Active Directory Security

See your AD the way
attackers do.

Most AD tools dump a list of findings and leave the real work to you. Insight Recon shows you how each weakness gets exploited, what to fix first, and the exact commands to fix it. It runs read-only from a single Windows machine. Launching soon.

A quick confirmation, then one email when founding access opens. Founding pricing goes to the list first. No spam, and we never share your address.

You're on the list. Check your inbox for a quick confirmation. We'll be in touch the moment founding pricing opens.
Read-only scan Report in minutes No production impact
app.insightrecon.com / report / company-2026-05
Insight Recon
SECURITY ASSESSMENT
DOMAIN company.local
GENERATED Jun 15, 2026
Active Directory Security Assessment
Defensible identity
security decisions.
Where your risk is, which controls are weak, and what to remediate first.
77OF 100
C · Moderate Risk
Higher score means a stronger AD posture.
Critical
1Immediate attention
High
9Priority remediation
Moderate
8Hardening needed
Low
8Hygiene items
Top PrioritiesRanked by exploitability
CritNon-expiring passwords in Domain Admins2 accounts
HighKerberoastable service accounts6 accounts
HighUnconstrained delegation on a server1 host
ModLAPS not deployed87 computers
Built by
The team behind Breach Point
Offensive security practitioners
135+ AD checks
Mapped to MITRE, NIST, CIS, STIG
How it works

Point, click, scan.
No console. No scripts.

A Windows app runs the assessment read-only against a domain controller, on demand or on a schedule, then publishes the report to your portal.

1

Install and point it at your domain

Run the app, sign in, and pick the domain to assess. Setup takes about five minutes. Nothing goes on your domain controllers or endpoints.

2

Scan read-only, on demand or scheduled

It collects configuration read-only from Active Directory and related services in a few minutes, and changes nothing. Run it whenever you want, or set a schedule and let it watch for drift between assessments.

3

Open the report in your portal

Findings land in a web report you can share. Prioritized, with attacker context, fix steps, and a posture score that trends over time. Hand it to leadership or a client as is.

Insight Recon · Active Directory Scanner
Scanning company.local
Analyzing access control and delegation rights
64%
Connecting to domain controllerdone
Enumerating users, groups, computers312 users
Analyzing ACLs and delegationworking
Reviewing certificate templates (ADCS)pending
Checking Group Policy and password policypending
Read-only. We only look. Nothing on your network is changed.
What it does

Findings you can actually act on.

Other tools give you scores and rule codes. We tell you how each weakness gets used, where it leads, what to fix first, and how to fix it.

01 · ENUMERATION

Full AD coverage

Users, groups, computers, ACLs, Group Policy, certificate services, trusts, and privileged group membership. Every object, and how they connect.

02 · ATTACKER CONTEXT

How each finding gets used

Every finding carries a Hacker Insight: the technique, the tooling, and where it leads. You see how a writable certificate template becomes Domain Admin.

03 · PRIORITY

Ranked by exploitability

Findings are ordered by real attacker impact, not a generic score. The Quick Wins list shows where two hours of work cuts the most risk.

04 · REMEDIATION

Fix steps you can run

Specific guidance and PowerShell tied to the finding and your domain, with a remediation-effort rating so you can plan the work.

05 · COMPLIANCE

Framework mappings

Findings map to MITRE ATT&CK, NIST CSF, CIS Controls, STIG, and Microsoft baselines where they apply. Handy when you report upward.

06 · TREND

Posture over time

Watch your score move and findings go from New to Remediated across scans. Built to show progress between engagements.

Coverage

135+ checks. All signal, no noise.

We add checks all the time, and we only add one when a real attacker would care. You get the misconfigurations that actually get domains popped, without a pile of cosmetic findings you would just suppress. A sample of what we look for:

ESC1-16ADCS

The full AD Certificate Services attack surface

Vulnerable templates, dangerous enrollment rights, EDITF_ATTRIBUTESUBJECTALTNAME, enrollment-agent abuse, weak DC certificate mappings, and CA access-control gaps. Certificate attacks are how a lot of domains fall, so we cover the whole ESC family, not just the famous one.

AAA

Authentication & Authorization

Kerberoasting AS-REP roasting NTLMv1 / LM RC4 / DES enabled Reversible passwords No-password accounts Weak cert mappings
PAM

Privileged Access Management

DCSync rights AdminSDHolder abuse Dangerous ACLs Unconstrained delegation Constrained delegation RBCD Shadow credentials SID history abuse Stale admins
DSI

Directory Services

LAPS coverage gMSA exposure DC backups SMB signing LDAP signing Print Spooler on DC Legacy OS on DC SMBv1
PCM

Policy & Configuration

Password & lockout policy Passwords in GPOs Anonymous AD access LLMNR Trust encryption Dangerous trust attributes Functional level
Inside the report

Every finding tells the full story.

A severity badge and a name is where other tools stop. This is one finding from a real report, exactly as it renders.

