Active Directory environments are sprawling. Most organizations running AD accumulate years of permissions, group memberships, delegation trusts, and inherited ACLs that nobody fully understands. That complexity is exactly what attackers count on. A compromised low-privilege account can chain together misconfigurations nobody thought to audit, moving laterally through nested group memberships and unconstrained delegation until domain admin is within reach. The gap between "technically possible" and "obvious to a defender" is enormous, and that gap is where attack-path analysis tools live.

Manual enumeration of these paths is impractical at scale. AD graphs in real environments routinely contain tens of thousands of nodes and relationships that interact in non-obvious ways. Automated mapping became a necessity, not a luxury, for anyone doing serious offensive security work against Windows infrastructure.

Enter BloodHound CE

BloodHound CE is an open-source tool designed to map Active Directory environments and reveal the attack paths that exist within them. It is widely used by red teams during penetration tests and adversary simulations to demonstrate how an attacker with initial access could escalate privileges and move through a network.

The tool works by collecting data from Active Directory environments using a dedicated ingestor, then loading that data into a graph database. Once ingested, the relationships between users, groups, computers, and access control lists become queryable and visual. What would take an analyst hours of manual LDAP queries and cross-referencing appears as traversable graph paths. The database can answer questions like: "What is the shortest path from this compromised user to Domain Admin?" — and show multiple routes, not just one.

It is worth noting that BloodHound CE serves both sides of the engagement. Blue teams and defenders use the same data to identify and remediate dangerous permission structures before an adversary finds them. The tool does not discriminate between offensive and defensive use; it simply makes the attack surface visible.

Under the hood

BloodHound CE is a multi-component system. The architecture consists of three main parts: a data collector, a graph database, and a web interface.

The data collector, known as SharpHound, is written in C#. It runs on a domain-joined machine and queries Active Directory through LDAP, the SAMR protocol, and other Windows-native interfaces to extract information about users, groups, computers, group memberships, ACLs, sessions, trusts, and more. SharpHound outputs the collected data as JSON files, which are then ingested into the backend.

The backend uses Neo4j, a dedicated graph database, to store and query the collected relationships. Neo4j is purpose-built for connected data, making it a natural fit for the highly relational nature of AD permission structures. The backend service handles ingestion of SharpHound JSON output into Neo4j and serves queries to the frontend.

The web interface is a JavaScript and React-based frontend that allows users to interact with the graph visually. It renders nodes and edges, runs pre-built queries for common attack patterns, and lets analysts build custom traversals. The interface communicates with Neo4j through the backend API.

The overall stack is operationally demanding. Running BloodHound CE requires hosting Neo4j, the backend API, and the web frontend, along with a Windows machine or credentials capable of running SharpHound against the target domain. It is not a single-binary tool — it is a small platform.

Running it

The most straightforward way to get BloodHound CE running is through Docker, which bundles the Neo4j database, backend, and frontend into a set of containers. The project provides Docker Compose support for this purpose.

To deploy it:

git clone https://github.com/SpecterOps/BloodHound.git
cd BloodHound/docker-compose
docker compose up -d

After the containers start, the web interface is typically accessible at http://localhost:3000. Neo4j will be running on its default port. Default credentials are provided in the project's documentation — they should be changed immediately in any non-lab environment.

To collect data from an Active Directory environment, run SharpHound on a domain-joined host with appropriate network access:

SharpHound.exe -c All

This command collects all major data types and outputs JSON files to the current directory. Those files are then uploaded through the web interface or the API to populate the Neo4j database for analysis.

Trade-offs

BloodHound CE is not a lightweight tool. The requirement to maintain a Neo4j instance, a backend service, and a frontend means more moving parts compared to simpler AD enumeration scripts. For someone who just needs a quick look at group memberships, it is overkill. Tools like ldapsearch, net, or Powerview can answer simpler questions without the overhead of a graph database and web dashboard.

The data collection phase also requires meaningful access to the target domain. SharpHound needs at least read-level LDAP access, and collection quality improves significantly with higher-privileged credentials. Running it with a low-privilege account will produce an incomplete picture, which can be misleading if the analyst does not realize what was missed.

That said, for its intended use case — mapping complex, multi-step attack paths across large AD environments — there is no real substitute at this price point. The graph-based approach surfaces relationships that flat text output from simpler tools cannot easily represent. It is heavier than alternatives like ADCollector or simple BloodHound queries run through third-party clients, but it provides a self-hosted, fully open-source platform without the licensing restrictions of the commercial BloodHound Enterprise edition.

For red teams, it has become a standard part of the post-exploitation toolkit. For blue teams willing to invest the setup effort, it offers a clear view of exactly where their AD environment is most exposed.

BloodHound CE is hosted on GitHub at github.com/SpecterOps/BloodHound.