Active Directory Security

See your AD the way
attackers do.

Most AD tools hand you a list of findings and leave the hard work to you. Insight Recon shows you the actual paths attackers would take, tells you which ones matter, and gives you the exact steps to close them. Launching soon.

A quick confirmation, then one email when founding access opens. Founding pricing goes to the list first. No spam, no sharing your address.

✓

You're on the list. Check your inbox for a quick confirmation. We'll be back in touch the moment founding pricing opens.

No agents required Read-only scan Reports in minutes No production impact

app.insightrecon.com / report / company-2026-05

Active Directory Security Assessment

Security Assessment Results

company.local

Risk Posture Score

73 C

Higher is better. Down 4 points since last scan.

Critical

7 — vs last scan

High

17 ↑ 3

Moderate

15 ↓ 1

Low

9 ↑ 1

Environment

Environment Overview

Snapshot of the Active Directory tenant scanned.

Domain Controllers

User Accounts

312

Computers

LAPS Enabled

Last Backup

307d

Built by

Offensive security practitioners

People who find these paths for a living

PNPT · OSCP · CISSP certified

MITRE · NIST · CIS · STIG mapped

What it does

Attack path discovery.
Not a list of things to worry about.

Other tools give you scores and rule codes. We show you the full chain from a low-privilege account to Domain Admin, and tell you what to actually do about it.

01 — ENUMERATION

Full AD coverage

Users, groups, computers, ACLs, Group Policy, ADCS templates, and privileged group membership. Every object and every relationship between them, laid out clearly.

02 — PATHS

Attack path context

Shows how individual findings relate and which combinations create the most dangerous escalation paths. Every finding includes attacker insight explaining exactly how it gets weaponized.

03 — PRIORITY

Prioritized by exploitability

Findings ranked by actual attacker impact, not a generic score. The Quick Wins list tells you where to spend your next two hours.

04 — REMEDIATION

PowerShell-level guidance

Not generic advice. Specific PowerShell commands for your environment, ready to run. Specific to the finding and your domain.

05 — COMPLIANCE

Framework mappings

Every finding maps to MITRE ATT&CK, NIST CSF, CIS Controls, STIG, and Microsoft Security Baselines where applicable. Useful when you need to report upward.

06 — TREND

Risk posture over time

Track your score across scans and watch it improve as you close findings. Useful for showing progress to leadership or clients over time.

Inside the report

Every finding tells the full story.

A severity badge and a name is where other tools stop. Here is what an actual finding looks like in Insight Recon.

Unrestricted certificate template modification rights in ADCS (ESC4)

1 template affected Critical New

Description

Certificate templates with over-permissioned write settings allow low-level users to modify template properties that can make them vulnerable to various privilege escalation attacks. This misuse could allow an attacker to create a certificate for any user, effectively impersonating them within the network and gaining unauthorized access.

Finding Overview

Critical

Severity

Easy

Remediation Effort

Affected Item

Apr 20, 2026

First Seen

Hacker Insight

Attackers typically exploit this to modify permissions on certificate templates to make them vulnerable to ESC1, allowing privilege escalation to domain administrator. This method is stealthy — certificate-based authentication blends into normal operations, giving attackers a hidden and resilient path for persistence.

Recommendation

View Guide

Restrict write permissions on certificate templates to CA Administrators and Enterprise Admins only. Audit all templates where Domain Users or Authenticated Users have write access.

# Audit templates with dangerous permissions

                Get-ADObject -SearchBase "CN=Certificate Templates,..." -Filter * -Properties nTSecurityDescriptor

Compliance Mapping

MITRE ATT&CK

T1649

NIST CSF

PR.AC-4

CIS Control

5.4

You've seen what other tools produce.
Here's what ours looks like.

Same environment, completely different output. If you've run other AD assessments before, you'll know what you're looking at.

Other AD Scanners Typical output

✕Rule codes and numeric scores with no context on what they mean together

✕No visibility into how findings connect or which ones actually create risk

✕Generic remediation advice that your team still has to figure out how to apply

✕No explanation of how an attacker would actually use a finding

✕No way to track whether things are getting better or worse over time

Insight Recon Insight Recon

✓Full relationship mapping across identities, ACLs, PKI, and Group Policy

✓Attack path discovery that shows the full chain, not just individual findings

✓Specific PowerShell commands and ADUC steps for your environment

✓Attacker context per finding, including tooling and how the technique works

✓Risk posture score that tracks across scans so you can see improvement over time

Pricing

Transparent pricing.
Founding 50 locks in for life.

The first 50 customers lock in their rate for as long as they stay subscribed. The waitlist hears first when the buy flow opens.

Founding 50 pricing — first access goes to this waitlist

Standard

$1,500/yr founding$2,995

1 domain · 1 user

All findings, unlimited

Attacker insight per finding

PowerShell remediation steps

MITRE + compliance mappings

Report history (add-on)

Auditor

$4,995/yr founding$9,995

50 domains · 3 users

Everything in Standard

50 domains included

3 user seats

Report history included

Domain overage +$500/25 domains

Enterprise

Custom pricing

Unlimited domains + users

Everything in Auditor

Unlimited domains and users

SSO / SAML + RBAC

Offline / air-gapped mode

API access

Why we built this

Every tool we tried left the hard part to us.

Heath Adams

Co-Founder, Breach Point

We built Insight Recon because we kept running AD assessments, getting a wall of findings from existing tools, and then spending half the engagement doing the analysis work the tool should have done. Figuring out which findings actually matter, how they connect, and how to explain the risk to someone who isn't a security practitioner. We put that work inside the report.

Get early access

Get notified when
we launch.

The first 50 customers lock in their rate for good. Sign up and you'll hear from us the moment founding pricing is available.

✓