GET STARTED LOGIN
01
WEB REPORT
Interactive penetration test report — full attack chain, credential dumps, privilege escalation paths
DEMO open_in_new
02
LIVE SCAN
Watch the attack in real-time — Kerberoast, DCSync, Golden Ticket streaming to your terminal
WATCH play_arrow
03
ALL PLATFORMS
Web, Windows, Linux, Android — one attack engine, four deployment targets, zero compromise
EXPLORE devices
04
WHY NOT AI
AI scanners hallucinate CVEs. We execute real Kerberos attack chains with cryptographic proof
COMPARE balance
4
PLATFORMS
30+
ATTACK MODULES
15
MIN TO DA
0
DATA SENT TO AI
[ HOW IT WORKS ]
Domain Admin in 4 steps
01 SECURE TUNNEL .OVPN
1

Upload VPN

Upload your .ovpn config.
Isolated secure tunnel created.

02 DC · 10.0.0.1 BREACHED
2

Target & Scan

Enter DC IP address.
One click launches full attack.

03 DOMAINATOR NEWS [+] TGS hash captured [*] AS-REP svc_backup [+] ESC1 cert template [!] DOMAIN ADMIN [+] TGS hash captured [*] AS-REP svc_backup [+] ESC1 cert template [!] DOMAIN ADMIN BREAKING: ENTIRE FOREST COMPROMISED IN 4 MINUTES —
3

Watch Live

Real-time Hackflix terminal.
Every attack module streams live.

04 REPORT DOMAIN ADMIN ACHIEVED
4

Get Report

Full web report — attack chain,
hashes, and remediation.

[ LIVE SCAN ]
Same attack. Every platform.
language WEB
desktop_windows WINDOWS
terminal LINUX
phone_android ANDROID
app.domainator.co.il/scan/live
DOMAINator.exe
domainator@kali:~$ ./DOMAINator.bin
10:48 LTE   39%
SCANNING
[ AVAILABLE ON ]
One platform. Every device.
Web Windows Linux Android
zoom_inCLICK TO ZOOM
DOMAINator Web Client Web ClientOPEN
DOMAINator Windows & Linux Desktop WindowsDOWNLOADLinuxDOWNLOAD
DOMAINator Android AndroidDOWNLOAD
[ AI VS REALITY ]
Why AI scanners fail at Active Directory
0%
of AI scanners can execute a single real Kerberos attack chain. They guess. We prove.
CAPABILITY AI SCANNERS DOMAINATOR
Kerberos Exploitation TGS-REQ + cracking
ADCS Certificate Abuse ESC1-ESC11
DCSync Domain Dump DRSUAPI replication
Pass-the-Hash / Relay NTLM + Kerberos relay
Golden Ticket Forge KRBTGT + crypto
Multi-Step Attack Chains 30+ chained flows
Data Stays On-Premise sent to cloud LLM isolated namespaces
Reproducible Results non-deterministic deterministic always

Built by penetration testers who hack Active Directory daily. Every attack chain is battle-tested — not generated by AI and hoped for the best.

