Huy Kha | Senior Identity & Security Architect

For organizations of any size, managing hybrid identity security across on-premises and cloud environments can be challenging. Purple Knight has long been trusted to expose risky misconfigurations. Now, Semperis—the identity security experts behind Purple Knight—offers Lightning Intelligence, a SaaS security-posture assessment tool that automates scanning to provide continuous monitoring without the need for periodic manual assessments. Small and mid-sized businesses can easily deploy Lightning Intelligence to continuously monitor Active Directory and Entra ID security posture, see security trends, and produce reports.

With added support for multi-forest and multi-tenant environments, Lightning Intelligence offers comprehensive visibility and actionable insights across the environment. A unified dashboard displays security scores for each forest and tenant, along with on-demand security posture reports. Lightning Intelligence is designed for rapid deployment and requires no domain controller (DC) agent installation. And the Semperis research team continuously updates all the security indicators to keep defenses current.

Lightning Intelligence dashboard shows the security posture for multi-forest Active Directory environments; each forest is assigned a security score, exposure count, and detailed breakdown of criticality levels

Differences between Lightning Intelligence and Purple Knight

Semperis’ free Purple Knight tool helps organizations assess the security of their Active Directory (AD) environments by identifying vulnerabilities and misconfigurations. However, the tool must be run manually each time, and updates require downloading the latest version to stay current with new indicators of exposure (IOEs). Lightning Intelligence, on the other hand, offers a fully automated experience.

Lightning Intelligence continuously scans on a scheduled basis, reporting security scores directly in a unified dashboard. With support for multi-forest and multi-tenant environments, the tool provides a comprehensive view of all connected AD forests and tenants, displaying security scores, misconfigurations, and vulnerabilities for each environment. Continuous updates to IOEs ensure that users always have access to the most up-to-date information, without any manual intervention.

A unified dashboard displaying all indicators of exposure (IOEs) and associated risk scores across all connected forests

Lightning Intelligence features a weekly security score trend, which makes it easy for users to track changes and see how their scores improve over time.

Weekly score trend helps users track changes over time

Indicators of exposure and compromise

Lightning Intelligence displays IOEs in the dashboard. Depending on the criticality of the IOE, some indicators are checked hourly; others are assessed daily or weekly.

The Lightning Intelligence dashboard highlights various IOEs with details such as severity level, result, category, and the date and time each was detected

From the IOEs shown, you can also dive deeper into the results to identify the root cause of each exposure. The following example shows an IOE that monitors whether the Built-in Administrator account in AD has been used within the past two weeks. Regular use of this account is not recommended, as it lacks a personal identity, making it difficult to trace who made specific changes in AD.

Example of an IOE alert in Lightning Intelligence, showing recent use of the Built-in Administrator account within the past two weeks
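
A comparable manual check, as an added PowerShell example (not Semperis code, and not how Lightning Intelligence implements this IOE): it locates the Built-in Administrator by its well-known RID 500 and reads the last logon time from every DC. It assumes the ActiveDirectory RSAT module and read access to each DC; the 14-day window mirrors the two weeks mentioned above.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$windowDays = 14                                   # two-week window from the IOE description
$cutoffUtc  = (Get-Date).ToUniversalTime().AddDays(-$windowDays)

# The Built-in Administrator always has RID 500, even if it has been renamed.
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"

# lastLogon is NOT replicated between DCs, so query each DC and keep the newest value.
# lastLogonTimestamp is replicated but only refreshed when it is already roughly
# 9-14 days old, which makes it too coarse for a 14-day threshold.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $adminSid -Server $dc.HostName -Properties lastLogon
        [pscustomobject]@{
            DC        = $dc.HostName
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = if ($u.lastLogon -gt 0) {
                            [DateTime]::FromFileTimeUtc($u.lastLogon)
                        } else { $null }           # 0 / empty = never logged on via this DC
        }
    } catch {
        # An unreachable DC means the result may be incomplete; surface it.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$latest = $perDc | Where-Object { $_.LastLogon } |
          Sort-Object LastLogon -Descending | Select-Object -First 1

if ($latest -and $latest.LastLogon -ge $cutoffUtc) {
    Write-Output ("EXPOSED: '{0}' (RID 500) last logged on {1:u} via {2}" -f `
        $latest.Account, $latest.LastLogon, $latest.DC)
} else {
    Write-Output "OK: no Built-in Administrator logon recorded in the last $windowDays days"
}

# Per-DC detail for follow-up in the Security event log of the DC that saw the logon.
$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

A hit identifies which DC authenticated the account, which is where to look for the corresponding logon events to establish who used it.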

Security posture assessment reports

Within the Lightning Intelligence dashboard, one click is all you need to download a security report that shows all IOEs for each specific environment.


The security posture overview report in Lightning Intelligence provides a summary of the security assessment results for a selected Active Directory environment

Each week, once Lightning Intelligence has completed a full cycle of all IOE checks across the environment, you can download a security report to review any identified misconfigurations or vulnerabilities. Another huge plus: You can download security reports and run scans on demand, at any time. This capability enables you to track security scores and monitor progress over time.

Lightning Intelligence helps meet Five Eyes report directives

In 2024, the Five Eyes alliance released a report on spotting AD breaches by looking for attacks such as Kerberoasting, Golden Ticket, and DCSync. Lightning Intelligence aligns with the Five Eyes recommendations by providing continuous scanning for AD misconfigurations and vulnerabilities. This proactive and automated approach to detecting weaknesses in AD makes it harder for some common attacks to succeed.

Lightning Intelligence helps small teams quickly find and fix AD security vulnerabilities

Lightning Intelligence is a versatile tool that benefits organizations of all sizes. The solution is especially valuable for small and medium-sized businesses with limited resources and staff to focus on the security posture of AD and Entra ID. For managed service providers (MSPs) that manage multiple AD forests across various clients, Lightning Intelligence provides a single, unified dashboard to monitor security posture across all environments, with automated scans and on-demand reporting to easily track and address IOEs. Enterprises with more complex, multi-forest setups can use the tool to gain visibility across the entire AD infrastructure, identifying and resolving vulnerabilities and misconfigurations in real time.

The most significant benefit, in my opinion, is Lightning Intelligence’s continuous scanning capabilities. These ensure that AD environments are regularly checked for misconfigurations and potential risks. Unlike Purple Knight, which long-time users know requires manual operation, Lightning Intelligence runs automatically to deliver proactive security insights without additional overhead.
