1. Getting Started
What is Forestall?
Forestall is an identity security posture management (ISPM) platform. It scans Active Directory and hybrid identity environments to find misconfigurations, excessive privileges, attack paths, and credential exposure — then helps you prioritize and fix them.
What environments do you support?
Forestall supports on-premises and hybrid identity environments:
- On-premises Active Directory (single or multi-forest)
- Hybrid environments with Entra ID (Azure AD)
- Multi-domain and cross-trust configurations
How long does a typical scan take?
Most environments complete an initial scan in under 60 minutes. Large estates (100k+ objects) may take a few hours. Scans run in the background and do not require downtime.
What do I get at the end of a scan?
A prioritized list of findings, attack path maps, compliance scores against baselines, and actionable remediation guidance. All results are available in the dashboard and exportable as PDF, CSV, or JSON.
2. Deployment
Is Forestall agentless?
Yes. No agents are installed on domain controllers or endpoints. The scanner runs from a single machine in your environment and queries AD over standard protocols (LDAP/S).
Do you require Domain Admin privileges?
No. Forestall works with a standard domain user account that has read access. Domain Admin or elevated privileges are not required for assessment.
Where does the scanner run?
The scanner runs on a customer-hosted machine inside your network. No data leaves your environment unless you explicitly configure an export.
Can we scan multi-domain / multi-forest environments?
Yes. Forestall supports scanning across multiple domains, forests, and trust relationships from a single deployment.
Do you support air-gapped or restricted networks?
Yes. The scanner operates fully offline. Updates and license activation can be handled through an offline transfer process.
3. Security & Privacy
What data do you collect during a scan?
Forestall reads directory metadata: object attributes, group memberships, ACLs, GPO settings, and trust configurations. It does not read file contents, email, or user credentials.
Do you exfiltrate data outside the environment?
No. All scan data stays on the customer-hosted scanner by default. There is no call-home or telemetry that transmits identity data externally.
How is data stored and protected?
Scan results are stored locally on the scanner host and encrypted at rest. Access is controlled through the product’s role-based access model.
Can we control retention and delete scan data?
Yes. You can set retention policies and delete scan data on demand from the admin settings.
Does Forestall perform exploitation or active testing?
No. Forestall is a passive, read-only assessment tool. It does not modify objects, test credentials, or perform any exploitation. All analysis is based on configuration and metadata.
4. Permissions & Access
What minimum permissions are required for AD assessment?
A standard domain user account with read access to the directory. No write or admin permissions are needed.
- Read access to AD objects, attributes, and ACLs
- Read access to Group Policy Objects (SYSVOL)
- Network access to domain controllers (LDAP/S)
Can we run with read-only accounts?
Yes. Read-only is the recommended and default configuration. Forestall never writes to the directory.
What about Entra ID / cloud identity permissions?
For hybrid environments, Forestall uses a read-only application registration in Entra ID with Directory.Read.All scope. No write or admin consent is required.
How do you handle privileged access in the product?
Forestall uses role-based access control (RBAC) within the product. Administrators can assign viewer, analyst, and admin roles to control who sees findings and who manages settings.
5. Findings & Risk
How do you prioritize findings?
Each finding is scored by exploitability and blast radius. Findings that affect Tier-0 assets or create direct attack paths are ranked highest. You can filter by category, severity, or affected asset.
What is an “attack path” in Forestall?
An attack path is a chain of misconfigurations or excessive permissions that an attacker could follow to reach a high-value target (e.g., Domain Admin). Forestall maps these paths using graph analysis and highlights choke points for remediation.
What are “shadow admins”?
Shadow admins are accounts with effective admin-level privileges through indirect means — such as ACL inheritance, delegation, or nested group membership — without being explicitly listed in admin groups.
Can you map exposure to Tier-0 / critical assets?
Yes. Forestall identifies Tier-0 assets (Domain Admins, DC accounts, schema admins, etc.) and maps all paths and permissions that lead to them.
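The three answers above (attack paths, shadow admins, and Tier-0 exposure mapping) all come down to the same graph question: which principals can reach a Tier-0 group, by what chain of relationships, and which intermediate node breaks the most chains when fixed. The following Python block is an added illustration of that analysis, not Forestall's code. The directory relationships, user list, and relation names (`MemberOf`, `GenericAll`, `WriteDacl`) are constructed sample data, and the choke-point ranking (how many exposed users lose every path when a node is remediated) is an assumed heuristic, not a description of how the product scores.

```python
from collections import defaultdict

# Constructed sample relationships (not from any real environment).
# Each edge reads: source has <relation> into/over target.
EDGES = [
    ("alice",      "MemberOf",   "Domain Admins"),   # explicit Tier-0 member
    ("bob",        "MemberOf",   "Helpdesk"),
    ("Helpdesk",   "MemberOf",   "Tier1-Ops"),       # nested group membership
    ("erin",       "MemberOf",   "Tier1-Ops"),
    ("Tier1-Ops",  "GenericAll", "svc-backup"),      # ACL right over an account object
    ("svc-backup", "MemberOf",   "Domain Admins"),
    ("carol",      "WriteDacl",  "Domain Admins"),   # ACL right over the Tier-0 group itself
    ("dave",       "MemberOf",   "Sales"),           # no route to Tier-0
]
USERS = {"alice", "bob", "carol", "dave", "erin", "svc-backup"}
TIER0 = {"Domain Admins"}  # assumed Tier-0 target set for this toy graph


def build_graph(edges):
    """Adjacency list: node -> [(relation, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def all_paths(graph, start, targets, blocked=frozenset()):
    """Every simple path from start to any target, as a list of (src, rel, dst) steps.
    Nodes in `blocked` are treated as remediated and cannot be traversed."""
    paths = []

    def dfs(node, path, seen):
        if node in targets and path:
            paths.append(list(path))
            return
        for rel, nxt in graph.get(node, []):
            if nxt in seen or nxt in blocked:
                continue
            path.append((node, rel, nxt))
            seen.add(nxt)
            dfs(nxt, path, seen)
            path.pop()
            seen.discard(nxt)

    dfs(start, [], {start})
    return paths


def format_path(path):
    """Render a path as 'a -Rel-> b -Rel-> c' for a report."""
    out = path[0][0]
    for _, rel, dst in path:
        out += f" -{rel}-> {dst}"
    return out


def explicit_admins(edges, tier0):
    """Principals listed directly as members of a Tier-0 group."""
    return {src for src, rel, dst in edges if rel == "MemberOf" and dst in tier0}


def exposed_users(graph, users, tier0, blocked=frozenset()):
    """Users with at least one path to a Tier-0 group."""
    return {u for u in users if all_paths(graph, u, tier0, blocked)}


def shadow_admins(edges, users, tier0):
    """Effective Tier-0 reach via nesting or ACL rights without explicit membership."""
    graph = build_graph(edges)
    return exposed_users(graph, users, tier0) - explicit_admins(edges, tier0)


def choke_points(edges, users, tier0):
    """Rank intermediate nodes by how many exposed users lose all Tier-0 paths
    when that node is remediated (assumed heuristic). Returns [(count, node), ...]."""
    graph = build_graph(edges)
    baseline = exposed_users(graph, users, tier0)
    intermediates = set()
    for user in baseline:
        for path in all_paths(graph, user, tier0):
            for _, _, dst in path[:-1]:  # exclude the final Tier-0 target
                intermediates.add(dst)
    ranked = []
    for node in intermediates:
        remaining = exposed_users(graph, users, tier0, blocked={node})
        ranked.append((len(baseline - remaining), node))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print("Explicit Tier-0 members:", sorted(explicit_admins(EDGES, TIER0)))
    print("Shadow admins:", sorted(shadow_admins(EDGES, USERS, TIER0)))
    for user in sorted(USERS):
        for path in all_paths(graph, user, TIER0):
            print("  path:", format_path(path))
    print("Choke points (users cut, node):", choke_points(EDGES, USERS, TIER0))
```

On the constructed data, `bob` and `erin` are shadow admins through nested membership plus an ACL right, `carol` is one through a direct right over the group, and `Tier1-Ops` / `svc-backup` rank as the choke points because fixing either severs both nested chains while `Helpdesk` only severs one.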
How do you reduce false positives?
Findings are validated against actual environment context — live group memberships, effective permissions, and real trust relationships. This removes theoretical-only risks and focuses on exploitable conditions.
6. Reporting & Automation
What reports are available?
Forestall provides multiple report types:
- Executive summary (posture score, trend, top risks)
- Detailed findings report (per category)
- Compliance scorecards (per baseline)
- Attack path maps
- Remediation task lists
Can we export findings?
Yes. All findings and reports can be exported as CSV, PDF, or JSON from the dashboard.
Do you support ticketing workflows (Jira / ServiceNow)?
Integration with Jira and ServiceNow is on the roadmap. Currently, findings can be exported and imported into your existing workflow tools.
Can we track remediation progress over time?
Yes. Forestall tracks finding status across scans, so you can see which issues have been resolved, which are new, and how your posture score changes over time.
7. Compliance
What baselines do you support?
Forestall supports industry-standard baselines:
- CIS Benchmarks for Active Directory
- Microsoft Security Baselines
- DISA STIGs (where applicable)
- Custom baselines for organization-specific policies
Can you generate evidence-ready compliance reports?
Yes. Compliance reports map each finding to the relevant control, include pass/fail status, and can be exported in formats suitable for auditors.
How do compliance scores work?
Each scanned setting is compared against the selected baseline. A compliance score is calculated as the percentage of controls that pass. Scores are broken down by domain, OU, or GPO for granular visibility.
8. Licensing & Support
How is licensing measured?
Licensing is based on the number of assessed identity objects. Contact sales for pricing based on your environment size.
Can we run a PoC?
Yes. Forestall offers a 1-day Proof of Value engagement where we scan your environment and walk through findings together. No long-term commitment required.
What support channels do you provide?
Forestall provides multiple support options:
- Email support with SLA-based response times
- Dedicated customer success manager (enterprise plans)
- Documentation and knowledge base
- Scheduled check-in calls
How do updates work?
Updates are delivered as new scanner builds. For connected environments, updates can be applied from the admin console. For air-gapped deployments, updates are provided as offline packages.
See your identity exposure clearly.
If you want a guided walkthrough, we'll run it with you.