[ WHAT AI CAN'T DO ]
Real attacks need real protocol operations
AI SCANNER FAILED
$ ai-scan --target corp.local
[✗] Kerberoastno network access
[✗] DCSyncno authenticated RPC
[✗] ADCS Abuseno live LDAP session
[✗] Pass-the-Hashno protocol stack
[✗] Golden Ticketno KRBTGT hash
[✗] Shadow Credsno LDAP write
[!] 0 exploits · 47 hallucinated CVEs
VS
DOMAINATOR ● LIVE
$ domainator --target 10.10.14.5
[✓] Kerberoast3 SPNs cracked
[✓] ADCS ESC1Admin impersonated
[✓] DCSyncAll hashes extracted
[✓] Pass-the-HashLateral movement
[✓] Golden TicketPersistent access
[✓] Shadow CredsmsDS overwritten
[★] DOMAIN ADMIN — 14 minutes
0%
AI SUCCESS RATE
30+
ATTACK CHAINS
14m
TO DOMAIN ADMIN
0
DATA SENT TO AI
KERBEROAST AS-REP ROAST DCSYNC ADCS ESC1-ESC11 PASS-THE-HASH GOLDEN TICKET SHADOW CREDENTIALS RBCD DELEGATION NTLM RELAY S4U IMPERSONATION GPO ABUSE KERBEROAST AS-REP ROAST DCSYNC ADCS ESC1-ESC11 PASS-THE-HASH GOLDEN TICKET
[ BATTLE PLANS ]
Individual AD penetration testing
sword_rose SQUIRE — FREE TRIAL
Start with 1 free scan — no credit card required. Experience the full attack chain on your own environment.
1 SCAN 1 RESCAN WEB REPORT $0 FOREVER
START FREE SCAN
ENTERPRISE
FOR COMPANIES PROTECTING THEIR DOMAIN
shield
BARON
Entry Warrior
$49
/month
  • ✔ 3 scans / month
  • ✔ 1 rescan / month
  • ✔ Essential Web Report
  • ✔ Domain Conquest Map
  • ✔ Live Terminal (Hackflix)
  • ✔ 24h report access
SELECT
MOST POPULAR
security
DUKE
Battle Commander
$149
/month
  • ✔ 6 scans / month
  • ✔ 2 rescans / month
  • ✔ Advanced Web Report
  • ✔ Domain Conquest Map
  • ✔ Live Terminal (Hackflix)
  • ✔ 24h report access
SELECT
👑
EMPEROR
Supreme Ruler
$299
/month
  • ✔ 12 scans / month
  • ✔ 4 rescans / month
  • ✔ Ultimate Web Report
  • ✔ Domain Conquest Map
  • ✔ Permanent report access
  • ✔ Priority queue
  • ✔ Dedicated support
SELECT
SOLO OPERATOR
FOR INDEPENDENT PENETRATION TESTERS
terminal
HACKER
Your Own Arsenal
$149
/month
  • ✔ 5 scans / month
  • ✔ 2 rescans / month
  • ✔ Operator Web Report
  • ✔ Full Attack Chain
  • ✔ Live Terminal (Hackflix)
  • ✔ Portable & Mobile Access
SELECT
CISO'S FORTRESS
FOR TEAM LEADERS MANAGING RANGERS
Multi-hacker team management
groups
WARBAND
CISO · 3 Rangers
$299
/month
  • ♦ 4 scans / ranger / month
  • ♦ 1 rescan / ranger / month
  • ♦ Ranger Live Screens
  • ♦ CISO Analytics Dashboard
  • ♦ Per-Ranger Isolation
  • ♦ Serial Key Management
SELECT
BEST VALUE
verified_user
LEGION
CISO · 5 Rangers
$499
/month
  • ♦ 5 scans / ranger / month
  • ♦ 2 rescans / ranger / month
  • ♦ Ranger Live Screens
  • ♦ CISO Analytics Dashboard
  • ♦ Per-Ranger Isolation
  • ♦ Serial Key Management
  • ♦ Priority Support
SELECT
CONQUER YOUR DOMAIN

Join the order. Start your first scan today.

