auto/attack

Ransomware is what happens
after Domain Admin.

By the time the encryptor runs, an attacker already owns the domain. Human-operated ransomware doesn’t spread on its own — an attacker works from a foothold to Domain Admin, and only then disables the backups and pushes the encryptor to every host at once. Reaching that control is the objective, long before anything is encrypted. AutoAttack is an autonomous adversary you deploy as one container inside your network: set the objective a ransomware crew would pursue — reach Domain Admin, reach the backups — and it proves whether that path is open, deploying no encryptor and changing nothing. It runs the same way every time.

Deploy

how ransomware spreads

initial access An attacker turns one weakness into a foothold — a phished credential, an exposed service, a reused password. One host, no special privilege yet.
escalation They gain higher privilege on that first host, then hunt it for credentials that reach further.
lateral movement Credentials taken from one machine open the next. The attacker moves host to host, toward the accounts that run the domain.
domain control The chain ends at Domain Admin — control of a domain controller, and with it every host, account, and policy in the domain.
mass encryption Only now does the attacker disable the backups, switch off security tooling, and push the encryptor to every host at once — often through the domain’s own management channels.

what the adversary proves

objective Name the outcome a ransomware crew wants — reach Domain Admin, reach the backup server. You set it in plain English, and the adversary works toward that specific outcome.
the route It returns the exact route to that goal: the weakness it started from, what it chained next, and where the path crosses into the domain — the same chain walked in Active Directory takeover.
the hosts Every host on that route, named — the machines an attacker would move through to reach the whole estate.
the backups Point it at the systems that hold your backups, and it proves whether they’re reachable from an ordinary foothold — the access an attacker needs before encryption pays off.
proof Every step carries the captured evidence behind it. You see what the adversary did, streamed to your dashboard as it lands. Verify it yourself.

readiness vs a checklist

the real question Vulnerability management returns a ranked list of weaknesses, each one matched to a database and never tried. Readiness asks the harder question: can an attacker reach domain-wide control from where they’d land?
proven Black-box on the third-party GOAD Active Directory range with no credentials, AutoAttack reached Domain Admin on all three domains — the first at 0:41.
the inventory On the same range, from the same black-box start, an exposure-inventory tool (Nessus) reached Domain Admin zero of three times. See the full chain.

safe on production

no encryptor It proves the path a ransomware crew would take and deploys no encryptor — nothing on your network is encrypted or damaged.
no lockouts Credential attempts are throttled to your domain’s real lockout policy. No account gets locked out.
no footprint It installs nothing and writes nothing to disk on your hosts. Proof streams to your dashboard as each step lands.
ephemeral Each engagement runs in a fresh container that lives only for the run, then is destroyed. Stop it from your dashboard the moment you choose. See how it stays safe.
Deploy