For the best web experience, please use IE11+, Chrome, Firefox, or Safari

SpecterOps BloodHound Enterprise

Minimize attack paths and secure Active Directory and Azure from every angle. Attack path management is a critical component of defending Active Directory (AD) and Microsoft 365 environments from attacks. When you consider that Microsoft reported more than 25 billion attempted attacks on enterprise accounts in 2021 alone, securing attack paths is essential. SpecterOps BloodHound Enterprise greatly simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.
How to identify Active Directory attack paths before cyberattackers do 02:44
Traditionally, attack path management has been challenging. Why? Because as a security practitioner, you’re often conditioned to think in terms of lists – checking thousands of generic configuration issues. Attackers, on the other hand, think in graphs. This outlook makes it easier for them to find effective attack routes. SpecterOps BloodHound Enterprise helps you reduce the risk of attacks significantly  by arming you with a graphical mapping of all AD and Azure attack paths, enabling you to easily identify, prioritize and eliminate the most vital avenues that attackers can exploit. 

Key benefits

Continuous attack path mapping

Visualize every relationship and connection in AD and Azure, making it easy to identify new and existing attack paths.

Choke point prioritization

Measure the impact of any point in an attack path and identify optimal locations to block the largest number of pathways.

Critical asset protection

Identify all critical Tier Zero assets and through integration with On Demand Audit automatically monitor them for any suspicious activity indicating they’ve been compromised.

Practical remediation guidance

Get practical remediation guidance, with clear instructions, without having to make drastic changes to AD.

Comprehensive remediation analysis

Leverage On Demand Audit’s detailed user activity history to inspect attack path edges prior to removing access to the path – ensuring there are no unexpected consequences to the remediation.

AD security posture measurement

Establish a continuous baseline of AD and Azure, to monitor and measure the reduced risk as attack paths are removed.

Unprecedented visibility into Azure AD

Azure uses different technologies to manage identities and access, but is vulnerable to the same types of identity attack paths as AD.


Top down view of critical assets

SpecterOps BloodHound Enterprise greatly supports attack path management by showing you a superset of your critical assets in AD and Azure (Azure AD and Azure Resource Manager) – the crown jewels that would mean game over if a cyber attacker got control of them. It then maps every attack path down from that view. As a defender, securing attack paths requires that you understand every possible route, and SpecterOps BloodHound Enterprise identifies every single relationship throughout your hybrid environment and articulates how attackers could abuse any set of principals to gain access to these vital assets.

Identify and quantify exposure choke points

Mapping critical assets and paths is only part of attack path management, however. SpecterOps BloodHound Enterprise takes it further by quantifying those choke points. For example, it can tell you that 92% of all your Active Directory users and computers have the ability to compromise the domain through this one ACL applied to this one domain controller. It gets extremely specific on the risk involved in this, as well as the specific permissions or privileges that you need to address to remediate the attack path and mitigate downstream misconfigurations. 

Quantify impact to security posture

Because SpecterOps BloodHound Enterprise measures every risk, you’ll see the overall risk your organization is carrying in your hybrid AD environment. But as you improve attack path management by eliminating the choke points, you’ll be able to see the effect these changes will have on your overall security posture. For example, by securing attack paths, you could improve your exposure to attacks significantly. Most companies start off with a risk exposure between 70% and 100%. The goal would be to get your organization’s risk exposure below 20%, and SpecterOps BloodHound Enterprise can help you get there. 
Comprehensive risk assessment and threat monitoring in attack path management software

Comprehensive risk assessment and threat protection

Integrate SpecterOps BloodHound Enterprise with On Demand Audit and Change Auditor for a comprehensive risk assessment and threat monitoring solution. Together, you’ll be able to identify all Tier Zero assets and calculate all the attack paths to those assets, then monitor those attack paths for suspicious activity. You’ll be able to detect threats early – including unauthorized domain replication, offline extraction of your AD database, and GPO linking. You’ll even be able block changes to sensitive objects like privileged groups and group policies to prevent privilege escalation attempts and mitigate and avoid costly ransomware attacks. 
Attack path mitigation via securing GPOs

Attack path mitigation via securing GPOs

When you use SpecterOps BloodHound Enterprise with GPOADmin, you’ll be able to improve attack path management by securing GPOs. These solutions allow you to ensure that any changes adhere to change management best practices prior to deployment, a critical step in Active Directory group policy management. Moreover, you’ll be able to continually validate GPOs through automated attestation — a must for any third-party group policy management solution. Furthermore, you’ll be able to quickly revert back to a working GPO in the event that a GPO change has an undesired effect, allowing you to get your environment running smoothly again in seconds.
Risk protection and remediation insurance

Risk protection and remediation insurance

For true risk protection and remediation insurance, combine SpecterOps BloodHound Enterprise with Recovery Manager for Active Directory Disaster Recovery Edition or On Demand Recovery. This product combination gives you comprehensive capabilities when it comes to backing up hybrid Active Directory and quickly recovering from any mistakes, corruption or disaster. Moreover, you’ll be able to highlight any changes since the last backup by comparing the online state of AD with its backup (or multiple backups). Furthermore, you’ll be able to restore any object in AD, including users, attributes, organizational units (OUs), computers, subnets, sites, configurations and Group Policy Objects (GPOs). 


Continuous attack path mapping
Identify choke points
Top-down view of critical assets
Explore complex relationships
Comprehensive threat monitoring
Prioritize remediation
Practical remediation guidance
Mitigate GPO attack paths
Risk protection and insurance
Continuous attack path mapping

Continuous attack path mapping

Visualize every attack path to your critical AD and Azure assets along with all complex relationships and connections.

Tech Specs

SpecterOps BloodHound Enterprise requires installation of the SharpHound Enterprise on-premises agent, a critical element in your deployment that collects and uploads data about your environment to your BloodHound Enterprise instance for processing and analysis. SharpHound Enterprise is generally deployed on a single, domain-joined Windows system per domain, and runs as a domain user account.

The AzureHound Enterprise service collects and uploads data about your Azure environment to your BloodHound Enterprise instance for processing and analysis. AzureHound Enterprise is generally deployed on a single Windows system per Azure tenant, and may run on the same system as your SharpHound Enterprise service account.

  • Windows Server 2012+
  • 16GB RAM
  • 100GB hard disk space
  • .NET 4.5.2+
  • TLS on 443/TCP to your tenant URL (provided by your account team)
  • TLS on 443/TCP to Azure tenant (if applicable)

SharpHound (on-premises Active Directory collection)

  • Service account added to local Administrators group

AzureHound (Azure collection)

  • Directory Reader on Azure AD Tenant
  • Reader on all Azure Subscriptions
  • Directory.Read.All on Microsoft Graph

Active Directory enumeration represents the most basic information required for BloodHound Enterprise. Additionally, SharpHound Enterprise enumerates local groups and sessions on all domain-joined Microsoft systems for ideal visibility.

Collection Type

Service Account Permissions

Service Network Access

Active Directory

Domain user account with rights to read Deleted Objects.

LDAP on 389/TCP to at least one domain controller

Local Groups and User Sessions (Privileged)

Local admin on workstations and servers

SMB on 445/TCPto all domain-joined systems


Directory Reader on Azure AD Tenant, Reader on all Azure Subscriptions, AppRoleAssignment.ReadWrite.All and RoleManagement.Read.All on Microsoft Graph

TLS on 443/TCP to your tenant

Get started now

Comprehensive attack path management.