In nearly every internal penetration test conducted against an Active Directory environment of any meaningful size, one attack technique appears with such consistency that senior practitioners treat it less as a finding than as a near-certainty. The technique is Kerberoasting, and its persistence in modern enterprise networks has become the most reliable proof point that the gap between the security controls organizations believe they have and the controls they actually have remains, in 2026, very wide. The attack succeeds on roughly the same proportion of internal pentests today as it did five years ago, and that fact alone is worth a board conversation.
The Kerberoasting attack is not new. It was publicly described by Tim Medin in 2014. It exploits a design feature of the Kerberos authentication protocol rather than a software vulnerability: any authenticated domain user can request a service ticket for any registered service principal name, and part of that ticket is encrypted under a key derived from the service account's password, so the ticket can be taken offline and guessed at without ever touching the service or tripping a lockout. That is why it cannot be patched in any conventional sense. It must be defended through configuration discipline. And the configuration discipline required — long and unique service-account passwords, the use of Group Managed Service Accounts where possible, limiting which accounts carry service principal names, and the active monitoring of suspicious ticket requests — is precisely the kind of unglamorous identity hygiene that loses the budget battle to more visible projects every fiscal year. The result is a technique that continues to work in environments whose owners would, in a board pack, describe themselves as well-secured.
Why the Kerberoasting Attack Refuses to Die
The Kerberoasting attack refuses to die for three structural reasons. First, the attack works against any account whose service principal name is registered in Active Directory and whose password is weaker than the offline-cracking budget of a moderately resourced adversary. Second, service accounts in real-world environments routinely have passwords that have not been rotated in years, that follow predictable corporate patterns, and that grant high-privilege access to systems whose business owners have long since left the organization. Third, the telemetry required to detect the attack — ticket request volume, ticket-granting-service patterns, and encryption-type anomalies such as RC4 tickets issued to accounts that support AES — sits in the domain controllers' Security log (event 4769), which is not, in most organizations, monitored with anything like the rigor applied to endpoint or network telemetry. MITRE ATT&CK catalogues the technique as T1558.003, and the entry describes it with a directness most defenders have not yet matched in their controls.
“Kerberoasting is the closest thing modern Active Directory has to a permanent fixture. It is not a bug. It is a configuration debt that almost every enterprise carries and almost no enterprise pays down on its own.”
Sean Metcalf, Founder, Trimarc Security
Field Notes from Three Internal Pentests
Scenario One: A Manufacturer Whose Backup Service Account Held the Domain
An industrial manufacturer with twenty-two hundred users commissioned an internal penetration test scoped to a single foothold on a finance workstation. Within the first hour, the operator enumerated service principal names and identified eighty-seven user accounts carrying them. Six of those accounts had passwords that fell to offline cracking within nine minutes, including the account used by the legacy backup software. That account, by long-standing convention, was a member of Domain Admins. The operator's first service ticket request, once cracked, yielded that account's password and with it domain-admin access. The post-engagement report noted, with some understatement, that the entire backup-recovery posture of the organization rested on a fourteen-character password that had not been rotated since the system was deployed in 2017.
Scenario Two: A Healthcare Network That Closed Most of the Gap
A regional healthcare network commissioned an internal pentest after a multi-year identity-hygiene program. The Kerberoasting attack still worked — on three out of forty-two service accounts, none of them privileged. The remaining thirty-nine accounts had been migrated to Group Managed Service Accounts with system-managed long passwords. The three remaining weak accounts were legacy systems whose vendors had refused to support gMSA. The network’s CISO took the report as confirmation that the program was substantially complete and that the residual three accounts were operationally accepted risk — with documented owners, expiration dates and a vendor-pressure plan. This is what mature Kerberoasting defense looks like.
Scenario Three: A Software Company Whose SPN Hygiene Hid the Risk
A growing software company believed it had no Kerberoasting exposure because its service principal name inventory was clean. The pentest operator agreed — until she discovered that a developer team had, three months earlier, registered an SPN for a test environment under a service account that was incidentally a member of a privileged group through group nesting two layers deep. The account's password was the developer's laptop password from 2021. The Kerberoasting attack succeeded against that single account and yielded privileged access to the production environment. The lesson, the report noted, was not about Kerberoasting at all. It was about group nesting, change-control discipline and the operational risk of letting development teams self-register service principal names.
“Kerberoasting is rarely the problem. It is the indicator of the problem. The problem is standing privilege on accounts whose owners and purposes nobody has audited in years.”
Senior Practitioner, iSECTECH Internal Penetration Testing Practice
What Senior-Led Defense Looks Like
The defense against the Kerberoasting attack is structurally simple and operationally relentless. First, every account that does not strictly require it loses its service principal name registration. Second, every remaining service account migrates to Group Managed Service Accounts where the platform supports it. Third, the residual non-gMSA accounts have their passwords rotated to long, system-generated values managed by a vault, and are restricted to AES encryption types where nothing still depends on RC4, which removes the cheapest ticket to crack without removing the exposure. Fourth, every privileged group is audited for nested membership and standing privilege, with a documented owner per account. Fifth, ticket-granting-service request telemetry (Security event 4769 on the domain controllers) is monitored for the patterns the attack produces: one principal requesting tickets for many SPN accounts in a short window, RC4-HMAC tickets (encryption type 0x17) for accounts that support AES, and requests for SPN accounts that have no legitimate authentication context, including decoy accounts planted for exactly that purpose.
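The first and fourth steps above, identifying which SPN-bearing accounts are actually roastable and which of them reach a privileged group through nesting, are mechanical enough to script. The block below is an added example, not code from this page or from iSECTECH. It assumes the account and group data have already been exported out of Active Directory (for instance with Get-ADUser, Get-ADGroup and Export-Csv) into the plain records shown; every account, group and date in it is constructed for illustration. The nesting walk is the general case of Scenario Three: it follows membership upward through any depth and survives groups that nest into each other.

```python
"""Kerberoasting exposure triage over an exported account inventory.

Added example, not code from the page or from iSECTECH.  It assumes the
account and group data have already been exported out of Active Directory
(for instance with Get-ADUser / Get-ADGroup and Export-Csv) into the plain
records below; every record here is constructed for illustration.
"""
from collections import deque
from datetime import datetime

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft.
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins", "Account Operators", "Backup Operators"}

# Constructed sample: group -> direct members (users or other groups).
# Tier0-Ops and Infra-Automation nest into each other to exercise cycle handling.
GROUPS = {
    "Domain Admins":    ["svc_backup", "Tier0-Ops"],
    "Tier0-Ops":        ["Infra-Automation"],
    "Infra-Automation": ["svc_devtest", "Tier0-Ops"],
    "Finance-Apps":     ["svc_legacy"],
}

NOW = datetime(2026, 3, 1)
ACCOUNTS = [  # sAMAccountName, SPNs, gMSA?, pwdLastSet, msDS-SupportedEncryptionTypes
    {"sam": "svc_backup",  "spns": ["backup/bk01.corp.example"], "gmsa": False,
     "pwd_last_set": datetime(2017, 6, 12), "etypes": 0},
    {"sam": "svc_devtest", "spns": ["HTTP/devtest.corp.example"], "gmsa": False,
     "pwd_last_set": datetime(2021, 2, 3), "etypes": AES256 | RC4_HMAC},
    {"sam": "gmsa_sql$",   "spns": ["MSSQLSvc/sql01.corp.example:1433"], "gmsa": True,
     "pwd_last_set": datetime(2026, 2, 17), "etypes": AES256},
    {"sam": "svc_legacy",  "spns": ["cifs/legacy01.corp.example"], "gmsa": False,
     "pwd_last_set": datetime(2026, 2, 9), "etypes": AES256},
    {"sam": "jdoe",        "spns": [], "gmsa": False,
     "pwd_last_set": datetime(2025, 11, 1), "etypes": 0},
]


def reverse_membership(groups):
    """Map each member to the groups it belongs to directly."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, []).append(group)
    return parents


def privileged_paths(sam, groups):
    """Walk up the nesting tree from an account and return every privileged
    group it lands in with the chain that gets it there: {group: [path]}.
    Breadth-first with a visited set, so nested cycles cannot loop it."""
    parents = reverse_membership(groups)
    seen, hits = {sam}, {}
    queue = deque([(sam, [sam])])
    while queue:
        node, path = queue.popleft()
        for parent in parents.get(node, []):
            if parent in seen:
                continue
            seen.add(parent)
            chain = path + [parent]
            if parent in PRIVILEGED_GROUPS:
                hits[parent] = chain
            queue.append((parent, chain))
    return hits


def rc4_allowed(etypes):
    """0 (attribute unset) means the domain default applies, which still
    includes RC4-HMAC unless the domain has been configured otherwise."""
    return etypes == 0 or bool(etypes & RC4_HMAC)


def assess(account, groups=GROUPS, now=NOW, max_pwd_age_days=365):
    """Rate one account's Kerberoasting exposure and explain the rating."""
    sam = account["sam"]
    if not account["spns"]:
        return {"sam": sam, "severity": "none", "findings": ["no SPN registered"]}
    if account["gmsa"]:
        return {"sam": sam, "severity": "none",
                "findings": ["gMSA: password generated and rotated by the domain"]}
    findings = ["password-based account with an SPN: any domain user can request its ticket"]
    stale = (now - account["pwd_last_set"]).days > max_pwd_age_days
    rc4 = rc4_allowed(account["etypes"])
    if rc4:
        findings.append("RC4-HMAC ticket obtainable: cheapest etype to crack offline")
    if stale:
        findings.append(f"password last set {account['pwd_last_set']:%Y-%m-%d}")
    paths = privileged_paths(sam, groups)
    findings += ["privileged via " + " -> ".join(p) for p in paths.values()]
    severity = "critical" if paths else "high" if (rc4 or stale) else "medium"
    return {"sam": sam, "severity": severity, "findings": findings}


def triage(accounts=ACCOUNTS, groups=GROUPS, now=NOW):
    """All accounts, worst exposure first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "none": 3}
    return sorted((assess(a, groups, now) for a in accounts),
                  key=lambda r: rank[r["severity"]])


if __name__ == "__main__":
    for row in triage():
        print(f"{row['severity']:>8}  {row['sam']}")
        for finding in row["findings"]:
            print(f"          - {finding}")
```

The severity scale is deliberately coarse: an SPN account that reaches a privileged group by any path is critical regardless of its password age, because the page's three scenarios all turn on that combination; AES-only accounts with fresh passwords still rate medium, since the ticket can still be requested and cracked, only more slowly. Replace the constructed records with a real export and the list becomes the working queue for steps one through four.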
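The fifth step, and the telemetry gap described earlier under why the attack refuses to die, come down to reading event 4769 for three patterns: a decoy SPN account being requested at all, RC4 tickets for user accounts, and one requester collecting tickets for many SPN accounts in a short window. The block below is an added example, not code from this page or from iSECTECH. The events are constructed to mirror the 4769 XML that Get-WinEvent returns; the field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status) are the real ones, the values are invented, and svc_honey is an assumed decoy account that no legitimate client ever requests. Note that ServiceName in a 4769 is the account the SPN resolves to, not the SPN string itself.

```python
"""Kerberoasting detection over Security event 4769 (service ticket request).

Added example, not code from the page or from iSECTECH.  The events are
constructed to mirror the 4769 XML that Get-WinEvent returns: the field
names are the real ones, the values are invented.  svc_honey is an assumed
decoy SPN account that no legitimate client ever requests.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC; AES is 0x11/0x12
DECOY_ACCOUNTS = {"svc_honey"}  # assumed honeytoken; any request for it is an alert

TEMPLATE = ("<Event xmlns='{ns}'><System><EventID>4769</EventID>"
            "<TimeCreated SystemTime='{ts}'/></System><EventData>"
            "<Data Name='TargetUserName'>{user}@CORP.EXAMPLE</Data>"
            "<Data Name='ServiceName'>{svc}</Data>"
            "<Data Name='TicketEncryptionType'>{etype}</Data>"
            "<Data Name='IpAddress'>::ffff:{ip}</Data>"
            "<Data Name='Status'>{status}</Data></EventData></Event>")


def make_event(seconds, user, svc, etype, ip, status="0x0"):
    """Build one constructed 4769 record, `seconds` after a fixed start time."""
    ts = datetime(2026, 2, 10, 9, 0, 0) + timedelta(seconds=seconds)
    return TEMPLATE.format(ns=NS["e"], ts=ts.isoformat() + "Z", user=user,
                           svc=svc, etype=etype, ip=ip, status=status)


RAW_EVENTS = [  # constructed sample log
    make_event(0,    "jdoe",      "svc_sql",     "0x12", "10.20.31.5"),           # normal AES request
    make_event(3,    "FIN-WS07$", "FILE01$",     "0x12", "10.20.31.7"),           # machine to machine
    make_event(9,    "c.lee",     "svc_sql",     "0x17", "10.20.31.9", "0x12"),   # failed request
    make_event(10,   "a.smith",   "svc_backup",  "0x17", "10.20.30.40"),
    make_event(11,   "a.smith",   "svc_sql",     "0x17", "10.20.30.40"),
    make_event(12,   "a.smith",   "svc_sap",     "0x17", "10.20.30.40"),
    make_event(13,   "a.smith",   "svc_monitor", "0x17", "10.20.30.40"),
    make_event(14,   "a.smith",   "svc_honey",   "0x17", "10.20.30.40"),
    make_event(15,   "a.smith",   "svc_legacy",  "0x17", "10.20.30.40"),
    make_event(1200, "b.jones",   "svc_sql",     "0x17", "10.20.32.9"),           # lone RC4 client
]


def parse_4769(xml_text):
    """Pull the fields that matter out of one 4769 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {"ts": datetime.fromisoformat(when.rstrip("Z")),
            "user": data["TargetUserName"].split("@")[0].lower(),
            "service": data["ServiceName"].lower(),
            "etype": data["TicketEncryptionType"].lower(),
            "ip": data["IpAddress"].replace("::ffff:", ""),
            "status": data["Status"]}


def detect(events, window=timedelta(seconds=60), min_services=5):
    """Return (severity, message) alerts for decoy hits, RC4 tickets for user
    SPN accounts, and many SPN accounts requested by one principal in `window`."""
    alerts, burst_fired = [], set()
    recent = defaultdict(list)                 # (user, ip) -> [(ts, service)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != "0x0":
            continue                           # no ticket issued, nothing to crack
        if ev["service"] == "krbtgt" or ev["service"].endswith("$"):
            continue                           # TGT traffic and computer accounts
        who = f"{ev['user']} from {ev['ip']}"
        if ev["service"] in DECOY_ACCOUNTS:
            alerts.append(("critical", f"decoy account {ev['service']} requested by {who}"))
        if ev["etype"] == RC4_HMAC:
            alerts.append(("medium", f"RC4 service ticket for {ev['service']} issued to {who}"))
        key = (ev["user"], ev["ip"])
        hist = recent[key]
        hist.append((ev["ts"], ev["service"]))
        while ev["ts"] - hist[0][0] > window:  # drop entries older than the window
            hist.pop(0)
        distinct = {svc for _, svc in hist}
        if len(distinct) >= min_services and key not in burst_fired:
            burst_fired.add(key)
            alerts.append(("high", f"{len(distinct)} SPN accounts requested by {who} "
                                   f"within {int(window.total_seconds())}s"))
    return alerts


def summarize(alerts):
    """Alert counts by severity."""
    counts = defaultdict(int)
    for severity, _ in alerts:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(parse_4769(x) for x in RAW_EVENTS)
    for severity, message in found:
        print(f"[{severity}] {message}")
    print(summarize(found))
```

On the constructed sample the requester at 10.20.30.40 trips the burst rule at its fifth distinct SPN account and the decoy rule on svc_honey; the lone RC4 request from b.jones produces only a medium alert, which is the right weight for a single legacy client. In production the RC4 rule is worth baselining per account so that it fires on a downgrade, an RC4 ticket for an account that normally receives AES, rather than on every RC4 ticket in a domain that has not finished its migration.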
Boards reading our analysis of the six cybersecurity metrics that belong on every quarterly agenda often add a seventh, identity-specific metric: the percentage of service accounts on Group Managed Service Accounts. The metric is simple, the trajectory is unambiguous, and the absence of progress is a clear governance signal.
Why This Connects to Authentic Penetration Testing
The Kerberoasting attack is also the cleanest possible illustration of the difference between an authentic penetration test and a compliance scan, the subject of our analysis of why “we passed our last pentest” has become the most dangerous sentence in cybersecurity. A compliance scan will not attempt the technique. A senior-led adversarial engagement will, on day one, and the result is a far more honest description of the organization’s actual security posture than any vulnerability count could produce.
“If your last internal pentest did not include Kerberoasting in its first hour, you do not have an internal pentest report. You have a list of patches.”
HD Moore, Founder of Metasploit and runZero
The Operational Discipline Boards Should Demand
The operational discipline boards should demand around the Kerberoasting attack is straightforward. A directors’ question worth asking next quarter is: “What proportion of our service accounts are on Group Managed Service Accounts, and what is the trajectory?” A second worth asking is: “When was the last time our internal penetration test attempted Kerberoasting, and what was the result?” If the answer to either question is uncertain or absent, the conversation has just become productive.
The 2026 reality is that the Kerberoasting attack continues to work against the majority of mid-market and enterprise Active Directory environments because the configuration debt that enables it has, at most organizations, never been paid down. Paying it down is not a glamorous program. It is, however, one of the highest-leverage identity-hygiene investments an organization can make — cheaper than most tools, more durable than most controls, and quietly visible in every subsequent assurance report.
The Kerberoasting Attack as a Cultural Indicator
Beyond the technical specifics, the Kerberoasting attack has become a cultural indicator in the way senior practitioners read an organization. An environment in which the attack works on most service accounts is rarely an environment with a single identity problem. It is, in nearly every case, an environment in which identity hygiene has lost annual budget battles to more visible projects, in which change-control discipline has eroded under growth pressure, and in which the chief information security officer has accumulated more responsibility than authority. The technical finding is the symptom; the organizational reality is the underlying condition. Senior practitioners who have read enough Kerberoasting reports can, with disquieting accuracy, predict the maturity of a company’s broader identity program from the proportion of service accounts that fall to the attack in the first hour. The metric is informal. It is also, in our experience, almost never wrong.
Have Your Active Directory Tested by Someone Who Will Try the Attack
iSECTECH’s Internal Penetration Testing and Active Directory Security practitioners hold OSCP, OSEP and CRTO credentials and conduct senior-led adversarial engagements that begin with techniques like Kerberoasting in the first hour, not the last day. If your internal directory has not been tested by senior operators who will actually attempt the technique, talk to a senior iSECTECH specialist about an engagement that produces an honest description of your identity posture. For the wider operational context, see our four-hour ransomware containment playbook — the response capability the Kerberoasting attack ultimately tests.
Continue Reading: Week 3 Field Notes
Active Directory failures rarely sit alone. Our Week 3 briefs extend the identity perspective: why the forgotten privileged account is still the most expensive failure mode, how MFA fatigue produces 11-minute compromises in 2026, and why the supply chain has become the new perimeter.
