Your Active Directory.
No blind spots.

ADSecure Report™ is a pioneering European Active Directory audit platform that produces 7 distinct regulatory reports in a single scan. 286 security controls aligned with NIS2, ISO 27001 and GDPR.

On-site intervention systematically included
SHA-256 validation in presence of the CISO
Zero AD data sent to our servers — on-premise scan
QR Code verifiable attestation
  • Global Security Score: 78
  • LAPS deployed: OK
  • SMBv1 active: CRITICAL
  • Kerberoastable accounts: 7 found
  • Audit policies: CONFIGURED

  • 286 security controls
  • 7 distinct reports
  • 26 on-prem domains
  • 7 cloud groups
  • 100% Made in Belgium

Why choose ADSecure?

One of the few platforms combining guided remediation, business visibility and multi-framework compliance

Complete AD Audit

Exhaustive analysis of accounts, GPOs, delegations, Kerberos, DNS, PKI, trust relationships. Structured report immediately actionable.

Guided Remediation

Each vulnerability comes with step-by-step instructions for the system administrator, with risk level and intelligent prioritization.

Smart Scoring

Score by identity, by server, by business service. Not 1,000 alerts: the 10 actions that are truly critical for your security.

Executive Mode

Non-technical dashboard with business risks, compliance and key indicators for decision-makers and auditors.

7 Distinct Reports

CEO, IT Manager, DPO/GDPR, PowerShell Remediation Guide (sysadmin), Detailed Scoring (CIS/ISO/NIS2/DORA), Trend Report (time comparison), and AD Forest Report (multi-domain, trusts, topology).

Security & Privacy

Local data processing, end-to-end encryption, no data transmitted without explicit consent.

Verifiable Legal Attestation

Every ADSecure scan generates a timestamped, tamper-proof QR Code attestation — verifiable in real time at verify.mandatoryshield.com. Admissible as due-diligence evidence in audits, insurance claims, and regulatory inspections. An innovative approach.

Regulatory Compliance

ADSecure aligns your AD security with European and international standards

NIS2
Covered
European Directive — October 2024
NIS2 requires essential and important EU entities to implement robust cyber risk management measures and incident notification (72h). It covers critical sectors: energy, health, transport, finance, public administration.
  • Privileged access management
  • Detection and notification (72h)
  • Vulnerability management
  • Business continuity
ISO 27001
Aligned
International ISMS Standard
ISO/IEC 27001 is the international reference standard for Information Security Management Systems (ISMS). It defines requirements for establishing, implementing and maintaining a globally recognized ISMS.
  • Access control (A.5.15)
  • Cryptography (A.8.24)
  • Operations security (A.8.15–A.8.16)
  • Incident management (A.5.24)
CIS Controls
Integrated
Technical framework v8
CIS Controls (v8) define 18 priority controls to drastically reduce the attack surface. Highly technical in nature, they are used by IT teams and auditors as a practical implementation guide.
  • Account management (CIS 05)
  • Access management (CIS 06)
  • Audit log management (CIS 08)
  • Application security (CIS 16)
GDPR
Compliant
EU Regulation 2016/679
GDPR (EU 2016/679) governs the collection, processing and protection of personal data in the European Union. For AD, it involves access traceability, authorization management and rights minimization.
  • Access traceability
  • Lifecycle management
  • Least privilege
  • Log management
Cyfun
Aligned
Belgian CCB Framework
CyFun is the Belgian cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB). Based on NIST CSF and adapted to the Belgian context, it classifies organizations into 4 maturity levels (Basic, Important, Essential, Critical).
  • Asset identification
  • Authentication protection
  • Anomaly detection
  • Incident response
DORA
Covered
Financial sector — 2025
DORA (EU 2022/2554) applies since January 2025 to European financial entities (banks, insurance companies, ICT providers). It requires robust digital operational resilience, including access management and resilience testing.
  • ICT risk management
  • Resilience testing
  • Incident management
  • Third-party oversight
ANSSI
Aligned
French National Cybersecurity Agency
ANSSI publishes technical recommendations for Active Directory hardening, widely adopted across French-speaking Europe. ADSecure maps directly to R33 (Server Core) and R72 (FSMO separation).
  • DC hardening (R33)
  • FSMO & SPOF separation (R72)
  • Tiering model
  • PAM recommendations

Transparent Pricing

Four offers designed around how you work — not your headcount

One-time

Oneshot

A single MSC-led intervention. You receive the reports, not the software.

  • Full on-prem + cloud scan (286 controls)
  • All 7 HTML reports delivered
  • On-site SHA-256 validated execution
  • Expert debrief & report walkthrough
  • QR Code verifiable attestation
€ 2,400
Annual

Essential

Annual subscription with trend tracking and software updates. For SMEs with 20–200 users.

  • Everything in Oneshot (full scan, 7 reports, on-site SHA-256)
  • Trend report — track security evolution over time
  • Software update access included
  • Full compliance: NIS2, ISO 27001, GDPR, CIS, DORA, ANSSI
  • Email support included
€ 6,900/year
Per scan

Auditor

For external auditors & pentesters. NIS2, ISO 27001. Pay per scan pack.

  • Scan packs: 5, 10 or 20 scans
  • Full scan + all 7 reports per audit
  • Multi-client use
  • QR Code verifiable attestation per client
  • Pack valid up to 18 months
On quote

✓ All prices are ex-VAT — VAT applies as per applicable legislation
✓ One-Shot payment: 10% deposit on signing — 50% on first report delivery + 50% on final reports
✓ Payment terms: 30 days end of month
✓ Essential & Professional subscriptions billed quarterly
✓ Auto-renewal with 30-day notice
✓ Custom quote within 48h
✓ Special conditions for public sector and associations

Frequently Asked Questions

Find quick answers to the most common questions

ADSecure Report™ is an Active Directory audit platform that produces, from a single scan, seven distinct regulatory reports: (1) Senior Management Report (CEO), (2) IT Manager Report, (3) DPO/GDPR Report, (4) Remediation Report (step-by-step PowerShell guide for sysadmins), (5) Detailed Scoring Report (by domain, CIS/ISO/NIS2/DORA weighting), (6) Trend Report (evolution over time, comparison with previous scans), (7) Active Directory Forest Report (multi-domain, trusts, topology). 286 control points cover 26 on-prem domains and 7 cloud groups of your AD infrastructure.

No. The scan runs in read-only mode, without installation, without modifying the infrastructure. Data does not leave the client's environment. The self-contained PowerShell agent runs on any Windows environment from Server 2016 onwards. No Active Directory data transits to our servers: this is guaranteed architecturally, not contractually.

On-site presence is not an option in our model: it's a principle. Deploying a security tool on a domain controller without being physically present to validate its integrity and accompany the report delivery means missing the essence of what an audit means. The SHA-256 validation of the executable, performed live in the presence of the CISO before launch, is the foundation of trust.

Operating system: Windows 10/11 (64-bit) or Windows Server 2016/2019/2022. The EXE is compiled as x64 — it will not run on a 32-bit system.

PowerShell: Windows PowerShell 5.1 minimum (included natively on Win10/11 and Server 2016+). PowerShell 7+ (Core) is not supported — native Windows PowerShell only.

RSAT: The ActiveDirectory PowerShell module must be installed on the machine running the scan. On Windows 10/11: Settings › Apps › Optional features › RSAT: Active Directory Domain Services and LDS Tools. On Windows Server: Install-WindowsFeature RSAT-AD-PowerShell

Network & AD rights: The machine must be a member of the domain being audited. A domain controller reachable on the network (ports LDAP 389, Kerberos 88, RPC 135). An account with Active Directory read rights — Domain Admin recommended for a full scan.

Execution rights: Run the EXE "as administrator" (the EXE automatically requests UAC elevation via the -requireAdmin flag).

Output folder: Write access to Documents\ADSecure (created automatically) — HTML reports are generated there.

Optional — AADS cloud module: Only required if scanning Entra ID / Azure AD: Install-Module MSAL.PS -Scope CurrentUser, .NET Framework 4.6.1+ (native on Win10/Server 2016+), an Azure account with read-only Graph permissions on the tenant (admin consent required), internet access for Microsoft Device Code Flow — no secret stored, authentication in memory only.
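The on-prem prerequisites listed above, together with the SHA-256 check of the executable, can be verified on the scan machine before launch. The script below is an added example, not ADSecure's own code; `$ExePath`, `$ExpectedSha256` and `$DomainController` are placeholders the operator supplies, and only TCP reachability of the listed ports is tested.

```powershell
# Pre-flight check for the prerequisites listed above (added example, not vendor code).
# $ExePath, $ExpectedSha256 and $DomainController are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,    # reference hash obtained out of band
    [Parameter(Mandatory)] [string] $DomainController
)

$results = [ordered]@{}

# The page states the EXE is x64 only.
$results['64-bit OS'] = [Environment]::Is64BitOperatingSystem

# Windows PowerShell 5.1 (Desktop edition); PowerShell 7+ (Core) is stated as unsupported.
$results['Windows PowerShell 5.1'] = ($PSVersionTable.PSEdition -eq 'Desktop') -and ($PSVersionTable.PSVersion -ge [version]'5.1')

# RSAT ActiveDirectory module is installed.
$results['ActiveDirectory module'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

# Machine is a member of a domain.
$results['Domain member'] = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Domain controller reachable on LDAP 389, Kerberos 88 and RPC 135 (TCP).
foreach ($port in 389, 88, 135) {
    $results["DC TCP/$port"] = Test-NetConnection -ComputerName $DomainController -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# SHA-256 of the executable must equal the reference value (-eq is case-insensitive on strings).
$actual = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
$results['SHA-256 match'] = $actual -eq ($ExpectedSha256 -replace '\s', '')

# Print one PASS/FAIL line per check, then the computed hash for the written record.
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
"Computed SHA-256: $actual"

# A non-zero exit code lets a wrapper refuse to launch the scan.
if ($results.Values -contains $false) { exit 1 }
```

The hash comparison is only meaningful if the reference value comes from a channel independent of the one that delivered the executable.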

Yes. ADSecure helps you build your compliance evidence: Each of ADSecure's 286 controls is mapped to the relevant NIS2 article (EU Directive 2022/2555, mandatory since October 2024) and to the relevant Annex A controls of ISO/IEC 27001:2022 (93 controls across the Organizational, People, Physical and Technological themes — A.5 to A.8). The management report automatically generates an Art. 21 compliance summary ready for auditors. We also cover CIS Controls v8, GDPR, Cyfun (Belgium), DORA (financial sector) and ANSSI R33/R72 recommendations. ADSecure does not, by itself, confer NIS2 compliance or ISO 27001 certification — these require an organizational assessment by a qualified auditor.

ADSecure's QR Code attestation is an enforceable, timestamped, tamper-proof document. It is verifiable in real time at verify.mandatoryshield.com and constitutes admissible due-diligence evidence in the context of an audit, a claim or a regulatory inspection. It's a unique market innovation that gives legal value to your security audits.

We offer four plans designed around how your team works:

Oneshot (€2,400 ex-VAT) is a one-time MSC-led intervention — ideal for organizations that need a comprehensive security baseline or pre-certification evidence without a recurring commitment.

Essential (€6,900/year — €575/month) adds trend reporting and software update access on top of the Oneshot. Designed for SMEs with 20–200 users who need to track security evolution over time.

Professional (€14,900/year — €1,242/month) gives your team an annual license with unlimited scans plus ShieldConnect (6 SIEM connectors: JSON/CEF export). For mid-sized companies (ETIs) with 200–800 users and advanced SMEs.

Auditor is designed for external NIS2 / ISO 27001 auditors and pentesters — purchased as scan packs of 5, 10 or 20 scans, usable across multiple client environments.

Contact us to discuss which plan matches your security maturity and regulatory obligations.

We do not offer free trials due to the sensitive nature of Active Directory audits and our systematic on-site approach. However, we organize personalized appointments to present the platform, answer your specific questions and assess your needs. Contact us at contact@mandatoryshield.com to schedule a discussion with our experts.

After contract signing and invoicing, we schedule the on-site intervention within 5 to 10 business days depending on your location. The first audit and report delivery take place during this mission. Subsequent audits are scheduled according to your plan: 4 audits per year for Essential, unlimited scans for Professional, or per scan pack for the Auditor plan.

Yes, included from the Essential plan. The Azure AD & hybrid cloud module is included in all plans at no extra cost. It analyzes your Microsoft cloud environment, Azure AD Connect synchronizations and federation configurations, and produces a dedicated report alongside the on-premise AD audit.

Shield modules are optional add-ons for the Professional plan, designed for security teams that need more than audit reports.

ShieldConnect (available in v3.4 — Professional plan only) sends scan results directly to your SIEM (Sentinel, Splunk, Elastic, Wazuh, Graylog, QRadar) and messaging tools (Teams, Slack) in JSON or CEF format. 6 connectors included.

The following modules are planned for v4.0 (Q3–Q4 2026) and are not yet available:

ShieldPredict will simulate future attack scenarios based on your current AD posture, scoring risks by real exploitability and business impact rather than generic CVE scores.

ShieldBrand will allow MSPs and integrators to deliver ADSecure reports under their own brand identity.

Contact us at contact@mandatoryshield.com to discuss availability and pricing.

Yes. The Auditor plan is specifically designed for external NIS2, ISO 27001 auditors, and pentesters who need to run AD security assessments across multiple client environments.

Instead of an annual subscription, you purchase a scan pack (5, 10 or 20 scans). Each scan includes the full 286-control analysis and all 7 regulatory reports. Packs are valid for up to 18 months and can be used across different client Active Directories.

The QR Code verifiable attestation — generated per scan and verifiable at verify.mandatoryshield.com — provides your clients with legally admissible audit evidence ready for regulatory inspections.

Contact us at contact@mandatoryshield.com to discuss Auditor pricing.

Who we are

Mandatory Shield Company develops ADSecure, the first Active Directory audit solution designed for European SMEs and mid-sized companies. ADSecure produces a complete report in under 5 minutes covering 286 security controls, aligned with NIS2, ISO 27001, CIS and GDPR, including ready-to-use PowerShell remediation scripts. No data leaves the client's infrastructure — everything runs locally, in read-only mode.

Pierre-Antoine Rouhaud
Co-Founder & CEO
Expert in securing Windows infrastructures and Active Directory environments. Pierre-Antoine combines strategic business vision with deep technical expertise in identity security. He leads ADSecure's product direction, commercial strategy, and regulatory compliance positioning across NIS2, ISO 27001 and DORA markets.
Raphaël Berki
Co-Founder & CTO
Software architect and cybersecurity specialist, Raphaël designs ADSecure's core engine — 286 security controls covering on-prem Active Directory and Azure Entra ID. His expertise spans Kerberos attack analysis, ADCS vulnerability research (ESC1–ESC7), behavioral detection, and intelligent scoring systems aligned with CIS Controls, ANSSI and DORA frameworks.

Our Mission

Enable every European organization to master the security of its Active Directory, regardless of its size, with tools that are powerful, accessible and compliant.

Built in Belgium

Developed in Brussels. GDPR native. European sovereignty.

Innovation

Continuous R&D to anticipate tomorrow's threats.

Trust

Transparency, guidance and expert support.

Contact

Book a Meeting

Let's discuss your Active Directory security needs. Our experts will contact you within 24 hours to arrange an appointment.

Email: contact@mandatoryshield.com
Website: www.mandatoryshield.com
Location: Brussels, Belgium (European Union)