ETCSec logo
v3.0.0·440 checks·Apache 2.0

Open-Source AD & Entra ID
Security Auditor

ETC Collector is an open-source (Apache 2.0) security auditor for Active Directory and Microsoft Entra ID, written in Go. Multiplatform (Linux, Windows, macOS, Docker), with 440+ security checks, ADCS ESC1-ESC11 detection, and attack path graphs. 6.2x faster than PingCastle.

Community: 414 checks free (266 AD · 148 Entra ID)Pro: 440 checks (282 AD · 158 Microsoft Entra ID). Audit in 6.58s. 6.2× faster than PingCastle.

curl -fsSL https://get.etcsec.com/install.sh | sudo bash
Download v3.0.0View on GitHub
Community Edition: Apache 2.0 — free for everyone, including companies. Direct download, no email required. License details
282 AD Checks
158 Entra ID Checks
23 Categories
Apache 2.0

Why ETC Collector

Built for speed & coverage

Everything you need for AD & Entra ID identity security auditing

0+

Security Checks

0 AD + 0 Entra ID

282 Active Directory checks + 158 Entra ID checks

6.58s
ETC Collector
41s
PingCastle
2m55s
Purple Knight
6.58s
41s
175s

Blazing Fast

6.58s full audit — 6.2× faster than PingCastle

Attack Path Analysis

Identify privilege escalation vectors

BFS attack path graph included in Community
ADCS ESC1–ESC11 full taxonomy (Pro)
Delegation & shadow credential abuse

Open Source Community

Apache 2.0 — free for everyone, including companies

Linux
amd64, arm64
macOS
Intel & Apple Silicon
Windows
x86_64
Docker
ghcr.io/etcsec-com
0
Security Checks
0.00s
Audit Time (s)
0%
Free for Everyone
282 AD Checks·158 Entra ID Checks·14 AD Categories·9 Azure Categories

Competitive Benchmarks

Faster. More checks. Still free.

Community Edition: Apache 2.0 — free for everyone, including companies.

vs PingCastle 3.5
6.2× faster
6.58s vs 41s · 96.7% rule coverage
vs Purple Knight 5.0
26.6× faster
6.58s vs 2m55s · 96.6% indicator coverage
Tool
Audit Time
AD Checks
Entra ID Checks
ETC Collector
v3.0
6.58s
282
158
PingCastle
3.5
41s
61 *
Purple Knight
5.0
2m55s
119
50

* Rule count reflects atomic top-level rules triggered on our test domain. PingCastle also includes composite risk indicators depending on domain configuration.

Purple Knight 5.0 includes Entra ID indicators, but its 2m55s runtime was measured from the Windows GUI report because the product does not expose a CLI or silent mode.

Azure 158 detections
ADCS ESC1–ESC11
CIS / NIST / ANSSI / DISA
SaaS management

Quick Start

Up & running in one command

Single static binary — no runtime dependencies

# One-liner install
curl -fsSL https://get.etcsec.com/install.sh | sudo bash

# Run an AD audit
etc-collector audit ad --ldap-url ldaps://dc.example.com
1

Install

One-liner script or grab the binary for your OS

2

Configure

Set your AD/Azure credentials in config.yaml or via flags

3

Audit

Run and get structured JSON results in seconds

Frequently Asked Questions

Common questions

Pro Edition

Go further with Pro

The Community Edition is open source (Apache 2.0), free for everyone — individuals and enterprises. Pro unlocks advanced detectors, ADCS full taxonomy, additional Azure Risk detections, and an AI-native MCP server integration. Included with the ETCSec SaaS subscription.

Community: 266 AD + 148 Entra ID = 414 detections
Pro:      282 AD + 158 Entra ID = 440 detections
Pro adds: ADCS ESC1–ESC11 (+11 AD) · Azure Risk Protection (+10 Entra ID) = +21
Get Pro AccessSee license terms →
ADCS ESC1–ESC11 Full certificate abuse taxonomy (+11 AD detections)
Azure Risk Protection 10 additional Entra ID detections (Pro only)
HTML Report Executive-ready audit report
MCP Server AI-native audit integration
Included with ETCSec SaaS No separate purchase — part of your subscription

ETCSec SaaS

Multi-tenant platform

Dashboards, historical trending, automated scheduling, and team collaboration — all backed by ETCSec SaaS.

Explore ETCSec SaaS
Visual dashboards & reporting
Historical trending & analytics
Automated scheduling & alerts
Multi-tenant support
Compliance report generation (CIS, NIST, ANSSI)
API integrations (SIEM, SOAR)
Role-based access control
Priority support