cerberus is a pure-enumeration collector in the BloodHound / SharpHound / PingCastle / Certipy class: it reads the security-relevant Active Directory surface over both LDAP and ADWS and emits structured data and factual findings for a downstream analyzer. It does not exploit, crack, or solve attack-path graphs - those are deliberate boundaries, covered below. This dossier inventories what it does, compares it against the leading tools, and checks it against the 2025-2026 attack surface (Windows Server 2025 dMSA / BadSuccessor, ADWS-stealth tradecraft, Windows LAPS).
01 / the comparison
Rows are enumeration capabilities; columns are the leading tools, cerberus first. Marks reflect each tool's primary documented capability: full, partial (secondary, limited, or configuration-dependent), or none. The set spans the major collectors and auditors; specialists folded into neighbours are noted (SoaPy under SOAPHound, SharpView under PowerView, CrackMapExec under NetExec, AzureHound under the cloud row).
| Capability | cerberus | SharpHound | SOAPHound | PingCastle | Purple Knight | Certipy | ADRecon | PowerView | ldapdomaindump | NetExec |
|---|---|---|---|---|---|---|---|---|---|---|
| Collection channels & operational security | ||||||||||
| LDAP / LDAPS collectionAuthenticated directory queries over 389/636 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| ADWS collection (port 9389)Stealth channel; appears as DC-to-self in logs | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| SMB / RPC collectionShares, local admins, host-level sessions | ◐ | ✓ | ✗ | ◐ | ◐ | ✗ | ◐ | ✓ | ✗ | ✓ |
| Built-in throttle / jitter / opsec pacingRate-limit, jitter, decompose/reformulate | ✓ | ◐ | ◐ | ✗ | ✗ | ✗ | ✗ | ◐ | ✗ | ◐ |
| DC-less discovery (DNS-SRV + CLDAP ping)Locate/fingerprint DCs with no bind | ✓ | ◐ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ◐ |
| Core directory objects | ||||||||||
| Users / computers / groupsBase object enumeration | ✓ | ✓ | ✓ | ✓ | ✓ | ◐ | ✓ | ✓ | ✓ | ✓ |
| OUs / containers / GPO linksTree structure and policy linkage | ✓ | ✓ | ◐ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ◐ |
| Nested group membership / tokenGroupsEffective / transitive membership | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ◐ |
| Trusts (forest-trust routing + SID-filter attrs)msDS-TrustForestTrustInfo, trustAttributes | ✓ | ✓ | ◐ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ◐ |
| Sites / subnets / FSMO rolesReplication topology singletons | ✓ | ◐ | ✗ | ✓ | ◐ | ✗ | ✓ | ✓ | ✗ | ✗ |
| ACL, delegation & permissions | ||||||||||
| Raw security-descriptor dump (DACL + SACL)Every ACE field preserved; SACL with privilege | ✓ | ◐ | ✓ | ◐ | ◐ | ◐ | ✓ | ✓ | ◐ | ✗ |
| Kerberos delegation (unconstrained/constrained/RBCD)Incl. msDS-AllowedToActOnBehalfOf | ✓ | ✓ | ◐ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ◐ |
| AdminSDHolder / SDPropProtected-object ACL drift | ✓ | ◐ | ✗ | ✓ | ✓ | ✗ | ◐ | ◐ | ✗ | ✗ |
| Default security descriptors (schema defaultSD)Per-class default ACLs | ✓ | ✗ | ✗ | ◐ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Foreign-security-principals / cross-domain trusteesCross-domain ACE material | ✓ | ✓ | ◐ | ◐ | ◐ | ◐ | ◐ | ◐ | ✗ | ✗ |
| Active Directory Certificate Services (AD-CS) | ||||||||||
| Certificate Authority enumerationEnterprise CAs, NTAuth, flags | ✓ | ◐ | ✓ | ◐ | ◐ | ✓ | ◐ | ✗ | ✗ | ◐ |
| Certificate template enumerationTemplate flags, EKUs, enrollment rights | ✓ | ◐ | ✓ | ◐ | ◐ | ✓ | ◐ | ✗ | ✗ | ◐ |
| ESC1-ESC16 misconfiguration findingsFull named-escalation coverage | ✓ | ◐ | ✗ | ◐ | ◐ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Service accounts & the 2025 surface | ||||||||||
