Choke point analysis
BloodHound Enterprise generates one view per environment, such as an Active Directory domain or Azure tenant. The choke point view organizes findings by category and shows the number of exposed principals in each, helping you quickly understand where risk concentrates. Exposure and impact metrics are calculated from this analysis and surfaced with findings.
Relationships and zone boundaries
Attack Path analysis includes both relationship-driven path analysis and principal-level risky configuration findings. BloodHound evaluates how abusable relationships connect principals across privilege boundaries and flags principals with configurations that increase risk. This includes boundaries between Tier Zero and user-defined Privilege Zones. A path that crosses zones can represent a stepping stone into higher-privilege assets, which is why zone-specific findings can differ in severity and priority.
Post-processing
BloodHound does not rely only on directly collected relationships. During post-processing, it derives additional relationships that are relevant to Attack Path analysis. One result is a composite edge. A composite edge is a derived relationship between two nodes that represents a group of underlying relationships condensed into a single, meaningful connection. BloodHound uses composite edges to hide the underlying complexity and surface Attack Paths that are not visible from any single relationship alone. Some attack techniques require a combination of permissions before they can be abused, so BloodHound models those combined conditions as one simplified relationship. For example, the DCSync edge requires a combination of permissions to create an abusable path. BloodHound models this as a composite edge, which allows it to surface Attack Paths that would otherwise be invisible if analysis relied only on directly collected relationships.
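The following is an added illustration of the post-processing idea described above; it is example code written for this page, not BloodHound's own implementation. It uses a constructed graph of made-up principals, assumes that a DCSync composite edge is derived when one principal holds both the GetChanges and GetChangesAll rights on a domain, assumes that those two rights are not traversable on their own while MemberOf, AdminTo and DCSync are, and then rolls up exposure per finding category the way the choke point view above counts exposed principals.

```python
from collections import defaultdict, deque

# Constructed sample graph of (source, relationship, target) triples.
# All names are made up for this example, not collected from a real domain.
RAW_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "GetChanges", "CORP.LOCAL"),
    ("HELPDESK@corp.local", "GetChangesAll", "CORP.LOCAL"),
    ("bob@corp.local", "GetChanges", "CORP.LOCAL"),       # only half of the pair
    ("carol@corp.local", "AdminTo", "DC01.corp.local"),
    ("DC01.corp.local", "MemberOf", "DOMAIN CONTROLLERS@corp.local"),
]

# Assumed zone boundary for the example: these nodes are Tier Zero.
TIER_ZERO = {"CORP.LOCAL", "DC01.corp.local", "DOMAIN CONTROLLERS@corp.local"}

# Assumption: only these relationship kinds are traversable by themselves.
# GetChanges / GetChangesAll are deliberately absent: neither is abusable alone.
TRAVERSABLE = {"MemberOf", "AdminTo", "DCSync"}

# Assumed composition rule: a principal holding both replication rights on a
# domain gets one derived DCSync edge to that domain.
COMPOSITE_RULES = {"DCSync": {"GetChanges", "GetChangesAll"}}


def derive_composite_edges(edges):
    """Post-processing step: emit one composite edge per (source, target)
    pair that holds every underlying relationship a rule requires."""
    held = defaultdict(set)
    for src, rel, dst in edges:
        held[(src, dst)].add(rel)
    derived = []
    for (src, dst), rels in held.items():
        for composite, required in COMPOSITE_RULES.items():
            if required <= rels:
                derived.append((src, composite, dst))
    return derived


def _forward_adjacency(edges):
    """Adjacency list restricted to traversable relationship kinds."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        if rel in TRAVERSABLE:
            adj[src].append(dst)
    return adj


def can_reach(edges, start, targets):
    """Breadth-first search over traversable edges only."""
    adj = _forward_adjacency(edges)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            return True
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def exposure_by_category(edges, tier_zero):
    """Choke-point style rollup: for each traversable edge that crosses into
    Tier Zero, count the distinct non-Tier-Zero principals that can reach the
    edge's source (and therefore abuse it), grouped by relationship kind."""
    principals = {n for s, _, d in edges for n in (s, d)} - tier_zero
    exposed = defaultdict(set)
    for src, rel, dst in edges:
        if rel in TRAVERSABLE and dst in tier_zero and src not in tier_zero:
            for p in principals:
                if p == src or can_reach(edges, p, {src}):
                    exposed[rel].add(p)
    return {rel: len(members) for rel, members in exposed.items()}


if __name__ == "__main__":
    full = RAW_EDGES + derive_composite_edges(RAW_EDGES)
    print("derived:", derive_composite_edges(RAW_EDGES))
    print("alice reaches Tier Zero before post-processing:",
          can_reach(RAW_EDGES, "alice@corp.local", TIER_ZERO))
    print("alice reaches Tier Zero after post-processing:",
          can_reach(full, "alice@corp.local", TIER_ZERO))
    print("exposure per category:", exposure_by_category(full, TIER_ZERO))
```

Before post-processing, alice has no path to Tier Zero because her group's two replication rights are not traversable individually; once the DCSync composite edge is derived, the path through HELPDESK appears and the DCSync category reports two exposed principals. bob, who holds only one of the two rights, stays unexposed, which is the point of modelling the combined condition as a single edge.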
Show post-processed edges
BloodHound creates the following edges during post-processing:
- ADCSESC1
- ADCSESC3
- ADCSESC4
- ADCSESC6a
- ADCSESC6b
- ADCSESC9a
- ADCSESC9b
- ADCSESC10a
- ADCSESC10b
- ADCSESC13
- AddMember
- AdminTo
- AZAddOwner
- AZMGAddMember
- AZMGAddOwner
- AZMGAddSecret
- AZMGGrantAppRoles
- AZMGGrantRole
- AZRoleApprover
- CanPSRemote
- CanRDP
- CoerceAndRelayNTLMToADCS
- CoerceAndRelayNTLMToLDAP
- CoerceAndRelayNTLMToLDAPS
- CoerceAndRelayNTLMToSMB
- DCSync
- EnrollOnBehalfOf
- EnterpriseCAFor
- ExecuteDCOM
- ExtendedByPolicy
- GoldenCert
- HasTrustKeys
- IssuedSignedBy
- Owns
- OwnsLimitedRights
- ProtectAdminGroups
- SyncLAPSPassword
- SyncedToADUser
- SyncedToEntraUser
- TrustedForNTAuth
- WriteOwner
- WriteOwnerLimitedRights
Remediation
After reviewing findings on the Attack Paths page, you can:
- Remediate to sever the edges that create the risk and improve your environment’s security posture.
- Accept when risk is known and temporarily tolerated.