Register Now Login
close
DOMAINATOR
Emperor Report
flagCONQUEST
keyCREDENTIALS
verified_userADCS
account_treeATTACK CHAIN
buildREMEDIATION
SCAN #4701 · 2026-05-10
DOMAIN COMPROMISED
Target Domaincorp.contoso.com
Domain ControllerDC01
DC IP Address10.10.14.5
Scan Duration23 minutes
9.8
CRITICAL
RISK SCORE
2,847
USERS
156
CREDENTIALS
342
MACHINES
ATTACK PATH SUMMARY
AS-REP Roast → Kerberoast → ADCS ESC1 → Domain Admin
key CAPTURED CREDENTIALS
6 credentials recovered across multiple attack vectors
USERNAMEHASH / PASSWORDSOURCETYPE
Administrator:500aad3b435b51404ee:fc525c9683e8fe067cbb...DCSyncNTLM
krbtgt:502aad3b435b51404ee:9d1d6c0327e80c2a4c3b...DCSyncNTLM
svc_mssqlSummer2024!KerberoastCleartext
svc_backup$krb5asrep$23$svc_backup@CORP...AS-REPHash
j.smithWelcome2024!SprayCleartext
DA_adminP@ssw0rd2024SYSVOL/GPPCleartext
verified_user ADCS ANALYSIS
Certificate AuthorityCONTOSO-DC01-CA
Templates Analyzed14
warning ESC1 VULNERABLE: CorpTemplate
Enrollee Supplies SubjectYES
Client Authentication EKUYES
Low-Privilege EnrollmentDomain Users
Manager ApprovalDISABLED
Authorized Signatures0
EXPLOITATION RESULT
Certificate issued for: Administrator@corp.contoso.com
TGT obtained via PKINIT authentication
account_tree ATTACK CHAIN
Full exploitation path from anonymous to domain admin
Anonymous Enumeration
847 users discovered
User Spray
j.smith:Welcome2024!
AS-REP Roast
svc_backup -- no pre-auth
Kerberoast
svc_mssql:Summer2024!
ADCS ESC1
Certificate as Administrator
PKINIT → TGT
Administrator TGT obtained
DCSync
All domain hashes extracted
DOMAIN ADMIN
Full domain compromise achieved
build REMEDIATION
5 findings requiring immediate attention
Disable SPN accounts pre-auth requirement CRITICAL
Account svc_backup has Kerberos pre-authentication disabled, enabling AS-REP roasting. Enable pre-auth on all service accounts and audit accounts with DONT_REQUIRE_PREAUTH flag.
Fix ADCS ESC1 template -- remove enrollee-supplies-subject CRITICAL
CorpTemplate allows any domain user to request certificates with arbitrary SANs. Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, restrict enrollment to specific groups, and require CA manager approval.
Rotate all service account passwords (>25 chars) HIGH
svc_mssql password (Summer2024!) was cracked via Kerberoasting. Replace all SPN-associated accounts with gMSA (Group Managed Service Accounts) for automatic 120-char password rotation.
Implement tiered admin model HIGH
Lateral movement was trivial due to flat admin structure. Implement Microsoft's tiered administration model (Tier 0/1/2) to segment privileged access and prevent credential exposure across tiers.
Enable LDAP signing and channel binding MEDIUM
LDAP signing is not enforced, enabling relay attacks and MITM on LDAP traffic. Configure LdapServerIntegrity=2 and enable LDAP channel binding on all domain controllers.
close
LIVE SCAN DEMO
Watch the conquest unfold in real-time
language WEB
desktop_windows WINDOWS
terminal LINUX
phone_android ANDROID
app.domainator.co.il/scan/live
DOMAINator.exe
domainator@kali:~$ ./DOMAINator.bin
10:48LTE   39%
SCANNING
close
OUR PLATFORMS
Same power, every device
Web Windows Linux Android
zoom_in CLICK TO ZOOM
Web
Windows & Linux
Android
WEB APP WINDOWS LINUX ANDROID
close
WHY NOT AI
Side-by-side: AI hallucinations vs real exploitation
AI-SCANNER-PRO v4.2.0
DOMAINATOR v3.0
ATTACK TECHNIQUES COMPARISON
Kerberoasting
AS-REP Roasting
ADCS ESC1-ESC11
DCSync Attack
Pass-the-Hash
Golden Ticket
ACL Abuse
Multi-Step Chains
AI SCANNER                                      DOMAINATOR
warning
DATA EXFILTRATION RISK
AI scanners upload your AD topology, credentials, and network map to third-party cloud APIs
security
ZERO DATA LEAKAGE
DOMAINator uses isolated network namespaces. Your data never leaves the scan environment
THE REAL DIFFERENCE

WHY NOT HIRE A PENTESTER?

Here's what actually happens when a company orders an infrastructure pentest from a cyber firm — and why DOMAINator delivers more.

