Hospital IT teams. School districts. Municipal governments. Small security consultancies.
These organizations face the same Active Directory attacks as Fortune 500 companies - Kerberoasting, delegation abuse, credential theft - but without Fortune 500 budgets. Enterprise security tools that automate attack path analysis exist. They’re often priced for organizations with seven-figure security budgets.
Active Directory attack path analysis shouldn’t require a six-figure budget or a dedicated infrastructure team.
We believe every organization deserves to know if an attacker can reach Domain Admin in three hops. A rural hospital protecting patient data. A school district safeguarding student records. A city government managing critical services. These organizations are often the most targeted and the least resourced.
So we built CATM - a comprehensive security assessment platform with AD attack path analysis as one of its core capabilities. Flexible deployment (SaaS or self-hosted), designed for teams who need enterprise-grade security analysis at accessible pricing.
The problem
AD attack path analysis at scale is computationally expensive. Large enterprises have hundreds of thousands of objects - users, computers, groups, OUs - connected by millions of relationships. Traversing those relationships to find attack paths requires serious graph processing.
For security teams, this creates friction:
- Time-boxed engagements where every hour of analysis is an hour not spent on exploitation
- Large environments where data processing becomes a bottleneck
- Iterative analysis where you need to re-query as you discover new information
- Resource constraints where standing up dedicated infrastructure isn’t feasible
We needed analysis that kept pace with the engagement, not the other way around.
What we built
CATM’s AD analysis engine processes standard collection data at scale:
Benchmark: Enterprise environments
| Environment Size | Objects | Relationships | Import Time |
|---|---|---|---|
| Medium (regional office) | 1,700 | 4,200 | 0.05 seconds |
| Enterprise (Fortune 500) | 70,000 | 55,000 | 3.5 seconds |
| Global (multinational) | 235,000 | 277,000 | 14 seconds |
Query performance
| Query Type | Response Time |
|---|---|
| Kerberoastable users | < 1 microsecond |
| Shortest path to DA | 50 microseconds |
| All paths (depth 5) | < 10 milliseconds |
| Full attack surface | < 100 milliseconds |
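As an added illustration (not CATM's engine and not code from this page), the sketch below runs two of the query types in the table, Kerberoastable users and shortest path to Domain Admins, over a small constructed graph. The edge names follow common AD collection conventions, and every account, host and SPN is made up.

```python
from collections import deque

# Constructed sample graph (not real collection data): (source, edge type, target).
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc_sql"),
    ("svc_sql", "AdminTo", "SRV-DB01"),
    ("SRV-DB01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Staff"),
]
# Constructed user attributes; a user account with an SPN is Kerberoastable.
USERS = {
    "alice": {"spn": None},
    "bob": {"spn": None},
    "svc_sql": {"spn": "MSSQLSvc/srv-db01.example.test:1433"},
    "da_admin": {"spn": None},
}

def kerberoastable(users):
    """Names of users that have a service principal name set."""
    return sorted(name for name, attrs in users.items() if attrs["spn"])

def shortest_path(edges, start, target):
    """Breadth-first search; returns the list of (src, edge, dst) hops or None."""
    adjacency = {}
    for src, kind, dst in edges:
        adjacency.setdefault(src, []).append((kind, dst))
    queue = deque([start])
    parent = {start: None}  # node -> (previous node, edge type)
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, dst in adjacency.get(node, []):
            if dst not in parent:
                parent[dst] = (node, kind)
                queue.append(dst)
    return None

def exposed_principals(edges, users, target="Domain Admins"):
    """Users that can reach the target, with hop count, for remediation triage."""
    found = {u: shortest_path(edges, u, target) for u in users}
    return {u: len(p) for u, p in found.items() if p}
```

Each hop in a returned path is a relationship a defender can remove or tighten; rerunning the query without that edge confirms the path is closed.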
How?
Purpose-built graph engine optimized specifically for AD attack path analysis. Designed from the ground up for speed - not a wrapper around a general-purpose graph database.
AI-powered analysis
Speed is table stakes. The real differentiator is intelligence.
CATM doesn’t just show you attack paths - it analyzes them. The AI engine cross-references findings, validates attack paths, and prioritizes targets based on:
- Likelihood of successful exploitation
- Business impact
- Detection risk
- Path length to objectives
Real engagement results
In a recent enterprise AD assessment, CATM completed full analysis - data import, path queries, and AI prioritization - in under two minutes. The result: multiple Kerberoastable accounts identified and cracked, delegation abuse paths mapped, and a complete attack chain from initial foothold to domain compromise demonstrated.
The speed matters because it changes what’s possible during time-boxed engagements. When analysis takes minutes instead of hours, you spend more time demonstrating actual impact. The report wasn’t theoretical - it was a replay of the actual attack we executed, with specific accounts to remediate and configurations to change.
Technical capabilities
Supported queries
Standard AD attack path queries plus AI-enhanced analytics:
Attack discovery: Kerberoasting, AS-REP Roasting, delegation abuse, DCSync paths, ACL-based escalation, and privilege escalation chains.
Hygiene analysis: Stale passwords, non-expiring credentials, unsupported systems, disabled accounts with residual access.
AI-enhanced: Attack path prioritization, blast radius analysis, credential exposure risk scoring, and natural language queries.
Data compatibility
Compatible with standard AD collection formats and LDAP data sources.
Who this is for
Security consultancies running multiple engagements who need rapid turnaround without infrastructure overhead.
Internal security teams at organizations that can’t justify dedicated graph database infrastructure but still need to understand their AD attack surface.
Under-resourced sectors - healthcare, education, local government, nonprofits - that face sophisticated threats with limited budgets. These organizations are often targets specifically because attackers know their security capabilities are constrained.
Anyone tired of waiting when the clock is ticking on a time-boxed assessment.
Learn more
CATM is part of CyberDagger’s autonomous security assessment platform. Contact us to see how AI-powered AD analysis can accelerate your security assessments.
- Website: cyberdagger.com
Security tooling should meet organizations where they are, not where vendors wish they were.