Independent Consultant | Cybersecurity Architect & vCISO

Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist

Active Directory
Security Assessment

A focused review of the directory that holds your identities, admin rights, and access.
Most of the issues ransomware relies on sit in a handful of well-known Active Directory misconfigurations - this finds the critical ones fast.

Read-only access · prioritised hardening report · fixed scope · from €1,900

This assessment is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.

The Challenge

Why Active Directory drifts

Stale admin accounts, weak service accounts, legacy authentication, risky delegation, and over-broad permissions build up quietly in Active Directory. These are the exact paths ransomware uses to move from one machine to the whole domain. A short, focused assessment surfaces around 80% of the critical issues in roughly 20% of the time a full project would take.

Phase 1

Never Reviewed

Identity and access have never been checked. Misconfigurations accumulate and stay invisible until an incident exposes them.

Phase 2

One-Off Snapshot

A single assessment names the issues, but it does not fix them. Remediation takes real work over time, and the environment keeps drifting as accounts, devices, and policies change.

Phase 3

Scheduled in a Retainer

The assessment repeats on a sensible cadence inside a retainer, so identity hygiene keeps pace with the business.

Scope

What's in scope

A configuration-and-exposure assessment of Active Directory - not a full internal network penetration test.

  • Privileged account hygiene and admin sprawl
  • Weak, stale, and over-privileged service accounts
  • Legacy authentication and outdated protocols
  • Kerberos exposure and risky delegation
  • Trust relationships across domains and forests
  • Group policy weaknesses and insecure settings
  • Password policy and credential exposure
  • Stale objects, inactive accounts, and clean-up debt

Microsoft 365 / Entra ID hardening is handled as ongoing consultation rather than a fixed-scope audit - see the Retained Security Partner retainer.

Requirements

Access and accounts I need

Required inputs
  • One read-only domain account, or a domain-joined machine I can run the assessment from.
  • A short scoping call to confirm domain size, access method, and scheduling.
  • One technical contact available for the debrief.

Pricing

Indicative pricing

Starting from
from €1,900
fixed AD assessment scope
Always included
Full Active Directory configuration & exposure assessment
Findings prioritised by real-world risk
Executive summary for management
Technical hardening report with concrete steps
Ransomware-relevant risk highlighted
Debrief call with your technical contact

What affects the final price

Environment Size

The number of domains and forests in scope. A single domain is quicker to assess than a multi-forest estate with several trusts.

Documentation & Access

Existing network diagrams, an asset register, and ready access to a privileged read account let the assessment start faster and go deeper.

Lead Time saves money

Booking at least 3 weeks ahead allows proper preparation and is reflected in the quote. Urgent engagements carry a premium.

Process

How We Collaborate

01
Scoping call

We confirm the size of your environment, how I will access it, and the schedule. Usually 30 minutes.

02
Assessment

I run the assessment across Active Directory and collect the configuration and exposure data.

03
Analysis & report

I prioritise the findings by real-world risk and write a hardening report with concrete, ordered steps.

04
Debrief

We walk through the findings together, focus on what reduces ransomware risk first, and agree the next steps.

A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so identity hygiene keeps pace with how your business changes.

2027 waitlist

Scope an assessment

Start with a free 30-minute scoping call. I'll tell you what I need, what I'll check, and what it will cost - before you commit to anything.
Currently fully booked - onboarding new engagements from early 2027. Join the waitlist and I'll be in touch as slots open.

Have questions? See the FAQ →

Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.