Active Directory Security Assessment: Real Cost, Real Deliverables, and the Findings That Actually Matter in 2026

Alexander Sverdlov

Security Analyst

6/9/2026
Active Directory · Audit · June 2026

Your insurance broker just asked for a current Active Directory security assessment, your last domain controller refresh predates Windows Server 2019, and the three quotes on your desk range from USD 4,800 to USD 38,500 for "the same thing." This is the engagement model we run on real enterprise AD forests, what each deliverable looks like when it is right, the recurring findings that move the risk needle, and the pricing tiers that close the renewal without turning into a six-month consulting project.

Key Takeaways

  • A defensible AD security assessment for a single forest with 200 to 1,500 user accounts sits in the USD 6,500 to USD 18,000 band and ships a written report in 10 to 15 business days. Anything quoted under USD 4,000 is a tool dump; anything quoted over USD 30,000 is buying you scope you do not have
  • Four findings repeat on roughly 9 of every 10 forests we audit: Kerberoastable service accounts with weak passwords, unconstrained delegation on at least one server, the built-in Administrator account still in active human use, and stale privileged group members (Domain Admins, Enterprise Admins) that nobody can identify
  • A real deliverable is not a 240-page PingCastle PDF with no narrative. It is a written findings register ranked by exploitability, an attack-path graph generated from BloodHound data, a 30 to 60-day remediation plan with named owners, and an attestation letter the cyber insurer will accept
  • Three open-source tools (PingCastle, BloodHound CE, PurpleKnight) account for roughly 70 percent of what most paid auditors actually run. Knowing what each one covers (and what each one misses) is half the engagement
  • The single highest-leverage control is Tier 0 isolation: a separate admin account, a Privileged Access Workstation, and the removal of any path from a Tier 1 or Tier 2 asset to a Domain Admin credential. We have seen this close 40 to 60 percent of the BloodHound attack paths on a typical forest in a single 4-hour change window
  • Four delivery models exist: fixed-fee external assessment, hybrid engagement with internal IT running the data collection, retainer-based quarterly assessment, and pre-incident assessment driven by a cyber insurance renewal or M&A due diligence. Picking the right model is worth 30 to 50 percent of the eventual cost

A CTO at a 640-employee logistics company forwarded me a one-line message in March. The subject was "Insurance renewal, AD assessment, due in three weeks." The body had a single attached PDF: a cyber-insurance renewal questionnaire with a fresh annex titled "Identity Infrastructure Posture." Question 4 asked for the date and scope of the most recent independent Active Directory security assessment. Question 7 asked for the resulting Critical and High findings count, with remediation status for each. Question 12 asked for an attestation letter signed by the assessor. Without those three answers, the renewal would either be declined or quoted at roughly twice the prior-year premium.

He had three quotes on his desk. A national MSP wanted USD 38,500 for a "comprehensive Active Directory and Entra ID risk assessment" with a 6-week delivery. A specialist boutique quoted USD 12,400 for a 12-business-day fixed-fee engagement. A regional IT firm offered USD 4,800 for "PingCastle and BloodHound run on your forest, results delivered as a PDF report." The variance was 8x. None of the three quotes included a side-by-side scope statement that explained why.

We scoped a 12-business-day assessment at USD 11,800 fixed price. One Active Directory forest, two domains, 7 domain controllers, 1,840 user accounts, 4,200 computer accounts. The deliverable was a written findings register with 31 items ranked Critical to Informational, a BloodHound attack-path graph showing 14 owned paths to Domain Admin, a 60-day remediation plan with named owners and a 4-hour Tier 0 isolation change window that closed 11 of the 14 paths on Day 1, and an attestation letter the insurance broker accepted on first read. The renewal closed at flat premium on Day 19.

Below is what was inside that engagement, the recurring findings that repeat across the 41 AD assessments we have run in the last 24 months, the deliverables that turn a tool dump into a defensible report, and the four pricing paths that close an insurer or M&A reviewer without funding a six-month consulting habit.

Section 1

Why an AD Assessment Is a Different Problem From a Generic Penetration Test

A penetration test asks a single question with a binary outcome: can an attacker get in? An Active Directory security assessment asks a different and more useful question: given that an attacker is already in (a phished helpdesk technician, a compromised laptop on the corporate LAN, a third-party contractor with a domain account), how quickly can they reach Domain Admin, and which specific paths get them there? The answer is almost always "faster than you think" and "through a path nobody on the IT team has looked at in 4 years."

An AD forest accumulates technical debt the way a long-running monorepo accumulates dependency drift. Every joiner, mover, leaver event leaves a footprint. Every consultant who built a one-off integration in 2018 left a service account with a weak password and SeServiceLogonRight on a dozen servers. Every migration from on-premises Exchange to Microsoft 365 left an orphaned cross-forest trust nobody documented. Every "temporary" Domain Admin granted to a vendor for a 2-week project never got removed.

The result is a forest where the perimeter controls look fine on a vulnerability scan, the patching cadence is acceptable, the MFA coverage on Entra ID is at 96 percent, and yet a BloodHound graph collected on Day 1 of the engagement shows 14 distinct paths from a standard domain user to Domain Admin. Six of those paths execute in under 30 minutes of attacker time. Two of them require no privileged credential at all. We have observed this profile in 38 of the last 41 forests we have audited.

The 10 audit domains below are not abstract. They come from those 41 engagements, run on AD forests ranging from a 4-domain-controller, 180-user trade body to a 28-domain-controller, 14,000-user manufacturer, cross-checked against the Microsoft Active Directory Security Best Practices baseline, the CIS Microsoft Windows Server 2022 Benchmark v2.0, and the controls a Tier 1 cyber insurance underwriter will actually score during renewal.

Figure 1. The 10 control domains of an AD security assessment, grouped into four pillars. Each domain has 8 to 24 individual checks.

  • Privileged access (~38% of findings): 1. Tier 0 hygiene; 2. Domain Admin sprawl; 3. Service accounts
  • Authentication protocols (~22% of findings): 4. Kerberos hygiene; 5. NTLM exposure; 6. Delegation rules
  • Object ACLs (~20% of findings): 7. OU and GPO ACLs; 8. Object permissions
  • Hardening and logging (~20% of findings): 9. DC hardening; 10. Audit and SIEM

Three controls close 55% of real BloodHound attack paths on a typical forest: Tier 0 isolation, LAPS on every workstation, gMSA for every service account.

Output of an honest AD assessment: (1) a findings register ranked Critical / High / Medium / Low / Informational; (2) a BloodHound attack-path graph with owned paths to Tier 0; (3) a 60-day remediation plan plus a signed attestation letter.

A note on what an AD assessment is not. It is not a Microsoft 365 assessment. It is not an Entra ID Conditional Access review (although hybrid forests need both, and we usually scope them as adjacent engagements). It is not a re-platforming of the directory. It is not a tool buying spree. The output is a findings register and a remediation plan that a competent Windows server team (with maybe 8 hours of senior identity-engineer help) can execute over 30 to 60 days. The assessment takes the snapshot. The remediation is yours to schedule.

Section 2

Privileged Access: The Four Findings That Close Most Real AD Compromises

Privileged access findings account for roughly 38 percent of all findings on a typical AD forest. They are the cheapest to fix and the highest in real-world impact. The 2026 attack pattern that ends in a domain-wide ransomware deployment almost always passes through a privileged-access misconfiguration that has been sitting in the forest for between 2 and 11 years.

2.1 Tier 0 hygiene

Microsoft's tiered administration model (Tier 0 for forest-control assets like DCs, AD CS, ADFS, and the systems that manage them; Tier 1 for member servers; Tier 2 for endpoints) is roughly a decade old and still the right starting point. The control we look for: every Tier 0 account uses a separate, non-mailbox-enabled credential, signs into a hardened Privileged Access Workstation (PAW), and never authenticates against a Tier 1 or Tier 2 asset. We see this implemented end-to-end in roughly 3 of every 41 forests we audit. The finding we ship: "12 of the 14 Domain Admin accounts signed in to at least one Tier 2 endpoint in the last 30 days; 4 of them signed in to a kiosk PC in the warehouse."

2.2 Domain Admin sprawl

The control we look for: Domain Admins, Enterprise Admins, Schema Admins, and Account Operators each have a documented owner per member, a quarterly review attestation, and a hard cap (typically 4 for Domain Admins on a single-domain forest under 2,000 users). The most common finding here is "Domain Admins has 27 members, 9 of them disabled accounts, 6 of them service accounts that should be gMSAs, 4 of them named human accounts whose owners have left the company, and 8 of them named human accounts whose owners exist but cannot articulate why they need the privilege."

2.3 Service accounts as the silent attack surface

Service accounts are the layer most likely to fail an honest assessment. The control we look for: every service account is a Group Managed Service Account (gMSA, requires Windows Server 2012 or later DCs, free, password rotated automatically every 30 days), uses a Service Principal Name that is documented, runs with the minimum SPN-bound privilege, and is not a member of any privileged group. The finding pattern we see: "47 SPN-bearing accounts, 38 use password-based authentication with a password set in 2019 or earlier, 14 of those are Kerberoastable in under 4 hours of offline cracking using a USD 1,500 GPU." Kerberoasting is the most reliable initial-foothold-to-Domain-Admin technique on a 2026 enterprise AD; the fix is gMSA migration plus a 25-character random password for any account that genuinely cannot move to gMSA.

2.4 The built-in Administrator account

The domain built-in Administrator account (RID 500) is special: its password cannot be reset by a PSO, it bypasses several modern protections, and it is the credential of last resort. The control we look for: the password is set to a 32-character random value managed by a privileged access management product or stored in a sealed envelope in a physical safe, the account is disabled for daily use, and it is not a member of any group it does not need to be (typically only Domain Admins). The finding we ship in 21 of 41 forests: "the built-in Administrator account is still in active use by 3 IT staff for routine work, its password was set in 2020, the account has been logged on to 184 distinct endpoints in the last 90 days."

Common finding: A consultant who left the engagement in 2021 still has an enabled Domain Admin account named "consult-admin" with a password last changed in March 2021. The account is excluded from the password expiration policy by a fine-grained password setting that nobody remembers writing. The account is also enrolled in a stale Azure AD Connect sync, meaning a compromise of the cloud tenant inherits the credential. Fix is a 45-minute project: disable the account, remove the FGPP exception, document the off-boarding gap that allowed this to live for 5 years.
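As an added example (not the article's own tooling), the following PowerShell pulls the raw data behind the four privileged-access checks in 2.1 to 2.4 from a single read-only domain account. It assumes the RSAT ActiveDirectory module; the 90-day staleness threshold is an assumption.

```powershell
# Added example, not the article's code. Assumes the RSAT ActiveDirectory module and a
# read-only domain account (Authenticated Users is enough for every query below).
Import-Module ActiveDirectory

$Now        = Get-Date
$Domain     = Get-ADDomain
$StaleDays  = 90                         # assumption: no logon in 90 days counts as stale
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators'

function Get-PasswordAgeDays($LastSet) {
    # -1 marks "password never set" (must change at next logon), which is its own finding
    if ($LastSet) { [int]($Now - $LastSet).TotalDays } else { -1 }
}

# 2.2 Domain Admin sprawl: one row per user in each privileged group, nested members included
$PrivMembers = foreach ($g in $PrivGroups) {
    try { $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
    catch { continue }                   # Enterprise/Schema Admins exist only in the forest root domain
    foreach ($m in ($members | Where-Object objectClass -eq 'user')) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName
        [pscustomobject]@{
            Group           = $g
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            StaleLogon      = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Now.AddDays(-$StaleDays))
            HasSPN          = [bool]$u.ServicePrincipalName   # an SPN on a privileged account is a Kerberoastable DA
            PasswordAgeDays = Get-PasswordAgeDays $u.PasswordLastSet
        }
    }
}

# 2.3 Service accounts: every user object carrying an SPN is Kerberoastable unless it is a gMSA
# (gMSAs are a separate object class, so Get-ADUser does not return them; krbtgt is excluded by name)
$Kerberoastable = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties PasswordLastSet, ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordAgeDays = Get-PasswordAgeDays $_.PasswordLastSet
            # an unset attribute means RC4 is still offered; bit 4 is RC4-HMAC
            RC4Allowed      = (-not $enc) -or (($enc -band 4) -ne 0)
            InPrivGroup     = $PrivMembers.Account -contains $_.SamAccountName
            SPNs            = $_.ServicePrincipalName -join ';'
        }
    }

# 2.4 Built-in Administrator (RID 500): resolve by SID so a renamed account is still found
$Rid500 = Get-ADUser -Identity "$($Domain.DomainSID)-500" -Properties LastLogonDate, PasswordLastSet, MemberOf
$BuiltinAdmin = [pscustomobject]@{
    Account         = $Rid500.SamAccountName
    Enabled         = $Rid500.Enabled
    LastLogonDate   = $Rid500.LastLogonDate     # replicated lastLogonTimestamp, accurate to roughly 14 days
    PasswordAgeDays = Get-PasswordAgeDays $Rid500.PasswordLastSet
    GroupCount      = @($Rid500.MemberOf).Count # anything beyond Domain Admins needs a justification
}
# The "logged on to N distinct endpoints" figure in the finding comes from 4624 events in the SIEM, not from AD.

# Findings as the register wants them: DA sprawl candidates, Kerberoastable accounts ranked by password age
$PrivMembers | Where-Object { -not $_.Enabled -or $_.StaleLogon -or $_.HasSPN } |
    Sort-Object Group, Account | Format-Table -AutoSize
$Kerberoastable | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$BuiltinAdmin | Format-List
```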

Section 3

Authentication Protocols: Kerberos, NTLM, and the Delegation Settings That Hand You the Forest

Authentication-protocol findings are the second largest category at roughly 22 percent of total findings. They are also the category most likely to be flagged by the cyber insurance underwriter, because they map cleanly to known incident patterns and to specific exploitation techniques that have been used in named ransomware operations through 2025 and into the current year.

Kerberos hygiene checks the AES enforcement on user and computer accounts (the "Use Kerberos AES encryption types" flag), the absence of accounts with "Do not require Kerberos pre-authentication" set (the AS-REP roasting attack vector, present on 6 of 41 forests we audited), the absence of accounts with "Use only Kerberos DES encryption types" (deprecated and weak, still present on 4 of 41 forests, mostly on legacy printer service accounts), and the SPN inventory for Kerberoastable accounts.

NTLM exposure is the long-tail finding. NTLM remains enabled on every forest we audit because at least one line-of-business application still requires it. The control we look for: NTLM auditing turned on across all DCs (logs every NTLM authentication for at least 30 days, free, the only way to plan a real reduction), restriction policies that block NTLM where it is not needed, and a documented exception register for the systems that still require it. The 2026 baseline is "extended protection for authentication" enabled and SMB signing required on every domain-joined system, which closes the NTLM relay attack vector that drove Operation Phantom-Lock and three other named campaigns in the last 18 months.

Delegation is the highest-impact finding when it appears. Three flavors: unconstrained delegation (the worst, allows any account that authenticates to the system to be impersonated to any service in the forest, present on at least one server in 19 of 41 forests we audited, including 7 cases where it was on a print server nobody had patched since 2020), constrained delegation (better, scoped to specific services), and resource-based constrained delegation (the modern preferred option, controlled by the target rather than the source). The fix for unconstrained delegation is a single PowerShell command per server plus a verification step; we have never seen this take more than 90 minutes of engineer time per server.

Figure 2. Authentication-protocol findings across 41 forests, plotted by prevalence (forests affected, of 41) against median attacker time to abuse (minutes, 1 hour, 4 hours, 1 day or more; faster is worse). Prevalence per finding:
  • Kerberoast: 38 of 41
  • Unconstrained delegation: 19 of 41
  • NTLM relay: 26 of 41
  • AS-REP roasting: 6 of 41
  • DES enabled: 4 of 41
  • Pre-Windows 2008 OS: 11 of 41

A practical note on prioritization. Kerberoasting and unconstrained delegation findings are nearly always classed Critical on a defensible report. NTLM relay is High on most forests, Critical when SMB signing is off and Extended Protection for Authentication is off across the DCs. AS-REP roasting on a small number of accounts is Medium until one of those accounts has any privileged group membership, at which point it is Critical. Old encryption flags (DES, legacy OS support) are Medium unless they appear on a service account that is also Kerberoastable, in which case the combined finding is Critical.
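An added example (not the article's code) that inventories the three delegation and Kerberos flags above straight from userAccountControl, applies the severity rubric from the paragraph above, and wraps the one-command unconstrained-delegation fix with its verification read. It assumes the RSAT ActiveDirectory module; PRINT01 is a placeholder server name.

```powershell
# Added example, not the article's code. Assumes the RSAT ActiveDirectory module. The Get-* inventory needs
# only a read-only account; Remove-UnconstrainedDelegation needs write access to the affected computer objects.
Import-Module ActiveDirectory

# userAccountControl bits behind the three flags (LDAP matching rule 1.2.840.113556.1.4.803 = bitwise AND)
$UAC_TRUSTED_FOR_DELEGATION = 524288     # 0x080000, unconstrained delegation
$UAC_USE_DES_KEY_ONLY       = 2097152    # 0x200000, "Use only Kerberos DES encryption types"
$UAC_DONT_REQ_PREAUTH       = 4194304    # 0x400000, "Do not require Kerberos pre-authentication"
function New-UacFilter([int]$Bit) { "(userAccountControl:1.2.840.113556.1.4.803:=$Bit)" }

$PrivGroupDNs = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators') {
    try { (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName } catch { }
}
$DCDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# Unconstrained delegation on anything that is not a domain controller (DCs hold the flag by design)
$Unconstrained = @(Get-ADComputer -LDAPFilter (New-UacFilter $UAC_TRUSTED_FOR_DELEGATION) `
                     -Properties OperatingSystem, LastLogonDate |
                   Where-Object { $DCDNs -notcontains $_.DistinguishedName }) +
                 @(Get-ADUser -LDAPFilter (New-UacFilter $UAC_TRUSTED_FOR_DELEGATION))

# AS-REP roastable and DES-only accounts, each with the context the severity rubric needs
# (MemberOf is direct membership only; nested privileged membership needs the recursive check from Section 2)
$NoPreAuth = Get-ADUser -LDAPFilter (New-UacFilter $UAC_DONT_REQ_PREAUTH) -Properties MemberOf
$DesOnly   = Get-ADUser -LDAPFilter (New-UacFilter $UAC_USE_DES_KEY_ONLY) -Properties ServicePrincipalName

# Severity follows the article's rubric: unconstrained delegation is Critical; AS-REP is Medium unless the
# account is in a privileged group; DES is Medium unless the account is also Kerberoastable (has an SPN)
$Findings = @()
$Findings += @($Unconstrained | ForEach-Object {
    [pscustomobject]@{ Finding = 'Unconstrained delegation'; Object = $_.SamAccountName; Severity = 'Critical' } })
$Findings += @($NoPreAuth | ForEach-Object {
    $priv = @($_.MemberOf | Where-Object { $PrivGroupDNs -contains $_ }).Count -gt 0
    [pscustomobject]@{ Finding = 'AS-REP roastable'; Object = $_.SamAccountName
                       Severity = $(if ($priv) { 'Critical' } else { 'Medium' }) } })
$Findings += @($DesOnly | ForEach-Object {
    $roast = [bool]$_.ServicePrincipalName
    [pscustomobject]@{ Finding = 'DES only'; Object = $_.SamAccountName
                       Severity = $(if ($roast) { 'Critical' } else { 'Medium' }) } })
$Findings | Sort-Object Severity, Finding | Format-Table -AutoSize

# The fix the article describes: one command per server, then a verification read. Run with -WhatIf first.
function Remove-UnconstrainedDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation
    if (-not $c.TrustedForDelegation) { return "${ComputerName}: already clean" }
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Clear TrustedForDelegation')) {
        Set-ADComputer -Identity $c -TrustedForDelegation $false
        # verification step: re-read from AD rather than trusting the write
        $after = (Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation).TrustedForDelegation
        if ($after) { throw "${ComputerName}: flag still set after change" }
        "${ComputerName}: unconstrained delegation removed"
    }
}
# Remove-UnconstrainedDelegation -ComputerName PRINT01 -WhatIf   # PRINT01 is a placeholder name
```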

Section 4

Tools That Run on Real Forests: PingCastle, BloodHound CE, PurpleKnight, and What Each One Misses

Three open-source tools cover roughly 70 percent of what a paid auditor will run against your forest. Understanding what each one does, and what each one cannot see, decides whether the engagement is real work or a tool dump rebranded as consulting.

PingCastle scores a forest's posture across approximately 100 rules covering trust relationships, account hygiene, password policy, replication health, anonymous access, and a slate of vulnerabilities tied to historical advisories. The free Basic edition produces a single HTML report graded against four pillars (Stale Objects, Privileged Accounts, Trusts, Anomalies) on a 0 to 100 scale where lower is better. A typical untouched enterprise forest scores between 65 and 95 on first run. A well-hardened forest after a 60-day remediation cycle scores between 15 and 35. PingCastle does not see attack paths, it does not enumerate ACL-based privilege escalation routes, and it does not produce remediation prose; it produces a checklist.

BloodHound CE (Community Edition, free, the successor to the original BloodHound) ingests data collected by SharpHound and produces an interactive graph of every privilege-escalation path from any node (a user, a computer, a group) to any other node (notably Domain Admins, Enterprise Admins, Tier 0 assets). Its value is exactly the question PingCastle does not answer: given a starting credential, how many distinct paths exist to Tier 0, and which findings sit on those paths. The 14 paths in the logistics company example came from BloodHound CE. The tool does not produce a written report; it produces a graph and a Cypher query interface.

PurpleKnight (Semperis, free, open core, commercial features layered on) is the third leg. It complements PingCastle with a different rule set focused on more recent indicators of compromise (DCSync rights granted to non-privileged accounts, Group Policy preferences containing cpassword strings, Kerberos delegation findings expanded to RBCD edge cases). The free version produces an HTML report comparable to PingCastle's. We run it on every engagement as a cross-check; in 7 of 41 forests it surfaced a Critical finding that PingCastle classified as Informational.

Tool                      | Cost            | What it sees                          | What it misses
--------------------------|-----------------|---------------------------------------|----------------------------------------
PingCastle Basic          | Free            | Posture score, ~100 rules             | Attack paths, ACL escalation
BloodHound CE             | Free            | Every privilege-escalation path       | No written report, no scoring
PurpleKnight              | Free            | Modern IOCs, RBCD edge cases          | Attack-path graphing
PingCastle Auditor (paid) | ~EUR 1,500/yr   | Trend tracking, exec dashboards       | Same blind spots as Basic
BloodHound Enterprise     | USD per-user/yr | Continuous monitoring, exposure score | Cost mostly justified above 2,500 users

If your auditor shows up with only PingCastle, ask why no BloodHound graph is in the deliverable. If your auditor shows up with only BloodHound, ask why no written posture score and no prioritized rule output are in the report. If your auditor refuses to share the raw tool outputs at the end, walk away; a defensible report cites its sources.

Section 5

What the Deliverables Should Actually Contain

The single biggest predictor of whether an AD assessment will close an insurance renewal, an M&A diligence question, or a customer questionnaire is the quality of the written deliverable. A 240-page PingCastle PDF with no narrative is not a deliverable; it is a tool output. Below is what a defensible report contains.

First, an executive summary. Two pages, written for a CFO or a board reader. Plain English, no jargon, the headline number (how many Critical findings, how many High, how many of the BloodHound attack paths to Domain Admin), a one-paragraph statement on overall posture, and a clear directive on whether action is urgent or can wait for the next quarter. Most reports skip this section or pad it with marketing copy. We write it last and we make it short.

Second, a findings register. One row per finding, ranked Critical to Informational on a documented severity rubric (not a vendor-defined CVSS variant). Each row carries the affected object, the technique that exploits it, an exploit time-estimate, the recommended remediation in 1 to 3 sentences, an owner role (not a named individual: "Domain Engineer," "Identity Lead"), and a target close date. Critical findings have a 14-day target. Highs have 30 days. Mediums have 60. Informational items have a next-engagement target. A defensible register for a 1,500-user forest typically runs 25 to 50 rows.

Third, an attack-path graph. Generated from BloodHound CE, exported as a static image plus the JSON for follow-on use. Highlight every path that reaches Tier 0 from a starting position that any phished employee could provide. Annotate the highest-leverage choke point on each path; closing that one edge often kills the path entirely. Estimate attacker time per path. We have shipped this section as a 6 to 12 page chapter on most engagements.

Fourth, a written remediation plan. Day-by-day for the first 14 days, week-by-week for the next 6 weeks. Named owner role per task. Confidence-of-effort estimate per task. Test plan per task (how do we know the fix actually closed the finding). At the end, a re-test pass scope (typically 4 to 8 hours of auditor time at no additional cost in our model).

Fifth, the attestation letter. One page, signed by the assessor, naming the engagement scope, the standards referenced, and a plain-English statement of the assessment's findings and remediation status as of the close date.

Checklist for a real deliverable: a 2-page executive summary; a findings register with severity, owner role, and target date per row; a BloodHound attack-path chapter with at least one annotated graph; a 60-day remediation plan with day-1 actions called out separately; a signed attestation letter; and the raw tool outputs (PingCastle HTML, BloodHound JSON, PurpleKnight HTML) shipped as appendices. If any of those six pieces is missing, push back before sign-off.

Section 6

What an Honest AD Assessment Actually Costs and Takes

Independent AD assessments sit in three honest price bands depending on forest size, complexity, and the formality of the report. Below is the model we run, drawn from 41 engagements in the last 24 months. Notice that the bands are 2 to 5 times cheaper than the equivalent national-MSP engagement; the discount is real because the scope is genuinely smaller and the senior-engineer share of the project is higher.

Figure 3. Three honest AD assessment pricing tiers for 2026. Each one ships a written report and attestation letter; all tiers include the same 10-domain checklist, and tier choice is forest size and remediation depth.

  • Single-Forest: up to 1,500 users, 1 domain. USD 6,500 to 11,500, 10 to 14 business days. Includes the 10-domain checklist, BloodHound path graph, 60-day remediation plan, attestation letter, 90-minute board readout, 30-day re-test pass.
  • Multi-Domain: 1,500 to 5,000 users, 2 to 3 domains. USD 12,000 to 18,000, 14 to 20 business days. Single-Forest, plus cross-trust analysis, Entra ID Connect review, AD CS posture, LAPS rollout plan, 60-day remediation support.
  • Enterprise: 5,000 to 15,000 users, multi-forest. USD 22,000 to 38,000, 20 to 30 business days. Multi-Domain, plus Tier 0 redesign workshop, PAW rollout architecture, M&A integration mapping, insurer-facing evidence pack, quarterly retainer option.

The remediation phase is separate. The median remediation budget across the 41 engagements was USD 6,800 of external time for Single-Forest, USD 14,400 for Multi-Domain, and USD 38,000 for Enterprise, plus internal Windows-server-team time of roughly 80 to 240 person-hours per forest. Most of the remediation cost is configuration, ACL changes, and account hygiene rather than tooling, because the controls AD forests are missing are settings, not products.

Section 7

A 60-Day Remediation Plan You Can Hand to Your Windows Server Team

Most of the findings on a typical AD forest are fixed by configuration, not by buying products. Below is the 60-day plan we ship with the assessment report, scoped so a competent Windows server team can execute it with maybe 24 hours of senior identity-engineer help.

Figure 4. The 60-day remediation plan we ship with the assessment report. It closes roughly 80% of typical findings; the rest goes on the quarterly plan.

  • Day 1, Tier 0 lock: disable stale Domain Admins, move the built-in Administrator to a safe, disable RC4 on accounts
  • Day 7, service accounts: migrate to gMSA, reset stragglers to 25-character passwords, remove from privileged groups
  • Day 14, delegation: remove unconstrained delegation, RBCD where needed, block NTLM auth from DCs
  • Day 30, LAPS and ACLs: Windows LAPS to all, clean Authenticated Users grants, owner cleanups on OUs
  • Day 60, re-test: PingCastle score drop, BloodHound delta, attestation letter

Ownership: 1 senior Windows engineer (8 hours/week) plus 1 identity lead or partner (24 hours total). External re-test pass typically 4 to 8 hours, included in the engagement.

Day 1 is the highest-leverage block of work in the whole engagement. Disabling stale Domain Admin accounts, moving the built-in Administrator into a sealed-credential workflow, and turning off RC4 encryption on every account that does not need it (effectively all of them outside of a tiny exception list) typically closes 11 to 18 of the BloodHound paths in a single 4-hour change window. Schedule it for a Saturday morning, document a rollback plan for each step, validate end-to-end logins after each phase.
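An added example (not the article's code) of the Day 1 "disable RC4 on accounts" step done the way the paragraph asks: an exception list, a rollback record per account, and a dry run before the change window. It assumes the RSAT ActiveDirectory module, write access to the affected user objects, a constructed exception list, and an assumed rollback path; it covers user accounts only.

```powershell
# Added example, not the article's code. Day 1 step "Disable RC4 on accounts", scoped to user accounts.
# Assumes the RSAT ActiveDirectory module, an account with write access to the affected users, a
# constructed exception list, and an assumed rollback path. Run with -WhatIf before the change window.
Import-Module ActiveDirectory

$AesOnly     = 8 + 16                      # msDS-SupportedEncryptionTypes: AES128 (8) + AES256 (16)
$Exceptions  = @('svc-legacyprinter')      # constructed placeholder: accounts from the register's exception list
$RollbackCsv = "C:\ADAssessment\rc4-rollback-$(Get-Date -Format yyyyMMdd-HHmm).csv"   # assumed path

# Accounts still offering RC4: attribute unset (RC4 is the default) or RC4 bit (4) set.
# krbtgt is excluded: its encryption types follow its password reset, a separate Day 1 runbook item.
$Rc4Users = Get-ADUser -LDAPFilter '(&(!(sAMAccountName=krbtgt))(|(!(msDS-SupportedEncryptionTypes=*))(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)))' `
    -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet

function Disable-Rc4OnUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]$Users,
        [string[]]$Skip,
        [Parameter(Mandatory)][string]$RollbackPath,
        [Nullable[datetime]]$AesKeysSince     # date the domain reached 2008 functional level (assumption)
    )
    $log = foreach ($u in $Users) {
        if ($Skip -contains $u.SamAccountName) { continue }
        # AES keys are only derived when a password is set; a password older than $AesKeysSince has
        # no AES keys, so removing RC4 would lock the account out. Reset the password first.
        if ($AesKeysSince -and $u.PasswordLastSet -and $u.PasswordLastSet -lt $AesKeysSince) {
            Write-Warning "$($u.SamAccountName): password predates AES keys, reset it before removing RC4"
            continue
        }
        $before = $u.'msDS-SupportedEncryptionTypes'
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "msDS-SupportedEncryptionTypes $before -> $AesOnly")) {
            Set-ADUser -Identity $u -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly }
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Previous = $before; Changed = (Get-Date).ToString('s') }
        }
    }
    if ($log) { $log | Export-Csv -Path $RollbackPath -NoTypeInformation }   # the rollback record
    $log
}

# Rollback for the change window: restore the recorded value, or clear the attribute where it was unset
function Restore-Rc4FromRollback([Parameter(Mandatory)][string]$RollbackPath) {
    foreach ($row in Import-Csv -Path $RollbackPath) {
        if ([string]::IsNullOrEmpty($row.Previous)) {
            Set-ADUser -Identity $row.SamAccountName -Clear 'msDS-SupportedEncryptionTypes'
        } else {
            Set-ADUser -Identity $row.SamAccountName -Replace @{ 'msDS-SupportedEncryptionTypes' = [int]$row.Previous }
        }
    }
}

# Dry run first; drop -WhatIf inside the change window
Disable-Rc4OnUsers -Users $Rc4Users -Skip $Exceptions -RollbackPath $RollbackCsv -WhatIf
# Validation after the change: on a client, "klist get host/<server>" then "klist" should show an AES
# value on the KerbTicket Encryption Type line for tickets issued to the migrated accounts.
```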

Section 8

Four Delivery Models: Picking the Right One for the Trigger

Sticker price is not the only number that matters. The right delivery model is decided by the trigger: who asked, on what timeline, and what they actually need to see. Below is the framework we use on every first call.

Model 1: Fixed-fee external assessment

The default for a cyber insurance renewal, a customer questionnaire, or a board ask. Fixed scope, fixed fee, fixed timeline. Auditor pulls the data via a read-only domain account, runs the tooling off-network or on a hardened jump box, ships the report and attestation in 10 to 20 business days. Out-of-pocket: USD 6,500 to USD 38,000 depending on tier. Best when the trigger has a hard deadline under 30 days and the IT team has bandwidth to support data collection (typically 4 to 8 hours of their time).

Model 2: Hybrid with internal IT running collection

For organizations with mature internal IT and a budget concern. Internal team runs PingCastle, SharpHound, and PurpleKnight under guidance, ships the raw outputs to the auditor, who delivers the written report, BloodHound graph analysis, and attestation. Saves 25 to 40 percent on the fixed-fee tier price. Out-of-pocket: USD 4,500 to USD 22,000. Best when internal IT has run AD tooling before and can produce clean data the first time. Adds 5 to 7 business days to the timeline because of the data-quality handoff.

Model 3: Quarterly retainer

For regulated industries (financial services, healthcare, defense contractors) where the AD posture has to be re-attested at least annually and ideally quarterly. Four assessments per year at roughly half the per-engagement cost of the standalone tier. Out-of-pocket: USD 18,000 to USD 60,000 per year depending on tier. Best when posture drift is the real risk and the team wants a trend line rather than a single snapshot. We track BloodHound path count, PingCastle score by pillar, and Critical-finding close rate quarter over quarter.

Model 4: Pre-incident or pre-deal accelerated assessment

For the cyber-insurance-renewal-in-three-weeks scenario, the M&A diligence question due Friday, or the prospective customer questionnaire that arrived yesterday. Compressed timeline, 5 to 8 business days, premium of 25 to 40 percent over standard. Out-of-pocket: USD 8,800 to USD 50,000 depending on tier. Best when speed is the actual constraint and the report has to land on a named date.

Model                        | Out-of-pocket          | Lead time            | Best for
-----------------------------|------------------------|----------------------|------------------------------
1. Fixed-fee external        | USD 6,500 - 38,000     | 10-20 business days  | Standard renewal, board ask
2. Hybrid (internal collects)| USD 4,500 - 22,000     | 15-25 business days  | Mature IT, budget-sensitive
3. Quarterly retainer        | USD 18,000 - 60,000/yr | Quarterly cadence    | Regulated industries
4. Accelerated pre-deal      | USD 8,800 - 50,000     | 5-8 business days    | Hard deadline, M&A or insurer

FAQ

Six Questions We Get on Every AD Assessment Call

We have already moved most users to Entra ID. Do we still need an AD assessment?

If you still operate a hybrid environment with an Entra ID Connect server, on-premises domain controllers, or any application that authenticates against AD (file servers, line-of-business apps, RADIUS, certificate authorities), yes. The on-premises AD is still the credential of record for the cloud tenant in most hybrid configurations. A compromise of a privileged on-prem account is a compromise of the cloud tenant. The Entra ID Connect server itself is a Tier 0 asset and the most commonly mis-tiered system in our last 18 months of audits. The AD assessment is also a near-prerequisite for the parallel Entra ID assessment that most insurers now ask for separately.

Is an AD assessment the same as a penetration test?

No. A penetration test asks whether an attacker can get in. An AD assessment assumes the attacker is already in and asks how fast they reach Tier 0 and through which specific paths. The two engagements complement each other but cover different ground. Most insurance underwriters now ask for both; a penetration test alone no longer satisfies the identity-infrastructure section of most 2026 renewal questionnaires.

How much access does the auditor need on the forest?

A read-only domain account with membership in Authenticated Users (no special privileges) is sufficient for BloodHound CE data collection and most PingCastle checks. A small subset of checks requires a member of a specific read-only group (typically Event Log Readers on a DC, plus read access to the ADCS configuration container if AD CS is in scope). The auditor never needs Domain Admin or any privileged group membership. We document the access requested, the time window it is open, and revoke at the end of the engagement.

Can our internal IT team run this themselves?

The data collection: yes, with practice. The interpretation and the attestation letter: not in any defensible form. The cyber insurer, M&A reviewer, or customer security team will not accept a self-signed report. The model we have seen work on a mature-IT, budget-sensitive engagement is the Hybrid model in Section 8: internal team runs the tools, the external auditor delivers the written analysis, BloodHound graph interpretation, and attestation. Saves money without compromising the deliverable.

How often should we re-assess?

Annually is the minimum acceptable cadence and is what most cyber insurance policies now require explicitly. Twice a year is the right cadence for regulated industries (financial services, healthcare, defense). After any material change (an acquisition, a new domain trust, a domain controller refresh, a forest functional level upgrade, a major application onboarding that creates significant new service accounts) a delta re-assessment is warranted inside 60 days. After a security incident that touched any identity asset, a re-assessment should be on the remediation calendar inside 30 days.

Will the assessment break anything during data collection?

The data collection is read-only and should not. SharpHound queries can be tuned to throttle their LDAP traffic if you have older DCs with limited capacity; we run them in a Sessions-only mode during business hours and a full collection on a weekend window if needed. PingCastle is a single-DC LDAP read pass that completes in 10 to 40 minutes on a typical forest. PurpleKnight is also a read pass. In 41 engagements we have not had a single instance of collection-related disruption. We document the data-collection plan with named change-window approvers and a rollback plan for any tool that touches a writable configuration (none of the three free tools above does).

Next step

Want the 10-domain AD assessment run on your forest?

We run the checklist on your forest, deliver a written findings register with a BloodHound attack-path graph, ship a 60-day remediation plan, and sign an attestation letter the cyber insurer or M&A reviewer will accept. Single-Forest tier ships in 10 to 14 business days from USD 6,500. Accelerated pre-deal slots typically open inside 5 business days.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.