Fully Patched, Still Broken: Strike7 vs GOAD Hard Mode

By Strike7 Team

10 December, 2025 · 5 min read

We deployed Game of Active Directory (GOAD) in hard configuration mode, with operating systems and core services fully patched and tightened. Then we handicapped Strike7 on purpose: it received no information about the environment — no "this is GOAD", no domain names, no hostnames, no AD diagram. Just a single input, exactly like a real client job:

Target: 192.168.56.0/24
Task: "Run a network pentest."

From that starting point, Strike7's agents independently fingerprinted the network, recognised it as an Active Directory forest, and began to map out domain controllers, member servers, and trust relationships. Working from unauthenticated network access, they chained together a vulnerable web application, misconfigurations, and exposed credentials to move from an IIS foothold on a member server to full compromise of the north.sevenkingdoms.local child domain — including DCSync, krbtgt extraction, and Golden Ticket creation.

The story didn't stop at a single domain. Using the same reasoning-first approach, Strike7 pushed across the forest trust boundary into the sevenkingdoms.local root domain, abusing misconfigured identity and certificate paths to obtain root-domain credentials. From there it executed DCSync on the forest root, recovered the root krbtgt hash, and minted a forest-wide Golden Ticket — achieving complete forest compromise without any human steering or prior knowledge that it was attacking a lab environment.

For security teams, this is exactly the behaviour we're aiming for: Strike7 handles the continuous grind — recon, pivoting, credential harvesting, and retesting — while surfacing the end result as a clear attack narrative: "Here is how an attacker can go from a random /24 to full forest-root control." That gives defenders something concrete to prioritise: weak trust edges, unsafe scripting practices, credential hygiene, and AD CS misconfigurations that still matter even in "fully patched" environments.

We're deeply aware that this is dual-use capability. All of this testing is done in tightly controlled lab environments with strict guardrails: isolated execution, auditable agent actions, and validation before anything is turned into findings. Our goal is simple: help blue teams and MSSPs see their environments the way an attacker would — including the multi-step chains across domains — without losing governance or control.

If you're interested in offensive security that thinks in attack paths, not just findings lists, Strike7 is built for you.