Horizon3.ai lets organizations ramp up offensive security efforts with new Active Directory Tripwires for their NodeZero platform

Snehal Antani, CEO and Co-founder of Horizon3.ai

Horizon3.ai, which makes offensive security solutions that safely attack your environment to uncover what’s actually exploitable, has announced the availability of Active Directory (AD) Tripwires, a major enhancement to its NodeZero Offensive Security Platform. AD Tripwires gives defenders a map and compass for catching attackers in the act of attempting privilege escalation, and addresses one of the most difficult and persistent challenges in deception: knowing where to put the decoys.

“Active Directory compromise is the beginning of total compromise,” said Snehal Antani, CEO and Co-founder of Horizon3.ai. “Once an attacker controls AD, they control your identity layer – the crown jewels that govern access to every system, cloud service, and application. That’s why ransomware operators, APTs, and insiders all go after it. Traditional defenses either flood analysts with noise or miss the subtle reconnaissance activity that happens right before the big move. Catching that early reconnaissance phase is the difference between an attempted breach and a headline.”

Attackers target AD because it sits at the centre of enterprise identity, with an estimated 90% of Global 1000 organizations relying on it for identity access management today. While CVEs might open the first door, privilege escalation almost always happens through identity-driven techniques like cached tokens, Kerberos ticket reuse, weak trust relationships or misconfigurations. Traditional tools miss these moves because they blend into normal logs, leaving defenders blind until it’s too late. As recently noted in the NSA’s jointly released guidance for Mitigating Active Directory Compromises, taking steps to properly gain control over AD remains a powerful way for enterprises to protect their most sensitive data from persistent attackers and stop breaches before they can cause reputational and financial damage.

“With today’s news, our customers now have an attacker-informed early warning system – the equivalent of installing security cameras while breaking into your own house,” Antani said. “We’re proud to be empowering more global defenders to go on the offensive, and, armed with an attacker’s-eye view of their security posture, stop more breaches before they happen.”

Antani thinks this offering is extremely important. Research shows nearly half of organizations have experienced AD attacks, with more than 40% resulting in compromise. A common example is Kerberos ticket abuse, with attackers quietly requesting tickets to crack and escalate privileges. AD Tripwires detects these actions immediately.

“I’m really excited to announce Active Directory Tripwires,” he stated. “NodeZero can now auto-deploy honeytokens throughout your Active Directory environment, making it easier to quickly detect bad guys that are poking around. The challenge with using deception tools like honeytokens is where to put them in your network. You need to pick spots that are likely to be accessed by attackers, and name them in ways likely to deceive those attackers.

“NodeZero Tripwires completely changes that paradigm,” Antani emphasized. “While running a pentest, NodeZero will auto-deploy fake AWS Credentials, fake Azure Tokens, fake SQL Dump files, and other types of honeytokens onto hosts and data shares compromised during a pentest. Think of this as installing ‘ring cameras’ while breaking into your house. When attackers interact with these honeytokens, alerts are sent directly to your SOC, including the context of the attack paths possible from that compromised host, which accelerates your incident response process.”

Antani also noted that with the launch of AD Tripwires, users can now deploy honeytokens directly into their Active Directory environments too. AD is the prime target for attackers, so this dramatically improves detection and response.

“AD Tripwires creates three main types of decoy accounts tailored to common AD attack techniques, including domain user scraping, Kerberoasting, and AS-REP roasting,” Antani said. “These accounts are provisioned using standard AD tools and can be disguised with non-privileged attributes (e.g., via Group Policy Objects) to blend in with real users, making them less suspicious.

“Legitimate users or applications have no reason to interact with these decoys, so any access triggers real AD events on Domain Controllers, generating log entries in Windows Security Event Logs,” he added. “This enables targeted monitoring without broad surveillance. Tripwires remain silent and lightweight until triggered, then send immediate alerts via the NodeZero portal, email, or integrations like Microsoft Sentinel. Configuration involves running a PowerShell utility on a domain-joined machine with appropriate permissions to provision accounts and install an AD Agent. Users can enable/disable monitoring, add multiple domains, and test tripwires end-to-end, which simulates real authentication attempts. Accounts use long, random passwords resistant to cracking.”
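The detection side of the decoy accounts described above, as an added example that is not NodeZero's own code: a small scanner over constructed Windows Security event lines that stays silent for ordinary users and raises an alert, labelled with the suspected technique, the moment a decoy account shows up in a Kerberos request. Event IDs 4768 (TGT requested) and 4769 (service ticket requested) are standard Security log events; the `PreAuthType` and `TicketEncryptionType` keys are shortened stand-ins for the Windows "Pre-Authentication Type" and "Ticket Encryption Type" fields, and the decoy names, line format and sample log are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Added example, not NodeZero code. Constructed decoy names; real ones are chosen to blend in.
DECOY_ACCOUNTS = {"svc_sqlreport", "backup_admin2", "k.ferris"}

@dataclass(frozen=True)
class Alert:
    decoy: str        # decoy account that was touched
    requester: str    # principal that made the request
    source_ip: str
    event_id: int
    technique: str    # suspected technique, inferred from event fields

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value Key=Value ...' Security-event line."""
    return dict(tok.split("=", 1) for tok in line.split())

def classify(ev: dict) -> "tuple[str, str] | None":
    """Return (decoy account, suspected technique) if the event touches a decoy."""
    eid = int(ev["EventID"])
    if eid == 4769:  # service ticket requested; ServiceName is the SPN's account
        target = ev.get("ServiceName", "")
        if target not in DECOY_ACCOUNTS:
            return None
        rc4 = ev.get("TicketEncryptionType") == "0x17"  # RC4-HMAC: crackable offline
        return target, "Kerberoasting" + (" (RC4 ticket)" if rc4 else "")
    target = ev.get("TargetUserName", "")
    if target not in DECOY_ACCOUNTS:
        return None
    if eid == 4768 and ev.get("PreAuthType") == "0":  # TGT issued with no pre-auth
        return target, "AS-REP roasting"
    return target, f"unexpected decoy access (event {eid})"

def scan(lines) -> "list[Alert]":
    """No legitimate principal touches a decoy, so every hit is an alert; all else is ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if hit := classify(ev):
            alerts.append(Alert(hit[0], ev.get("TargetUserName", "?"),
                                ev.get("IpAddress", "?"), int(ev["EventID"]), hit[1]))
    return alerts

# Constructed sample events: ordinary traffic that must stay silent, plus two decoy hits.
SAMPLE_LOG = [
    "EventID=4769 TargetUserName=alice ServiceName=fs01$ IpAddress=10.1.2.3 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=carol PreAuthType=2 IpAddress=10.1.2.5",
    "EventID=4769 TargetUserName=alice ServiceName=svc_sqlreport IpAddress=10.1.2.3 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=k.ferris PreAuthType=0 IpAddress=10.1.9.9",
]
```

`scan(SAMPLE_LOG)` returns two alerts, a Kerberoasting hit on `svc_sqlreport` and an AS-REP roasting hit on `k.ferris`, and nothing for the two ordinary events, which is the low-noise property the decoys are meant to give a SOC.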

This means that with AD Tripwires, defenders can now reduce attacker dwell time from weeks to minutes, catch attempts to steal credentials or escalate privileges at the identity layer before attackers achieve domain admin, detect stealthy identity attacks that bypass traditional monitoring tools, and prove identity defenses are working in production.

NodeZero has already proven in benchmarks like Game of Active Directory (GOAD) that AD can be compromised in minutes. AD Tripwires gives defenders the ability to detect those types of identity attacks as they happen in production. In addition, AD Tripwires integrates seamlessly into SOC workflows, feeding directly into existing detection and alerting tools. Each alert includes the compromised identity, the attack path that led there, and how the adversary attempted to use it, enabling faster and more precise incident response.

AD Tripwires is available now to all NodeZero Tripwires customers worldwide.