AI Penetration Testing Platform

Enterprise-grade pentesting.
SMB-friendly pricing.
No security team required.

ThreatForged AI finds what scanners miss — and tells you exactly how to fix it.

threatforged — assessment in progress
$./threatforged --target corp.local --phase enum
[*] Starting BloodHound collection...
[+] Users: 847   Computers: 203   GPOs: 31
[!] Kerberoastable SPNs found: 12
[!] Unconstrained delegation: 3 hosts
$./threatforged --phase adcs
[*] Enumerating certificate templates...
[!] ESC1 — UserCert_v2: enrollee supplies subject
[!] ESC8 — HTTP enrollment endpoint exposed
$./threatforged --phase escalate
[*] Coercing DC via PetitPotam...
[*] Relaying to ADCS HTTP endpoint...
[!] DC certificate obtained
[!] DCSync complete — all hashes dumped
$./threatforged --report
[+] Compliance-ready report generated
⚠ DOMAIN ADMIN ACHIEVED 14m 32s from unprivileged user
Built for
Credit Unions · Community Banks · SMBs Under 200 Employees · MSP & vCISO Platforms · SOC 2 & PCI-DSS Compliance
// The Problem

You know you need a pentest.
The options just don't work.

Most SMBs know they need penetration testing. Compliance requires it. Cyber insurance demands it. But the options are brutal — and attackers know it.

Option 01
$15K – $30K

Consulting Firms

Per engagement, weeks of wait time, a PDF report you need a security expert to decode. Then pay again next year to do it all over.

Option 02
$50K+ / year

Enterprise Platforms

Built for SOC teams you don't have. Requires dedicated security expertise to operate. Priced for budgets you don't have.

Option 03
Not a pentest

Vulnerability Scanners

They find known CVEs. They don't chain weaknesses, exploit credentials, or move laterally — which is exactly what attackers do.

// The Solution

An AI pentester that works
like the real thing.

ThreatForged AI is an AI agent that thinks and acts like a human pentester — reconnaissance, exploitation, lateral movement, privilege escalation — then delivers a report your IT Director can act on today.

Recon & Enumeration

Full AD Recon

BloodHound graph analysis, user and group privilege mapping, and attack path visualization across your entire domain.

Credential Attacks

NTLM Relay & Coercion

PetitPotam, PrinterBug, DFSCoerce — tests whether your environment is vulnerable to credential relay attacks with no user interaction.

Certificate Abuse

ADCS Exploitation

ESC1, ESC8, ESC15 exploitation against your PKI infrastructure — the most common blind spot in SMB environments.

Privilege Escalation

Full Domain Takeover

DCSync, pass-the-hash, Kerberoasting, lateral movement chains — every path to domain admin mapped and documented.

// Real-World Example

Full domain compromise
in under 15 minutes.

This is the actual attack chain ThreatForged AI runs against a misconfigured SMB environment — the same steps a real attacker takes.

// attack chain: llmnr → ntlm relay → adcs esc8 → petitpotam → dcsync → domain admin
01 LLMNR Poisoning: Responder captures NTLMv2 hashes from broadcast queries on the local network. No user interaction required.
02 NTLM Relay → ADCS: Relayed hash used to authenticate to ADCS HTTP endpoint. ESC8 template issues a domain controller certificate.
03 PetitPotam Coercion: Domain controller coerced into authenticating to attacker-controlled listener via MS-EFSRPC abuse.
04 Pass-the-Certificate: DC certificate used to obtain Kerberos TGT for the domain controller machine account. Full DC impersonation achieved.
05 DCSync → Domain Admin: Domain replication rights used to dump all domain credentials. Full domain compromise. Every account, every hash.
⚠ Time to domain admin: 14 minutes, 32 seconds — starting from a single unprivileged user account
// Why It Matters

The gap attackers live in.

These aren't edge cases. They're the standard findings from real financial institution assessments.

<4hrs
Average time from initial access to domain admin in SMB environments
90%
Cost reduction vs. traditional consulting firm engagements
$20K
Average consulting firm quote for the same scope — before you negotiate
0
Security team headcount required to run a ThreatForged assessment
// Pricing

No contracts. No surprises.

Per-assessment pricing. Pay when you need it. No annual commitments, no retainers, no six-figure contracts.

Setup
$500 one-time
Scoping call, environment intake, and secure agent deployment. Required for first engagement only.
Additional Scope
$15 / IP
Extend coverage beyond the base 50 IPs. Same methodology, same report. No minimum.

Threat intel, translated.

Cyber news that actually matters to your IT team — no jargon, no filler.

Active Directory · Mar 2026

Why attackers love your ADCS server (and what to do about it)

Certificate Services misconfigurations are one of the fastest paths to domain admin in SMB environments.

Credential Security · Feb 2026

NTLM relay attacks are still wrecking credit unions in 2026

NTLM is old. The attacks that abuse it are older. Most community banks are still wide open.

Ransomware · Jan 2026

The ransomware playbook attackers run on SMBs — step by step

Most ransomware groups follow the same internal AD attack chain. Knowing the steps lets you break it.

// Contact

Book a demo or request
an assessment.

We work with a limited number of clients at a time. Reach out to check availability and scope.

Response time: Within 24 hours
Engagement type: Scoped, fixed-price assessments
Sectors served: Credit unions, community banks, SMBs under 200 employees
Location: Austin, TX — remote assessments available nationwide