| gMSA (+ managed-password blob read)msDS-ManagedPassword when authorized | ✓ | ◐ | ◐ | ◐ | ◐ | ✗ | ◐ | ◐ | ✗ | ◐ |
| sMSA (standalone managed service accounts)Legacy single-host MSAs | ✓ | ✗ | ✗ | ◐ | ◐ | ✗ | ◐ | ◐ | ✗ | ✗ |
| dMSA + BadSuccessor (Windows Server 2025)msDS-ManagedAccountPrecededByLink + who can CreateChild | ✓ | ◐ | ✗ | ◐ | ◐ | ✗ | ✗ | ✗ | ✗ | ◐ |
| Machine account quota (MAQ)ms-DS-MachineAccountQuota | ✓ | ◐ | ✗ | ✓ | ✓ | ✗ | ◐ | ◐ | ✗ | ✓ |
| KeyCredentialLink / Shadow CredentialsmsDS-KeyCredentialLink presence | ✓ | ✓ | ◐ | ◐ | ◐ | ◐ | ✗ | ✗ | ✗ | ◐ |
| Secrets recoverable from the directory (authorized read) | ||||||||||
| GPP cpassword (MS14-025)Decryptable SYSVOL preference passwords | ✓ | ✗ | ✗ | ✓ | ◐ | ✗ | ◐ | ✓ | ✗ | ✓ |
| LAPS (legacy + Windows LAPS)ms-Mcs-AdmPwd and msLAPS-* attributes | ✓ | ◐ | ✗ | ◐ | ◐ | ✗ | ◐ | ◐ | ✗ | ✓ |
| Kerberoastable / AS-REP-roastable identificationSPNs + DONT_REQ_PREAUTH (no cracking) | ✓ | ✓ | ◐ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ✓ |
| Group Policy & domain configuration | ||||||||||
| GPO deep content (GptTmpl.inf, registry.pol, GPP XML)Parsed policy bodies, not just links | ✓ | ◐ | ✗ | ✓ | ◐ | ✗ | ◐ | ◐ | ✗ | ◐ |
| Logon-script (Scripts.ini) / advanced audit (Audit.csv)Execution surface + audit gaps | ✓ | ✗ | ✗ | ◐ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Password policy / fine-grained PSODomain policy + msDS-PasswordSettings | ✓ | ◐ | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ◐ | ✓ |
| dSHeuristics / domain-wide switchesAnonymous access, list-object mode, etc. | ✓ | ◐ | ✗ | ✓ | ◐ | ✗ | ◐ | ◐ | ✗ | ✗ |
| Schema & replication metadata | ||||||||||
| Full schema dump (attributeSchema / classSchema)Confidential bits, linkIDs, OIDs | ✓ | ✗ | ◐ | ◐ | ◐ | ✗ | ◐ | ◐ | ✗ | ✗ |
| Replication metadata + ATTRTYP->name resolutionPer-attribute version/drift, MakeAttid | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Custom-prefix ATTRTYP (live prefixMap, validated)Resolve custom-schema attribute IDs | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Hybrid & cloud seam | ||||||||||
| Entra Connect / hybrid-sync detection (on-prem)PHS/PTA/Seamless-SSO, Golden-SAML surface | ✓ | ◐ | ✗ | ◐ | ◐ | ✗ | ◐ | ◐ | ✗ | ✗ |
| Full Entra ID / Azure cloud enumerationCloud-only objects (AzureHound territory) | ✗ | ✗ | ✗ | ◐ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Output, drift & analysis model | ||||||||||
| Structured JSON / CSV exportMachine-readable collection output | ✓ | ✓ | ✓ | ◐ | ◐ | ✓ | ✓ | ◐ | ✓ | ✓ |
| BloodHound-compatible outputFeeds the graph engine | ✓ | ✓ | ✓ | ✗ | ✗ | ◐ | ✗ | ✗ | ✗ | ◐ |
| Attack-path GRAPH computationEdge/path solving (by design: feeds, not solves) | ✗ | ✓ | ✓ | ◐ | ◐ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Scored HTML health / risk reportRanked findings + remediation narrative | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ◐ | ✗ | ◐ | ✗ |
| Snapshot / diff (drift over time)Compare collections across runs | ✓ | ✗ | ✗ | ◐ | ◐ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Posture | ||||||||||
| Pure enumeration (no exploitation / no cracking)Read-only collection by design | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ◐ | ✓ | ✗ |
Marks are a fair-use assessment from current public documentation and tradecraft writeups (2025-2026); capabilities evolve and some tools expose a row only with specific flags, modules, or builds. "Pure enumeration" marks a read-only collection posture - Certipy and NetExec are marked none there because they also perform exploitation, not as a quality judgement.
