# Analysis Process

> Understand how the BloodHound Enterprise analysis process works to surface findings and prioritize risk.

<img noZoom src="https://mintcdn.com/specterops-bp-2735-release-notes/2djt2Sp9UeFPjBFr/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=2djt2Sp9UeFPjBFr&q=85&s=f1e5b5b68b628fd10faf78983d19efbf" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

BloodHound Enterprise's analysis process includes several key steps that work together to surface findings and prioritize risk.

## Analysis stages

By default, BloodHound runs the full analysis pipeline in the following order:

1. Active Directory post-processing
2. Azure post-processing
3. Tagging
4. Analysis

BloodHound uses the full analysis pipeline for all standard and scheduled analysis runs. BloodHound Enterprise customers can enable [Variable Analysis Mode](/analyze-data/findings/analysis#variable-analysis-mode) to skip post-processing for some analysis runs to speed up the process (for example, when updating Privilege Zones).

<Note>
  Scheduled analysis is a SpecterOps-managed feature.
</Note>

## Choke point analysis

BloodHound Enterprise generates one <Tooltip tip="An aggregate view of the graph for a selected environment and privilege zone. It simplifies large volumes of nodes and edges into a compact visualization optimized for readability." cta="Learn more" href="/analyze-data/findings/attack-paths">choke point view</Tooltip> per environment, such as an Active Directory domain or Azure tenant. The choke point view organizes findings by category and shows the number of exposed principals in each, helping you quickly understand where risk concentrates.

<Note>
  [Exposure and impact](/analyze-data/findings/attack-paths#exposure-and-impact) metrics are calculated from this analysis and surfaced with findings.
</Note>

## Relationships and zone boundaries

Attack Path analysis includes both relationship-driven path analysis and principal-level risky configuration findings.

BloodHound evaluates how abusable relationships connect principals across privilege boundaries and flags principals with configurations that increase risk.

This includes boundaries between Tier Zero and user-defined [Privilege Zones](/analyze-data/privilege-zones/overview). A path that crosses zones can represent a stepping stone into higher-privilege assets, which is why zone-specific findings can differ in severity and priority.

## Post-processing

BloodHound does not rely only on directly collected relationships. During **post-processing**, it derives additional relationships that are relevant to Attack Path analysis. One result is a **composite edge**.

A composite edge is a derived relationship between two nodes that represents a group of underlying relationships condensed into a single, meaningful connection.

BloodHound uses composite edges to reduce the complexity of those underlying relationships and to surface Attack Paths that are not visible from any single relationship alone. Some attack techniques require a combination of permissions before they can be abused, so BloodHound models those combined conditions as one simplified relationship.

For example, the [DCSync](/resources/edges/dc-sync) edge requires a combination of permissions to create an abusable path. BloodHound models this as a composite edge, which allows it to surface Attack Paths that would otherwise be invisible if analysis relied only on directly collected relationships.
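The following added example is a simplified model of composite-edge derivation, not BloodHound's own post-processing code. It assumes the two replication rights are collected as `GetChanges` and `GetChangesAll` edges on the domain node and that a principal can hold each right through nested `MemberOf` membership; the graph, principal names, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample graph: (source, edge kind, target). Not real collection data.
COLLECTED = [
    ("alice", "MemberOf", "HelpdeskOps"),
    ("HelpdeskOps", "MemberOf", "ReplAdmins"),
    ("ReplAdmins", "GetChanges", "CORP.LOCAL"),
    ("HelpdeskOps", "GetChangesAll", "CORP.LOCAL"),
    ("bob", "GetChanges", "CORP.LOCAL"),  # holds only half of the required pair
]

def effective_groups(principal, edges):
    """Return the principal plus every group it belongs to, nested groups included."""
    member_of = defaultdict(set)
    for src, kind, dst in edges:
        if kind == "MemberOf":
            member_of[src].add(dst)
    seen, stack = {principal}, [principal]
    while stack:
        for group in member_of[stack.pop()]:
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def derive_dcsync(edges):
    """Emit one DCSync composite edge per principal holding BOTH rights on a domain."""
    holders = defaultdict(lambda: defaultdict(set))  # domain -> right -> direct holders
    principals = set()
    for src, kind, dst in edges:
        principals.add(src)
        if kind in ("GetChanges", "GetChangesAll"):
            holders[dst][kind].add(src)
    derived = []
    for domain, rights in holders.items():
        for p in sorted(principals):
            identities = effective_groups(p, edges)
            # Neither right alone is enough; the composite edge needs both.
            if identities & rights["GetChanges"] and identities & rights["GetChangesAll"]:
                derived.append((p, "DCSync", domain))
    return derived
```

In this sample, `alice` has no direct edge to the domain at all, yet she inherits one right from each of two different groups, which is exactly the kind of path that stays hidden until the combination is evaluated.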

<Accordion title="Show post-processed edges">
  BloodHound creates the following edges during post-processing:

  * [`ADCSESC1`](/resources/edges/adcs-esc1)
  * [`ADCSESC3`](/resources/edges/adcs-esc3)
  * [`ADCSESC4`](/resources/edges/adcs-esc4)
  * [`ADCSESC6a`](/resources/edges/adcs-esc6a)
  * [`ADCSESC6b`](/resources/edges/adcs-esc6b)
  * [`ADCSESC9a`](/resources/edges/adcs-esc9a)
  * [`ADCSESC9b`](/resources/edges/adcs-esc9b)
  * [`ADCSESC10a`](/resources/edges/adcs-esc10a)
  * [`ADCSESC10b`](/resources/edges/adcs-esc10b)
  * [`ADCSESC13`](/resources/edges/adcs-esc13)
  * [`AddMember`](/resources/edges/add-member)
  * [`AdminTo`](/resources/edges/admin-to)
  * [`AZAddOwner`](/resources/edges/az-add-owner)
  * [`AZRoleApprover`](/resources/edges/az-role-approver)
  * [`CanPSRemote`](/resources/edges/can-ps-remote)
  * [`CanRDP`](/resources/edges/can-rdp)
  * [`CoerceAndRelayNTLMToADCS`](/resources/edges/coerce-and-relay-ntlm-to-adcs)
  * [`CoerceAndRelayNTLMToLDAP`](/resources/edges/coerce-and-relay-ntlm-to-ldap)
  * [`CoerceAndRelayNTLMToLDAPS`](/resources/edges/coerce-and-relay-ntlm-to-ldaps)
  * [`CoerceAndRelayNTLMToSMB`](/resources/edges/coerce-and-relay-ntlm-to-smb)
  * [`DCSync`](/resources/edges/dc-sync)
  * [`EnrollOnBehalfOf`](/resources/edges/enroll-on-behalf-of)
  * [`EnterpriseCAFor`](/resources/edges/enterprise-ca-for)
  * [`ExecuteDCOM`](/resources/edges/execute-dcom)
  * [`ExtendedByPolicy`](/resources/edges/extended-by-policy)
  * [`GoldenCert`](/resources/edges/golden-cert)
  * [`HasTrustKeys`](/resources/edges/has-trust-keys)
  * [`IssuedSignedBy`](/resources/edges/issued-signed-by)
  * [`OwnsLimitedRights`](/resources/edges/owns-limited-rights)
  * [`ProtectAdminGroups`](/resources/edges/protect-admin-groups)
  * [`SyncLAPSPassword`](/resources/edges/sync-laps-password)
  * [`SyncedToADUser`](/resources/edges/synced-to-ad-user)
  * [`SyncedToEntraUser`](/resources/edges/synced-to-entra-user)
  * [`TrustedForNTAuth`](/resources/edges/trusted-for-nt-auth)
  * [`WriteOwnerLimitedRights`](/resources/edges/write-owner-limited-rights)
</Accordion>

## Variable Analysis Mode

When updating Privilege Zones, you likely want to see updated object membership and related findings as quickly as possible. You can speed up this process by enabling **Variable Analysis Mode** on the **Administration** > **Early Access Features** page.

Variable Analysis Mode skips the post-processing stages of analysis. BloodHound still updates normal analysis completion tracking after these runs, including timestamps and related status information.

<Note>
  This option applies to Privilege Zone-triggered analysis only. Other actions that trigger analysis still run the full pipeline.
</Note>

## Remediation

After reviewing findings on the **Attack Paths** page, you can:

* **Remediate** to sever the edges that create the risk and improve your environment's security posture.
* **Accept** when risk is known and temporarily tolerated.

For acceptance workflow steps, see [Risk Acceptance](/analyze-data/findings/risk-acceptance).

To track remediation progress over time, see [Posture](/analyze-data/findings/posture).
