KeenSafe

Validate lateral movement and Tier-0 reach from assumed breach

Walk the same paths an attacker would once they have a foothold — Active Directory, Entra ID, Linux estates and segmented networks — production-safe and evidence-backed.

  • Assumed-breach default
  • ADCS ESC1–ESC11 coverage
  • Hybrid identity chains
  • Production-safe Kerberos tradecraft
The problem

Most environments never test the path from Tier-2 to Tier-0

An annual pentest only samples the estate. Tier-0 assumptions go unchecked for months. Service accounts accumulate privilege; ADCS templates drift; jump-host hygiene erodes. None of it surfaces until ransomware finds the path.

The gap is not detection. It is validation that the controls actually break the chain.

The KeenSafe approach

Continuous internal validation, assumed-breach by default

KeenSafe internal agents operate from a low-privileged starting point and reason about lateral movement, credential abuse and privilege escalation against your real environment.

Every validated chain ships with full reproducibility — exact technique, exact path, exact evidence.

Capabilities

What ships in this engagement

AD Tier Model Validation

Tier-0 / Tier-1 / Tier-2 boundaries tested in practice — domain controllers, service accounts, jump hosts, admin tier crossings.

Lateral Movement

NTLM relay, Kerberos delegation, SMB / RPC / WinRM hopping, jump-host abuse — chained end-to-end.

Privilege Escalation

Local-to-DA chains. Kerberoasting, AS-REP roasting, ADCS ESC1–ESC11, golden-ticket validation.

Hybrid Identity

Cloud-to-on-prem trust paths, Conditional Access bypass, federated identity abuse, OAuth permission elevation.

Linux Estate

SSH key reuse, sudo misconfig, capabilities abuse, container escape, LDAP-bound user enumeration.

Segmentation Validation

East-west segmentation tested with real exploitation — VLAN hopping, ACL bypass, microsegmentation evasion.

Attack path

How attackers actually move

Internal attack paths nearly always abuse identity. The interesting question is which combination of cred reuse, delegation abuse, ADCS misconfig and trust crossing chains end-to-end in your environment, today.

Validated chain

Tier-2 user → ADCS ESC1 → DA

Phish → workstation → cert template enumeration → ESC1 abuse → Domain Admin

Business impact

Tier-0 reach proven; ransomware blast radius modelled

Validated chain

Linux estate → AD federation

SSH key reuse → sudo misconfig → Kerberos cred extraction → cross-trust abuse

Business impact

Linux foothold reaches Windows DC via federated identity

Outcomes

Measurable, evidence-backed

Tier-0
Reach validated

Most environments find at least one Tier-0 path on first run.

6 modules
Internal estate

AD, Entra ID, Linux, segmentation, jump-host hygiene, ADCS.

Production-safe
Throttled execution

Kerberoasting and AS-REP roasting under detection thresholds.

Per-finding
Reproducible evidence

Every chain replay-deterministic.

For the board

For the executive: end the Tier-0 assumption

Most enterprises operate a Tier-0 / Tier-1 / Tier-2 model on paper. KeenSafe answers the question every audit committee asks but no one can prove: "Does the model hold?"

Quarterly proof: how many Tier-2-to-Tier-0 paths existed, how many were closed, residual count.

Technical validation

Internal validation methodology

A scope-bounded agent on an approved jump-host walks identity, network and host paths under production-safe constraints. ADCS, Kerberos, NTLM and SMB tradecraft applied with throttling.

  1. Assumed-breach starting point (Tier-2 user, lowest reasonable privilege)
  2. Identity enumeration: groups, ACLs, delegation, ADCS templates
  3. Production-safe Kerberoasting + AS-REP roasting under detection-floor throttling
  4. ADCS ESC1–ESC11 validation with reversible certificate requests
  5. Cross-trust + hybrid-identity chain assembly toward Tier-0

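The ESC1 check behind step 4 and the "Tier-2 user → ADCS ESC1 → DA" chain above comes down to five template conditions holding at once. As an added example (not KeenSafe's code, and not a live LDAP query), the audit below evaluates those conditions over constructed template records; the field names, sample templates and principal names are assumptions, and CA-level settings (template published, SAN policy) are outside what it checks.

```python
# Added example: flag certificate templates that satisfy every ESC1 condition.
# Template records are constructed for demonstration, not pulled from AD.

ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag bit
PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKUs that allow a certificate to authenticate to AD (an empty EKU list also does).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
# Assumed set of principals treated as low-privileged for enrollment rights.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def esc1_findings(template: dict) -> list[str]:
    """Return the ESC1 conditions this template meets; all five must hold for ESC1."""
    reasons = []
    if template["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("requester supplies the subject (ENROLLEE_SUPPLIES_SUBJECT)")
    ekus = set(template["ekus"])
    if not ekus or ekus & AUTH_EKUS:
        reasons.append("EKU permits client authentication")
    if not template["enrollment_flag"] & PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if template["ra_signatures"] == 0:
        reasons.append("no authorized signatures required")
    weak = LOW_PRIV_PRINCIPALS & set(template["enroll_principals"])
    if weak:
        reasons.append(f"enrollable by low-privileged principals: {sorted(weak)}")
    return reasons

def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 5

# Constructed sample templates: one ESC1-vulnerable, two that fail a single condition.
TEMPLATES = [
    {"name": "WebServer-Custom", "name_flag": 0x1, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enrollment_flag": 0x0, "ra_signatures": 0, "enroll_principals": ["Domain Users"]},
    {"name": "User-Like", "name_flag": 0x0, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enrollment_flag": 0x0, "ra_signatures": 0, "enroll_principals": ["Domain Users"]},
    {"name": "Admin-Pending", "name_flag": 0x1, "ekus": ["1.3.6.1.5.5.7.3.2"],
     "enrollment_flag": PEND_ALL_REQUESTS, "ra_signatures": 0,
     "enroll_principals": ["Domain Users"]},
]

def audit(templates: list[dict]) -> dict[str, list[str]]:
    """Map each ESC1-vulnerable template name to the conditions it satisfies."""
    return {t["name"]: esc1_findings(t) for t in templates if is_esc1(t)}
```

Closing any one condition (removing ENROLLEE_SUPPLIES_SUBJECT, requiring manager approval, or restricting enroll rights) takes the template out of the ESC1 set, which is the remediation the audit output points at.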
Get Started

Walk a Tier-2 to Tier-0 path against your environment

A guided session shows the shortest validated chain to Domain Admin — and the controls that should have broken it.