Sizing Up Identity Risk with Purple Knight and Forest Druid

Overview
A few months ago I wrote about why identity has become the new perimeter, and how building real resilience for Active Directory and Entra ID is one of the most underappreciated security investments most organizations can make. The response I got back, almost universally, was some version of the same question: "I agree with all of this, but where do I even start?"
Fair question. Identity resilience as a discipline is large. It spans hardening, detection, recovery, and validation across both on-premises AD and Entra ID, and the tooling landscape is crowded. Standing up a full identity threat detection and recovery platform is a real project. It deserves the time and the budget. But while you are working through that, you can get a credible read on your current exposure right now, for free, in an afternoon.
That is what this post is about. Two free community tools from Semperis, Purple Knight and Forest Druid, that are worth knowing about for anyone trying to get their arms around identity risk for the first time. They are not a replacement for a full identity protection platform. They are positioned as a starting point, and after running Purple Knight against my own lab, I can tell you it is a credible one.
Why Free Assessment Tools Matter
There is a temptation, when the topic is this serious, to wait until you have budget approval, a project plan, and a vendor selected before you start measuring anything. I would push back on that. A real assessment against your real environment is a much stronger artifact for a leadership conversation than any amount of vendor slideware.
Vendor pitches are abstract. A score card that says your environment has 47 indicators of exposure across seven categories, including five compromise indicators and a dozen Tier 0 attack paths, is not abstract. It is a forcing function.
Both Purple Knight and Forest Druid are designed to deliver exactly that kind of artifact, and both are free downloads with no license keys, no time-bombed trial, and no required vendor calls. You run them, you read the output, you decide what to do next.
Purple Knight: The Identity Score Card
Purple Knight is a security assessment tool for Active Directory, Entra ID (formerly Azure AD), and Okta. It scans your environment for indicators of exposure and indicators of compromise, then produces a categorized report with a security score and prioritized remediation guidance.
The numbers Semperis publishes give you a sense of scale: more than 48,000 downloads, more than 180 security indicators, and an average 45 percent attack surface reduction reported by organizations that use the findings. Treat those as vendor numbers, but they at least suggest a tool with real adoption and a meaningful indicator catalog behind it.
To see what a baseline actually looks like, I ran Purple Knight against a newly deployed lab domain. This is a brand new single-domain forest with zero customizations, no legacy debt, no years of accumulated delegations. Just what Windows Server gives you out of the box. The scan finished in 32 seconds, evaluated 138 indicators, and found 15 indicators of exposure. The result: a score of 81 percent and a grade of C.

Sit with that for a second. A pristine domain, minutes old, starts life with a C. That is not a knock on the tool. It is the point. Active Directory defaults reflect decades of backward compatibility decisions, not current security guidance. If a fresh lab scores a C out of the gate, an environment carrying years of service accounts, delegation shortcuts, and quick fixes is almost certainly holding exposure nobody has measured.
A dose of realism before anyone panics over a letter grade. The score reflects the specific indicators Purple Knight evaluates, and not every indicator carries the same weight in your environment. A finding that is critical in one organization may be an accepted tradeoff in another. Your mileage will vary based on your actual use case, so treat the grade as a conversation starter and the individual findings as the real output, not the other way around.
A few things that make Purple Knight stand out:
- Hybrid coverage out of the box. AD, Entra ID, and Okta in one assessment. That matters because the attacker does not care about your org chart. They will pivot from on-premises to cloud, or compromise an SSO provider that federates back into your corporate identities, without respecting any boundary you draw.
- Indicators of Exposure and Indicators of Compromise. Two different lenses on the same environment. IOEs are the misconfigurations and risky settings that have not been weaponized yet, the things that make you an easier target. IOCs are evidence that something has already happened, signals that may indicate an attack is in progress or has occurred. Both matter, and they generate very different conversations with leadership.
- Seven categories with a score per category. Account security, AD delegation, AD infrastructure, account hygiene, group policy security, Kerberos security, and hybrid configuration. You walk away with a vector, not just a number, which makes prioritizing remediation actually possible.
- 180-plus security indicators, continuously updated. Semperis maintains the indicator set and pushes updates as new techniques surface in the threat research community. The detection keeps pace with a moving target instead of freezing at whatever the tool knew on its release date.
- Framework correlation. Findings are mapped to MITRE ATT&CK, MITRE D3FEND, ANSSI, and other frameworks. This is the difference between telling a security committee "fix these 15 things" and "fix these 15 things, and here is the threat actor technique each one defends against." The second conversation goes much better.
- Prioritized, expert remediation guidance. Each finding comes with explanation and recommended action. You are not handed a list of vulnerabilities and left to figure out severity. The output reads like a report a senior identity engineer wrote for you.
Where to Get Started
The workflow is straightforward on paper. Download the tool, run it from a domain-joined workstation with read access to AD, point it at your Entra ID tenant or Okta org, wait for the scan to complete, and review the report.
A few principles worth keeping in mind before you run it:
- Run it from a system that can actually see everything. Purple Knight needs read access to AD. Running it from a workstation that does not have line of sight to all your domain controllers will give you a partial picture. Pick your central management subnet or a privileged access workstation.
- Read access is enough. The tool is documented as read-only. It does not modify the directory or create accounts. This matters when you are trying to get internal approval to run it. You are doing a passive read against the directory you already operate.
- Plan to run it more than once. Purple Knight is positioned as a recurring measurement, not a one-time scan. A monthly or quarterly cadence builds a trend line. The first run tells you where you stand. Every subsequent run tells you whether you are getting better, worse, or staying flat.
- Treat the IOC findings differently than the IOE findings. An IOE finding is a backlog item. An IOC finding is a phone call to your incident response team. Make sure your operations team understands the difference before you start running scans.
The output is a categorized score across seven domains plus a prioritized list of findings with remediation guidance, exactly what my lab run produced. That gives you something concrete to take into a security review, and a baseline to measure improvement against on the next run.
Forest Druid: Inside-Out Attack Path Management
Where Purple Knight is breadth, Forest Druid is depth. It exists to solve a very specific problem: there are millions of theoretical attack paths through any reasonably sized hybrid identity environment, and trying to enumerate them all is a fool's errand.
The Semperis pitch on Forest Druid is "stop chasing attack paths, focus on your Tier 0 perimeter," and that framing tracks with how most security practitioners think about identity risk in modern environments.
What Tier 0 Means and Why It Matters
Microsoft's tiered administration model defines Tier 0 as the assets that, if compromised, give an attacker control of the entire environment. Domain controllers. Domain admin accounts. Certificate authorities. The accounts and groups that have effective control over those systems.
The dangerous truth about Tier 0 in most organizations is that the actual Tier 0 perimeter is much larger than the organization thinks it is. Service accounts buried in nested groups. A help desk role that has been granted excessive permissions over a domain controller. An application principal in Entra ID that ended up with a role assignment nobody documented. Each of those is part of the real Tier 0 perimeter, even if they do not appear on any architecture diagram.
Forest Druid takes an inside-out approach. Rather than enumerating millions of attack paths from the edge inward, it starts at the Tier 0 assets you already know about and walks outward, mapping every account, group, and relationship that has effective access to them. The result is a graph of your real Tier 0 perimeter, not the one you think you have.
A few capabilities that stand out in the data sheet and the way the tool is positioned:
- Identifies the true Tier 0 perimeter. It is built to surface the accounts and groups with effective access to Tier 0 assets, including the ones that are not obvious from a quick look at Domain Admins. Semperis specifically calls out Tier 0 assets "otherwise missed by default" as one of the headline outputs.
- Cuts down excessive privileges. Once you can see the real perimeter, you can shrink it. Forest Druid is designed to prioritize the relationships that, if removed, collapse the largest attack surface, with the goal of measurable reduction rather than theoretical reduction.
- Prioritizes by severity, not by frequency. This is the philosophical break with traditional attack path tools. The most common attack path is not always the most dangerous. Forest Druid ranks paths by how much damage they enable, not how many of them exist. That changes which findings end up at the top of your remediation list.
- AD and Entra ID together. Hybrid identity attacks pivot across the boundary. Forest Druid scans both, surfaces hybrid attack paths, and lets you see where on-premises and cloud identity meet in ways that benefit attackers.
- Visual graph output. Identity risk is hard to communicate in a spreadsheet. A graph view is the kind of artifact that lands well with leadership and auditors, since it makes the risk concentrations visible rather than buried in a table.
Where to Get Started
Forest Druid pairs naturally with Purple Knight. Purple Knight is breadth, telling you what is exposed across hundreds of indicators. Forest Druid is depth, telling you which of those exposures actually shorten the path to Tier 0. Used together, they should produce a prioritized remediation plan rather than an unranked list of findings.
A reasonable workflow for using them in sequence:
- Run Purple Knight to get the broad exposure picture and the score card.
- Run Forest Druid to map the real Tier 0 perimeter and the highest-severity attack paths into it.
- Cross-reference the two. Items that show up in both, especially anything where Purple Knight flags a configuration weakness on a path Forest Druid identifies as a Tier 0 access route, belong at the top of the remediation list.
- Work the remediation list. Prune unnecessary group memberships, tighten delegation, rotate stale Tier 0 credentials, and remove application principals that no longer need their assignments.
- Re-run both tools. Watch the Tier 0 perimeter shrink and the Purple Knight score improve.
The cross-referencing step is where the value compounds. Either tool on its own is useful. Together they should give you a prioritized, defensible remediation plan that holds up in front of leadership and a security committee.
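To make the inside-out walk and the cross-referencing step concrete, here is an added example in Python that is not code from this post, from Semperis, or from either tool. It runs over a constructed toy control graph (every object name, edge kind and finding is made up): it walks backwards from the Tier 0 assets to find everyone with effective access, ranks each relationship by how much of that perimeter disappears if it is removed, and then sorts Purple Knight-style findings so that objects on a Tier 0 path come first.

```python
from collections import deque
# Constructed control graph for a toy domain (sample data, not a real environment).
# Edge (controller, controlled, kind): `controller` can obtain the rights of `controlled`.
CONTROL_EDGES = [
    ("Domain Admins", "DC01", "AdminTo"),
    ("alice", "Domain Admins", "MemberOf"),
    ("svc-backup", "DC01", "AdminTo"),            # service account that is admin on a DC
    ("Helpdesk", "svc-backup", "ResetPassword"),  # help desk can take over that account
    ("IT-Staff", "Helpdesk", "MemberOf"),
    ("bob", "IT-Staff", "MemberOf"),
    ("gpo-editor", "GPO-DC-Baseline", "WriteDACL"),
    ("GPO-DC-Baseline", "DC01", "AppliesTo"),     # GPO linked to the Domain Controllers OU
    ("Workstation Admins", "WS07", "AdminTo"),    # Tier 2 only, never reaches Tier 0
    ("carol", "Workstation Admins", "MemberOf"),
]
TIER0_ASSETS = {"DC01"}

def tier0_perimeter(edges, seeds):
    """Inside-out walk from the Tier 0 assets: {principal: shortest path to Tier 0}."""
    inbound = {}
    for src, dst, _kind in edges:
        inbound.setdefault(dst, []).append(src)
    paths = {s: [s] for s in seeds}               # seeds are the starting frontier
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for src in inbound.get(node, []):         # who controls `node`?
            if src not in paths:                  # BFS: first discovery is a shortest path
                paths[src] = [src] + paths[node]
                queue.append(src)
    return {n: p for n, p in paths.items() if n not in seeds}

def edge_cut_impact(edges, seeds):
    """Rank relationships by how many principals leave the perimeter if that one edge is removed."""
    base = len(tier0_perimeter(edges, seeds))
    ranked = [(base - len(tier0_perimeter([x for x in edges if x != e], seeds)), e)
              for e in edges]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))

# Constructed Purple Knight-style findings: (indicator, affected object).
FINDINGS = [
    ("Stale account holding admin rights", "carol"),
    ("GPO with non-default write permissions", "GPO-DC-Baseline"),
    ("Service account password never expires", "svc-backup"),
]

def prioritize(findings, perimeter):
    """Findings on objects inside the Tier 0 perimeter first (closest to Tier 0 first)."""
    hot = sorted([f for f in findings if f[1] in perimeter], key=lambda f: len(perimeter[f[1]]))
    return hot + [f for f in findings if f[1] not in perimeter]
```

In this toy data the single highest-impact relationship is the service account's admin rights on the domain controller, because removing it also takes the help desk chain out of the perimeter, while carol's stale admin rights never reach Tier 0 and drop to the bottom of the list.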
Where These Tools Fit in a Broader Strategy
I want to be clear about what these are and what they are not.
Purple Knight and Forest Druid are assessment and visibility tools. They tell you where you are exposed and where the highest-severity attack paths run. They do not protect, detect, or recover by themselves. They are not a replacement for an identity threat detection and response platform, a backup and recovery solution for AD and Entra ID, or a real change-tracking and rollback capability.
What they do is exactly what most organizations need before they make those bigger investments: a credible, defensible, current understanding of where you stand.
If you read my identity resilience post and walked away thinking the scope felt impossibly large, this is your ramp. Run Purple Knight this week. Run Forest Druid the week after. Walk into your next security review with a real assessment and a prioritized remediation plan. The conversation about what to invest in next becomes much easier when it is grounded in actual findings against your actual environment.
Practical Notes Before You Run Either Tool
A few things worth doing before you fire either of these off:
- Get appropriate approval. Even a passive read of the directory is a security activity. Loop in your security and compliance teams. Not because they will say no, but because they should know what is running and why.
- Run from a hardened or isolated workstation. A privileged access workstation is ideal. At minimum, a system that is patched, has EDR running, and is not used for general purpose work.
- Treat the output as sensitive. The reports are detailed maps of identity exposure. If they leak, they are a roadmap for an attacker. Store them with the same care you would give penetration test reports.
- Plan a re-run cadence before your first run. A monthly or quarterly cadence works for most organizations. The point is to build a trend line, not a one-off snapshot. Decide on the cadence up front and put it on the calendar.
- Use the framework mappings in conversations with leadership. The MITRE ATT&CK and ANSSI correlations matter. They translate "we have a misconfigured delegation on a service account" into "we have an exposure aligned to the technique used in these documented incidents." That translation is what gets remediation work prioritized.
Where to Get Them
Both tools are downloadable directly from Semperis with a free account.
- Purple Knight: semperis.com/purple-knight
- Forest Druid: semperis.com/forest-druid
No license keys. No required vendor calls. You can be looking at real findings within an hour of starting the download.
Final Thought
Identity resilience is a journey, and the journey is worth taking seriously. But it does not start with a six-figure platform purchase. It starts with knowing where you stand. Purple Knight and Forest Druid are two credible, no-cost ways to build that picture. If a brand new lab domain starts at a C, it is worth finding out where your production environment actually sits. Forest Druid is next on my list to run against the lab.
Run them. Read the reports. Have the conversation. Then decide what to invest in next.
If you have already run either tool in your own environment, I would love to compare notes on what the findings looked like and how you turned them into a remediation program. Connect with me on LinkedIn or drop a note at mike@mikedent.io.