Pricing About Blog Book a Demo
AI Penetration Testing Platform

AI penetration testing.
SMB-friendly pricing.
No security team required.

ThreatForged AI finds what scanners miss and tells you exactly how to fix it. Trusted by credit unions, community banks, and SMBs running Windows Active Directory.

Book a Demo See How It Works
// The Problem

You know you need a pentest. The current options fall short.

Most SMBs know they need penetration testing. What they don't know is whether their Active Directory is already compromised. Compliance requires it. Cyber insurance demands it. The available options rarely fit.

Option 01
$15K–$30K

Consulting Firms

Per engagement, weeks of wait time, a PDF report that requires a security expert to decode. Repeat annually.

Option 02
$50K+/yr

Enterprise Platforms

Built for SOC teams you don't have. Requires security expertise to operate. Priced for Fortune 500 budgets.

Option 03
Not enough

Vulnerability Scanners

They find known CVEs. Attackers chain weaknesses together, exploit credentials, and move laterally. Scanners don't test for that.

// The Solution

An AI pentester built for how attacks actually work.

ThreatForged AI is an AI agent that thinks and acts like a human pentester, then delivers a report your IT Director can act on.

Recon & Enumeration

Full AD Recon

BloodHound graph analysis, user and group privilege mapping, attack path visualization across your domain. You see exactly what attackers see before they act on it.

Credential Attacks

NTLM Relay & Coercion

PetitPotam, PrinterBug, DFSCoerce: tests whether your environment is vulnerable to credential relay attacks. The most common path to domain admin in SMB environments, tested and documented.

Certificate Abuse

ADCS Exploitation

ESC1, ESC8, ESC15 exploitation against your PKI infrastructure. The attack surface most vendors skip entirely.

Privilege Escalation

Full Domain Takeover

DCSync, pass-the-hash, Kerberoasting, lateral movement chains. Every path to domain admin, mapped and documented. If it exists in your environment, the report will show it.

// Real-World Example

Full domain compromise in under 15 minutes.

This is the actual attack chain ThreatForged AI runs against a misconfigured SMB environment, the same steps a real attacker would take.

// attack chain: domain admin via llmnr → adcs → dcsync
01 LLMNR Poisoning Responder captures NTLMv2 hashes from broadcast queries on the local network.
02 NTLM Relay → ADCS Relayed hash used to authenticate to ADCS HTTP endpoint. ESC8 template issues a domain controller certificate.
03 PetitPotam Coercion Domain controller coerced into authenticating to attacker-controlled listener via MS-EFSRPC.
04 Pass-the-Certificate DC certificate used to obtain Kerberos TGT for the domain controller machine account.
05 DCSync → Domain Admin Domain replication rights used to dump all domain credentials. Full domain compromise achieved.
⚠ Time to domain admin: 14 minutes, 32 seconds from an unprivileged user account.
// Pricing

No annual contracts. No six-figure commitments.

Per-assessment pricing. Pay when you need it. Scale as you grow.

Setup
$500 one-time
Scoping call, environment intake, secure deployment of the assessment agent. Required for first engagement.
Most Common
Base Assessment
$1,500 / assessment
Full AD enumeration, NTLM relay testing, ADCS abuse, privilege escalation chains. Up to 50 IPs. Compliance-ready report included.
Additional Scope
$15 / IP
Expand scope beyond the base 50 IPs. Billed per additional IP assessed.
Compare: typical consulting firm engagement = $15,000 to $30,000. ThreatForged AI delivers the same findings at a fraction of the cost.
// About

Built by a practitioner, not a product team.

ThreatForged AI was founded by Ryan Kucher after years of hands-on AD assessments inside credit unions and community banks. We know your environment because we've worked inside ones just like it, legally, under scope, on behalf of clients who needed to know the truth.

Our AI-assisted methodology combines an automated attack reasoning engine with practitioner-built runbooks covering NTLM relay, ADCS exploitation, coercion techniques, BloodHound analysis, and DCSync. You get the depth of a manual engagement at a fraction of the cost, with a report your IT Director can act on today.

Austin, TX — ryan@threatforged.ai

Start a Conversation
// SMB Intel

Threat intel, translated.

Cyber news that actually matters to your IT team. No jargon. No filler.

All posts
Active DirectoryMar 2026

Why attackers love your ADCS server (and what to do about it)

Certificate Services misconfigurations are one of the fastest paths to domain admin in SMB environments.

Read more →
Credential SecurityFeb 2026

NTLM relay attacks are still wrecking credit unions in 2026

NTLM is old. The attacks that abuse it are older. And most community banks are still wide open.

Read more →
RansomwareJan 2026

The ransomware playbook attackers run on SMBs, step by step

Most ransomware groups follow the same internal AD attack chain. Knowing the steps lets you break it.

Read more →
// Contact

Book a demo or request an assessment.

Assessments run on a scheduled basis. Reach out to check current availability and confirm scope before your next exam cycle.

Response timeWithin 24 hours
Emailryan@threatforged.ai
Engagement typeScoped, fixed-price assessments
Sectors servedAny SMB running Active Directory — credit unions, law firms, manufacturers, MSPs, healthcare, and more
LocationAustin, TX — remote assessments available nationwide