
Active Directory is still the identity backbone of most regional enterprises. It is also the single most consistent weak point in real-world breaches, the place where a phished workstation becomes domain admin in hours, not weeks. Active Directory penetration testing measures how short that path actually is in your environment.

Engagements run as authenticated assumed-breach tests from a standard domain user position. From there, our consultants enumerate the domain, map privilege escalation paths, and exercise the attack chains that real adversaries use: Kerberoasting, ACL abuse, ADCS misconfiguration, delegation flaws, and credential reuse.

Hybrid identity is increasingly part of scope. Where your environment federates on-prem AD with Azure AD / Entra ID, engagements can cover the cross-environment trust paths that real attacks now exploit.

What's at stake.

Domain compromise is operational impact

Once an attacker holds domain admin, every workstation, every file server, every line-of-business system that authenticates against AD is owned. There is no remediation short of recovery.

Most paths to DA are years old and undetected

ACL flaws, service-account password reuse, and ADCS misconfigurations have existed in most environments since they were deployed. They have never failed because they have never been tested.

Hybrid identity multiplies the surface

Federating AD with Azure AD / Entra adds new attack paths (token theft, consent phishing, federated escalation) that traditional AD testing alone does not cover.

What we test.

Credentials & authentication

  • Password policy weaknesses
  • Kerberoasting and AS-REP roasting
  • Service account abuse
  • NTLM relay and downgrade attacks
  • Pass-the-hash and pass-the-ticket
  • LAPS coverage and gaps

Domain, policy & hybrid

  • ACL flaws and BloodHound-style attack paths
  • Unprotected admin groups and Tier-0 boundaries
  • GPO misconfigurations
  • Active Directory Certificate Services (ESC1–ESC11)
  • Domain and forest trust relationships
  • Azure AD / Entra hybrid identity (where in scope)
  • Logging and monitoring gaps

Flaws that engagements like this consistently surface.

These are drawn from the categories our consultants most commonly surface across engagements of this type; severity and prevalence vary by environment and maturity.

Path to domain admin in hours

Domain user to DA via Kerberoasting on a weak service-account password; ACL abuse on a Tier-0 group; ADCS ESC1 template still enabled.

Credential reuse and exposure

Local admin password identical across thousands of endpoints, service-account credentials in GPP, cleartext credentials in scripts on file shares.

Tier-0 boundary erosion

Domain admins logging into workstations for daily work, helpdesk accounts with DA-equivalent ACLs, service accounts running as DA "temporarily".

ADCS misconfiguration

Vulnerable certificate templates (ESC1 / ESC4 / ESC8), CA configured with NTLM-enabled HTTP endpoints, EDITF_ATTRIBUTESUBJECTALTNAME2 still set.
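The template conditions behind ESC1 and the EDITF_ATTRIBUTESUBJECTALTNAME2 flag can be checked from a template and CA export before anyone exercises them. The following is an added example written for this page, not code from the original page or from the consultancy it describes: it audits a handful of constructed template records against the documented flag values. In a real audit the records would be read from the Certificate Templates and Enrollment Services containers of the configuration partition; here they are hard-coded sample data, and the principal names, template names and CA name are invented.

```python
"""ESC1-style audit over constructed certificate-template and CA records.

Added example for this page; not the page's own code. The bit values and EKU
OIDs are Microsoft's documented constants; every template and CA record below
is constructed sample data.
"""

# msPKI-Certificate-Name-Flag: requester may supply the subject / SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: CA certificate manager approval required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# CA policy module EditFlags: SAN accepted from request attributes
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# EKUs that let a certificate be used for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Principals that mean "any authenticated user can enrol" (constructed list)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}

# Constructed sample templates (names and values are invented)
SAMPLE_TEMPLATES = [
    {"name": "LegacyVPN", "published": True, "name_flag": 0x1,
     "enrollment_flag": 0x0, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "ra_signatures": 0, "enroll": ["Domain Users"]},
    {"name": "User", "published": True, "name_flag": 0x2000000,
     "enrollment_flag": 0x20, "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "ra_signatures": 0, "enroll": ["Domain Users"]},
    {"name": "ManagerApproved", "published": True, "name_flag": 0x1,
     "enrollment_flag": 0x2, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "ra_signatures": 0, "enroll": ["Domain Users"]},
    {"name": "AdminOnlySAN", "published": True, "name_flag": 0x1,
     "enrollment_flag": 0x0, "ekus": ["2.5.29.37.0"],
     "ra_signatures": 0, "enroll": ["Domain Admins"]},
]
# Constructed CA record with EDITF_ATTRIBUTESUBJECTALTNAME2 still set
SAMPLE_CA = {"name": "CORP-CA", "edit_flags": 0x00040001}


def allows_domain_auth(template):
    """No EKU at all, or an authentication EKU, both permit domain logon."""
    ekus = set(template["ekus"])
    return not ekus or bool(ekus & AUTH_EKUS)


def low_priv_can_enroll_unattended(template):
    """Published, enrollable by a broad group, and nothing holds the request."""
    return (template["published"]
            and bool(set(template["enroll"]) & LOW_PRIV_PRINCIPALS)
            and not (template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)
            and template["ra_signatures"] == 0)


def is_esc1(template):
    """ESC1: requester controls the SAN on a template usable for authentication."""
    return (bool(template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
            and allows_domain_auth(template)
            and low_priv_can_enroll_unattended(template))


def ca_accepts_request_san(ca):
    return bool(ca["edit_flags"] & EDITF_ATTRIBUTESUBJECTALTNAME2)


def audit_adcs(templates, ca):
    """Return template names per finding class; an empty list means clean."""
    findings = {"esc1": [], "editf_san_flag": []}
    for t in templates:
        if is_esc1(t):
            findings["esc1"].append(t["name"])
        # With the CA flag set, any auth-capable template a low-priv user can
        # enrol in unattended becomes a SAN-spoofing path (the ESC6 condition).
        if ca_accepts_request_san(ca) and allows_domain_auth(t) \
                and low_priv_can_enroll_unattended(t):
            findings["editf_san_flag"].append(t["name"])
    return findings


if __name__ == "__main__":
    print(audit_adcs(SAMPLE_TEMPLATES, SAMPLE_CA))
```

The manager-approval and authorised-signature checks are what separate a noisy template inventory from an actionable finding: a template that supplies its own subject but pends every request is not the same exposure as one that issues immediately to Domain Users.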

Detection blind spots

Kerberoast not alerted on, AdminSDHolder modification not monitored, DCSync attempts not flagged, golden-ticket use undetected.
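Three of these blind spots have well-known signals in the Windows Security log, and the gap is usually that no rule looks for them. The block below is an added example, not code from the original page or from the consultancy: it runs simple detection rules over constructed sample events shaped like normalised SIEM records. Event IDs 4769, 4662 and 5136 and the two replication control-access GUIDs are Microsoft's; the account names, hostnames and the DC allow-list are invented. Golden-ticket use is left out because it needs correlation across logon events rather than a single-event rule.

```python
"""Single-event detections for Kerberoasting, DCSync and AdminSDHolder changes.

Added example for this page; not the page's own code. Event IDs, field names
and GUIDs follow the Windows Security log; all sample events are constructed.
"""

# Control-access rights a DCSync-style replication request must hold
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed allow-list: computer accounts of the domain controllers
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events (invented names and hosts)
SAMPLE_EVENTS = [
    # 4769: RC4 (0x17) service ticket for a user-owned SPN -> Kerberoast signal
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # 4769: AES256 (0x12) ticket for a machine account -> benign
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    # 4662: replication rights exercised by a non-DC account -> DCSync signal
    {"EventID": 4662, "SubjectUserName": "bob", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
    # 4662: the same rights used by a domain controller -> expected
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": f"{{{DS_REPL_GET_CHANGES}}}"},
    # 5136: directory object modified under CN=AdminSDHolder -> tampering signal
    {"EventID": 5136, "SubjectUserName": "bob",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
]


def detect_kerberoast(ev):
    """RC4-HMAC service ticket for a non-machine, non-krbtgt SPN."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_dcsync(ev):
    """Replication control-access rights used by anything that is not a DC."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    has_repl = DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props
    return has_repl and ev.get("SubjectUserName") not in DC_ACCOUNTS


def detect_adminsdholder_change(ev):
    """Any attribute change on the AdminSDHolder object itself."""
    return (ev.get("EventID") == 5136
            and ev.get("ObjectDN", "").lower().startswith("cn=adminsdholder,"))


RULES = {
    "kerberoast": detect_kerberoast,
    "dcsync": detect_dcsync,
    "adminsdholder_modification": detect_adminsdholder_change,
}


def run_rules(events):
    """Return (rule name, actor) pairs for every event that trips a rule."""
    alerts = []
    for ev in events:
        actor = ev.get("SubjectUserName") or ev.get("TargetUserName")
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, actor))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The DC allow-list is the part that needs maintaining: Azure AD Connect and some backup products legitimately hold replication rights, so the list should be built from the environment rather than guessed, and anything outside it that requests replication should page someone.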

A structured, intelligence-led path through every engagement.

Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.

Validation

Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.

Reporting

Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.

Debrief & Retest

Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.

Mapped to recognised baselines.

MITRE ATT&CK
Microsoft Securing Privileged Access
NIST SP 800-53
CIS Microsoft Active Directory

Common buyer questions.

What level of access do you need?

A standard domain user account at minimum; that is the realistic starting point after a phishing compromise. We do not need elevated access provided in advance: demonstrating the path from standard user to higher privilege is the point of the exercise.

Is this safe to run in production?

Yes, with care. The AD testing techniques we use are non-destructive by design, and we avoid known-fragile activity. We brief detection and IR teams on the engagement timeline so internal alerts can be correlated with our activity rather than investigated as a real incident.

Do you cover Azure AD / Entra ID and hybrid identity?

Yes, and hybrid identity is increasingly the larger source of findings. Hybrid identity engagements cover federation paths, conditional access bypass, token theft, and consent-phishing surfaces in addition to on-prem AD.

Test Your Defences Against Adversarial Expertise

Talk to a CREST-accredited consultant about your next penetration testing engagement.