02 / currency check
The AD enumeration surface moved in the last year. Each shift below is paired with cerberus's status against it.
Delegated Managed Service Accounts shipped as a Kerberoasting mitigation. Akamai showed any principal with CreateChild on an OU can set msDS-ManagedAccountPrecededByLink on a new dMSA and have the KDC grant it a target's access - a DCSync-grade path with no elevated rights.
cerberus → Covered. The dmsa collector surfaces PrecededByLink, DelegatedMSAState and the migration state; RuleCreateChild flags who is positioned to stage one.
SOAPHound (FalconForce), SoaPy (IBM X-Force) and ShadowHound moved collection off raw LDAP onto Active Directory Web Services (port 9389), where queries surface as the DC talking to itself and evade many LDAP-source detections.
cerberus → Covered. cerberus ships a full native ADWS transport (NMF / NBFX / NBFS / SOAP) alongside LDAP, so the same surface is collectable over the stealth channel.
Defenders now key on SOAPHound's hardcoded (!soaphound=*) filter and a constant SDFlags:0x7 on every query - static signatures that betray the tool regardless of channel.
cerberus → Mitigated by design. The opsec layer paces, jitters and reformulates/decomposes queries rather than emitting a fixed signature filter.
BloodHound Community Edition v8 generalised attack-path modelling beyond AD and Entra ID via OpenGraph, broadening what a downstream graph engine can ingest.
cerberus → Complementary by design. cerberus emits BloodHound-compatible output and does not solve graphs itself - it is the collector that feeds the engine.
Microsoft's identity sensor now inventories and classifies gMSAs, sMSAs and user-based service accounts as a first-class posture signal.
cerberus → Covered (collection side). Dedicated gmsa, smsa and dmsa collectors enumerate every managed and standalone service-account class.
Windows LAPS superseded the legacy ms-Mcs-AdmPwd attribute with a new msLAPS-* schema and optional encrypted-password storage.
cerberus → Covered. cerberus reads both the legacy LAPS attribute and the Windows LAPS schema, including the encrypted-blob presence.
03 / the gaps, honestly
Two categories, kept separate on purpose: deliberate scope boundaries handled by companion tools, and genuine gaps or partials inside its own enumeration mission.
Intentional. A companion tool owns each; these are not deficiencies.
Inside the enumeration mission - the honest remaining edge.
verdict
Within pure Active Directory enumeration, cerberus's security-relevant surface is comprehensive and current to the 2025-2026 attack surface - including the Windows Server 2025 dMSA / BadSuccessor primitive and ADWS-stealth collection that most of the field is still catching up to. Where it stops (graph solving, exploitation, full cloud enumeration, scored risk reports) it stops by design, feeding or complementing the tools that own those jobs.
Remaining inside-scope edge: a domain-wide live-session sweep (partial today), the SYSVOL filesystem-SD dual-ACL (behind the smb build tag), and Config-NC depth beyond the RID pool (deferred for lack of a concrete high-value target). None block the mission.
references
akamai.com/blog/security-researchibm.com/think/x-forcehuntress.com/bloghacktricks.wikilearn.microsoft.com