BloodHound is a free, open-source security research tool that maps Active Directory and Azure AD environments as a graph, exposing every attack path that leads from a low-privilege user account to Domain Admin or other high-value targets.
What is BloodHound?
BloodHound is an Active Directory reconnaissance and attack-path analysis tool developed and maintained by SpecterOps. Where conventional scanners produce flat lists of misconfigurations, BloodHound treats the entire AD environment as a mathematical graph — nodes are users, groups, computers, and GPOs; edges are the trust relationships and permissions between them — and then computes the shortest chain of hops from "normal employee" to "owns the forest."
The Mac app you download is the BloodHound Community Edition (CE) graphical interface, an Electron-based desktop client. The real work happens in a Docker-based backend comprising a Go API layer, a Neo4j graph database, and PostgreSQL, which you run locally or point at a remote server. Data is collected separately on Windows using SharpHound, SpecterOps' dedicated ingestor, or via AzureHound for cloud identities — so Mac users need either a Windows VM or a jump box in the target environment to gather the raw AD telemetry.
What does BloodHound do best?
BloodHound excels at surfacing privilege-escalation chains that are completely invisible to traditional tooling. A user in the Help Desk group might have GenericWrite on a computer object, which holds a cached local admin session belonging to a Domain Admin account — three hops, and you own the forest. BloodHound computes and draws that path in seconds, with every intermediate node labelled and clickable.
Beyond offensive recon, defenders use it in blue-team mode: schedule a weekly run against your own environment, watch the graph for new edges after each patch cycle, and catch misconfigurations before an adversary does. The built-in Cypher query interface lets analysts ask arbitrarily specific questions — "which kerberoastable accounts have a path to any Tier-0 asset?" — that no checkbox-compliance report could ever answer.
The GUI is clean and keyboard-navigable. Selecting a node surfaces its full properties panel; right-clicking opens a shortest-path search. Large enterprise environments produce a dense node cloud, but BloodHound's filter bar and layout controls keep navigation tractable even on a 13-inch screen.
Is BloodHound free?
BloodHound Community Edition is completely free and open-source under the Apache 2.0 licence, hosted on GitHub with no account or registration required. SpecterOps also maintains BloodHound Enterprise, a SaaS offering with continuous attack-path monitoring, automated remediation guidance, and enterprise support — but for penetration testers, security researchers, and internal red teams, the community edition covers every core workflow without a paywall.
There is no feature-locked free tier, no licence key to manage, and no call-home telemetry in the open-source build.
Who should use BloodHound?
BloodHound is built for security professionals: penetration testers conducting AD assessments, internal red teams modelling threat paths, and blue teamers responsible for hardening the Windows estate. If you are studying for OSCP or working through an AD-focused CTF, BloodHound will accelerate your understanding of privilege escalation faster than almost any textbook.
It is not a tool for macOS-only environments. If your organisation runs no Active Directory infrastructure, there is nothing for BloodHound to map. General Mac users with no Windows domain to assess have no practical use for it — be honest with yourself before spending an hour on the Docker setup.
What are the best BloodHound alternatives?
For open-source attack-path analysis, Adalanche is the closest peer — written in Go, it self-collects on Windows and renders a similar graph view with arguably simpler local setup. PingCastle generates structured HTML risk reports quickly and suits rapid-audit scenarios, though its visualisation is far less expressive than BloodHound's graph engine. ADExplorer (Sysinternals) snapshots Active Directory for offline browsing but offers no built-in path analysis whatsoever. For Azure-heavy shops, ROADtools provides complementary Entra ID enumeration that pairs well with AzureHound data.
None of these replaces BloodHound's combination of a mature graph engine, a large community-developed Cypher query library, and sustained SpecterOps research backing it year after year.