Applies to BloodHound Enterprise only

BloodHound Enterprise’s analysis process includes several key steps that work together to surface findings and prioritize risk.

Analysis stages

By default, BloodHound runs the full analysis pipeline in the following order:
  1. Active Directory post-processing
  2. Azure post-processing
  3. Tagging
  4. Analysis
BloodHound uses the full analysis pipeline for all standard and scheduled analysis runs. BloodHound Enterprise customers can enable Variable Analysis Mode to skip post-processing for some analysis runs to speed up the process (for example, when updating Privilege Zones).
Scheduled analysis is a SpecterOps-managed feature.

Choke point analysis

BloodHound Enterprise generates one view per environment, such as an Active Directory domain or Azure tenant. The choke point view organizes findings by category and shows the number of exposed principals in each, helping you quickly understand where risk concentrates.
Exposure and impact metrics are calculated from this analysis and surfaced with findings.

Relationships and zone boundaries

Attack Path analysis includes both relationship-driven path analysis and principal-level risky configuration findings. BloodHound evaluates how abusable relationships connect principals across privilege boundaries and flags principals with configurations that increase risk. This includes boundaries between Tier Zero and user-defined Privilege Zones. A path that crosses zones can represent a stepping stone into higher-privilege assets, which is why zone-specific findings can differ in severity and priority.

Post-processing

BloodHound does not rely only on directly collected relationships. During post-processing, it derives additional relationships that are relevant to Attack Path analysis. One result is a composite edge: a derived relationship between two nodes that condenses a group of underlying relationships into a single, meaningful connection. Some attack techniques require a combination of permissions before they can be abused, so BloodHound models those combined conditions as one simplified relationship. For example, a DCSync attack requires both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object; neither right alone is sufficient. BloodHound models this combination as the DCSync composite edge, which lets it surface Attack Paths that would be invisible if analysis relied only on directly collected relationships.
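The following is an added illustration of the post-processing idea above, not BloodHound's own code. It takes a constructed set of collected edges, derives a composite DCSync edge only where a principal holds both replication rights on the same domain, and then runs a path search before and after post-processing to show that the derived edge is what makes the Attack Path visible. The edge names, principal names and the set of edge kinds treated as traversable are assumptions made for the example; BloodHound's real derivation logic is more involved.

```python
"""Illustrative post-processing: deriving a composite DCSync edge.

Added example, not BloodHound's implementation. Collected edges are
(source, edge kind, target) tuples; the sample data below is constructed.
"""
from collections import defaultdict, deque

# Constructed sample of collected relationships.
# REPL ADMINS holds both replication rights on CORP.LOCAL; HELPDESK holds
# one right on CORP.LOCAL and the other on a different domain, which does
# not combine into a usable DCSync.
COLLECTED_EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "REPL ADMINS@CORP.LOCAL"),
    ("REPL ADMINS@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("REPL ADMINS@CORP.LOCAL", "GetChangesAll", "CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),           # only one of the two rights
    ("HELPDESK@CORP.LOCAL", "GetChangesAll", "CHILD.CORP.LOCAL"),  # rights split across domains
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
]

# Rights that must co-exist on the same domain object for DCSync
# (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
DCSYNC_REQUIRED = frozenset({"GetChanges", "GetChangesAll"})

# Assumed set of edge kinds the path search may follow. The individual
# replication rights are deliberately not traversable: alone they do not
# grant control of the domain, only the composite DCSync edge does.
TRAVERSABLE = frozenset({"MemberOf", "DCSync"})


def derive_dcsync_edges(edges):
    """Return composite DCSync edges derived from the collected edges.

    Permission edges are grouped by (source, target); a DCSync edge is
    emitted only when every required right is held on the same target.
    """
    rights = defaultdict(set)
    for source, kind, target in edges:
        if kind in DCSYNC_REQUIRED:
            rights[(source, target)].add(kind)
    return [
        (source, "DCSync", target)
        for (source, target), held in sorted(rights.items())
        if DCSYNC_REQUIRED <= held
    ]


def post_process(edges):
    """Return the collected edges plus any derived composite edges."""
    derived = [e for e in derive_dcsync_edges(edges) if e not in edges]
    return list(edges) + derived


def find_path(edges, start, goal):
    """Breadth-first search over traversable edges.

    Returns the path as a list of (source, kind, target) tuples, or None
    when no path exists.
    """
    adjacency = defaultdict(list)
    for source, kind, target in edges:
        if kind in TRAVERSABLE:
            adjacency[source].append((kind, target))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for kind, nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None


if __name__ == "__main__":
    before = find_path(COLLECTED_EDGES, "ALICE@CORP.LOCAL", "CORP.LOCAL")
    after = find_path(post_process(COLLECTED_EDGES), "ALICE@CORP.LOCAL", "CORP.LOCAL")
    print("path without post-processing:", before)
    print("path with post-processing:   ", after)
```

Run as a script, the first search finds no path from ALICE to the domain, because GetChanges and GetChangesAll are not individually traversable; after post-processing the composite DCSync edge connects REPL ADMINS to CORP.LOCAL and the two-hop path appears. BOB never gets a path, since HELPDESK's two rights sit on different domains and do not combine.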
BloodHound creates the following edges during post-processing:

Variable Analysis Mode

When updating Privilege Zones, you likely want to see updated object membership and related findings as quickly as possible. You can speed up this process by enabling Variable Analysis Mode on the Administration > Early Access Features page. Variable Analysis Mode skips the post-processing stages of analysis, so derived relationships such as composite edges are not recalculated on those runs. BloodHound still updates normal analysis completion tracking after these runs, including timestamps and related status information.
This option applies to Privilege Zone-triggered analysis only. Other actions that trigger analysis still run the full pipeline.

Remediation

After reviewing findings on the Attack Paths page, you can:
  • Remediate to sever the edges that create the risk and improve your environment’s security posture.
  • Accept when risk is known and temporarily tolerated.
For acceptance workflow steps, see Risk Acceptance. To track remediation progress over time, see Posture.