Read-only collector · standalone or SaaS daemon

Identity Security Audits for Active Directory and Entra ID

Run fact-based audits for on-prem and cloud identity from the same workflow.
275 Active Directory detections and 144 Entra ID detections. Keep data local in standalone mode, or connect a SaaS daemon for centralized follow-up.

Live Analysis: Security Posture 84/100, grade B (GOOD)
42 findings · 178 types · 592 users · 686 computers · 345 groups
Critical 1 · High 4 · Medium 15 · Low 22
Generated in 6s

Read-only audits for Active Directory and Entra ID with structured output, repeatable workflows, and deployment modes that match local-only or centrally managed teams.

EtcSec
Open-source collector and SaaS workflow
  • 419 Pro / Full detections
  • 28+ MITRE techniques
  • <8s benchmark scan time
  • 2 operating modes
  • 3 supported operating systems

Aligned with industry frameworks

NIST
GDPR
MITRE ATT&CK
CIS
ANSSI

Why teams use EtcSec

Audit what exists today, keep the collector close to the environment, and make the results usable for remediation and follow-up.

Read-only by design

Collect from Active Directory over LDAP/LDAPS and SYSVOL, and from Entra ID over Microsoft Graph, without deploying an agent on domain controllers.

Fast, repeatable runs

Benchmark runs complete in seconds, which makes recurring audits practical after every remediation or privilege change.

MITRE ATT&CK context

Map findings to attacker techniques so teams can explain why a control matters, not just that it failed.

Structured remediation workflow

Move from raw detections to prioritized fixes, exports, and follow-up reviews without rebuilding the audit from scratch.

How It Works

A repeatable workflow for AD and Entra ID audits

STEP 01

Deploy the Collector

Install ETC Collector on Linux, macOS, Windows or Docker with the published installer or package guides, then configure the Active Directory and Entra ID providers.

STEP 02

Run the Audit

Run the audit in standalone mode or through the SaaS daemon. The engine checks named detections across AD and Entra ID.

STEP 03

Get Actionable Report

Review prioritized findings, MITRE ATT&CK mapping, exports and remediation guidance from the same workflow.


Air-gapped environment?

For isolated networks, keep the standalone server local or export JSON results for downstream review without exposing the collector to the public internet.

Open-source collector

ETC Collector · Standalone or SaaS daemon

A cross-platform Go collector for Active Directory and Entra ID. Community covers 264 AD and 134 Entra detections. Pro / Full covers 275 AD and 144 Entra detections, with broader ADCS, attack-path and advanced operating workflows.

Read-only collection
Collects AD data over LDAP/LDAPS and SYSVOL, and Entra ID data over Microsoft Graph, then emits structured JSON for the local GUI, API or downstream automation.
Two operating modes
Use a fully local standalone server with embedded GUI and REST API, or enroll a SaaS daemon for centrally managed recurring audits.
Cross-platform and lightweight
Single static binary for Linux, macOS and Windows, around 20 MB with zero runtime dependencies, plus Docker and service-install workflows.
One-line install
curl -fsSL https://get.etcsec.com/install.sh | sudo bash
One-line install for Linux, plus macOS, Windows and Docker guides
Embedded REST API and local web GUI on port 8443
Community: 264 AD + 134 Entra detections. Pro / Full: 275 AD + 144 Entra detections
Free for personal, educational, and non-commercial use. Commercial use requires a license — [email protected]
  • 264+134 Community edition
  • 2 Operating modes
  • 3 OS targets
  • ~20MB Static binary

Comprehensive Coverage

What the platform looks for in AD and Entra ID

From password exposure and Kerberos abuse to Conditional Access drift, PIM, app permissions and guest exposure, the detections stay tied to named findings.

CRITICAL

Password and credential exposure

Weak password policy, reversible encryption, password-not-required flags and cleartext attributes.

CRITICAL

Kerberos and delegation abuse

AS-REP roasting, Kerberoasting, unconstrained delegation and protocol transition risk.

HIGH

ADCS and certificate services

ADCS ESC paths, weak certificate mapping and web enrollment exposure.

