NodeZero vs. GOAD: Get the Full Story
GOAD in under 15 minutes — no shortcuts, no simulation
GOAD is one of the most realistic Active Directory labs ever created — a multi-domain, multi-forest environment used by red teamers to prepare for certifications like the OSCP and by defenders to practice hardening real-world AD.
It’s built to punish mistakes — with real-world misconfigurations like weak Kerberos policies, exposed credentials, vulnerable certificate templates, and mismanaged trust relationships.
NodeZero® didn’t just complete GOAD.
It conquered it — in under 15 minutes.
No credentials. No CVEs. No simulation.
Just real attacks, executed autonomously.
NodeZero’s campaign — explained
Starting point: unauthenticated
NodeZero launched inside GOAD with no credentials, no inside knowledge, and no manual tuning. It discovered an exposed SMB share allowing anonymous access — and immediately began gathering intelligence.
From there, it extracted user lists, identified weak accounts, and cracked its first password — just like an attacker would in the wild.
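The foothold described above started from a share that answered anonymous requests. As an added example (not NodeZero's or GOAD's code), the following PowerShell audit lists the SMB shares on a Windows host that are exposed without authentication, so a defender can find and close that starting point before an automated attacker does. It assumes the built-in SmbShare module (Windows Server 2012 / Windows 8 and later), an elevated session, and the LanmanServer registry values NullSessionShares and RestrictNullSessAccess; the principal names in $anonymousPrincipals are the ones worth flagging but the list is an assumption you may want to extend.

```powershell
# Added example, not NodeZero's or GOAD's code: report SMB shares on this host that can be
# reached with no credentials (null session) or that grant share-level access to anonymous
# principals. Run in an elevated PowerShell session on each file server and domain controller.

$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Shares explicitly opened to null sessions by policy (empty on a hardened host).
$nullSessionShares = @($lanman.NullSessionShares) | Where-Object { $_ }
# 1 (the default) limits null sessions to NullSessionShares; 0 exposes every share.
$restrictNull = $lanman.RestrictNullSessAccess

# Share-level ACEs for these principals mean unauthenticated or guest access (assumed list).
$anonymousPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON', 'Guest')

$findings = foreach ($share in Get-SmbShare) {
    $openTo = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($anonymousPrincipals -contains $_.AccountName) }
    $nullSession = $nullSessionShares -contains $share.Name
    if ($openTo -or $nullSession) {
        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            NullSession  = $nullSession
            SharePermsTo = ($openTo.AccountName -join ', ')
        }
    }
}

if ($restrictNull -eq 0) {
    Write-Warning 'RestrictNullSessAccess=0: null sessions can reach every share on this host'
}
$findings | Format-Table -AutoSize
```

Share-level permissions are only half of the picture: a share that grants Everyone read access still depends on the NTFS ACL of the underlying path, and a null-session share is reachable whatever the share ACL says, so review both columns of the report and treat any non-empty result on a domain controller as a priority.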
Building the chain in parallel
With that initial foothold, NodeZero moved quickly. It discovered scripts with embedded credentials, pivoted to systems where those credentials had local admin, and deployed a RAT — all while executing other tasks in parallel.
It escalated privileges, dumped LSASS, and harvested more credentials to expand access — accelerating the kill chain faster than a human red team could.
Domain compromise, then full forest takeover
NodeZero didn’t stop at one domain. It abused Active Directory Certificate Services (ADCS), exploited a vulnerable certificate template (ESC3), impersonated a domain admin, and moved laterally across trust boundaries into the parent domain.
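The ESC3 abuse described above depends on certificate templates that are published in Active Directory and can be audited from a domain-joined host. As an added example (not NodeZero's or GOAD's code), the PowerShell below queries the Certificate Templates container and flags the two template shapes that together form the ESC3 precondition: a template that issues a Certificate Request Agent certificate with no manager approval and no signature requirement, and a template that accepts enrollment-agent requests on behalf of other users for an authentication EKU. It assumes the ActiveDirectory module, read access to the Configuration partition, and the standard template attributes named in the code; it does not evaluate who holds enrollment rights on each template, which must be checked separately before a hit is confirmed as a finding.

```powershell
# Added example, not NodeZero's or GOAD's code: find AD CS templates matching the ESC3
# preconditions. Assumes the ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$certReqAgentOid = '1.3.6.1.4.1.311.20.2.1'        # Certificate Request Agent EKU
$authOids = @(
    '1.3.6.1.5.5.7.3.2',                            # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',                       # Smart Card Logon
    '1.3.6.1.5.2.3.4',                              # PKINIT Client Authentication
    '2.5.29.37.0'                                   # Any Purpose
)
$CT_FLAG_PEND_ALL_REQUESTS = 0x2                    # msPKI-Enrollment-Flag: manager approval required

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templatesDN  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates    = Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties pKIExtendedKeyUsage, 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'

$findings = foreach ($t in $templates) {
    $ekus          = @($t.pKIExtendedKeyUsage)
    $needsApproval = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $raSigs        = [int]$t.'msPKI-RA-Signature'
    # The RA application policy attribute is stored as text; match the OID anywhere in it.
    $appPolicies   = (@($t.'msPKI-RA-Application-Policies') -join ';')

    # Condition 1: the template hands out enrollment-agent certificates without any gate.
    if (($ekus -contains $certReqAgentOid) -and -not $needsApproval -and $raSigs -eq 0) {
        [pscustomobject]@{ Template = $t.Name; Finding = 'ESC3-1: issues Certificate Request Agent cert with no approval or signature' }
    }

    # Condition 2: the template accepts requests signed by an enrollment agent and yields an
    # authentication-capable certificate, again without manager approval.
    $acceptsAgent = ($raSigs -ge 1) -and ($appPolicies -match [regex]::Escape($certReqAgentOid))
    $hasAuthEku   = @($ekus | Where-Object { $authOids -contains $_ }).Count -gt 0
    if ($acceptsAgent -and -not $needsApproval -and $hasAuthEku) {
        [pscustomobject]@{ Template = $t.Name; Finding = 'ESC3-2: accepts enrollment-agent requests for an authentication EKU with no approval' }
    }
}

$findings | Format-Table -AutoSize
```

A template appearing under both conditions is only exploitable when low-privileged principals can enroll in the condition-1 template and the condition-2 template is published on an enterprise CA, so pair this output with a review of each template's enrollment ACL and the CA's published-template list; the usual fixes are to require manager approval, restrict enrollment on the agent template, or configure enrollment agent restrictions on the CA.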
In under 15 minutes, NodeZero had full control — without triggering alerts, crashing systems, or requiring a single manual command.
No LLMNR. No CVEs. No shortcuts.
Just autonomous software chaining real weaknesses into real impact.
Why this matters
What would take an expert red teamer 6–12 hours took NodeZero
Every technique maps to real adversary tradecraft — including TTPs used by APT29, Volt Typhoon, and other nation-state actors.
This wasn’t a simulation or a scan. NodeZero performed real attacks, against real misconfigurations, in a production-like environment.
Every action is logged. Every escalation path is traceable. You don’t have to guess — the proof is in the evidence.
This is offense-driven defense — operationalized through autonomous software.
What GOAD made clear
Attackers don’t need hours — they need minutes
NodeZero demonstrated how quickly a full domain and forest can fall. Your detection and response must operate on that same timeline.
This is real risk — not theoretical
The path to compromise was built entirely from common misconfigurations and overlooked exposures — the kind that persist in most environments.
Software can now replicate expert adversaries
NodeZero made its own decisions. No seeded knowledge. No CVEs. No manual intervention. Just smart, attacker-like logic — encoded in software.
Your own AD is the next proving ground
GOAD was the benchmark. Now it’s time to test your own environment — and see how it holds up under pressure.
Want the full attack breakdown?
This is what AI-driven offensive security looks like in action.