PingCastle vs. PSGuerrilla
A Check by Check Comparison From the Person Who Wrote One of Them
A couple of years ago I was driving to work listening to PDQ’s PowerShell Podcast, hosted by the one and only Andrew Pla, and Spencer Alessi was on talking about Active Directory security tooling. He brought up PingCastle. I had not used it. I downloaded it that afternoon, ran it against our domain, and within the hour I had a list of findings I had not seen before. A few months later I was on stage at MAEDS giving a talk called Securing Active Directory with PowerShell and Other Tools, and PingCastle was in the slide deck. I told a room of Michigan K-12 IT directors to go run it.
I still tell people to run it. PingCastle is good software. Vincent Le Toux has been maintaining it for the better part of a decade, the scoring model is calibrated against more real environments than anyone else’s, and the HTML report is the closest thing our industry has to a shared vocabulary for AD posture. If you have ever sat in a room where two engineers compare AD environments by maturity level, PingCastle is the reason that conversation is possible.
A note on scope before I go further. PSGuerrilla is not an AD-only tool. It ships 431 security checks across four theaters: Google Workspace (98 checks), Active Directory (175 checks), Entra ID, Azure, Intune, and M365 (159 checks), and continuous monitoring on top of all of it. PingCastle is fundamentally an AD tool with a separate paid Cloud Edition for Entra. So a fair comparison is really just the AD piece. That is what most of this article is about. But I want to be honest up front that the cloud side is not a place PingCastle wins. It is a place PSGuerrilla extends much further by the end.
So why did I build PSGuerrilla?
Why I built it anyway
Two reasons. The first is structural and the second is philosophical, and they reinforce each other.
The structural one is that PingCastle’s coverage stops where Vincent’s roadmap stops and there are categories of AD risk in 2026 that did not exist when the original rule set was written. ADCS escalation is the obvious example. ESC1 through ESC8 were documented in SpecterOps’ Certified Pre-Owned paper and PingCastle covers them well. ESC9 through ESC16 and EKEUwu were published after PingCastle’s ADCS module was written, and templates that pass PingCastle’s checks can still get you domain owned via ESC9 or ESC13. Same story with NTDS hash analysis, logon script body parsing, NTLM relay preconditions as a category, and Tier-0 hygiene for accounts that are functionally Tier-0 but do not appear in standard privileged group enumeration. Someone needed to write the checks.
The philosophical reason is that PingCastle Basic Edition is free for internal IT, but not for security consultants, MSSPs, pen testers, or auditors running it against client domains. For those use cases you need one of PingCastle’s commercial licenses (Auditor or Enterprise, depending on the engagement). That is a defensible business model. Vincent is well within his rights to fund the project that way and the per-domain cost is reasonable. But it cuts out the people who deliver findings for a living without a budget for tooling, and it cuts out the consultancies that work with under-resourced organizations. K-12 districts, county governments, rural hospitals, and small nonprofits, which are the places I spend most of my career thinking about, almost always get audited by someone who is bringing their own tools to the engagement.
I run the IT department for a public Michigan school district of about 4,900 students across 10 buildings. I know what the tooling budget looks like at that scale. The same dynamic plays out at every district my size in the state and most of the country. The principle I keep coming back to is that asymmetric defenders in resource-constrained environments need asymmetric tools. That is the whole point of what I call Guerilla Zero Trust: high-impact, low-cost defenses that do not require a million-dollar SOC stack to operate. PSGuerrilla is licensed under CC BY 4.0. Internal IT, consultants, MSSPs, pen testers, and red teams can all use it commercially. No per-domain pricing, no commercial license tier, no usage gate. That license model is the actual headline.
The technical comparison below is what justifies the existence of the second tool. The license is what justifies who gets to use it.
The headline numbers for the AD side
PSGuerrilla’s Invoke-Reconnaissance cmdlet (the Active Directory module specifically) ships 203 AD security checks across 14 categories. Every one is callable as a standalone PowerShell function and documented with a stable check ID:
Category                    Count  Prefix
Privileged Account Hygiene     30  ADPRIV-
Group Policy                   24  ADGPO-
Password Policy + NTDS         22  ADPWD-
Domain / Forest                20  ADDOM-
Certificate Services           19  ADCS-
ACL / Delegation               16  ADACL-
Logon Scripts                  11  ADSCRIPT-
Kerberos                       11  ADKERB-
Trusts                         11  ADTRUST-
Stale Objects                  11  ADSTALE-
Network (NTLM relay)           10  ADNET-
Tier-Zero Hygiene               7  ADTIER-
Logging Posture                 7  ADLOG-
Tradecraft Indicators           4  ADTRADE-
PingCastle ships roughly 150 rules in its scoring engine across anomalies, privileged accounts, stale objects, and trusts. The categories overlap significantly with mine, but the depth varies category by category. The gap is not uniformly 53 checks. In some areas PingCastle is at parity. In others it is much wider than the totals suggest.
ADCS: where the gap is widest
Active Directory Certificate Services is the single area where the difference matters most.
PingCastle covers the classic ADCS escalation paths from the original Certified Pre-Owned paper, ESC1 through ESC8. That coverage is solid and stable.
PSGuerrilla ships the full modern escalation surface:
ADCS-002 ESC1: Enrollee Supplies Subject Alternative Name
ADCS-003 ESC2: Any Purpose Extended Key Usage
ADCS-004 / ADCS-005 ESC3: Enrollment Agent Template Abuse (both conditions)
ADCS-006 / ADCS-007 ESC4: Vulnerable Template ACLs and Ownership
ADCS-008 ESC5: Vulnerable PKI Object ACLs
ADCS-009 ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
ADCS-010 ESC7: Vulnerable CA ACLs
ADCS-011 ESC8: NTLM Relay to AD CS HTTP Endpoints
ADCS-012 ESC9: No Security Extension
ADCS-013 ESC11: RPC Relay Without Encryption
ADCS-014 ESC13: Issuance Policy OID Group Link
ADCS-015 ESC15: Application Policies in Schema v1 Templates
ADCS-016 ESC16: UPN SAN Misconfiguration
ADCS-017 EKEUwu: Extended Key Usage Abuse
Plus CA server inventory (ADCS-001), template enumeration (ADCS-019), and CA auditing configuration (ADCS-018)
ESC9 through ESC16 plus EKEUwu represent attack paths documented after PingCastle’s ADCS module was originally written. Templates that pass PingCastle’s checks can still be exploited via ESC9 (no security extension allows certificate requests from a user account with a manipulable altSecurityIdentities mapping) or ESC13 (issuance policy linked to a group SID). If you have an internal PKI and you have not audited it since 2022, PSGuerrilla will find paths PingCastle does not surface. I have watched this happen in production.
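An added example, not code from PSGuerrilla or PingCastle, of checking the ESC1 preconditions described above (ADCS-002) directly against the Configuration partition with the ActiveDirectory module, with the ESC9 no-security-extension flag (ADCS-012) reported alongside. It assumes RSAT and read rights on the Configuration NC; the flag values, EKU OIDs and Enroll right GUID are the published schema constants, and the list of "broad" principals is my own choice.

```powershell
# Added example (not PSGuerrilla's or PingCastle's code). Enumerates certificate
# templates from the Configuration NC and reports the ESC1 preconditions the
# article lists for ADCS-002, plus the ESC9 flag behind ADCS-012.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration NC.
Import-Module ActiveDirectory

$ENROLLEE_SUPPLIES_SUBJECT = 0x1        # msPKI-Certificate-Name-Flag: requester picks the SAN
$PEND_ALL_REQUESTS         = 0x2        # msPKI-Enrollment-Flag: manager approval required
$NO_SECURITY_EXTENSION     = 0x80000    # msPKI-Enrollment-Flag: ESC9 condition
$EnrollRightGuid           = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AuthEkus = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
              '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
              '2.5.29.37.0')             # Any Purpose
# Principals that should never hold Enroll on a SAN-supplying authentication template (my choice)
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

$configNC  = (Get-ADRootDSE).configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNC"
# Only templates published on at least one CA can actually be enrolled
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
                pKIExtendedKeyUsage, nTSecurityDescriptor

foreach ($t in $templates) {
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'
    $ekus       = @($t.pKIExtendedKeyUsage)
    # Who holds the Enroll extended right (or full control) on this template?
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)) -or
            $_.ActiveDirectoryRights -match 'GenericAll')
    } | ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] }
    $broad = $enrollers | Where-Object { $BroadPrincipals -contains $_ }

    # ESC1: published, requester supplies SAN, no approval, no RA signatures,
    # an authentication-capable (or unrestricted) EKU, and a broad enroller
    $esc1 = ($published -contains $t.Name) -and
            ($nameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -and
            -not ($enrollFlag -band $PEND_ALL_REQUESTS) -and
            ([int]$t.'msPKI-RA-Signature' -eq 0) -and
            ($ekus.Count -eq 0 -or ($ekus | Where-Object { $AuthEkus -contains $_ })) -and
            $broad
    $esc9 = [bool]($enrollFlag -band $NO_SECURITY_EXTENSION)

    [pscustomobject]@{
        Template       = $t.Name
        Published      = ($published -contains $t.Name)
        ESC1           = [bool]$esc1
        ESC9_NoSecExt  = $esc9
        BroadEnrollers = ($broad -join ', ')
    }
} | Where-Object { $_.ESC1 -or $_.ESC9_NoSecExt } | Format-Table -AutoSize
```

A template that shows up here is a remediation ticket (tighten the enroll ACL, require manager approval, or clear the SAN flag), not a verdict on its own; the CA-level ESC6 flag and the rest of the ESC family still need their own checks.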
The NTDS password audit nobody else ships free
PSGuerrilla integrates DSInternals to read NTDS.dit offline (no domain impact, optional DC backup path) and runs four distinct checks against the resulting hashes:
ADPWD-010 Users with Blank Passwords (Critical)
ADPWD-011 Duplicate Password Hashes (High)
ADPWD-012 Passwords in HaveIBeenPwned Database (High)
ADPWD-014 Default/Common Passwords (High)
Plus tier-aware cross references via ADPRIV-016 (Privileged Accounts Weak Passwords).
PingCastle does not ship offline NTDS hash analysis or HIBP integration in the Basic edition. The typical adjacent tool here is Specops Password Auditor, which is a separate product with separate licensing. PSGuerrilla ships it as part of Invoke-Reconnaissance. The HIBP corpus downloads once and updates via Update-ThreatIntel.
This is the single most operationally useful finding most environments can generate. A privileged account password that appears in HIBP is a meeting on Monday morning. I have run this against my own domain and against domains I have been allowed to test. It surfaces real issues on the first run, every time.
Logon scripts, NTLM relay, and tradecraft
Three categories I treat as first-class concerns that PingCastle, in my opinion, treats more lightly.
Logon Script Analysis (11 checks, ADSCRIPT-001 through ADSCRIPT-011) parses every .bat, .cmd, .ps1, and .vbs in SYSVOL and Netlogon. It flags hardcoded credentials (ADSCRIPT-004), LOLBins usage (ADSCRIPT-005), plaintext passwords (ADSCRIPT-006), world-writable script permissions (ADSCRIPT-007), external resource references (ADSCRIPT-008), and UNC paths to non-DC locations (ADSCRIPT-010). In any environment older than five years, this category returns findings on the first run. I built it because I have seen what lives in SYSVOL at districts that inherited their domain from a previous administrator. PingCastle catches the GPP cpassword leftovers but does not parse script bodies at this level.
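An added example, not PSGuerrilla's code, of the kind of script-body scan described above: it walks SYSVOL and Netlogon for the four script types and reports the patterns behind ADSCRIPT-004 (credentials on a command line), ADSCRIPT-006 (plaintext passwords) and ADSCRIPT-010 (UNC paths that do not point at a DC). The regexes and the DC-name comparison are my own simplification and assume read access to the SYSVOL and NETLOGON shares.

```powershell
# Added example (not PSGuerrilla's code). Scans logon script bodies in SYSVOL and
# Netlogon for the ADSCRIPT-004/006/010 patterns the article describes.
# Assumes the ActiveDirectory RSAT module and read access to the shares.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
# Names that are legitimate UNC targets for a logon script: every DC plus the domain itself
$dcHosts = @(Get-ADDomainController -Filter * | ForEach-Object { [string]$_.HostName }) +
           @($domain.DNSRoot, $domain.NetBIOSName)
$dcShort = $dcHosts | ForEach-Object { $_.Split('.')[0] }
$roots   = @("\\$($domain.DNSRoot)\SYSVOL", "\\$($domain.DNSRoot)\NETLOGON")

# Simplified patterns (my own); the value class excludes $variables to cut false positives
$patterns = @{
    'ADSCRIPT-004 credential on command line' = '(?i)\b(net\s+use|runas|psexec|schtasks|wmic)\b[^\r\n]*(/user:|/u:|/p:|/pass|-u\s|-p\s)'
    'ADSCRIPT-006 plaintext password'        = '(?i)(password|passwd|pwd)\s*[=:]\s*["'']?[^\s"''$]{4,}'
    'ADSCRIPT-006 ConvertTo-SecureString'    = '(?i)ConvertTo-SecureString\s+[^|\r\n]*-AsPlainText'
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.bat, *.cmd, *.ps1, *.vbs -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        $body = Get-Content -Path $file -Raw -ErrorAction SilentlyContinue
        if (-not $body) { return }
        foreach ($p in $patterns.GetEnumerator()) {
            foreach ($m in [regex]::Matches($body, $p.Value)) {
                [pscustomobject]@{ Check = $p.Key; File = $file; Evidence = $m.Value.Trim() }
            }
        }
        # ADSCRIPT-010: a UNC host that is not a DC means whoever controls that host
        # controls what every user runs at logon
        foreach ($m in [regex]::Matches($body, '\\\\([A-Za-z0-9._-]+)\\')) {
            $target = $m.Groups[1].Value
            if ($dcHosts -notcontains $target -and $dcShort -notcontains $target) {
                [pscustomobject]@{ Check = 'ADSCRIPT-010 non-DC UNC path'; File = $file; Evidence = $m.Value }
            }
        }
      }
}
$findings | Sort-Object Check, File, Evidence -Unique | Format-Table -AutoSize -Wrap
```

Treat each row as evidence to read in context; a `net use` line with `/user:` and no password, or a DFS namespace hosted off the DCs, will show up and is not automatically a finding.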
Network NTLM Relay Preconditions (10 checks, ADNET-001 through ADNET-010) covers the conditions that make Responder, mitm6, and Print Spooler relay attacks work. LDAP Signing required (ADNET-001), LDAP Channel Binding enforced (ADNET-002), SMB Server/Client Signing required (ADNET-003/004), LLMNR disabled (ADNET-005), NetBIOS-over-TCP reviewed (ADNET-006), IPv6 mitm6 mitigation posture (ADNET-007), WPAD auto-discovery disabled (ADNET-008), Print Spooler on DCs (ADNET-009), WebClient service default state (ADNET-010). PingCastle covers LDAP and SMB signing. The WPAD, LLMNR, IPv6, and WebClient surface as a dedicated category is mine.
Tradecraft Indicators (4 checks, ADTRADE-001 through ADTRADE-004) is small but distinctive. ADTRADE-001 finds GPP cpassword leftovers in SYSVOL (the 2014 vulnerability that still lives in production environments today; I have found this in district domains in the last twelve months). ADTRADE-002 checks for DCShadow indicators (rogue configuration partition servers that signal a sophisticated persistence technique). ADTRADE-003 catches stale BitLocker recovery keys. ADTRADE-004 audits RODC Password Replication Policy hygiene. PingCastle catches the cpassword issue. The other three are PSGuerrilla originals.
Tier-Zero hygiene: the tier-bleed problem
My ADTIER-001 through ADTIER-007 checks address a category PingCastle largely does not cover: service accounts that are effectively Tier-0 but do not appear in standard privileged group enumeration.
The flagship example is ADTIER-001 (Azure AD Connect MSOL_ Audit). When Azure AD Connect installs in Express mode, it creates a domain account named MSOL_<random-hex> and grants it Replicating Directory Changes plus Replicating Directory Changes All on the domain naming context. That is DCSync rights. The account is functionally a domain takeover if compromised. It lives in the default Users container, has a 10 year password expiry, and rarely appears in Domain Admins enumeration because it gets its power via direct ACL rather than group membership. Most AD tools miss it. I have personally found this account misconfigured in environments that had been audited by other tools and passed.
ADTIER-002 through ADTIER-005 extend the same logic to backup software service accounts (Veeam, CommVault), hypervisor accounts (vCenter), configuration management (SCCM), and SQL service accounts that have crept into Tier-0 groups over time. ADTIER-006 flags Tier-0 admins living outside dedicated Tier-0 OUs. ADTIER-007 flags service accounts that hold interactive logon rights via privileged group membership, which violates the Microsoft tier model.
This is one of the highest signal categories in a modern AD audit. Hybrid identity environments accumulate these accounts across change windows nobody documents. PSGuerrilla checks for them by default.
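An added example, not PSGuerrilla's code, of the ADTIER-001 idea above: list every principal that holds replication rights on the domain naming context (the DCSync privilege the MSOL_ account gets in Express mode) and flag the ones that are not the default holders, with password age and privileged-group membership so the MSOL_ pattern (direct ACL, old password, no admin group) stands out. The replication right GUIDs are the schema's published values; the expected-holder list is my own and assumes a default domain ACL.

```powershell
# Added example (not PSGuerrilla's or PingCastle's code). Audits who holds DCSync
# (replication) rights on the domain NC, the privilege the article describes for
# the Azure AD Connect MSOL_ account. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Holders present on a default domain NC ACL (my list); anything else deserves a ticket
$Expected = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Domain Controllers',
              'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers', 'SYSTEM')

$domain = Get-ADDomain
$acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

# An ACE grants DCSync if it names a replication GUID, covers all extended rights
# (empty ObjectType), or is full control
$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $ReplRights.ContainsKey($_.ObjectType.ToString()) -or
            $_.ActiveDirectoryRights -match 'GenericAll' -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty))
    } | Group-Object { $_.IdentityReference.Value }

foreach ($h in $holders) {
    $name   = $h.Name.Split('\')[-1]
    $rights = $h.Group | ForEach-Object {
        if ($_.ActiveDirectoryRights -match 'GenericAll')      { 'GenericAll' }
        elseif ($_.ObjectType -eq [guid]::Empty)              { 'All extended rights' }
        else { $ReplRights[$_.ObjectType.ToString()] }
    } | Sort-Object -Unique
    # Resolve user accounts for context; groups and well-known SIDs simply return nothing here
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$name)" -Properties PasswordLastSet, MemberOf
    [pscustomobject]@{
        Principal       = $h.Name
        Rights          = ($rights -join ', ')
        Expected        = ($Expected -contains $name)
        LooksLikeMSOL   = ($name -like 'MSOL_*')
        PasswordAgeDays = if ($user.PasswordLastSet) { [int]((Get-Date) - $user.PasswordLastSet).TotalDays } else { $null }
        InAdminGroup    = [bool]($user.MemberOf | Where-Object {
                              $_ -match '^CN=(Domain Admins|Administrators|Enterprise Admins),' })
    }
} | Sort-Object Expected | Format-Table -AutoSize
```

Rows with Expected false are the ones to review: an MSOL_ account is legitimate but belongs in a dedicated Tier-0 OU with a rotated password and monitoring, and any other unexpected holder is a finding until someone can explain it.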
Logging posture
PingCastle does not audit logging configuration as a distinct category. My ADLOG-001 through ADLOG-007 covers the controls that determine whether an incident response would actually have data to work with:
ADLOG-001 Advanced Audit Policy configured
ADLOG-002 PowerShell Script Block Logging enabled
ADLOG-003 PowerShell Module Logging enabled
ADLOG-004 Process Creation Auditing with command line (Event 4688)
ADLOG-005 Microsoft Defender Tamper Protection policy
ADLOG-006 Windows Event Forwarding (WEF) Subscription Manager configured
ADLOG-007 Sysmon deployment indicator
This category does not change the attack surface. It changes what is recoverable when something goes wrong. Worth running for that reason alone, and a category I care about deeply because I have sat in incident calls where the question of “do we have logs for that” had a bad answer.
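An added example, not PSGuerrilla's code, that reads the effective policy on the local host for the ADLOG controls listed above, so it can be run on a DC or a sampled member to confirm the GPO actually landed. The registry paths are the documented policy locations; it assumes local admin rights (for auditpol) and the Defender module for Get-MpComputerStatus.

```powershell
# Added example (not PSGuerrilla's code). Checks the local effective policy for the
# ADLOG-002 through ADLOG-007 controls the article lists and returns one row each.
# Assumes local admin rights and that the Defender PowerShell module is available.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# auditpol /r emits CSV; the Inclusion Setting column reads "Success", "Failure",
# "Success and Failure" or "No Auditing"
$procAudit = (auditpol /get /subcategory:"Process Creation" /r |
              Where-Object { $_ -match ',' } | ConvertFrom-Csv).'Inclusion Setting'
$defender = $null
try { $defender = Get-MpComputerStatus -ErrorAction Stop } catch { }

$results = @(
    [pscustomobject]@{ Check = 'ADLOG-002'; Control = 'PowerShell Script Block Logging'
        Pass = (Get-RegValue "$pol\PowerShell\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1 }
    [pscustomobject]@{ Check = 'ADLOG-003'; Control = 'PowerShell Module Logging'
        Pass = (Get-RegValue "$pol\PowerShell\ModuleLogging" 'EnableModuleLogging') -eq 1 }
    [pscustomobject]@{ Check = 'ADLOG-004'; Control = 'Process Creation auditing with command line (4688)'
        Pass = ($procAudit -match 'Success') -and
               (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                             'ProcessCreationIncludeCmdLine_Enabled') -eq 1 }
    [pscustomobject]@{ Check = 'ADLOG-005'; Control = 'Defender Tamper Protection'
        Pass = [bool]$defender.IsTamperProtected }
    [pscustomobject]@{ Check = 'ADLOG-006'; Control = 'WEF Subscription Manager configured'
        Pass = [bool](Get-RegValue "$pol\EventLog\EventForwarding\SubscriptionManager" '1') }
    [pscustomobject]@{ Check = 'ADLOG-007'; Control = 'Sysmon service present'
        Pass = [bool](Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) }
)
$results | Format-Table -AutoSize
```

A Pass here only proves the setting reached this host; whether the resulting events are collected anywhere is the WEF row's job, and a SIEM-side check is still needed to close the loop.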
What PingCastle still wins on
I want to be careful here. PingCastle is not behind on every front, and I am not trying to suggest otherwise. Several things it does that PSGuerrilla either does not match or covers differently:
The Healthcheck XML primitive. PingCastle uses this as a stable cross environment data format. It is useful for trend analysis across multiple domains, especially in MSSP contexts (with an Auditor or Enterprise license).
Scoring model maturity. PingCastle’s 0 to 100 risk score is calibrated against several years of real world data, and the Maturity Level framework is widely recognized. PSGuerrilla has its own Guerrilla Score with FORTRESS, DEFENDED POSITION, CONTESTED GROUND, EXPOSED FLANK, UNDER SIEGE, and OVERRUN tiers, but PingCastle’s calibration history is longer.
Trust analysis depth on the AD side. PingCastle’s multi-forest trust mapping is mature and well tested. PSGuerrilla covers AD trusts in 11 checks but does not visualize the relationships the same way.
Single binary deployment. PingCastle runs as one .exe. PSGuerrilla requires PowerShell 7 and the DSInternals module for the NTDS checks. If you need to run something on a locked down jump host with no PowerShell modernization story, PingCastle is easier to deploy.
If your organization has standardized on PingCastle and your team understands the scoring model, there is no reason to abandon it. The two tools coexist well. PSGuerrilla fills the AD categories PingCastle does not cover, extends into Entra, M365, and Workspace that PingCastle does not touch in the free tier, and offers a license model that fits engagements PingCastle’s free tier does not.
Beyond AD: where the comparison stops being a comparison
PingCastle is at its core an AD tool. PingCastle Cloud Edition is a paid add-on that crosses into Entra. That is a fair business decision. But it is worth being precise about what it means: in the free tier, PingCastle does not audit Entra ID, M365, Intune, or Google Workspace at all. PSGuerrilla does all four, by default, under the same CC BY 4.0 license, in the same module.
Invoke-Infiltration runs 159 checks across Entra ID, Azure, Intune, and M365. That covers Conditional Access, PIM, application consent grants, risky sign-ins, Exchange Online security posture, SharePoint sharing settings, Teams external access, Intune compliance policies, and the rest. Invoke-Fortification runs 98 checks against Google Workspace, covering admin console hardening, OAuth third party app review, Drive sharing posture, Gmail security defaults, audit log configuration, and 23 behavioral detection signals via Invoke-Recon. I built the Workspace side first because I run a Google district, and I needed something that audited Workspace the way PingCastle audits AD. There was nothing free that did it.
The continuous monitoring layer is where the multi-theater design starts to pay back. Invoke-Surveillance watches Entra ID for sign-in risk and directory changes. Invoke-Watchtower does baseline drift detection against AD. Invoke-Wiretap tails the M365 unified audit log for Exchange, SharePoint, Teams, Defender, and Power Platform events. Patrols schedule any of these via Register-Patrol and route alerts through nine providers: Teams, Slack, PagerDuty, Twilio, SendGrid, Mailgun, generic webhook, Syslog CEF/LEEF, and Windows Event Log.
For K-12 specifically, there is a K12 scoring profile and a compliance crosswalk that maps findings to FERPA, COPPA, CIPA, NIST 800-171, and state ed tech frameworks. That is built in. Nobody else ships this for free (and I need it bad!).
If you want to do an apples to apples comparison on cloud identity, you would need PingCastle Cloud Edition (paid) on one side and Invoke-Infiltration (free) on the other, and at that point you are not really comparing the same product anymore.
Output and remediation
Where PingCastle stops at the report, PSGuerrilla pairs every finding with a remediation. I built it this way because in my day job I do not have a remediation team. I have me, and I have a small team of people who already have full plates. If I am going to ship a tool that produces 150 findings, I owe my own future self a way to work through them without writing 150 PowerShell scripts.
Export-TechnicalReport ships each finding with check ID, current value, recommended value, severity, MITRE ATT&CK mapping, CIS Benchmark citation, NIST SP 800-53 and 800-171 references, and step by step remediation. Export-RemediationScripts writes one .ps1 per finding, each with a safety preamble and rollback comments. Export-ExecutiveSummary produces a one page document for the board. Export-BudgetJustification groups remediations by cost tier so leadership can make funding decisions.
For a 150 finding environment, that turns a six week remediation sprint into a structured backlog where each ticket carries the script attached. Nothing auto-applies. The intended workflow is read, scope, approve, execute.
How this is being built
I should be direct about something. I am not writing all 431 of these checks by hand. PSGuerrilla is being built with the assistance of AI tools doing a lot of the implementation, with my expertise and lived experience as the watchful eye over every commit. I know what a misconfigured MSOL_ account looks like in production because I have found one. I know what GPP cpassword leftovers do in a real district because I have cleaned them up. The agentic tools accelerate the work. The judgment about what to check, why it matters, and what the remediation actually has to do is mine.
I am also actively stress testing the module against sample environments to verify the checks behave correctly across configurations I do not run in production. That work is not glamorous and it does not show up in a demo, but it is the difference between a tool that runs and a tool that runs reliably.
My advice for anyone reading this who has thought about building their own tooling: take the PSGuerrilla base, drop it in your own repo, and let Copilot CLI loose on it to customize it to your environment. Add your own checks. Tune the scoring weights. Wire up the alerting providers you actually use. The CC BY 4.0 license exists precisely so this is allowed.
Building modules without agentic AI in 2026 seems nuts to me at this point. The tools are too good. The leverage they give a single practitioner who knows what they want is too high. If you are an IT director at a district my size and you are sitting on tribal knowledge about your environment that nobody else has, that knowledge plus an agentic editor is enough to produce something worth running. The barrier to making real tools has collapsed. Expertise still matters. Judgment still matters. The willingness to actually ship still matters. What has changed is how much typing sits between those things and a working module.
How to use both
The honest recommendation for AD specifically is to use both, at least initially. PingCastle’s scoring is a useful reference point and the Maturity Level framework gives leadership a familiar yardstick. PSGuerrilla extends the AD coverage into ADCS depth, NTDS password analysis, logon scripts, NTLM relay preconditions, Tier-0 hygiene, logging posture, and tradecraft indicators that PingCastle does not surface. Then it keeps going into Entra, Azure, Intune, M365, and Google Workspace that PingCastle’s free edition does not touch.
For internal IT teams: run both on the AD side. PingCastle Basic is free for you. PSGuerrilla fills the AD gaps and gives you the cloud identity audit on top.
For consultants, MSSPs, pen testers, and analysts who need to deliver findings to clients without per-engagement licensing: PSGuerrilla is CC BY 4.0 across all 431 checks. Attribute the source in the report (a footnote suffices) and ship.
Trying it
PSGuerrilla is published to the PowerShell Gallery at powershellgallery.com/packages/PSGuerrilla, so for most people the install is one line. For the AD audit specifically, you do not need to set anything else up. PSGuerrilla uses your current Kerberos session, so if you are running from a domain-joined machine with appropriate read rights, you can go from Install-Module to running checks in two commands.
# Install from the PowerShell Gallery (recommended)
Install-Module PSGuerrilla
Import-Module PSGuerrilla
# AD audit. No vault setup needed. Uses your current Kerberos session.
Invoke-ADRecon # alias for Invoke-Reconnaissance
# For cloud audits, set up the encrypted credential vault first
Set-Safehouse
Invoke-Infiltration # Entra / Azure / Intune / M365 (159 checks)
Invoke-Fortification # Google Workspace (98 checks)
# Or run everything in one go after Set-Safehouse
Invoke-Campaign
# Alternative install path if you want the latest unreleased changes
# git clone https://github.com/jimrtyler/PSGuerrilla.git
# Import-Module ./PSGuerrilla/PSGuerrilla.psd1
For the AD audit, no credential setup is needed when running from a domain-joined machine. Add Install-Module DSInternals if you want the NTDS hash analysis. For the cloud paths you will need an Entra app registration with the right Graph scopes (the README walks through it) and, for Workspace, a GCP service account with domain wide delegation. Both of those credentials live in the safehouse vault that Set-Safehouse creates.
The first run produces the executive summary, technical report, remediation playbook, and per-finding scripts. The technical report includes every check ID, observed value, recommended value, and remediation steps. The remediation scripts go into a separate folder. Nothing runs automatically.
PSGuerrilla is at guerrilla.army. The site includes an interactive configuration builder that generates the JSON config file for whichever environments you want to audit. Source is at github.com/jimrtyler/PSGuerrilla. CC BY 4.0.
PingCastle is at pingcastle.com. Commercial licensing (Auditor, Enterprise, and Cloud Edition) is per-domain.
The right answer for most teams on the AD side is both, for different reasons. The right answer for the cloud side is the tool that audits it for free. The right answer for analysts who bill for the work is the tool that does not charge per engagement.
Report what you find
PSGuerrilla will encounter edge cases in environments I have not tested against yet. That is the nature of shipping a security module that touches six different identity platforms across whatever combination of legacy and modern configurations your domain has accumulated since it was stood up. If you hit a check that produces a false positive, a missing dependency, an unhelpful error message, or a remediation script that does the wrong thing in your environment, open an issue at github.com/jimrtyler/PSGuerrilla/issues. The more specific the better. Versions, OS, domain functional level, the exact check ID, and anonymized output if you can share it. The faster I see it, the faster I can fix it for everyone running the next version.
If you build your own checks on top of the base and want them merged upstream, pull requests are welcome too. Thanks for reading if you’re still here!