HIGH

Dangerous ACLs and DCSync

GenericAll, WriteDACL, AdminSDHolder backdoors, replication rights and RBCD paths.

HIGH

Conditional Access gaps

Missing MFA, legacy auth drift and policy exclusions that weaken tenant protection.

HIGH

Privileged access drift

PIM configuration, excessive admin roles, foreign principals and stale privileged accounts.

HIGH

Apps and external identities

Service principal permissions, stale credentials, multi-tenant apps and guest user exposure.

FULL CATALOGUE

Explore the full detection catalogue

Browse the public catalogue and the detailed AD and Entra coverage pages.

Start Your Audit

Read-only collector, standalone mode, SaaS daemon workflow, and detailed coverage pages linked below.

Industry Standard Framework

MITRE ATT&CK Coverage Built-In

Mapped to 28+ MITRE ATT&CK techniques across Credential Access, Persistence, Privilege Escalation and Lateral Movement.

  • 6 Credential Access techniques detected
  • 5 Persistence techniques detected
  • 4 Privilege Escalation techniques detected
  • 3 Lateral Movement techniques detected

Sample Findings with ATT&CK Mapping

Finding | Tactic | Technique ID
Kerberoastable Accounts | Credential Access | T1558.003
AS-REP Roastable Users | Credential Access | T1558.004
DCSync Rights | Credential Access | T1003.006
Unconstrained Delegation | Credential Access | T1558.001
Dangerous GPO Permissions | Persistence | T1484.001
SID History and Trust Abuse | Persistence | T1134.005


Comparative benchmarks

Published methods, results, and full side-by-side detail

Review the documented coverage, runtime, and test conditions for PingCastle and Purple Knight on the dedicated comparison pages.

Benchmark notes

  • Both comparisons were run on the same 546-user, 100-computer AD test domain in February 2026.
  • ETC Collector was executed with network probes enabled when the methodology required it.
  • Detailed caveats, uncovered edge cases and screenshots stay on the dedicated comparison pages.
  • The dedicated comparison pages include the full rule breakdown, screenshots, and remaining gaps from the documented runs.
Simple, Transparent Pricing

Choose Your Plan

Start with our free collector. Upgrade when you need advanced features like scheduling, compliance reports, and SIEM integration.

Beta — Premium 149€/mo · 449€ list price

One plan, full access. 20% lifetime discount for beta users.

AVAILABLE NOW

Free

0€/forever
  • Active Directory today
  • Community edition: 264 AD + 134 Entra detections
  • 1 collector, 1 site
  • Up to 50 users
  • 1 audit/week, 30-day history
  • JSON/CSV export
  • Basic scheduling (1/week)

Premium

179€/month
  • Pro / Full edition: 275 AD + 144 Entra detections
  • 2 collectors, 3 sites
  • Up to 500 users
  • 1 audit/day, 90-day history
  • Scheduling and email alerts
  • MITRE ATT&CK mapping
  • PDF/CSV export
POPULAR

Elite

449€/month
  • Pro / Full edition with ADCS and attack paths
  • 5 collectors, 10 sites
  • Up to 2,000 users
  • 4 audits/day, 1-year history
  • API access and webhooks
  • Trend analysis
  • 3 environments

Enterprise

899€/month
  • Pro / Full edition at enterprise scale
  • 15 collectors, 25 sites
  • Up to 5,000 users
  • Unlimited audits, 2-year history
  • SIEM integration
  • SSO / SAML
  • SLA 99.5%, 10 environments
MSSP

Partner

1,499€/month
  • MSSP delivery for AD + Entra ID
  • Unlimited collectors and sites
  • Up to 15,000 users
  • Unlimited audits, 3-year history
  • White-label reports
  • Client portal and revenue share
  • Dedicated CSM

Need Custom Add-ons?

Use our pricing calculator to add extra users, sites, collectors, compliance packs, and more.

Start with the open-source collector

Ready to secure your identity infrastructure?

Run a read-only audit for Active Directory or Entra ID, then choose the local or SaaS workflow that fits your team.
