SYSTEM SECURE


Why Active Directory Tier Zero Quietly Decides Most Enterprise Intrusions in 2026

Active Directory remains the identity backbone of the majority of enterprise environments we audit, even in companies that consider themselves cloud-first. The reason is operational rather than aspirational — too many systems, processes, integrations and operational habits depend on Active Directory for it to be decommissioned on any near-term timeline. That dependency means that Active Directory compromise remains a route to enterprise compromise, and Tier Zero — the small set of identities, systems and services that can directly control Active Directory — remains the highest-value target on the network. An intrusion that reaches Tier Zero achieves effective administrative control over the enterprise. Programs that have not separated Tier Zero from the rest of the environment are programs whose security posture collapses on the day an adversary reaches that surface.


The second compounding factor is the legacy accretion that characterizes most production Active Directory deployments. Environments that have been running for five, ten or fifteen years have accumulated administrative accounts, group memberships, delegated permissions and embedded services that no living engineer has fully mapped. The forensic exercise of producing a current Tier Zero inventory in a long-running environment is typically a multi-month project that surfaces uncomfortable findings — privileged accounts whose owner has left the company, Kerberos delegation patterns that effectively grant domain-level authority to lower-tier systems, and recovery procedures whose security properties have not been examined in years. The inventory itself is the most consequential artifact the program produces, because without it every subsequent control is operating against a partial picture.

Three Engagements That Defined Our Active Directory Tier Zero Playbook

Engagement One: The Bank Whose Service Account Was a Domain Admin

A regional bank engaged iSECTECH after an intrusion that achieved domain admin authority within seven hours of initial access. The forensic timeline reconstructed the path with painful clarity. Initial access through a phishing-driven endpoint compromise was followed by credential harvesting from the local memory of the compromised workstation. Among the credentials harvested was a service account used by a backup application — an account that had been granted domain admin authority years earlier during a migration with the documented intent of narrowing the scope afterward. The narrowing had never occurred. The adversary used the harvested credential to authenticate to a domain controller and the intrusion was effectively over. The remediation was not the obvious one of revoking the account. It was the construction of a Tier Zero boundary that prevented any account with domain-controlling authority from authenticating to any system below Tier Zero, full stop. The next time an adversary harvested credentials from a tier-three workstation, the harvested credentials no longer worked anywhere that mattered.

Engagement Two: The Manufacturer Whose Recovery Procedure Was the Backdoor

A multinational manufacturer engaged us to assess what they believed was a mature Active Directory security posture. The forensic exercise confirmed that both the Tier Zero principals and the tier-three systems had been identified correctly, but uncovered a recovery procedure that effectively dissolved the boundary between them. A break-glass recovery account, intended for use only during catastrophic outages, had been configured with permanent authentication permissions to any system in the domain, with a static password stored in a shared password manager to which twenty-three current employees had access. The procedure had been written in 2018 and never reviewed against modern Tier Zero discipline. The remediation included immediate rotation of the break-glass credential, redesign of the recovery procedure to use ephemeral credentials issued through a hardware token, and reduction of the population with documented break-glass access from twenty-three to four. The lesson was that recovery procedures are part of the Tier Zero surface, not separate from it, and they must be designed with the same rigor as any other element.

Engagement Three: The Healthcare System Whose Kerberos Delegation Was the Path

A multi-hospital system engaged us after a red team engagement achieved domain admin within twelve hours through a path that surprised the in-house team. The path used unconstrained Kerberos delegation on a tier-two application server to capture domain admin credentials when a privileged administrator authenticated to the system during routine maintenance. The delegation configuration had been in place since the application’s initial deployment in 2012 and had never been examined in any subsequent security review. The remediation included immediate removal of unconstrained delegation across the estate, but the more durable change was the introduction of standing analysis of every account, computer and service flagged for Kerberos delegation, with quarterly review and named ownership. Within two quarters the estate had been comprehensively examined, and several similar but less severe configurations had been identified and remediated proactively.
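The "standing analysis of every account, computer and service flagged for Kerberos delegation" described above is something a team can script rather than rediscover each quarter. The following is an added example, not iSECTECH's tooling or anything from the engagement itself; it assumes the RSAT ActiveDirectory module, read access to the directory, and a report path and Owner column that are placeholders for the reader's own review process. It covers the unconstrained case from the engagement and, going beyond it, the constrained and resource-based variants that a quarterly review should also own.

```powershell
# Added example (not iSECTECH's own tooling): enumerate every Kerberos delegation
# configuration in the domain so each can be assigned an owner and reviewed quarterly.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
# $reportPath and the Owner/ReviewedOn columns are placeholders for illustration.
Import-Module ActiveDirectory

$reportPath = 'C:\TierZero\delegation-inventory.csv'   # assumed location

# Domain controllers legitimately carry unconstrained delegation; exclude them so the
# report shows only the anomalies the review has to act on.
$dcNames = (Get-ADDomainController -Filter *).Name

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param($Principal, $Type, $Kind, $Detail)
    $findings.Add([pscustomobject]@{
        Principal      = $Principal
        ObjectType     = $Type
        DelegationKind = $Kind
        Detail         = $Detail
        Owner          = ''     # filled in during review: named ownership is the point
        ReviewedOn     = ''
    })
}

# 1. Unconstrained delegation (TRUSTED_FOR_DELEGATION): the configuration from
#    Engagement Three. A host with this flag holds a TGT for every principal that
#    authenticates to it, so a single privileged logon exposes that principal.
$uncProps = 'TrustedForDelegation', 'ServicePrincipalName'
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties $uncProps |
    Where-Object { $dcNames -notcontains $_.Name } |
    ForEach-Object { Add-Finding $_.SamAccountName 'Computer' 'Unconstrained' ($_.ServicePrincipalName -join ';') }
Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties $uncProps |
    ForEach-Object { Add-Finding $_.SamAccountName 'User' 'Unconstrained' ($_.ServicePrincipalName -join ';') }

# 2. Constrained delegation (msDS-AllowedToDelegateTo). The variant with protocol
#    transition (TrustedToAuthForDelegation) is the one to review first, because the
#    delegating account can obtain tickets for users who never authenticated to it.
$conProps = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
$constrained = @(Get-ADComputer -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties $conProps) +
               @(Get-ADUser     -Filter 'msDS-AllowedToDelegateTo -like "*"' -Properties $conProps)
foreach ($obj in $constrained) {
    $kind = if ($obj.TrustedToAuthForDelegation) { 'Constrained+ProtocolTransition' } else { 'Constrained' }
    $type = if ($obj.ObjectClass -eq 'computer') { 'Computer' } else { 'User' }
    Add-Finding $obj.SamAccountName $type $kind ($obj.'msDS-AllowedToDelegateTo' -join ';')
}

# 3. Resource-based constrained delegation is configured on the *target* object,
#    so the review must ask, for each computer, who is allowed to delegate to it.
Get-ADComputer -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
               -Properties PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        $who = ($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.ToString() }) -join ';'
        Add-Finding $_.SamAccountName 'Computer' 'ResourceBased' $who
    }

# Persist the inventory for sign-off and print a per-kind summary for the review meeting.
$findings | Sort-Object DelegationKind, Principal | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Group-Object DelegationKind | Select-Object Name, Count
```

Run it from a workstation with the RSAT tools installed; the CSV is the artifact the quarterly review signs off, and a principal that appears in it without an Owner value is itself a finding.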

Why Conventional Active Directory Hardening Falls Short Against Modern Adversaries

Conventional Active Directory hardening focuses on the symptoms — password policies, lockout thresholds, audit logging — while leaving the structural posture of Tier Zero unaddressed. Those controls are necessary but profoundly insufficient against an adversary whose objective is domain compromise. The structural protections that actually defeat that objective — credential separation between tiers, authentication boundaries between tiers, dedicated privileged access workstations, monitored Tier Zero access paths, and continuous attestation of Tier Zero membership — require a different category of engineering work than the conventional hardening program contemplates. Programs that have done the conventional work without doing the structural work pass audits and fail red teams, and they fail real adversaries who behave like red teams.


The Playbook We Run With Every Client on Active Directory Tier Zero

Our Active Directory Tier Zero engagements run on four pillars. The first is inventory — every account, computer, service, group and delegation that effectively controls Active Directory is identified, classified, owned and reviewed quarterly. The second is credential separation — Tier Zero credentials never authenticate to systems below Tier Zero, enforced both administratively and through authentication policy. The third is privileged access workstations — administration of Tier Zero is performed exclusively from hardened, dedicated workstations whose configuration is treated as a Tier Zero asset itself. The fourth is monitoring and recovery — Tier Zero access is instrumented for high-fidelity detection, and recovery procedures are engineered with the same rigor as the rest of the boundary.
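The second pillar above says credential separation is "enforced both administratively and through authentication policy". The following added example, which is not iSECTECH's configuration or anything taken from a client environment, shows what that authentication-policy enforcement looks like in Active Directory: an authentication policy silo that only lets Tier Zero accounts obtain Kerberos tickets from designated privileged access workstations and the domain controllers themselves. The silo, policy, PAW and account names are assumptions, and the environment is assumed to meet the documented prerequisites (Windows Server 2012 R2 or later domain functional level, and the Kerberos claims, compound authentication and armoring settings enabled on the KDC and clients through Group Policy).

```powershell
# Added example (not iSECTECH's own configuration): enforce Tier Zero credential
# separation with an authentication policy silo so Tier Zero accounts can only obtain
# Kerberos TGTs from PAWs and domain controllers. All names below are assumptions.
# Prerequisites (assumed to be in place): 2012 R2+ domain functional level and the
# "KDC support for claims, compound authentication and Kerberos armoring" and matching
# Kerberos client policies enabled via Group Policy.
Import-Module ActiveDirectory

$siloName      = 'TierZero-Silo'
$pawHosts      = 'PAW01', 'PAW02'                   # assumed PAW computer names
$tierZeroUsers = 'ad-admin-alice', 'ad-admin-bob'   # assumed Tier Zero admin accounts
# Domain controllers are included because an interactive logon to a DC requests the
# user's TGT from that DC, so the DC must count as a permitted "from" device.
$tierZeroDCs   = (Get-ADDomainController -Filter *).ComputerObjectDN | ForEach-Object { Get-ADComputer $_ }

# SDDL that permits authentication only from devices that are members of this silo.
# This is the conditional-ACE pattern Microsoft documents for UserAllowedToAuthenticateFrom.
$fromSiloSddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

# User policy: device restriction plus a short TGT lifetime so a stolen ticket ages out.
New-ADAuthenticationPolicy -Name 'TierZero-UserPolicy' `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloSddl `
    -Enforce

# Computer and service policies for the PAWs, DCs and any Tier Zero service accounts.
New-ADAuthenticationPolicy -Name 'TierZero-ComputerPolicy' -ComputerTGTLifetimeMins 240 -Enforce
New-ADAuthenticationPolicy -Name 'TierZero-ServicePolicy'  -ServiceTGTLifetimeMins  240 -Enforce

New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy     'TierZero-UserPolicy' `
    -ComputerAuthenticationPolicy 'TierZero-ComputerPolicy' `
    -ServiceAuthenticationPolicy  'TierZero-ServicePolicy' `
    -Enforce

# Silo membership is two-sided: the silo must permit the account AND the account must
# be assigned to the silo. Doing only one of the two leaves the account unprotected.
$members  = @()
$members += $tierZeroUsers | ForEach-Object { Get-ADUser $_ }
$members += $pawHosts      | ForEach-Object { Get-ADComputer $_ }
$members += $tierZeroDCs

foreach ($m in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $m
    Set-ADAccountAuthenticationPolicySilo  -Identity $m -AuthenticationPolicySilo $siloName
}

# Defence in depth: Protected Users blocks NTLM, weak Kerberos ciphers and delegation
# for these accounts, so a credential harvested from a lower tier (Engagement One)
# is far less reusable even if the silo is later misconfigured.
Add-ADGroupMember -Identity 'Protected Users' -Members $tierZeroUsers

# Verification: everything the silo now protects.
Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
    Select-Object -ExpandProperty Members
```

Start with the policies created without `-Enforce` (audit mode) and watch the DC Security log for policy events before enforcing; an enforced silo that omits a recovery path is how the break-glass problem from Engagement Two gets recreated in reverse.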

What Boards Should Demand This Quarter

Boards should ask three questions of the security leadership this quarter that most are not prepared to answer well. First, does a current, owned Tier Zero inventory exist, and what proportion of the principals on that inventory have a documented business justification and a quarterly review cadence? Second, what is the authentication policy posture that prevents Tier Zero credentials from authenticating to systems below Tier Zero, and what evidence demonstrates compliance with that policy in production? Third, what is the architecture of privileged access workstations used to administer Tier Zero, and what evidence demonstrates that administrators are using them? Honest answers to those three questions are a far better measure of Active Directory security maturity than any audit attestation.
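The second and third questions both ask for evidence from production rather than a policy document. The following added example, which is not iSECTECH's detection content and reflects no client's data, produces that evidence from two sources: domain controller Kerberos logs (Event ID 4768, a TGT being issued) to show whether any Tier Zero account obtained a ticket from a device that is not a PAW or a DC, and the directory itself to show whether each inventoried account is actually enrolled in the silo and in Protected Users. The account names, PAW addresses and silo name are assumptions; the lookback window is arbitrary.

```powershell
# Added example (not iSECTECH's own detection content): produce production evidence
# for the board's second and third questions. Account names, PAW addresses, silo name
# and the 7-day window are assumptions. Requires the ActiveDirectory module and
# permission to read the Security log on each domain controller.
Import-Module ActiveDirectory

$tierZeroUsers = 'ad-admin-alice', 'ad-admin-bob'   # assumed, taken from the Tier Zero inventory
$pawAddresses  = '10.10.50.11', '10.10.50.12'       # assumed PAW IPv4 addresses
$siloName      = 'TierZero-Silo'                    # assumed silo name
$lookback      = (Get-Date).AddDays(-7)

$dcs            = Get-ADDomainController -Filter *
$allowedSources = $pawAddresses + $dcs.IPv4Address  # a logon to a DC requests its TGT from that DC

function Get-TierZeroTgtFindings {
    param([string]$DomainController)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = $lookback }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # 4768 records IPv4 clients as ::ffff:a.b.c.d; normalise before comparing.
            $src = $d['IpAddress'] -replace '^::ffff:', ''
            if ($tierZeroUsers -contains $d['TargetUserName'] -and $allowedSources -notcontains $src) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $DomainController
                    Account = $d['TargetUserName']
                    Source  = $src
                    Status  = $d['Status']      # 0x0 = ticket issued; anything else was refused
                }
            }
        }
}

# Question two: every TGT issued to a Tier Zero account from a non-PAW, non-DC source
# is a credential-separation failure, whether or not the policy document forbids it.
$tgtFindings = foreach ($dc in $dcs.HostName) { Get-TierZeroTgtFindings -DomainController $dc }

# Question three, from the directory side: an inventoried account outside the silo or
# outside Protected Users is a gap the board-level answer has to disclose.
$protected  = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
$enrollment = foreach ($u in $tierZeroUsers) {
    $acct = Get-ADUser $u -Properties 'msDS-AssignedAuthNPolicySilo'
    $silo = if ($acct.'msDS-AssignedAuthNPolicySilo') {
        (Get-ADObject $acct.'msDS-AssignedAuthNPolicySilo').Name
    } else { $null }
    [pscustomobject]@{
        Account          = $u
        InSilo           = ($silo -eq $siloName)
        InProtectedUsers = ($protected -contains $u)
    }
}

"Tier Zero TGT requests from non-PAW sources since $($lookback.ToShortDateString()): $(@($tgtFindings).Count)"
$tgtFindings | Format-Table -AutoSize
$enrollment  | Format-Table -AutoSize
```

The first table is the evidence for question two (an empty table over a meaningful window is the answer a board wants to hear); the second is evidence for question three, and a `False` in either column is a named, fixable gap rather than a vague maturity score.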


How This Connects to the Rest of Your Security Program

Active Directory Tier Zero discipline is the foundation of identity-driven defense in any hybrid environment. Our work on cloud IAM and permission sprawl covers the cloud identity dimension that AD Tier Zero complements. Our work on identity threat detection in 2026 covers the runtime layer that catches activity Tier Zero engineering does not prevent. And our work on endpoint hardening field notes covers the endpoint discipline that protects the credentials Tier Zero engineering separates.

What to Do This Week


Talk to a Senior Active Directory Security Practitioner

If you would like a senior iSECTECH Active Directory security practitioner to perform a confidential review of your Tier Zero inventory, credential separation, privileged access workstation architecture and monitoring discipline, we can have a working session scheduled within a week. We have rebuilt Active Directory Tier Zero programs across financial services, healthcare, manufacturing and government. Contact us to begin the conversation.

A Final Word on Hybrid Environments

Most enterprise environments in 2026 are hybrid — on-premises Active Directory federated with cloud identity providers, with synchronization mechanisms that themselves carry meaningful security properties. The Tier Zero conversation extends into the cloud through these synchronization mechanisms, and the security of the bridge between the two environments is itself a Tier Zero concern. Programs that have hardened on-premises Tier Zero while leaving the cloud bridge under-examined have moved the problem rather than solved it. The strongest programs treat the hybrid identity surface as a single security boundary with multiple physical components, all of which require the same rigor.

Continue Reading: Week 5 Field Notes

If this resonates, three other recent field notes from our team build on the same theme. Our piece on secrets management field notes on hard-coded tokens covers the credential exposure that often becomes the path into Tier Zero. Our analysis of EDR tuning beyond default configuration covers the endpoint detection that catches the precursor activity. And our notes on cyber range programs and sustained practice illustrate the rehearsal discipline that operationalizes Tier Zero defense.