Last updated: April 29, 2026
BloodHound changed offensive AD work. Before BloodHound (2016, by SpecterOps), attack paths were discovered manually by experienced operators. After BloodHound, any pentester with domain user credentials can run a data collection, issue a query in the GUI, and have the shortest path to Domain Admin visualized in minutes. This module explains why BloodHound works (graph theory applied to AD’s inherent relationships) and why the visualization is often more valuable than the exploitation.
Why this matters
AD is a graph. Users are in groups. Groups contain other groups. Computers are owned by principals. Principals have ACL rights on objects. Delegation exists between principals and SPNs. Trusts connect forests. Every object carries an ACL that defines its permission relationship to every other principal.
Before BloodHound, most defenders assumed their domain was a forest of trees: users → groups → rights. But AD has thousands of ACL-based edges. WriteDacl, GenericAll, GenericWrite, WriteOwner — any of these on a sensitive target is a privilege escalation path. Graph theory finds paths across these edges in milliseconds.
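The path-finding idea above as a short Python sketch, added here as an illustration and not taken from BloodHound or from this module's own material: breadth-first search over an edge list, used the way a defender would, to list who has a path to a sensitive group and which single edges cut it. All node names and edges are constructed sample data.

```python
from collections import deque

# Constructed sample edges (source, relationship, target); not from a real domain.
EDGES = [
    ("ALICE", "MemberOf", "HELPDESK"),
    ("HELPDESK", "MemberOf", "IT-SUPPORT"),       # nested group
    ("HELPDESK", "GenericAll", "SVC-SQL"),        # redundant ACL route
    ("IT-SUPPORT", "GenericWrite", "SVC-SQL"),    # ACL edge
    ("SVC-SQL", "WriteDacl", "DOMAIN ADMINS"),    # ACL edge on a sensitive target
    ("ALICE", "MemberOf", "DOMAIN USERS"),
    ("BOB", "MemberOf", "DOMAIN USERS"),
    ("DOMAIN USERS", "GenericAll", "WS-042"),     # dead end
]

def shortest_path(edges, start, target):
    """Breadth-first search; returns the edges of a shortest path, or None."""
    adjacency = {}
    for edge in edges:
        adjacency.setdefault(edge[0], []).append(edge)
    parent = {start: None}            # node -> edge that first reached it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                path.append(parent[node])
                node = parent[node][0]
            return path[::-1]
        for edge in adjacency.get(node, []):
            if edge[2] not in parent:
                parent[edge[2]] = edge
                queue.append(edge[2])
    return None

def principals_with_path(edges, target):
    """Every node that can reach the target: the exposure to review."""
    sources = {e[0] for e in edges}
    return {n for n in sources if n != target and shortest_path(edges, n, target)}

def breaking_edges(edges, start, target):
    """Edges on the shortest path whose removal alone leaves no path at all."""
    path = shortest_path(edges, start, target) or []
    return [e for e in path
            if shortest_path([x for x in edges if x != e], start, target) is None]

if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, "ALICE", "DOMAIN ADMINS"):
        print(f"{src} -[{rel}]-> {dst}")
```

Removing the `GenericAll` edge from HELPDESK to SVC-SQL does not appear in `breaking_edges`, because the nested-group route through IT-SUPPORT still reaches the same target.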