Skip to main content

The Vilkas Wire

What Happens to Active Directory Between Annual Penetration Tests

May 18, 2026 · By Ben Rollin

Defender TipsActive Directory
AD Continuous Monitoring

Most organizations handle Active Directory security the same way: they bring in a firm once a year, run a penetration test, fix whatever gets flagged, and move on. That process can feel reassuring, with a detailed report documenting a slew of issues, and for a while, there is a real sense that things are under control.

The problem is that Active Directory does not stay still after the test is over. Admins make necessary changes, vendor tools are installed, permissions are adjusted, and policies are updated. None of that is outside the norm, and none of it is done with malicious intent, but all of those routine changes gradually reshape the environment, which means the environment you have in month ten is often very different from the one that was tested in month one.

Changes Compound Over Time

A penetration test usually lasts a week or two, and the other 50 weeks are spent operating on trust.

During that time, new service accounts are created and then forgotten, and group memberships expand to solve short-term access problems and never get rolled back. Group Policy changes get made under pressure, but nobody has time to fully validate the downstream impact. New vendor tools get rolled out that make changes inside Active Directory that go further than expected, and no one catches it because nothing immediately breaks.

Individually, none of those changes looks alarming, but they slowly compound. The environment becomes harder to understand, not because anyone is careless, but because day-to-day IT work keeps moving while security visibility stays fixed.

How Environments Drift

Domain compromise doesn't always begin with one huge, obvious misconfiguration sitting in plain sight. What usually happens is abuse of a long chain of small, reasonable decisions that never get looked at together through the lens of an attacker.

A permission set is granted to solve an urgent problem and never revisited, a service account picks up extra rights over the course of a year or two of “just this once” approvals, with the intent to bake in a more secure choice later. A policy change fixes one issue but creates an inconsistency elsewhere. A file share that was supposed to remain limited to one team gradually becomes available to far more people than intended and grows in size with documents that should not be accessible to every department across the company.

Each of these examples is just the normal background noise of running an environment. The issue is that security risk is often not determined by any single change (though, of course, a single change CAN have devestating effects). An organization's overall Active Directory security risk is determined by the directory's cumulative state, which changes constantly.

The Attacker Perspective

Attackers are usually not hunting for one perfect flaw; they are looking for a path of issues they can chain together, ideally using built-in functionality and misconfigurations that allow them to blend in with routine network activity.

A weak credential on a service account may not matter much in isolation, but if that account has accumulated more permissions than it should have, and an ACL somewhere creates an unexpected bridge to something sensitive, and a certificate template is exposed in a way that supports impersonation, then suddenly there is a real path to exploitation and even domain compromise. Each change may have been fine at the time, but the environment can become risky when those changes pile up and interact with each other, creating a combination of permissions, accounts, and settings that provides an attacker with a path.

This is why timing is key. An assessment from a year ago may have been accurate on the day it was performed, but it would be completely out of date today. The attack chain(s) may not have existed then, but may exist today and often go undiscovered for months or years, with low visibility into the continuously changing Active Directory environment.

Why Visibility is Challenging

Organizations with dedicated security teams can review changes continuously because that is someone’s full-time job, but many companies do not have that luxury.

The team managing Active Directory is usually also handling help desk tickets, firewall replacements, vendor onboarding, endpoint issues, and whatever else broke overnight. In that reality, annual or periodic penetration tests become the most logical way to get external validation. That does not mean they are enough; it just means they are the cadence most teams can sustain. Penetration tests are also rather intrusive, and may eat up time from internal resources needed on other projects. This does not mean they're not a necessity, but doing a full-blown internal penetration test with a heavy focus on Active Directory on a monthly basis just isn't feasible in the vast majority of organizations.

The gap appears in between those assessments, as there is often no standing process that answers a simple but important question: what changed, what does that mean for the attack surface, how do we fix it, and how do we prevent similar issues from cropping up in the future?

What Visibility Really Means

The problem usually is not a total lack of data. Most environments have no shortage of logs, directory events, and some form of change tracking. What they usually do not have is an easy way to connect those changes to security impact without spending hours on manual correlation.

Can you answer right now what changed in Active Directory over the last 30 days that affected privilege, access, or policy? Not just what changed, but whether the change expanded exposure or opened up a new attack chain? For most teams, that answer is buried across too many systems and too many handoffs to be able to answer confidently.

Sure, it can be done manually to some extent, but it will most likely result in an incomplete picture. Work around this type of visibility is just not done consistently, and it usually does not happen until someone is already worried, if at all.

Pentests are Not the Problem

This is not an argument against penetration testing. A good test is valuable; we perform them regularly and are among the biggest advocates of periodic penetration testing. These assessments, when done well, find real issues, challenge assumptions, and give teams concrete work to do to further harden the environment.

The biggest limitation is that penetration tests are point-in-time assessments, scoped down to a short testing window, and the tester has to cover network attacks, surfaces, applications, Active Directory, Linux hosts, databases, etc. They capture the state of an Active Directory environment at a specific moment, which means they are not designed to tell you how that environment changes after the report is delivered. That is not an inherent flaw in the process, but simply what the process is built to do.

What most organizations actually need is not necessarily more frequent one-off testing, though testing at least biannually is better than waiting 12 months (or longer) between assessments. They need a way to understand what is happening between tests, and that only comes through proactive, in-depth, continuous Active Directory security monitoring that gives you deep visibility into every object, every corner of the domain or domains.

Closing Thoughts

Active Directory changes and evolves constantly. I've tested 100s of Active Directory environments, and many looked very different year over year when I was brought in to perform tests over a multi-year period. That is not a bug; it is what a live environment does as businesses grow, priorities shift, acquisitions occur, and roles change.

The real issue is operating without visibility into how those changes affect security from one week or even one day to the next. Most organizations are not missing that visibility because they do not care; they're missing it because maintaining continuous awareness is genuinely difficult without the right tools and processes.

Active Directory security is defined by the environment as it exists right now, not by the last assessment sitting in PDF form on a file share somewhere, collecting digital dust. For many organizations that rely on annual testing, “right now” is still the question nobody can answer cleanly.

Ready to Get a Clearer View of Active Directory?

There is a good chance that risk is accumulating in the gaps between assessments if your organization only reviews Active Directory once a year. A quarterly AD review gives you a much better chance of catching permission creep, exposed attack chains, and risky changes before they turn into a real problem. Vilkas Cybersecurity helps organizations get that visibility with ongoing Active Directory security monitoring and targeted reviews that go beyond a point-in-time test. If you want a clearer picture of where your directory stands today, a quarterly review is a great place to start, establishing a baseline for your AD security posture and planning for continuous reviews.

Loading form…