Problem Solution Pricing About Intel Book a Demo
AI Penetration Testing Platform

Enterprise-grade pentesting.
SMB-friendly pricing.
No security team required.

ThreatForged AI finds what scanners miss — and tells you exactly how to fix it.

Book a Demo See How It Works
// The Problem

You know you need a pentest. The options just don't work.

Most SMBs know they need penetration testing. Compliance requires it. Cyber insurance demands it. But the options are brutal.

Option 01
$15K–$30K

Consulting Firms

Per engagement, weeks of wait time, a PDF report you need a security expert to decode. Then do it all again next year.

Option 02
$50K+/yr

Enterprise Platforms

Built for SOC teams you don't have. Requires security expertise to operate. Priced for Fortune 500 budgets.

Option 03
Not enough

Vulnerability Scanners

They find known CVEs. They don't chain weaknesses together, exploit credentials, or move laterally. That's what attackers do.

// The Solution

An AI pentester that works like the real thing.

ThreatForged AI is an AI agent that thinks and acts like a human pentester — then delivers a report your IT Director can act on.

Recon & Enumeration

Full AD Recon

BloodHound graph analysis, user and group privilege mapping, attack path visualization across your domain.

Credential Attacks

NTLM Relay & Coercion

PetitPotam, PrinterBug, DFSCoerce — tests whether your environment is vulnerable to credential relay attacks.

Certificate Abuse

ADCS Exploitation

ESC1, ESC8, ESC15 exploitation against your PKI infrastructure. The most common blind spot in SMB environments.

Privilege Escalation

Full Domain Takeover

DCSync, pass-the-hash, Kerberoasting, lateral movement chains — every path to domain admin, mapped and documented.

// Real-World Example

Full domain compromise in under 15 minutes.

This is the actual attack chain ThreatForged AI runs against a misconfigured SMB environment — the same steps a real attacker would take.

// attack chain: domain admin via llmnr → adcs → dcsync
01 LLMNR Poisoning Responder captures NTLMv2 hashes from broadcast queries on the local network.
02 NTLM Relay → ADCS Relayed hash used to authenticate to ADCS HTTP endpoint. ESC8 template issues a domain controller certificate.
03 PetitPotam Coercion Domain controller coerced into authenticating to attacker-controlled listener via MS-EFSRPC.
04 Pass-the-Certificate DC certificate used to obtain Kerberos TGT for the domain controller machine account.
05 DCSync → Domain Admin Domain replication rights used to dump all domain credentials. Full domain compromise achieved.
⚠ Time to domain admin: 14 minutes, 32 seconds — from an unprivileged user account
// Pricing

No annual contracts. No six-figure commitments.

Per-assessment pricing. Pay when you need it. Scale as you grow.

Setup
$500 one-time
Scoping call, environment intake, secure deployment of the assessment agent. Required for first engagement.
Most Common
Base Assessment
$1,500 / assessment
Full AD enumeration, NTLM relay testing, ADCS abuse, privilege escalation chains. Up to 50 IPs. Compliance-ready report included.
Additional Scope
$15 / IP
Expand scope beyond the base 50 IPs. Billed per additional IP assessed.
Compare: typical consulting firm engagement = $15,000–$30,000. ThreatForged AI delivers the same findings at a fraction of the cost.
// About

Built by a practitioner, not a product team.

ThreatForged AI was founded by Ryan Kucher after years of hands-on AD assessments inside credit unions and community banks. We know your environment because we've broken into ones just like it — legally, under scope, on behalf of clients who needed to know the truth.

Our AI-assisted methodology combines an automated attack reasoning engine with practitioner-built runbooks covering NTLM relay, ADCS exploitation, coercion techniques, BloodHound analysis, and DCSync. You get the depth of a manual engagement at a fraction of the cost — with a report your IT Director can act on today.

Austin, TX — [email protected]

Start a Conversation
$ ./threatforged --phase enum --target corp.local
[*] BloodHound collection started...
[+] Users: 847 Computers: 203
[!] Kerberoastable SPNs: 12
 
$ ./threatforged --phase adcs
[*] Enumerating certificate templates...
[!] ESC1: UserCert_v2 — enrollee supplies subject
[!] ESC8: HTTP enrollment endpoint exposed
 
$ ./threatforged --phase escalate
[*] Coercing DC via PetitPotam...
[!] DCSync complete — all hashes dumped
_
// SMB Intel

Threat intel, translated.

Cyber news that actually matters to your IT team — no jargon, no filler.

All posts
Active DirectoryMar 2026

Why attackers love your ADCS server (and what to do about it)

Certificate Services misconfigurations are one of the fastest paths to domain admin in SMB environments.

Read more →
Credential SecurityFeb 2026

NTLM relay attacks are still wrecking credit unions in 2026

NTLM is old. The attacks that abuse it are older. And most community banks are still wide open.

Read more →
RansomwareJan 2026

The ransomware playbook attackers run on SMBs — step by step

Most ransomware groups follow the same internal AD attack chain. Knowing the steps lets you break it.

Read more →
// Contact

Book a demo or request an assessment.

We work with a limited number of clients at a time. Reach out to check availability and scope.

Response timeWithin 24 hours
Email[email protected]
Engagement typeScoped, fixed-price assessments
Sectors servedCredit unions, community banks, SMBs under 200 employees
LocationAustin, TX — remote assessments available nationwide