Internal Active Directory environments are the most consistently exploitable surface in Indian enterprises. Across 200+ engagements at Macksofy, we have escalated to Domain Admin in over 80% of in-scope environments — usually within the first 48 hours. This guide explains what a serious AD pentest looks like in 2026, what to scope, what to expect in the report, and how to pick a vendor that delivers depth instead of a Nessus PDF.
Why AD-specific testing matters in India
RBI's Cyber Security Framework, SEBI's CSCRF, and CERT-In's audit guidelines all require organizations to test their internal network — not only the perimeter. AD is the centre of every Windows-based corporate network. Cooperative banks, NBFCs, listed manufacturers, government departments and mid-market SaaS companies in India almost universally run AD as the identity foundation. A perimeter-only test misses the actual breach pattern: phishing → workstation foothold → AD compromise → data theft → ransomware.
What 'in scope' should mean
- Every domain controller and the rest of tier 0 (the systems from which DCs are administered or which can issue domain credentials)
- A sample of standard user workstations, used as the assumed-breach starting point (a domain-joined host with a low-privilege user)
- Active Directory Certificate Services (ADCS), Federation Services (ADFS) and Microsoft Exchange, where present
- Entra ID (formerly Azure AD) where the domain is synced to a tenant via Entra Connect or cloud sync, since on-prem compromise then extends to cloud identities
- Sensitive shares: SYSVOL and NETLOGON (logon scripts, Group Policy Preferences), plus application and file shares
- Group Policy Objects, where they are linked, and who can edit them
Methodology — what we actually do
| Day | Activity | Output |
|---|---|---|
| 1 | Recon, BloodHound collection, DC enumeration | Domain map, user list |
| 2 | Kerberoasting, AS-REP roasting, offline cracking and weak-password identification | Cracked credentials |
| 3 | ACL abuse, GPO abuse, ADCS template and CA misconfigurations | Privilege-escalation and lateral-movement paths |
| 4 | Lateral movement, local privilege escalation | Tier-1 admin access |
| 5 | Domain Admin escalation, krbtgt extraction (proof only) | DA confirmation |
| 6 | Sensitive data discovery, exfil simulation | Data sensitivity findings |
| 7 | Cleanup, debrief, draft report | Engagement closeout |
Typical 7-day AD engagement schedule
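The day-2 column in the schedule above is the part a defender can rehearse before the testers arrive. The Python below is an added example, not Macksofy's tooling and not one of the tools listed later on this page: it applies the same selection rules a Kerberoast / AS-REP roast pass uses to a user export of the kind ldapsearch or BloodHound produce, and runs offline against constructed sample accounts. The attribute names and flag values are Active Directory's own; the account names, SPNs, dates and the severity rules are assumptions made for illustration.

```python
"""Triage an AD user export for Kerberoastable and AS-REP roastable accounts.

Added example. The flag constants are real AD values; everything in
SAMPLE_EXPORT is constructed and the severity heuristic is this example's own.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (real AD values)
UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits (real AD values)
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    """Windows FILETIME -> aware datetime (pwdLastSet is stored this way)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _uac(entry):
    return int(entry.get("userAccountControl", 0) or 0)


def is_machine_account(entry):
    # Machine accounts have random 120-char passwords; roasting them is pointless.
    return bool(_uac(entry) & UF_WORKSTATION_TRUST_ACCOUNT) or entry["sAMAccountName"].endswith("$")


def allows_rc4(entry):
    """True if the KDC may issue an RC4 service ticket for this principal.

    Assumption: an absent or zero msDS-SupportedEncryptionTypes falls back to
    the domain default, which in most domains still permits RC4.
    """
    etypes = int(entry.get("msDS-SupportedEncryptionTypes", 0) or 0)
    return etypes == 0 or bool(etypes & ENC_RC4_HMAC)


def password_age_days(entry, now):
    ft = int(entry.get("pwdLastSet", 0) or 0)
    if ft == 0:
        return None  # never set, or "must change at next logon"
    return (now - from_filetime(ft)).days


def triage(entries, now):
    """Return roastable accounts, most severe first (severity rules are illustrative)."""
    findings = []
    for e in entries:
        name = e["sAMAccountName"]
        uac = _uac(e)
        if uac & UF_ACCOUNTDISABLE:
            continue  # the KDC will not issue tickets for disabled accounts
        age = password_age_days(e, now)
        spns = e.get("servicePrincipalName") or []
        # Kerberoast: any authenticated user can request a TGS for these SPNs and
        # crack it offline. krbtgt and machine accounts have unguessable passwords.
        if spns and name.lower() != "krbtgt" and not is_machine_account(e):
            if allows_rc4(e):
                sev, why = "high", "RC4 ticket allowed, offline cracking is fast"
            else:
                sev, why = "medium", "AES-only ticket, slower to crack"
            if e.get("adminCount") == 1:
                sev = "critical"
                why += "; account is or was in a protected admin group"
            if age is not None and age > 365:
                why += f"; password last set {age} days ago"
            findings.append({"account": name, "technique": "kerberoast", "severity": sev, "detail": why})
        # AS-REP roast: with pre-authentication disabled the KDC hands out an
        # AS-REP encrypted with the user's key to anyone who asks by name.
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"account": name, "technique": "as-rep-roast", "severity": "high",
                             "detail": "DONT_REQ_PREAUTH set, AS-REP obtainable without credentials"})
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["account"]))
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2026, 3, 1)

# Constructed sample export; none of these accounts exist in a real domain.
SAMPLE_EXPORT = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "pwdLastSet": to_filetime(_utc(2019, 5, 2))},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 0,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"], "pwdLastSet": to_filetime(_utc(2017, 8, 14))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["backup/bk01.corp.example"], "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256,
     "pwdLastSet": to_filetime(_utc(2025, 11, 1))},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/WS01.corp.example"], "pwdLastSet": to_filetime(_utc(2026, 2, 20))},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x410200,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(_utc(2021, 1, 9))},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202,
     "servicePrincipalName": ["HTTP/app.corp.example"], "pwdLastSet": to_filetime(_utc(2020, 3, 3))},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200,
     "servicePrincipalName": [], "pwdLastSet": to_filetime(_utc(2026, 1, 15))},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, NOW):
        print(f"{f['severity']:<8} {f['technique']:<13} {f['account']:<12} {f['detail']}")
```

Run against a real export, the same rules tell you in advance which service accounts hashcat will be fed on day 2: anything flagged here should either get a long managed password (gMSA), have RC4 removed from msDS-SupportedEncryptionTypes, or have DONT_REQ_PREAUTH cleared before the engagement starts.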
Tooling we use
| Category | Tools |
|---|---|
| Recon | BloodHound, SharpHound, PowerView, ldapsearch |
| Kerberos abuse | Rubeus, impacket-GetUserSPNs, kerbrute |
| ACL abuse | PowerView, bloodyAD, certipy (shadow credentials) |
| ADCS attacks | certipy, Certify |
| Lateral movement and privilege escalation | impacket, evil-winrm, RemotePotato0, NoPac (CVE-2021-42278/42287) |
| Cracking | hashcat (RTX 4090 cluster) |
| Reporting | GhostWriter, Macksofy templates |
What a serious AD report contains
- Executive summary with risk-on-business framing (board-ready, 2-3 pages)
- Findings register: severity, CVSS, business impact, remediation effort
- Attack-chain narrative — every DA path documented as a kill-chain
- Proof-of-concept screenshots and command logs for each finding
- MITRE ATT&CK mapping for every TTP used
- Developer- / sysadmin-friendly remediation steps with config examples
- 30-day free retest commitment
- CERT-In format compliance for regulated entities
Pricing in India (2026)
| Scope | Effort | Indicative price |
|---|---|---|
| Single domain, <200 users | 5 working days | ₹3.5–6 lakh |
| Single forest, <2000 users | 7-10 working days | ₹6–12 lakh |
| Multi-forest, hybrid Entra ID | 10-15 working days | ₹12–22 lakh |
| Annual retainer (4 engagements) | Per cycle | ₹40–70 lakh |
How to evaluate a vendor
- CERT-In empanelled? (Mandatory for RBI / SEBI / UIDAI entities)
- Show me a sanitized AD pentest report — does it have attack-chain narratives?
- What's the OSCP / OSEP / CRTO concentration on the team?
- Will the same consultants run my engagement, or is it offshored to L1 staff?
- Free retest within 30 days included?
- Will you walk my admins through every finding personally?
Our Active Directory engagement is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