MANUAL PENTESTER AI SCANNERS DOMAINATOR
COST $10,000–$30,000+ per engagement $200–$500/mo (limited scope) From $49/mo — unlimited depth
TIME TO REPORT 3–5 days testing + 1–2 weeks for report delivery Hours (surface-level only) 15–45 minutes — full report on completion
ATTACK COVERAGE 1–2 attack paths found on average. Pentester finds one path to DA and stops Suggests theoretical vulnerabilities. Doesn't exploit anything Tests every known privilege escalation gate — doesn't stop at the first win
PE GATES TESTED Whatever the pentester knows + has time for (usually 1–3) None — doesn't perform real exploitation 30+ escalation vectors — every combination of access + vulnerability
MISSED OPPORTUNITIES Common. Pentester has valuable access but doesn't realize it can chain into PE Can't chain — no real exploitation engine Zero. Every credential, every access, every path is cross-referenced and exploited
TESTING MODES Usually graybox only (given a domain user) External scanning only Anonymous, graybox (domain user), and machine account — all from one scan
REAL EXPLOITATION Yes — but limited to pentester's skill & time No — reports theoretical risks only Full exploitation — real credentials, real shells, real DA
RETEST Pentester returns to office, re-tries only the previously reported findings. Charges again Reruns the same surface scan Full rescan — retests everything including new paths. Finds regressions AND new issues
CONSISTENCY Depends on who they send. Junior vs senior = completely different results Consistent but shallow Same depth every time. No human variance. No bad days
LIVE VISIBILITY You wait 2 weeks for a PDF. No idea what happened during the test Dashboard with scan progress Watch every attack live in real-time. Full terminal output. Nothing hidden
KNOWLEDGE Limited to one person's experience. They can't know every AD misconfiguration Trained on public data — misses real-world edge cases Encyclopedic. Every known AD attack technique, every combination, tested systematically
INTELLIGENCE BRIEFING

FREQUENTLY ASKED

What exactly does DOMAINator do?
+
DOMAINator is a fully automated Active Directory penetration testing platform. You connect a VPN to a client's network, enter the target IP, and the system executes a real attack chain — credential harvesting, relay attacks, privilege escalation, and lateral movement. It tests every known escalation path, not just the first one it finds. You get a full penetration test report with evidence, attack paths, and remediation — not a vulnerability scan.
How is this different from hiring a pentester?
+
A typical infrastructure pentest means one person sitting in your office for 3–5 days, finding 1–2 attack paths to Domain Admin, writing it up, and delivering a report 2 weeks later. They stop at the first win. They test what they know and have time for. DOMAINator tests every escalation gate systematically — in minutes, not days. It cross-references every credential, every access, every misconfiguration to find paths a human would miss or not have time to explore. And it costs a fraction of what a single engagement costs.
Why not just use an AI-based scanner?
+
AI scanners suggest theoretical vulnerabilities. They don't exploit anything. They can't relay a credential, escalate privileges, or move laterally through an Active Directory environment. DOMAINator performs real exploitation with real tools — it harvests actual credentials, gains real shells, and achieves actual Domain Admin access. The report shows proof, not predictions.
What does "rescan" mean and why does it matter?
+
In a traditional retest, the pentester comes back, opens your previous report, and tries to recreate only the findings you fixed. That's it. DOMAINator's rescan runs the entire attack chain again from scratch. It re-tests everything — including new attack paths that may have appeared since the fixes, regressions, and misconfigurations the original scan didn't need because it already had DA. It's not a checklist re-check — it's a full test.
Is my client's data safe?
+
Your data never leaves the scan environment. Credentials and hashes found during the scan are used only within the attack chain and stored encrypted in your report. Reports are retained for a limited time based on your plan, then permanently deleted. We don't share data with third parties. Zero data is sent to any AI service.
Do I need authorization to run a scan?
+
Yes, absolutely. DOMAINator executes real attacks against real infrastructure. You must have written authorization from the network owner before running any scan. Every scan requires you to confirm authorization. Unauthorized use is illegal and a violation of our terms of service.
What do I need to get started?
+
Three things: 1) An account on DOMAINator. 2) A VPN configuration file (.ovpn) that connects to the target network. 3) The IP address of a Domain Controller. Upload the VPN, enter the target, and hit scan. The platform handles everything else — from reconnaissance to the final report.
How long does a scan take?
+
Most scans complete in 15–45 minutes depending on the environment. You can watch the entire attack chain live in real-time through the terminal view. Every action is logged and visible — nothing happens behind a black box.
What's the CISO plan for?
+
The CISO plans (Warband and Legion) are built for security teams. You get a command dashboard to manage multiple pentesters, monitor all scans across your team, view aggregate analytics, and control scan policies. Each team member gets their own credentials — they run scans, you see everything.
Can I cancel anytime?
+
Yes. All plans are month-to-month unless you choose annual billing (which saves 17%). Cancel anytime — no contracts, no hidden fees, no cancellation penalties. Your scans and reports remain accessible until the end of your billing period.
keyboard_arrow_up
expand_more expand_more
SCROLL