surface
Most enterprises run a hybrid Active Directory and Entra ID (formerly Azure AD) environment, and the synchronisation boundary between on-premises and cloud is where attackers increasingly focus. Our Entra ID testing covers the full hybrid attack chain, from on-prem compromise that pivots to cloud administrator, to cloud-native attacks that push back into your internal network.
Attacker-Grade Tooling, Responsibly Applied
We use the same tools real adversaries use, because a simulation with sanitised tooling does not reflect your actual exposure. Every tool is operated carefully within agreed scope, with full operational logging to support engagement deconfliction.
AD CS (Active Directory Certificate Services) vulnerabilities, including ESC1 through ESC8 and beyond, are tested where certificate services are deployed. Certipy enables us to identify misconfigured certificate templates, vulnerable CA permissions, and relay attack opportunities that can yield domain compromise via crafted certificate requests. This attack surface is frequently overlooked in traditional AD assessments.
What You Receive After the Assessment
Every Active Directory security assessment produces a structured report designed to drive remediation, not just fill a compliance checkbox.
Assessment Framework & Authoritative Sources
Our Active Directory security assessment methodology is grounded in the most authoritative public research and industry frameworks available.
Extend Your Security Coverage
Active Directory sits at the centre of your identity infrastructure, but attackers rarely stay within a single attack surface. These related services complement your AD assessment.
Active Directory penetration testing is the systematic adversarial assessment of on-premises AD and hybrid Entra ID environments for credential extraction, privilege escalation, lateral movement, and Tier 0 compromise paths. CSPI engagements cover Kerberoasting, AS-REP roasting, DCSync, DCShadow, NTLM relay with coercion (PetitPotam, PrinterBug), ADCS abuse (ESC1-ESC8), delegation chains, GPO abuse, BloodHound path analysis, and Azure AD Connect attack surface. Typical engagement runs 2-3 weeks for a single-forest environment, 3-5 weeks for multi-forest or large hybrid identity estates. Findings map directly to OSFI B-13 identity controls, IIROC Cybersecurity Best Practices Guide, PHIPA technical safeguards, and the MITRE ATT&CK Credential Access, Privilege Escalation, and Lateral Movement tactics. Free remediation re-test included.
- Kerberoasting in 2025: Why It Still Works
- DCSync Attacks: User to All Hashes in 60s
- NTLM Relay Attacks: Coerce & Own the Domain
- ADCS Abuse: ESC1-ESC8 to Domain Admin
- Azure AD: Conditional Access Bypass
- Internal Network Pivoting & Tunnelling
- MFA Bypass & Identity Attacks in 2026
- Network Segmentation Testing & VLAN Escape
AD Pentest vs Vulnerability Scanning vs Defender for Identity
Active Directory security tooling overlaps with manual penetration testing in confusing ways. The comparison:
| Capability | AD Pentest | Vuln Scanning | Defender for Identity |
|---|---|---|---|
| Kerberoasting / AS-REP roasting | Yes (executed) | No | Detection only |
| DCSync (DRSUAPI abuse) | Yes (executed) | No | Detection only (when tuned) |
| NTLM relay with coercion (PetitPotam, PrinterBug) | Yes | No | Limited detection |
| ADCS abuse (ESC1-ESC8) | Yes | No | Limited |
| BloodHound attack path analysis | Yes (full graph) | No | No |
| Tier 0 / Tier 1 / Tier 2 violation discovery | Yes | No | Partial |
| Azure AD Connect compromise paths | Yes | No | Detection only |
| Hybrid AD + Entra ID attack chains | Yes | No | Limited |
| Working proof-of-concept exploits | Yes | No | No |
| Detection rule tuning support | Yes (KQL/SPL queries) | No | Self-tuned |
| Typical engagement time | 2-4 weeks | Days | Continuous |
| Cost (CAD, 2026 typical) | $15K-$40K | $5K-$15K/year | $120/user/year |
Active Directory Findings From Representative Engagement Patterns
Recurring findings in Canadian enterprise Active Directory environments, patterns we identify in nearly every assessment we deliver.
of Canadian enterprise AD environments have non-DC accounts holding DCSync replication privileges (DS-Replication-Get-Changes-All), typically Azure AD Connect MSOL_ accounts, backup service accounts, or legacy DirSync remnants.
of OSC-registered firms tested have at least one MSOL_ (Azure AD Connect) service account hosted on Tier 1 infrastructure rather than Tier 0, inheriting domain compromise risk to any Tier 1 host the AAD Connect admin has logged into.
median time from initial internal network foothold to Domain Admin compromise across CSPI engagements aligned with industry benchmarks. Faster in environments with ADCS misconfiguration; slower with effective tiering.
Statistics reflect representative findings across CSPI penetration testing engagements for Canadian enterprises, aligned with published industry benchmarks (OSFI Cyber Self-Assessment 2023, IPC Ontario annual breach reports, Verizon DBIR 2024, M-Trends 2024). Percentages do not constitute disclosure of specific client engagement data. Numbers represent midpoint of documented industry ranges for each finding category.
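The first two finding patterns above (non-DC principals holding DS-Replication-Get-Changes-All, and MSOL_ sync accounts) can be audited from the domain head's ACL. The script below is an added defensive check, not CSPI's own tooling; it assumes the RSAT ActiveDirectory module on a domain-joined host and an account that can read the domain object's security descriptor.

```powershell
# Added example: list every non-default principal that holds DCSync-capable rights
# on the domain naming context. Assumes the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# Extended-right GUIDs for the replication permissions. The all-zeros GUID on an
# ExtendedRight ACE means "all extended rights", which includes replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes replication)'
}

$Domain = Get-ADDomain
$NB     = $Domain.NetBIOSName
# Principals that legitimately hold replication rights in a default domain.
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', "$NB\Domain Controllers", "$NB\Domain Admins",
    "$NB\Enterprise Admins", "$NB\Enterprise Read-only Domain Controllers"
)

$acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    $guid   = $ace.ObjectType.ToString()
    # GenericAll implies every extended right, so it is DCSync-capable too.
    $grants = ($rights -match 'GenericAll') -or
              (($rights -match 'ExtendedRight') -and $ReplicationRights.ContainsKey($guid))
    if (-not $grants) { continue }
    $principal = $ace.IdentityReference.Value
    if ($Expected -contains $principal) { continue }
    [pscustomobject]@{
        Principal = $principal
        Right     = if ($rights -match 'GenericAll') { 'GenericAll' } else { $ReplicationRights[$guid] }
        Inherited = $ace.IsInherited
        # Azure AD Connect sync accounts need this right; the risk is where they live.
        Note      = if ($principal -match '\\MSOL_') { 'AAD Connect sync account: confirm its host is Tier 0' }
                    else { 'Non-DC principal with DCSync capability: justify or remove' }
    }
}
$findings | Format-Table -AutoSize
```

Run it on each domain in the forest; an empty result means only default DC and admin principals can replicate, while any MSOL_ row should be cross-checked against the tier of the server hosting Azure AD Connect.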
Related reading
- Kerberoasting in 2025
- DCSync Attacks Explained
- NTLM Relay Attacks
- AD CS Abuse Paths
- Azure AD / Entra ID Attacks
- Identity Attacks & MFA Bypass in 2026
Explore further
Prefer email? Send a scoping request and we will respond with next steps.