On-prem identity hardening
Harden Microsoft Active Directory (AD), certificate services (ADCS), and SMB shares—where a single standard account can expose your entire environment—to resist modern identity attacks with proactive defense.
Deep visibility and context
Active Directory is not just a directory of users and groups; it’s a living graph of permissions, paths, and misconfigurations. Saporo maps this graph with unmatched depth and clarity.
Coverage of standard and exploitable permissions attackers use to move laterally or escalate privileges
Graph mapping of all AD, SMB shares, and ADCS objects, including templates, enrollment abuse, and secrets
Exploitation context that shows how access can be abused, not just who has it
Visibility into systemic risk across AD, SMB, and ADCS, uncovering hidden weak points in your environment
Saporo turns complex AD environments into clear, actionable graphs so you can see and fix risks before attackers exploit them.
Why AD security matters
Active Directory underpins enterprise security, but one misstep can expose you. Misconfigurations, delegation, or excessive privileges often stay hidden until attackers exploit them.
Detect excessive privileges and unused administrator accounts that increase attack surface
Identify dangerous delegation paths and trust relationships that attackers exploit to move laterally
Surface weak GPOs, OUs, and certificate templates that leave domains open to abuse
Reveal hidden attack paths to Domain Admins and other high-value targets
Saporo gives you the visibility to uncover weaknesses before attackers can turn them into domain-wide compromise.

Access graph + attack graph
Saporo goes beyond static posture checks with dual graph perspectives that reveal not just risks, but how attackers move through them.
Access Graph – maps who can access what across AD, ADCS, and SMB shares
Attack Graph – models how misconfigurations and permissions chain into compromise paths
Identify chokepoints where one remediation step eliminates millions of potential attack paths
Attack modeling that simulates how different types of attacks would play out in your environment (ransomware, DCSync, etc.)
Saporo helps you think like an attacker and act like a defender by removing the attack paths that matter most before they’re used.
Misconfiguration hardening
AD misconfigurations are everywhere, but not all are equally dangerous. Saporo correlates them with attack paths to show what matters most.
200+ mapped controls aligned to ANSSI AD hardening, ISO 27001, and MITRE ATT&CK
Misconfigurations prioritized by propagation risk and exposure of high-value targets
Global misconfiguration and ANSSI score views
Detailed fix recommendations with optional AI-assisted remediation support
Saporo turns endless findings into a prioritized list of what to fix first, backed by attacker logic, not just compliance checkboxes.

Monitor for change and drift
AD environments evolve constantly, and attackers exploit drift as soon as it appears. Saporo continuously monitors and correlates changes with risk.
Track what was changed, who changed it, and when, across AD, ADCS, and SMB shares
Receive alerts on abnormal or high-risk activity to stay ahead of attacks. Alert thresholds are configurable.
50+ custom rules to monitor important or suspicious changes via Active Directory and Domain Controller logs
Link changes back to score impact so you can see posture shift in real time and identify the potential root cause of the drift.
Saporo keeps your Microsoft environments hardened, continuously adapting to change and reducing the risk of exploitation.