The product

The forest doesn't change. Your audit of it should.

ForestEcho is a CLI that takes a signed snapshot of your forest, and a Studio app that reads it. Between them, the work that used to live in operators' heads — the path math, the closure scripts, the rollback you wrote on a sticky note — becomes a file you can sign, share, and diff.

01 · COLLECT

One run. One file. No agent.

The collector is a single signed Windows binary. Run it from a domain-joined host with a read-only account. It enumerates the forest the way a careful operator would — LDAP, ADCS RPCs, certificate stores, GPO files, EVTX slices — and writes one self-contained .fes snapshot.

The snapshot is hashed and signed at collection. From that moment on, every finding ForestEcho ever produces about your forest can be traced back to bytes on disk that haven't changed since.

  • Single signed binary · Windows Server 2016 and up
  • Read-only against domain controllers · no schema changes
  • Configurable scope — full forest, single domain, or one OU
  • Output: signed .fes file (typical 1–4 GB)
  • Air-gap friendly · no telemetry, no phone-home, ever
collector · forestecho 1.0.0 ● ready

  PS> forestecho collect --scope forest --out baseline.fes
  [14:32:01] opening LDAP ldap://acmegrove.local
  [14:32:03] reading domain acmegrove.local
  [14:32:11] objects 124,802
  [14:32:14] GPOs 317
  [14:32:18] reading ADCS 2 CAs · 41 templates
  [14:32:24] reading EVTX 4 DCs · 30d window
  [14:32:39] hashing snapshot
  [14:32:39] signing
  [14:32:39] wrote baseline.fes · 2.4 GB · sha256 8af2…0b91
02 · ANALYZE

Every rule. Every principal. Every path.

Studio loads the snapshot into memory and runs the entire rule catalog against it — ADCS escalations, Kerberos abuse patterns, replication-right misuse, GPO permissions, schema hygiene. The slow part isn't the checks. The slow part is the path math.

ForestEcho projects the Tier 0 reachability graph for every principal in your forest. ACLs, group nesting, GPO links, certificate templates, schema rights, RBCD — all walked. When a finding has a path to Tier 0, you see the path. When it doesn't, you know why not.

  • Shipping rules across ADCS, EVTX, and GPO; Kerberos, ACL, and Schema rules in active development
  • Tier 0 reachability — ACLs, group nesting, GPO links, certificate templates, schema rights, RBCD — the edges that matter for AD security tiering
  • Cross-module correlation — an ESC finding paired with a DCSync event
  • Findings carry severity, evidence, mapper context, and confidence
Tier 0 reachability — acmegrove.local ● 3 paths
  [graph: VPNUser, svc_replicator, svc-backup, Auth Users, Replicator, Backup Op, Account Op, DnsAdmins, TIER 0 / Domain Admins · legend: reachable path to Tier 0 · membership / ACL edge]
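The reachability walk described above, as an added example (not ForestEcho's own code): a breadth-first search over a labelled identity graph that returns the shortest path into Tier 0 for each principal, and, for a principal with no path, the set of everything it can reach so you can see why not. The edge list is constructed to echo the screenshot, and the edge labels (member, acl:<right>, template:<flag>) are an assumed convention, not the product's schema.

```python
"""Shortest path to Tier 0 over a labelled identity graph, with a 'why not' for dead ends."""
from collections import deque

# Constructed sample edges: (source, edge kind, target). "member" means the source is a
# member of the target group; "acl:<right>" means the source holds that right over the target.
EDGES = [
    ("alice", "member", "Auth Users"),
    ("Auth Users", "acl:Enroll", "VPNUser"),                             # VPNUser is a template
    ("VPNUser", "template:ENROLLEE_SUPPLIES_SUBJECT", "Domain Admins"),  # the ESC1 pattern
    ("svc_replicator", "acl:DS-Replication-Get-Changes-All", "acmegrove.local"),
    ("svc-backup", "member", "Backup Op"),
    ("Backup Op", "acl:WriteDACL", "Domain Admins"),   # constructed edge, not a default AD right
    ("bob", "member", "DnsAdmins"),
    ("DnsAdmins", "acl:GenericWrite", "dns01"),        # a member server, not Tier 0
]
# Tier 0 sinks; the domain head stands in for "holds replication rights over the domain".
TIER0 = {"Domain Admins", "acmegrove.local"}


def build_graph(edges):
    """Adjacency list: node -> [(edge kind, target)]."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path_to_tier0(graph, tier0, start, max_depth=8):
    """BFS from start; returns the edge list of a shortest path into tier0, or None."""
    if start in tier0:
        return []
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) >= max_depth:
            continue
        for kind, nxt in graph.get(node, []):
            step = path + [(node, kind, nxt)]
            if nxt in tier0:
                return step
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, step))
    return None


def explain_unreachable(graph, start):
    """Everything start can reach at all; if no Tier 0 node is in here, that is the 'why not'."""
    seen, stack = set(), [start]
    while stack:
        for _, nxt in graph.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def format_path(path):
    """Render [(a, k1, b), (b, k2, c)] as 'a -[k1]-> b -[k2]-> c'."""
    if not path:
        return "(already Tier 0)"
    out = path[0][0]
    for _, kind, dst in path:
        out += f" -[{kind}]-> {dst}"
    return out


def tier0_report(edges, tier0):
    """Map every non-Tier-0 principal that holds an edge to its shortest path, or None."""
    graph = build_graph(edges)
    principals = sorted({src for src, _, _ in edges} - tier0)
    return {p: shortest_path_to_tier0(graph, tier0, p) for p in principals}


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for principal, path in tier0_report(EDGES, TIER0).items():
        if path is None:
            print(f"{principal}: no path; reaches only {sorted(explain_unreachable(graph, principal))}")
        else:
            print(f"{principal}: {format_path(path)}")
```

The walk stops at the first Tier 0 node it meets, so each reported path is the shortest one; closing any single edge on it is enough to break that path, but a second, longer path may remain, which is why the report is re-run rather than edited by hand.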
03 · REMEDIATE

The fix, the rollback, and a record of both.

Every finding ships with a pair: a closure script, and the rollback that undoes it. Both are real PowerShell. Both are reviewable. Neither runs until you sign them.

Before you commit, simulate. ForestEcho applies the change against the snapshot in memory, runs the rule catalog again, and tells you what closes, what regresses, and what side effects show up. The simulation runs in seconds and never touches production.

When you do run it, the action is recorded in a signed audit log: who ran what, when, against which snapshot, with what outcome. That log is what your auditors are actually asking for.

  • Generated PowerShell — not opaque, not magic, fully reviewable
  • Paired rollback for every action, valid against the originating snapshot
  • Simulation against the snapshot before any production change
  • Signed, append-only audit log of every action and its outcome
  • Compliance-grade evidence: hash chain from snapshot → fix → next snapshot
ADCS.ESC1 · CN=VPNUser · closure ● simulated · passed

script.ps1

# Remove enrollee-supplied subject
# and restrict enrollment trustees
Set-ADTemplate -Identity "VPNUser" `
  -CertNameFlag (Get-CertNameFlag `
    -Clear ENROLLEE_SUPPLIES_SUBJECT)

Remove-ADTemplateEnrollee `
  -Identity "VPNUser" `
  -Trustee  "Authenticated Users",
            "Domain Users"

rollback.ps1

# Paired rollback · valid 30d
# against acmegrove-baseline-18d.fes
Set-ADTemplate -Identity "VPNUser" `
  -CertNameFlag (Get-CertNameFlag `
    -Set ENROLLEE_SUPPLIES_SUBJECT)

Restore-ADTemplateACL `
  -Identity "VPNUser" `
  -FromSnapshot baseline.fes
Tier 0 paths closed · 3 → 0
Side effects · none detected against snapshot
New findings introduced · 0
Hash chain · baseline.fes → action.sig → followup.fes
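The evidence chain the panel above summarises (snapshot → action → next snapshot), as an added example that is not ForestEcho's code or file format. The page says snapshots are hashed and signed at collection and that each action is recorded in a signed, append-only log tied to the snapshot it ran against; it does not say how signing works, so this example uses HMAC-SHA256 with a constructed key as a stand-in, and JSON records with the field names below as an assumed layout. The verifier checks every signature, every back-link, and that the snapshot bytes on disk still match their signed hash.

```python
"""Build and verify a hash-chained, signed audit trail: snapshot -> action -> next snapshot."""
import hashlib
import hmac
import json

# Constructed demo key: a stand-in for whatever signing scheme the product actually uses.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes = SIGNING_KEY) -> dict:
    sig = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "sig": sig}


def verify_sig(signed: dict, key: bytes = SIGNING_KEY) -> bool:
    body = {k: v for k, v in signed.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


def snapshot_record(name: str, blob: bytes, prev_sig=None) -> dict:
    """Snapshot entry: hash of the bytes on disk, linked to the preceding entry (None for a baseline)."""
    return sign({"type": "snapshot", "name": name, "sha256": sha256_hex(blob), "prev": prev_sig})


def action_record(snapshot: dict, script: bytes, operator: str, outcome: str) -> dict:
    """Action entry: which snapshot it was simulated against, which script ran, who, and the result."""
    return sign({
        "type": "action",
        "prev": snapshot["sig"],
        "snapshot_sha256": snapshot["sha256"],
        "script_sha256": sha256_hex(script),
        "operator": operator,
        "outcome": outcome,
    })


def verify_chain(chain: list, blobs: dict, key: bytes = SIGNING_KEY):
    """Walk snapshot -> action -> snapshot ... and return (ok, reason).

    blobs maps snapshot name -> bytes currently on disk, so a snapshot edited after
    signing is caught even though its log record still verifies.
    """
    prev_sig = None
    for i, rec in enumerate(chain):
        label = f"record {i} ({rec.get('type')})"
        if not verify_sig(rec, key):
            return False, f"{label}: signature invalid"
        if rec.get("prev") != prev_sig:
            return False, f"{label}: prev link does not match the preceding record"
        if rec.get("type") == "snapshot":
            blob = blobs.get(rec["name"])
            if blob is None or sha256_hex(blob) != rec["sha256"]:
                return False, f"{label}: {rec['name']} on disk differs from its signed hash"
        elif rec.get("type") == "action":
            if i == 0 or chain[i - 1].get("type") != "snapshot" \
                    or chain[i - 1]["sha256"] != rec["snapshot_sha256"]:
                return False, f"{label}: does not reference the preceding snapshot"
        else:
            return False, f"{label}: unknown record type"
        prev_sig = rec["sig"]
    return True, "chain intact"


def demo_chain():
    """Constructed baseline -> action -> follow-up; returns (chain, bytes-on-disk)."""
    baseline = b"constructed baseline snapshot bytes"
    followup = b"constructed follow-up snapshot bytes"
    script = b'# constructed closure script\nWrite-Host "ESC1 closure"\n'
    s0 = snapshot_record("baseline.fes", baseline)
    act = action_record(s0, script, "jdoe", "ADCS.ESC1 closed; 0 new findings")
    s1 = snapshot_record("followup.fes", followup, prev_sig=act["sig"])
    return [s0, act, s1], {"baseline.fes": baseline, "followup.fes": followup}


if __name__ == "__main__":
    chain, blobs = demo_chain()
    print(verify_chain(chain, blobs))
```

Two failure modes matter to an auditor and both are caught separately: a record whose contents were altered after signing fails its signature, and a snapshot file that was altered on disk fails the hash comparison even though the log entry itself is untouched. Skipping a record breaks the prev link, which is what makes the log append-only in practice.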
04 · PROVE

The fix held. Or it didn't. Either way, the answer is in writing.

Take another snapshot any time after you've remediated. Studio diffs the two and produces a list: what closed, what regressed, what's new. The diff carries the same signed evidence chain as the originals.

This is what you give the audit committee. This is what proves the change worked. This is also how you catch the new finding that showed up two weeks after a service migration, before someone weaponizes it.

  • Snapshot diff between any two .fes files
  • Closed / regressed / new — with the action that closed each one
  • Trend reports across snapshot history
  • Signed evidence chain suitable for SOC 2, ISO 27001, internal audit
diff · baseline.fes → followup-2026-04-26.fes · 26 changes
  closed     ADCS.ESC1     CN=VPNUser · enrollee-supplied subject               via action.sig
  closed     ADCS.ESC8     acmegrove-CA-01 · web enrollment without EPA         via action.sig
  closed     EVTX.DCSYNC   svc_replicator · replication right                   via action.sig
  regressed  GPO.PERM      Default Domain Policy · Authenticated Users · Edit   25h ago
  new        ADCS.ESC4     WorkstationAuthV2 · WriteDACL granted                8h ago
  new        EVTX.KEYCRED  CN=svc-backup · KeyCredentialLink write              2h ago
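The closed / regressed / new classification above, and the same comparison the REMEDIATE section's simulation makes between the original snapshot and the in-memory modified one, as an added example that is not ForestEcho's own diff logic. Findings are keyed (rule, object); the inputs are constructed from the diff shown above, the "previously closed" history set is an assumption about state the tool would keep between snapshots, and the action map stands in for the signed log. The one caveat it encodes: a finding that disappears with no recorded action is drift, not a verified fix, and is listed separately.

```python
"""Diff two snapshots' findings into closed / regressed / new, attributing closures to actions."""

# Constructed from the diff shown on the page; (rule, object) pairs.
BASELINE = {
    ("ADCS.ESC1", "CN=VPNUser"),
    ("ADCS.ESC8", "acmegrove-CA-01"),
    ("EVTX.DCSYNC", "svc_replicator"),
    ("GPO.SYSVOL", "SYSVOL ACL"),          # constructed: vanishes with no recorded action
}
FOLLOWUP = {
    ("GPO.PERM", "Default Domain Policy"),
    ("ADCS.ESC4", "WorkstationAuthV2"),
    ("EVTX.KEYCRED", "CN=svc-backup"),
}
# Stand-in for the signed action log: finding key -> action id that targeted it.
ACTIONS = {
    ("ADCS.ESC1", "CN=VPNUser"): "action.sig",
    ("ADCS.ESC8", "acmegrove-CA-01"): "action.sig",
    ("EVTX.DCSYNC", "svc_replicator"): "action.sig",
}
# Assumed history: findings closed in an earlier snapshot pair, so a reappearance is a regression.
PREVIOUSLY_CLOSED = {("GPO.PERM", "Default Domain Policy")}


def diff_findings(baseline, followup, actions, previously_closed=frozenset()):
    """Return {'closed': {key: action or None}, 'regressed': [...], 'new': [...]}."""
    closed = {k: actions.get(k) for k in sorted(baseline - followup)}
    appeared = followup - baseline
    regressed = sorted(k for k in appeared if k in previously_closed)
    new = sorted(k for k in appeared if k not in previously_closed)
    return {"closed": closed, "regressed": regressed, "new": new}


def unattributed_closures(report):
    """Findings that vanished with no recorded action: drift to investigate, not a proven fix."""
    return sorted(k for k, action in report["closed"].items() if action is None)


def change_count(report):
    return len(report["closed"]) + len(report["regressed"]) + len(report["new"])


if __name__ == "__main__":
    report = diff_findings(BASELINE, FOLLOWUP, ACTIONS, PREVIOUSLY_CLOSED)
    for key, action in report["closed"].items():
        print("closed   ", *key, "via", action or "(no recorded action)")
    for key in report["regressed"]:
        print("regressed", *key)
    for key in report["new"]:
        print("new      ", *key)
    print("unattributed:", unattributed_closures(report))
```

Run on the simulation's in-memory snapshot, the same function answers "what closes, what regresses, what side effects show up" before anything touches production; run on a real follow-up snapshot, it produces the list the PROVE section describes.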
RULE CATALOG

Where the rules come from, and how they update.

3 categories shipping · 3 in active development · ~14d median update cadence · v1.0.0 · last updated 4 days ago

ADCS

17 rules · shipping

Certificate template misissuance, CA hygiene, enrollment surface. The published ESC patterns plus the schema and CRL rules that don't get codified elsewhere.

  • ADCS.ESC1 · Enrollee-supplied subject
  • ADCS.ESC4 · Misconfigured template ACLs
  • ADCS.ESC8 · HTTP enrollment without EPA
  • ADCS.ESC11 · ICPR without packet privacy
  • ADCS.ESC15 · V1 schema with enrollee subject
  • ADCS.CRL · CRL hygiene and freshness

EVTX

10 rules · shipping

Event-log analytics over the snapshot's EVTX slice. DCSync exercise, AS-REP brute-force fingerprints, key-credential writes, suspicious UAC flips, Kerberos pre-auth anomalies.

  • EVTX.DCSYNC · Replication right exercised
  • EVTX.ASREP · AS-REP roasting fingerprint
  • EVTX.KEYCRED · Shadow-credentials write
  • EVTX.UAC · UAC flip on tier-0 account

GPO

2 rules · shipping

Linked GPO permissions and SYSVOL hygiene. Foundation for the broader policy-abuse surface coming next.

  • GPO.PERM · Edit granted to non-tier-0
  • GPO.SYSVOL · SYSVOL ACL drift
Roadmap · within two quarters

Kerberos

In development

AS-REP roasting, Kerberoasting surface, RBCD primitives, S4U2Self, delegation hygiene, golden/silver ticket fingerprints in event logs.

  • KRB.ASREP · AS-REP without preauth
  • KRB.ROAST · Service accounts with weak SPN
  • KRB.RBCD · Resource-based delegation abuse
  • KRB.UNCSTR · Unconstrained delegation on non-tier-0
Roadmap · within two quarters

AD ACL & objects

In development

Permissions on critical objects, dangerous ACL primitives (WriteDACL, GenericAll, ForceChangePassword), shadow-credential writes, SID history.

  • ACL.WRITE · WriteDACL/Owner on tier-0 paths
  • ACL.KEYCRED · KeyCredentialLink write
  • ACL.SIDHIST · SID history on user objects
  • ACL.GMSA · gMSA password read by non-tier-0
Roadmap · within two quarters

Schema & forest

In development

Schema attribute permissions, replication metadata anomalies, FSMO role placement, trust hygiene, configuration container ACLs.

  • SCH.ATTR · Schema attribute writeable by non-schema admin
  • SCH.REPL · Replication right on partition
  • SCH.TRUST · Forest trust without SID filtering

Primary research

Rules written from first principles by our research team — patterns observed in incident response, plus original work on ADCS, schema, and replication abuse.

Public catalogues

Faithful implementations of published patterns: SpecterOps' ESC series, Sean Metcalf's AD security work, Microsoft Tier 0 guidance, MITRE ATT&CK identity techniques.

Customer incidents

Findings derived from anonymized incident debriefs, with rule definitions, reasoning, and changelog published with every release. The catalog is signed; you can verify it.

Private beta

See it on your own forest.

We're onboarding a small number of identity and detection-engineering teams each month.