Active Directory Security is the latest addition to the Holm Security platform, joining our existing coverage for System & Network Security. From today, every Holm Security customer running authenticated network assessments against a Domain Controller will start seeing Active Directory findings appear in Security Center automatically.
The release lands at a moment when European organizations are facing significant new regulatory pressure on identity hygiene under directives like NIS2 and DORA. More recently, the European Commission unveiled its Technological Sovereignty Package, formalizing how public sector buyers should evaluate cloud and digital suppliers against sovereignty criteria. As Executive Vice-President Virkkunen put it, Europe wants to "make its own choices, avoiding dependence on single dominant suppliers."
The Holm Security platform is developed and hosted entirely in the European Union, and we recently received the Cybersecurity Made in Europe and Software Hosted in Europe labels for that reason. Active Directory hardening is shifting from a hygiene practice to a compliance requirement, and we wanted every customer to have visibility into that surface.
Active Directory findings appear in the same vulnerability database as everything else the platform finds, with the same severity ratings, the same workflows, and the same remediation paths. Each finding identifies the specific objects in your environment that triggered the rule: affected accounts, Domain Controllers, Group Policy Objects, certificate templates, and DNS zones.
For most organizations, Active Directory is the system that decides who can access what. Every user account, every group policy, every device access rule lives there. Even teams that have moved to Microsoft 365 typically sync identity from on-premises Active Directory through Entra Connect, meaning what happens on-prem can reach into the cloud. Active Directory is also one of the oldest pieces of corporate infrastructure most companies still run: quietly central to the business, and rarely scrutinized at the same depth as newer cloud systems.
A compromised on-premises domain administrator account doesn't give a cybercriminal access to one system; it gives them control over everything Active Directory manages. The weaknesses cybercriminals routinely exploit - Kerberos misconfiguration, dangerous delegation, certificate service abuse, exposed credentials in Group Policy - are configuration weaknesses rather than software bugs: they live on-premises, no vendor patch removes them, and in most organizations they go unmeasured between audits.
How Active Directory Security maps to MITRE ATT&CK and CIS
Active Directory Security spans 187 individual checks across nine MITRE ATT&CK tactics. The largest concentration is in Credential Access (54 checks), the category where attackers most often establish a foothold. The checks address the techniques cybercriminals most commonly use against on-premises Active Directory, including:
Of the 187 checks, 33 carry Critical or High severity.
Active Directory Security pairs with our existing Entra ID coverage. Together they give customers visibility across both halves of hybrid identity, the on-premises directory and the cloud-based layer it typically syncs to, covering the setup most organizations actually run. It's also the first step in a broader expansion of coverage planned through 2026.
If you're an existing customer and want a walkthrough of how to interpret the new findings, your account manager can help schedule one. If you're not a customer yet, get in touch - we'll show you what the platform sees in a typical Active Directory environment.