Huy Kha | Senior Identity & Security Architect

For organizations of any size, managing hybrid identity security across on-premises and cloud environments can be challenging, and Purple Knight has long been trusted to expose risky misconfigurations. Lightning Intelligence, a SaaS security posture assessment, automates scanning to provide continuous monitoring without the need for periodic manual assessments. Small and mid-sized businesses can easily deploy Lightning Intelligence to continuously monitor AD and Entra ID security posture, see security trends, and produce reports.

With added support for multi-forest and multi-tenant environments, Lightning Intelligence offers comprehensive visibility and actionable insights across the environment in a unified dashboard that displays security scores for each forest and tenant, along with on-demand security posture reports. Lightning Intelligence is designed for rapid deployment and requires no DC agent installation. All the security indicators are continuously updated by the Semperis research team to keep defenses current.

Lightning Intelligence dashboard shows the security posture for multi-forest Active Directory environments; each forest is assigned a security score, exposure count, and detailed breakdown of criticality levels

Differences between Lightning Intelligence and Purple Knight

Purple Knight is Semperis’ free tool that helps organizations assess the security of their Active Directory (AD) environments by identifying vulnerabilities and misconfigurations. However, it needs to be run manually each time, and updates require downloading the latest version to stay current with new indicators of exposure (IOEs). Lightning Intelligence, on the other hand, offers a fully automated experience. It continuously runs scans on a scheduled basis, reporting security scores directly in a unified dashboard. With support for multi-forest and multi-tenant environments, it provides a comprehensive view of all connected AD forests and tenants, displaying security scores, misconfigurations, and vulnerabilities for each environment. Continuous updates to IOEs ensure that users always have access to the most up-to-date information, without any manual intervention.

A unified dashboard displaying all indicators of exposure (IOEs) and associated risk scores across all connected forests

Lightning Intelligence features a weekly security score trend, which makes it easy for users to track changes and see how their scores improve over time.

Weekly score trend helps users track changes over time

Indicators of exposure and compromise

Lightning Intelligence displays IOEs in the dashboard. Depending on the criticality of the IOE, some indicators are checked hourly, while others are assessed daily or weekly.

The Lightning Intelligence dashboard highlights various IOEs with details such as severity level, result, category, and the date and time each was detected

From the IOEs shown, you can also dive deeper into the results to identify the root cause of each exposure. In this example, there is an IOE that monitors whether the Built-in Administrator account in AD has been used within the past two weeks. Regular use of this account is not recommended, as it lacks a personal identity, which makes it difficult to trace who made specific changes in AD.

Example of an IOE alert in Lightning Intelligence, showing recent use of the Built-in Administrator account within the last two weeks

Security report

Within the Lightning Intelligence dashboard, you can download a security report with a single click that will show all IOEs for each specific environment.


The security posture overview report in Lightning Intelligence provides a summary of the security assessment results for a selected Active Directory environment

Each week, once Lightning Intelligence has completed a full cycle of all IOE checks across the environment, you can download a security report to review any misconfigurations or vulnerabilities identified. Another huge plus is that you can download security reports and run scans on demand at any time. This allows you to track security scores and monitor progress over time.

Lightning Intelligence helps meet Five Eyes report directives

In 2024, the Five Eyes alliance released a report on spotting AD breaches by looking for attacks such as Kerberoasting, Golden Ticket, and DCSync. Lightning Intelligence aligns with the Five Eyes report recommendations by providing continuous scanning for AD misconfigurations and vulnerabilities. This proactive and automated approach to detecting weaknesses in AD makes it harder for some common attacks to succeed.

Lightning Intelligence helps small teams quickly find and fix AD security vulnerabilities

Lightning Intelligence is a versatile tool that benefits organizations of all sizes, but especially small and medium-sized businesses with limited resources and staff to focus on the security posture of AD and Entra ID. For managed service providers (MSPs) that manage multiple AD forests across various clients, it provides a single, unified dashboard to monitor security posture across all environments, with automated scans and on-demand reporting to easily track and address IOEs. Enterprises with more complex, multi-forest setups can use it to gain visibility across their entire AD infrastructure, identifying and resolving vulnerabilities and misconfigurations in real time.

The most significant benefit in my opinion is Lightning Intelligence’s continuous scanning capabilities, which ensure that AD environments are regularly checked for misconfigurations and potential risks. Unlike Purple Knight, which long-time users know requires manual operation, Lightning Intelligence runs automatically to deliver proactive security insights without additional overhead.
