
CATM: AD Attack Path Analysis at Machine Speed

Enterprise-grade Active Directory attack path analysis shouldn't require enterprise budgets. Sub-microsecond queries. Flexible deployment. Accessible to every security team.

CyberDagger Engineering

Hospital IT teams. School districts. Municipal governments. Small security consultancies.

These organizations face the same Active Directory attacks as Fortune 500 companies - Kerberoasting, delegation abuse, credential theft - but without Fortune 500 budgets. Enterprise security tools that automate attack path analysis exist. They’re often priced for organizations with seven-figure security budgets.

Active Directory attack path analysis shouldn’t require a six-figure budget or a dedicated infrastructure team.

We believe every organization deserves to know if an attacker can reach Domain Admin in three hops. A rural hospital protecting patient data. A school district safeguarding student records. A city government managing critical services. These organizations are often the most targeted and the least resourced.

So we built CATM - a comprehensive security assessment platform with AD attack path analysis as one of its core capabilities. Flexible deployment (SaaS or self-hosted), designed for teams who need enterprise-grade security analysis at accessible pricing.

The problem

AD attack path analysis at scale is computationally expensive. Large enterprises have hundreds of thousands of objects - users, computers, groups, OUs - connected by millions of relationships. Traversing those relationships to find attack paths requires serious graph processing.

For security teams, this creates friction:

  • Time-boxed engagements where every hour of analysis is an hour not spent on exploitation
  • Large environments where data processing becomes a bottleneck
  • Iterative analysis where you need to re-query as you discover new information
  • Resource constraints where standing up dedicated infrastructure isn’t feasible

We needed analysis that kept pace with the engagement, not the other way around.

What we built

CATM’s AD analysis engine processes standard collection data at scale:

Benchmark: Enterprise environments

| Environment Size | Objects | Relationships | Import Time |
|---|---|---|---|
| Medium (regional office) | 1,700 | 4,200 | 0.05 seconds |
| Enterprise (Fortune 500) | 70,000 | 55,000 | 3.5 seconds |
| Global (multinational) | 235,000 | 277,000 | 14 seconds |

Query performance

| Query Type | Response Time |
|---|---|
| Kerberoastable users | < 1 microsecond |
| Shortest path to DA | 50 microseconds |
| All paths (depth 5) | < 10 milliseconds |
| Full attack surface | < 100 milliseconds |

How?

Purpose-built graph engine optimized specifically for AD attack path analysis. Designed from the ground up for speed - not a wrapper around a general-purpose graph database.

AI-powered analysis

Speed is table stakes. The real differentiator is intelligence.

CATM doesn’t just show you attack paths - it analyzes them. The AI engine cross-references findings, validates attack paths, and prioritizes targets based on:

  • Likelihood of successful exploitation
  • Business impact
  • Detection risk
  • Path length to objectives

Real engagement results

In a recent enterprise AD assessment, CATM completed full analysis - data import, path queries, and AI prioritization - in under two minutes. The result: multiple Kerberoastable accounts identified and cracked, delegation abuse paths mapped, and a complete attack chain from initial foothold to domain compromise demonstrated.

The speed matters because it changes what’s possible during time-boxed engagements. When analysis takes minutes instead of hours, you spend more time demonstrating actual impact. The report wasn’t theoretical - it was a replay of the actual attack we executed, with specific accounts to remediate and configurations to change.

Technical capabilities

Supported queries

Standard AD attack path queries plus AI-enhanced analytics:

Attack discovery: Kerberoasting, AS-REP Roasting, delegation abuse, DCSync paths, ACL-based escalation, and privilege escalation chains.

Hygiene analysis: Stale passwords, non-expiring credentials, unsupported systems, disabled accounts with residual access.

AI-enhanced: Attack path prioritization, blast radius analysis, credential exposure risk scoring, and natural language queries.
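To make the "Kerberoastable users" and "shortest path to DA" queries concrete, here is an added example (not CATM's engine or code) that runs both over a small constructed graph using breadth-first search. The edge labels, account names and attribute fields are assumptions made for this illustration.

```python
from collections import deque

# Constructed sample graph: (source, relationship, target) edges between AD objects.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc_sql"),
    ("svc_sql", "AdminTo", "SQL01"),
    ("SQL01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Staff"),
]
# Constructed user attributes: account state and registered SPNs.
USERS = {
    "alice": {"enabled": True, "spns": []},
    "carol": {"enabled": True, "spns": []},
    "da_admin": {"enabled": True, "spns": []},
    "svc_sql": {"enabled": True, "spns": ["MSSQLSvc/sql01.example.test:1433"]},
    "svc_old": {"enabled": False, "spns": ["HTTP/legacy.example.test"]},
}

def shortest_path(edges, start, target):
    """Breadth-first search; returns the fewest-hop edge list, or None if unreachable."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:  # first visit is the shortest route in an unweighted graph
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def kerberoastable(users):
    # Enabled accounts with at least one SPN registered.
    return sorted(name for name, attrs in users.items() if attrs["enabled"] and attrs["spns"])

def hops_to_target(edges, users, target="Domain Admins"):
    # Hop count per user; None means no path to the target exists.
    paths = {u: shortest_path(edges, u, target) for u in users}
    return {u: (None if p is None else len(p)) for u, p in paths.items()}
```

In this sample the only Kerberoastable account, svc_sql, sits three hops from Domain Admins, which makes it the first remediation target. Re-running `hops_to_target` with the `SQL01` session edge removed confirms that the change cuts every path except the admin's own group membership.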

Data compatibility

Compatible with standard AD collection formats and LDAP data sources.

Who this is for

Security consultancies running multiple engagements who need rapid turnaround without infrastructure overhead.

Internal security teams at organizations that can’t justify dedicated graph database infrastructure but still need to understand their AD attack surface.

Under-resourced sectors - healthcare, education, local government, nonprofits - that face sophisticated threats with limited budgets. These organizations are often targets specifically because attackers know their security capabilities are constrained.

Anyone tired of waiting when the clock is ticking on a time-boxed assessment.

Learn more

CATM is part of CyberDagger’s autonomous security assessment platform. Contact us to see how AI-powered AD analysis can accelerate your security assessments.

Security tooling should meet organizations where they are, not where vendors wish they were.