Non-Expiring Passwords in Domain Admins Group

Non-expiring passwords in the Domain Admins group pose a risk, as these static credentials can be easily targeted by attackers with credential-based attacks. Passwords that are not rotated for long periods of time increase the likelihood for compromise and persistence.

Finding Overview
High
Severity
Moderate
Remediation Effort
2
Affected items
Jun 15, 2026
First Seen
Hacker Insight

Once attackers obtain password hashes, they use password lists and rulesets to crack them. Non-expiring passwords are especially risky, as modern graphics cards provide the computational power to crack hashes more easily.

Recommendation
View Remediation Guide

Remove non-expiring password settings from Domain Admin accounts, rotate affected credentials, and document any approved break-glass exception.

Items Affected (2)Export CSV
Account Display Name Enabled Created Last Logon Password Set
svc-admin Service Admin Yes Feb 13, 2026 Feb 12, 2026 Feb 12, 2026
Administrator Administrator No Feb 26, 2002 Never Apr 17, 2025
Compliance Mapping
MITRE ATT&CKT1078.002 – Valid Accounts: Domain Accounts
MITRE MitigationsM1017 – User Training, M1018 – User Account Management, M1026 – Privileged Account Management, M1027 – Password Policies, M1032 – Multi-factor Authentication
CIS Controls4.4.1 – Establish and Maintain a Secure Configuration Process
STIGV-243474
References
Microsoft - Password policy recommendations for Microsoft 365 NIST - SP 800-63B Digital Identity Guidelines: authentication and authenticator management CIS - CIS Password Policy Guide

Real finding from a live assessment. Report layout exactly as delivered.

Trends

Prove you're actually getting better.

Most scanners hand you a snapshot and forget the last one. Insight Recon remembers every scan, so you can watch your score climb, catch anything new, and show leadership or a client that findings really did get fixed.

Risk Posture Score
79↑ 16
New
2
Remediated
9
Modified
1
Unchanged
38

Risk Posture Score over time

1007550250 Jun 1, 9:02 AMJun 22, 7:17 PM

Fixed since last scan

Print Spooler enabled on a domain controller
Remediated Jun 22, 2026
SMBv1 enabled on a domain controller
Remediated Jun 22, 2026
Guest account enabled
Remediated Jun 22, 2026

Trends & Changes view. Every scan is tracked, so progress is measurable.

Why it's different

You've seen what other tools produce.
Here's ours.

Same environment, very different output. If you've run AD assessments before, you'll recognize the difference right away.

Other AD ScannersTypical output
Rule codes and numeric scores with no context on what they mean
No explanation of how an attacker would actually use a finding
Generic remediation advice your team still has to translate
A flat list, so you guess what to fix first
No way to see whether posture is getting better or worse
Insight ReconInsight Recon
Coverage across identities, ACLs, certificate services, trusts, and Group Policy
Attacker context on every finding: the technique, the tooling, where it leads
PowerShell and ADUC fix steps written for your environment
Ranked by exploitability, with a Quick Wins list for the fastest risk cuts
A posture score that trends across scans so you can prove improvement
Questions

The things people ask first.

Is it safe to run in production?

Yes. The scan is read-only. It queries Active Directory and related Windows services (LDAP, SMB, RPC, and HTTPS) to read configuration, writes nothing, deploys nothing to your endpoints, and has no production impact.

Will there be a Microsoft 365 version?

Active Directory is first. A Microsoft 365 and Entra ID version is in the works on the same platform. Join the waitlist and we'll let you know the moment it's ready.

What does it need to run?

A Windows machine that can reach a domain controller, and accounts to read with. Integrated auth or dedicated read-only accounts both work.

How long does a scan take?

Minutes for a typical domain. Run it on demand, or on a schedule to catch configuration drift between assessments.

Who is it for?

Internal IT and security teams who want a real assessment without hiring it out, plus the consultants and MSPs who run AD assessments and want the analysis and reporting handled for them.

Does this replace a penetration test?

No. It's a fast, repeatable posture assessment you run yourself. It finds and prioritizes the misconfigurations attackers abuse. A skilled human attacker is still a skilled human attacker, and this complements that work rather than replacing it.

Why we built this

Every tool we tried left the hard part to us.

We kept running AD assessments, getting a wall of findings from existing tools, then spending half the engagement doing the analysis the tool should have done. Figuring out which findings actually matter, how they connect, and how to explain the risk to someone who isn't a security person. So we put that work inside the report.

Heath Adams
Heath Adams
Co-Founder, Breach Point
Brad Thornton
Brad Thornton
Co-Founder, Breach Point
Get early access

Get notified when
we launch.

The first 50 customers lock in their rate for good. Sign up and you'll hear from us the moment founding pricing is available.

You're on the list. Check your inbox for a quick confirmation. We'll be in touch the moment founding pricing opens.

A quick confirmation, then one email when founding access opens. No spam.