In private beta · v1.0

A signed snapshot of your forest. Every Tier 0 path walked. Every fix scripted.

Take a signed, offline snapshot of your forest. Get back the work your team would do by hand: which templates can be misissued, which principals reach Tier 0, and the script that closes each one.

Windows-native · runs offline · snapshot signed at collection
[Product screenshot: acmegrove-baseline-18d.fes · Findings · Critical findings: 2 open]
The problem

Active Directory is the most attacked system on earth — and the hardest one to audit honestly.

Findings live in spreadsheets. Paths get traced on whiteboards. Remediation lands six months late, if it lands at all. And when leadership asks whether the fix actually held, there's nothing to point at.

9 in 10 enterprises run an AD forest first commissioned more than a decade ago. (Microsoft Digital Defense Report)

72% of breached environments had at least one ADCS misconfiguration leading directly to Domain Admin. (SpecterOps research, 2024)

180d median dwell time for credential-based intrusions in identity-rich environments. (Mandiant M-Trends)
How it works

Snapshot in. Closed findings out.

ForestEcho doesn't watch your network. It reads a single signed snapshot — taken once, taken offline, taken on your terms — and walks the work an operator would do by hand, end to end.

01 · COLLECT

Take a snapshot.

One CLI run captures AD objects, ADCS configuration, certificate stores, GPOs, and event-log slices. Output is a single signed .fes file. No agent. No phone-home.

02 · ANALYZE

Run the catalog.

The catalog covers ADCS escalations (ESC1–ESC15), Kerberos abuse, replication-right misuse (DCSync), key-credential tampering, and weak certificate-to-account mappings. Each finding is projected onto the Tier 0 reachability graph, so you see not just the misconfiguration but every principal that can use it to reach Tier 0.

03 · REMEDIATE

Get the fix, and a way to undo it.

Every finding emits a reviewable PowerShell action with a paired rollback. Simulate against the snapshot before touching production. Sign, run, and keep the audit log.

04 · PROVE

Diff the next snapshot.

Take another snapshot a day later. ForestEcho diffs the two and shows what closed, what regressed, and what's new — so the report you hand leadership says exactly what changed and when.

Live preview

Click around. This is what you see when something's broken.

Pick a finding from the tree. Read the evidence. Switch to the Remediation tab to see the script ForestEcho generated, the simulated outcome, and the rollback that pairs with it.

[Product screenshot: acmegrove-baseline-18d.fes · Findings · 8 critical]
Evidence

A signed chain from snapshot to fix to follow-up.

Compliance teams ask the same question every audit: what changed, who changed it, and how do I know the change held? ForestEcho answers that question with cryptography, not screenshots.

Step 1

Snapshot signed at collection.

Ed25519 signature over the full .fes payload. The snapshot's ID is content-addressed: it is the SHA-256 of the payload bytes, so the same input always produces the same ID, and any edit after collection changes both the ID and the signature check.

baseline.fes · sha256 8af2…0b91 · ed25519 sig
Step 2

Action signed at remediation.

The closure script and its rollback are signed before they run. The signed action references the originating snapshot's hash.

action.sig · refs baseline.fes · operator + timestamp
Step 3

Follow-up snapshot signed and diffed.

The next snapshot is collected, signed, and diffed against the baseline. The diff is itself signed and references the baseline snapshot, the signed action, and the follow-up snapshot by hash, so it cannot be re-pointed at different artefacts; it links each closed finding to the action that closed it.

followup.fes · diff refs action.sig + baseline.fes

What this gives your auditor

A reproducible, signed evidence chain (snapshot  →  signed action  →  follow-up snapshot) that maps to the vulnerability-management and change-management controls every audit framework asks for: SOC 2 CC7.1 and CC7.2 for detecting configuration changes and vulnerabilities, CC8.1 for change management; ISO 27001:2013 A.12.6 (technical vulnerability management) and A.12.1.2 (change management), A.8.8 and A.8.32 in the 2022 revision. The chain is verifiable offline; the keys are yours.

  • Ed25519 signatures on every artefact
  • Content-addressed snapshot and action IDs
  • Append-only audit log of every signed action
  • Offline-verifiable — no ForestEcho service required to validate the chain
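The three steps above, as an added example that is not ForestEcho's code: a content-addressed, Ed25519-signed baseline; an action that references the baseline's hash; a follow-up snapshot; and a signed diff that references all three and attributes each closed finding to the action that claimed it. It uses the Python `cryptography` package. The artefact layout (payload, id, sig), the field names, the finding labels and the two-snapshot forest state are constructed for the illustration and are not the .fes format. It also shows the failure an auditor wants to see caught: a baseline edited after signing is rejected because its content ID and its signature no longer match.

```python
"""Signed evidence chain: snapshot -> signed action -> follow-up snapshot -> diff.

Added example, not ForestEcho code. Needs the `cryptography` package
(pip install cryptography). Artefact layout, field names, finding labels and
the forest state below are constructed for this illustration.
"""
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def canonical(obj) -> bytes:
    """Deterministic bytes for content addressing: sorted keys, fixed
    separators, explicit UTF-8. Same state in, same hash out."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_id(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def sign_artefact(key: Ed25519PrivateKey, payload: dict) -> dict:
    """Ed25519 signature over the canonical payload; the ID is derived from
    the same bytes, so it needs no separate signature."""
    return {"payload": payload, "id": content_id(payload),
            "sig": key.sign(canonical(payload)).hex()}


def verify_artefact(pub: Ed25519PublicKey, art: dict) -> None:
    body = canonical(art["payload"])
    if hashlib.sha256(body).hexdigest() != art["id"]:
        raise ValueError("content ID does not match payload")
    pub.verify(bytes.fromhex(art["sig"]), body)  # raises InvalidSignature


def diff_findings(baseline: dict, followup: dict) -> dict:
    before, after = set(baseline["findings"]), set(followup["findings"])
    return {"closed": sorted(before - after), "new": sorted(after - before),
            "still_open": sorted(before & after)}


def verify_chain(pub, baseline, action, followup, diff) -> dict:
    """Offline walk: every artefact verifies, every back-reference resolves
    to the artefact actually supplied, the diff is recomputable from the two
    snapshots, and each closed finding is attributed to the action that
    claimed it (or flagged as closed with no signed action behind it)."""
    for art in (baseline, action, followup, diff):
        verify_artefact(pub, art)
    if action["payload"]["refs"]["snapshot"] != baseline["id"]:
        raise ValueError("action does not reference this baseline")
    expected = {"baseline": baseline["id"], "action": action["id"],
                "followup": followup["id"]}
    if diff["payload"]["refs"] != expected:
        raise ValueError("diff references do not match supplied artefacts")
    result = diff_findings(baseline["payload"], followup["payload"])
    if result != diff["payload"]["result"]:
        raise ValueError("diff result is not reproducible from the snapshots")
    claimed = set(action["payload"]["closes"])
    result["closed_by_action"] = {f: action["id"] for f in result["closed"]
                                  if f in claimed}
    result["closed_unattributed"] = [f for f in result["closed"]
                                     if f not in claimed]
    return result


def build_chain(key: Ed25519PrivateKey) -> tuple:
    """Constructed scenario: one finding closed by the signed action, one
    closed by hand with no action, one still open, one new."""
    baseline = sign_artefact(key, {"forest": "acmegrove.local", "findings": [
        "ESC1:TemplateA", "DCSync:svc-backup", "ESC4:TemplateB"]})
    action = sign_artefact(key, {
        "refs": {"snapshot": baseline["id"]}, "closes": ["ESC1:TemplateA"],
        "script": "<closure script>", "rollback": "<rollback script>",
        "operator": "jdoe", "timestamp": "2025-01-02T09:00:00Z"})
    followup = sign_artefact(key, {"forest": "acmegrove.local", "findings": [
        "ESC4:TemplateB", "ESC8:CA01"]})
    diff = sign_artefact(key, {
        "refs": {"baseline": baseline["id"], "action": action["id"],
                 "followup": followup["id"]},
        "result": diff_findings(baseline["payload"], followup["payload"])})
    return baseline, action, followup, diff


def tampered_chain_is_rejected(pub, baseline, action, followup, diff) -> bool:
    """Hide a finding in the baseline after signing: content ID and
    signature both break, so the chain must fail verification."""
    forged = json.loads(json.dumps(baseline))
    forged["payload"]["findings"].remove("DCSync:svc-backup")
    try:
        verify_chain(pub, forged, action, followup, diff)
    except (ValueError, InvalidSignature):
        return True
    return False


def run_demo() -> dict:
    key = Ed25519PrivateKey.generate()
    pub = key.public_key()
    chain = build_chain(key)
    result = verify_chain(pub, *chain)
    result["action_id"] = chain[1]["id"]
    result["tamper_rejected"] = tampered_chain_is_rejected(pub, *chain)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

verify_chain takes only the public key and the four artefacts, so it runs anywhere with no service behind it. Two details carry the security weight: canonical() is what makes "same input, same hash" true, since two JSON encodings of the same state with different key order would otherwise get different IDs; and a finding that disappears between snapshots without a signed action behind it lands in closed_unattributed, which is exactly the case an auditor should ask about.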
What's inside

The checks, the path math, and the writeup — in one tool.

A single Windows binary. No agent. No telemetry. No cloud dependency. Faithful implementations of the published ESC series (SpecterOps' ESC1–ESC8 and the community findings that extended it) and Microsoft's Tier 0 guidance, paired with original ADCS, schema, and replication research.

Signed, airgap-friendly snapshots

Single signed binary. Collection queries your domain controllers directly and makes no outbound connection; analysis runs fully offline, so the .fes can be carried across an airgap. Every .fes is hashed and signed at collection. No telemetry, no phone-home, ever.

Tier 0 path explorer

Every principal, mapped to every Tier 0 asset it can reach. ACLs, group nesting, GPO links, certificate templates — the edges that matter for AD security tiering.

ADCS coverage

The published ESC patterns plus the schema and CRL hygiene rules that don't get codified elsewhere. CA-aware, not just template-aware.

Event-log analytics

EVTX slices analyzed alongside the snapshot's directory state. DCSync, AS-REP roasting, key-credential writes, suspicious userAccountControl changes: each event is correlated to the object it touched.

Snapshot diff

Compare two snapshots. See what was opened, what closed, and what regressed. The fix held — or it didn't, and you'll know which.

Generated remediation

Every finding emits a reviewable PowerShell action. Simulate the fix against the snapshot before touching production.

Private beta

Get on the waitlist.

We're onboarding a small number of identity and detection-engineering teams each month. Tell us about your forest and we'll be in touch.

SOC 2 Type I in progress · No data leaves your environment · Snapshots stay yours