Frequently Asked Questions
Answers about ForestGuardian, how it works, and how we handle your data. Can't find what you need? Contact us.
Platform
What is ForestGuardian?
ForestGuardian is purpose-built for small teams, public-sector entities, and MSPs that manage Active Directory environments. It continuously uncovers and prioritizes identity risks in Active Directory and hybrid environments, shows how an attacker could move through the environment, and highlights the smallest set of changes that removes that risk.
How is it different from a SIEM or EDR?
SIEM and EDR focus on logs, alerts, and endpoint activity. ForestGuardian focuses on identity, showing how users, groups, permissions, and misconfigurations combine into real attack chains that those tools do not surface. ForestGuardian is designed to run alongside them.
Is ForestGuardian a replacement for penetration testing?
No. It complements penetration testing. A pentest shows what is exploitable at a point in time, while ForestGuardian tracks how that risk changes over time and helps reduce exposure between tests.
Does ForestGuardian use AI agents or exploit our environment?
No. ForestGuardian analyzes identity and configuration data to model attack chains. It does not deploy agents across systems or perform live exploitation. This makes it safe for production environments and suitable for organizations with strict change-control or compliance requirements.
Deployment
How does ForestGuardian collect data?
ForestGuardian uses a lightweight collector that gathers identity and configuration data and sends it securely for analysis.
Does the collector require Domain Admin rights?
No. Most collection works with a standard domain user account. Optional deeper checks, such as full file-share analysis and password auditing, can be enabled with elevated access if needed.
What operating systems can the collector run on?
Windows, Linux, and macOS. It can run from both domain-joined and non-domain-joined systems.
Does ForestGuardian make changes in our environment?
No. ForestGuardian is fully read-only and never modifies configurations, accounts, or permissions.
How often does it scan?
Scans can run on demand or on a schedule. ForestGuardian also tracks changes between scans to highlight drift and newly introduced risk.
Where is ForestGuardian hosted and where is our data stored?
ForestGuardian securely processes identity and configuration data required for analysis. We only collect what is necessary to identify risk, and data handling can be aligned to your security, compliance, and regional requirements. ForestGuardian does not require full directory replication or storage of sensitive credentials.
What is the performance impact on domain controllers?
The collector is designed to be low-impact. It reads directory data without placing a significant load on a domain controller’s CPU or affecting normal operations.
Detections
What types of issues does ForestGuardian detect?
Misconfigurations, privilege escalation paths, credential risks, and exposure across users, groups, ACLs, GPOs, trusts, and file shares.
What are attack chains?
Attack chains show how smaller issues combine into a full compromise path. For example, a standard user who is a member of an over-privileged group gains administrative access to a system, pivots through misconfigured permissions on other objects, and ends with Domain Admin-level access.
What is the Identity Blueprint?
A visual map of your environment showing how users, groups, permissions, and trusts connect, with risk overlaid.
What is configuration drift?
ForestGuardian tracks changes such as new privileged accounts, group membership updates, ACL changes, and GPO modifications, so you can see how risk evolves over time.
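As an added illustration of what drift detection between two scans amounts to (example code written for this page, not ForestGuardian's own collector or snapshot format): two constructed snapshots of group memberships, ACEs on sensitive objects, and GPO version counters are diffed, and each change is turned into a finding with a severity. The snapshot layout, the Tier-0 object list, and the severity rules are assumptions for the example; the GPO version is assumed to be the gPCVersionNumber attribute.

```python
"""Configuration drift between two collector snapshots (added example)."""

# Assumed snapshot layout (not the product's real format): group memberships,
# ACEs on sensitive objects as (trustee, right) pairs, and GPO version counters
# as exposed by the gPCVersionNumber attribute.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
TIER0_OBJECTS = PRIVILEGED_GROUPS | {"CN=AdminSDHolder"}
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}

# Constructed sample data: the state at the previous scan and at the current one.
SNAP_BEFORE = {
    "groups": {"Domain Admins": {"da_bob"}, "Helpdesk": {"alice"}},
    "acls": {
        "Domain Admins": {("Domain Admins", "GenericAll")},
        "CN=AdminSDHolder": {("Domain Admins", "GenericAll")},
    },
    "gpos": {"Default Domain Policy": 12, "Workstations": 3},
}
SNAP_AFTER = {
    "groups": {"Domain Admins": {"da_bob", "svc_backup"}, "Helpdesk": {"alice", "carol"}},
    "acls": {
        "Domain Admins": {("Domain Admins", "GenericAll"), ("Helpdesk", "WriteDacl")},
        "CN=AdminSDHolder": {("Domain Admins", "GenericAll")},
    },
    "gpos": {"Default Domain Policy": 12, "Workstations": 4},
}


def diff_groups(before, after):
    """Membership changes; additions to Tier-0 groups are the dangerous ones."""
    findings = []
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        for member in sorted(new - old):
            if group in PRIVILEGED_GROUPS:
                findings.append(("high", "new privileged account", group, f"{member} added"))
            else:
                findings.append(("low", "group membership change", group, f"{member} added"))
        for member in sorted(old - new):
            findings.append(("info", "group membership change", group, f"{member} removed"))
    return findings


def diff_acls(before, after):
    """ACE changes; a control right on a Tier-0 object for a non-Tier-0 trustee is high."""
    findings = []
    for obj in sorted(set(before) | set(after)):
        old, new = before.get(obj, set()), after.get(obj, set())
        for trustee, right in sorted(new - old):
            dangerous = (obj in TIER0_OBJECTS and right in CONTROL_RIGHTS
                         and trustee not in PRIVILEGED_GROUPS)
            findings.append(("high" if dangerous else "medium", "ACL change", obj,
                             f"{trustee} granted {right}"))
        for trustee, right in sorted(old - new):
            findings.append(("info", "ACL change", obj, f"{trustee} lost {right}"))
    return findings


def diff_gpos(before, after):
    """GPO modifications show up as version counter changes."""
    findings = []
    for gpo in sorted(set(before) | set(after)):
        old, new = before.get(gpo), after.get(gpo)
        if old is None:
            findings.append(("medium", "GPO created", gpo, f"version {new}"))
        elif new is None:
            findings.append(("medium", "GPO deleted", gpo, f"was version {old}"))
        elif old != new:
            findings.append(("medium", "GPO modified", gpo, f"version {old} -> {new}"))
    return findings


def drift(before, after):
    """All drift findings as (severity, kind, subject, detail), most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings = (diff_groups(before["groups"], after["groups"])
                + diff_acls(before["acls"], after["acls"])
                + diff_gpos(before["gpos"], after["gpos"]))
    return sorted(findings, key=lambda f: (order[f[0]], f[1:]))


if __name__ == "__main__":
    for severity, kind, subject, detail in drift(SNAP_BEFORE, SNAP_AFTER):
        print(f"[{severity:>6}] {kind}: {subject}: {detail}")
```

On the constructed data this yields two high findings (a service account added to Domain Admins, and Helpdesk granted WriteDacl on the Domain Admins group), one medium GPO modification, and one low-severity membership change; the same snapshot diffed against itself yields nothing, which is the property a drift report depends on.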
Does it help us prioritize fixes?
Yes. It highlights the minimum set of changes that break the most dangerous attack paths so teams can focus on what actually reduces risk.
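To make the two ideas above concrete, the attack chains described under "What are attack chains?" and the "minimum set of changes" described here, the following added example (written for this page, not ForestGuardian's own code) models a small identity graph, enumerates every path from low-privilege users to Domain Admins, and then picks the fewest edges whose removal breaks all of them. The graph data is constructed; the relationship names follow the BloodHound-style vocabulary (MemberOf, AdminTo, HasSession, GenericAll, WriteDacl, GPLink) and the fix-priority table is an assumption that prefers removing ACL misconfigurations over structural relationships.

```python
"""Attack chains over an identity graph and the fewest edges that break them (added example)."""

# Constructed sample graph: (source, relationship, target). Relationship names
# follow the common BloodHound-style vocabulary; the data is made up.
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),               # local admin on a workstation
    ("WS01", "HasSession", "svc_backup"),          # a service account is logged on there
    ("svc_backup", "GenericAll", "Tier0-Admins"),  # full control of a Tier-0 group
    ("Tier0-Admins", "MemberOf", "Domain Admins"),
    ("alice", "MemberOf", "Staff"),
    ("bob", "MemberOf", "Staff"),
    ("Staff", "WriteDacl", "GPO-Workstations"),    # Staff can rewrite a GPO's DACL
    ("GPO-Workstations", "GPLink", "SRV02"),       # the GPO applies to a server
    ("SRV02", "HasSession", "da_bob"),
    ("da_bob", "MemberOf", "Domain Admins"),
]

# Assumed fix preference: misconfigured ACLs are cheaper and safer to remove than
# group structure or GPO links. Lower value wins ties between equally useful cuts.
FIX_PRIORITY = {"WriteDacl": 0, "GenericAll": 0, "AdminTo": 1, "HasSession": 2,
                "MemberOf": 3, "GPLink": 3}


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next node)]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def find_paths(graph, start, target, max_hops=8):
    """All simple paths start -> target, each as a list of (src, rel, dst) edges."""
    paths = []

    def walk(node, visited, trail):
        if node == target:
            paths.append(list(trail))
            return
        if len(trail) >= max_hops:
            return
        for rel, nxt in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            trail.append((node, rel, nxt))
            walk(nxt, visited, trail)
            trail.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def attack_chains(edges, starts, target):
    """Chains from each low-privilege start principal to the target, shortest first."""
    graph = build_graph(edges)
    chains = [p for s in starts for p in find_paths(graph, s, target)]
    return sorted(chains, key=len)


def minimal_fixes(chains):
    """Greedy hitting set: repeatedly cut the edge that breaks the most open chains.

    An exact minimum hitting set is NP-hard; the greedy choice is the standard
    approximation. Ties go to the edge with the best FIX_PRIORITY, then by name,
    so the result is deterministic.
    """
    open_chains = [set(c) for c in chains]
    fixes = []
    while open_chains:
        counts = {}
        for chain in open_chains:
            for edge in chain:
                counts[edge] = counts.get(edge, 0) + 1
        best = min(counts, key=lambda e: (-counts[e], FIX_PRIORITY.get(e[1], 2), e))
        fixes.append((best, counts[best]))
        open_chains = [c for c in open_chains if best not in c]
    return fixes


def verify_fixes(edges, starts, target, fixes):
    """Re-run the analysis without the cut edges; an empty list means all chains are broken."""
    cut = {edge for edge, _ in fixes}
    return attack_chains([e for e in edges if e not in cut], starts, target)


if __name__ == "__main__":
    starts, target = ["alice", "bob"], "Domain Admins"
    chains = attack_chains(EDGES, starts, target)
    for chain in chains:
        print(" ; ".join(f"{s} -[{r}]-> {d}" for s, r, d in chain))
    fixes = minimal_fixes(chains)
    for (src, rel, dst), n in fixes:
        print(f"remove {rel} from {src} to {dst}: breaks {n} chain(s)")
    print("chains remaining after fixes:", len(verify_fixes(EDGES, starts, target, fixes)))
```

On this graph there are three chains (two for alice, one for bob) but only two fixes are needed: removing Staff's WriteDacl on the workstation GPO breaks two chains at once, and removing svc_backup's GenericAll on the Tier-0 group breaks the third. Re-running the analysis on the graph with those edges removed is the same recheck a "validate fixes" step performs after remediation.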
Reporting
Does ForestGuardian check for weak or compromised passwords?
Yes. Optional checks identify weak passwords, reuse, and potential exposure to known breaches using curated datasets of previously exposed credentials. Passwords do not leave your network, are not stored in clear text, and only risk indicators and findings are retained.
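As an added example of how such a check can be done entirely on the local host (example code for this page, not ForestGuardian's implementation), the block below takes per-account NT hashes, which are assumed to come from the elevated-access password audit, detects reuse between accounts, and looks each hash up in a local breach dataset stored in the common hash-ordered "NTHASH:COUNT" layout. The dataset is searched by binary search on byte offsets, so a multi-gigabyte list never has to be loaded into memory, and the findings that are retained carry only the account name, the finding type and a severity, never the hash. The dataset file, the accounts and the privileged set are constructed for the example.

```python
"""Password audit against a local breach dataset (added example)."""
import os
import tempfile
from collections import defaultdict

# Constructed breach dataset in the hash-ordered "NTHASH:COUNT" layout of the
# common ordered-by-hash breach lists. The first two are the well-known NT
# hashes of "password" and "123456"; the third is made up. Lines are sorted
# so the file can be searched with a binary search instead of loaded into RAM.
BREACH_LINES = sorted([
    "8846F7EAEE8FB117AD06BDD830B7586C:500",
    "32ED87BDB5FDC5E9CBA88547376818D4:1000",
    "64F12CDDAA88057E06A81B54E73B949B:2",
])

# Constructed audit input: (account, NT hash) pairs as an elevated collector is
# assumed to extract them. The hashes stay inside this process.
ACCOUNTS = [
    ("alice", "8846F7EAEE8FB117AD06BDD830B7586C"),
    ("svc_backup", "8846f7eaee8fb117ad06bdd830b7586c"),   # same password as alice
    ("bob", "32ED87BDB5FDC5E9CBA88547376818D4"),
    ("carol", "C1D4F6B8E2A0C3D5F7B9A1C3E5D7F9B1"),         # not in the dataset
]
PRIVILEGED = {"svc_backup"}


def write_breach_list(lines):
    """Write the dataset to a temp file; in practice this is a large file already on disk."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


def breach_count(path, nthash):
    """Binary search a hash-sorted file by byte offset; returns the count or None."""
    key = nthash.upper().encode()
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        lo, hi = 0, fh.tell()          # byte range that may still hold the line
        while lo < hi:
            mid = (lo + hi) // 2
            # Align to the first line that starts at or after `mid`.
            fh.seek(max(mid - 1, 0))
            if mid > 0:
                fh.readline()
            pos = fh.tell()
            line = fh.readline()
            if not line or pos >= hi:  # no full line starts in [mid, hi)
                hi = mid
                continue
            found, _, count = line.rstrip(b"\r\n").partition(b":")
            if key < found:
                hi = mid
            elif key > found:
                lo = pos + len(line)
            else:
                return int(count)
    return None


def audit(accounts, breach_path, privileged):
    """Findings carry only indicators (severity, kind, account, detail), never a hash."""
    by_hash = defaultdict(list)
    for account, nthash in accounts:
        by_hash[nthash.upper()].append(account)
    findings = []
    for nthash, holders in by_hash.items():
        count = breach_count(breach_path, nthash)
        for account in holders:
            severity = "high" if account in privileged else "medium"
            if count is not None:
                findings.append((severity, "breached password", account, f"seen {count} times"))
            if len(holders) > 1:
                findings.append((severity, "password reuse", account,
                                 f"shared with {len(holders) - 1} other account(s)"))
    return sorted(findings)


if __name__ == "__main__":
    path = write_breach_list(BREACH_LINES)
    try:
        for finding in audit(ACCOUNTS, path, PRIVILEGED):
            print(finding)
    finally:
        os.remove(path)
```

The privileged service account that shares alice's breached password is reported at high severity on both counts, which is the kind of finding that turns a password hygiene issue into an attack-chain input. Nothing in the returned findings can be used to recover a password, which is what makes them safe to retain and report.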
Can it analyze file shares and data exposure?
Yes. By default, it shows what a standard user can access. With elevated access, it can analyze all shares to identify sensitive data exposure and over-permissioning.
Does it detect credential exposure inside files?
Yes. It can identify risky files and patterns that may contain credentials or other sensitive data.
What does reporting look like?
Reports include an executive summary, detailed technical findings, attack chain visualizations, and prioritized remediation guidance. Change reports show improvements or regressions over time. Reports can be exported and shared, and findings can be used alongside your existing workflows via integrations such as email and webhooks.
Can we validate fixes?
Yes. Findings can be rechecked on demand or during the next scan.
Can ForestGuardian integrate with our workflows?
Yes. Findings and alerts can be used alongside existing processes and tooling, including email and webhook-based integrations.
Security
How does ForestGuardian handle security and privacy?
ForestGuardian is designed around security and privacy best practices, including minimal data collection, secure transmission, and read-only operation. We work with customers to meet internal security and compliance requirements and can support security reviews during onboarding.
Will ForestGuardian impact production systems?
No. It only reads data from Active Directory and does not perform intrusive actions or any changes to the environment.
Is data collected securely?
Yes. Only the identity and configuration data required for analysis are collected and transmitted securely.
Can it run in restricted environments?
Yes. The collector can run from non-domain-joined systems and across different operating systems.
Small Teams
Is ForestGuardian a fit for small or resource-constrained teams?
Yes. It helps small teams quickly identify their highest risk issues and focus on fixes that matter without adding operational overhead.
How much time will it take us to manage?
After setup, teams typically review new attack chains and drift on a regular cadence, focusing only on prioritized fixes.
We do not have deep AD expertise. Will we still get value?
Yes. Findings include clear remediation guidance so teams can safely fix issues without needing deep specialization.
Enterprise
How does ForestGuardian help before rolling out EDR, PAM, or Zero Trust?
It identifies identity weaknesses that could bypass those controls, including excessive privileges and hidden attack paths. This lets you enforce least privilege and build a solid foundation before adding more security layers.
Can it support enterprise-wide security initiatives?
Yes. It helps continuously measure and improve identity security posture and track progress over time.
Does it work in complex environments?
Yes. It is designed for large and hybrid environments with evolving identity relationships and infrastructure.
MSPs & MSSPs
Is ForestGuardian suitable for MSPs and MSSPs?
Yes. It supports multi-tenant environments, enabling providers to manage multiple clients from a single platform with separate workspaces, per-tenant reporting, and controlled access for internal teams and client stakeholders.
How does it help us deliver value to clients?
It produces clear, client-ready reports with prioritized findings and attack chain visibility, making it easy to demonstrate risk reduction over time.
Can we use it across different client environments?
Yes. The collector works across different operating systems and deployment models, including restricted environments.
Getting Started
How long does it take to get started?
Deployment is quick. The collector can be run within minutes, and initial results are available shortly after. Most customers are up and running, reviewing their first attack chains, in under an hour.
What does onboarding look like?
Download, configure, and run the collector, review findings, and begin prioritizing fixes. No complex setup is required. The collector can run on a single existing machine in the network; no additional servers or infrastructure are required.
Do you offer guidance on remediation?
Yes. Every finding includes clear remediation steps, and additional guidance can be provided as needed.
What will we see in a demo?
A walkthrough of attack chains, findings, and how ForestGuardian prioritizes fixes in a real or sample environment.
Do you need access to our environment for a demo?
No. A demo can be done using sample environments or by mapping the walkthrough to your own setup.