Prove you can lock down Kerberos, map attack paths in BloodHound and run a Tier 0 response β in a 15-minute AI oral that cuts through buzzword CVs.
The Plume Active Directory Security badge validates your real-world ability to harden, audit and defend a Windows domain. In a 15-minute AI oral (OpenAI Realtime), you are questioned on concrete scenarios: spotting DCSync traces on a domain controller, rolling out a Tier 0/1/2 model, countering Kerberoasting and AS-REP Roasting, and prioritizing attack paths surfaced by BloodHound or PingCastle. This is not a multiple-choice test. The AI follows your answers, drills into vague areas, and scores your actual technical depth.
Unlike a generic certification or a self-declared LinkedIn skill, this badge is built on a recorded oral session analyzed by Claude Opus, which produces a score from 0 to 100 and a level (Novice, Proficient, Advanced, Expert). The detailed report breaks down strengths and gaps across every dimension: Kerberos mastery, ACL management, SIEM and EDR integration, your stance on NTLM deprecation and recent CVEs. Recruiters and CISOs can access your badge via a public URL and listen to the recording if you allow it.
This badge is built for security engineers, IAM consultants, Active Directory administrators and pentesters working in on-premise or hybrid environments (AD plus Entra ID). Whether you are preparing for a large-scale enterprise engagement, a CISO interview, or simply want to benchmark your level before upskilling, the badge gives you a credible, timestamped and verifiable proof of your Active Directory security expertise.
What this badge evaluates
Here are the concrete dimensions the AI examines during the 15-minute oral.
Kerberos protocol and its weaknesses
Explain the AS-REQ, TGT and TGS flows, identify accounts vulnerable to Kerberoasting and AS-REP Roasting, and describe concrete countermeasures: AES-only encryption, Protected Users group, gMSA service accounts.
AD incident detection and response
Correlate Windows events 4624, 4768, 4769 and 4776 in a SIEM, identify DCSync traces (EventID 4662), Golden Ticket artefacts or Pass-the-Hash indicators, and lead containment and eradication on a compromised DC.
Tiering model design and rollout
Classify critical assets into Tier 0 (DCs, PKI, ADFS), define dedicated admin accounts per tier, enforce logon restrictions via GPO and RBAC, and drive operational buy-in from infrastructure teams resistant to new constraints.
ACL audit and attack path prioritization
Use BloodHound to map compromise paths, PingCastle and Purple Knight for risk scoring, prioritize dangerous delegations (GenericAll, WriteDACL, DCSync rights) and build an actionable remediation plan.
GPO hardening and AD configuration
Deploy security GPOs (LAPS, Credential Guard, Restricted Groups, SMB signing), phase out NTLM, enable LDAP signing and channel binding, and track ANSSI and Microsoft Secure Score AD recommendations.
Hybrid AD and Entra ID integration
Configure Entra Connect synchronization, assess the expanded attack surface introduced by password hash sync, pass-through authentication and seamless SSO, and define a Zero Trust strategy alongside a legacy AD.
Privileged account management (PAM)
Deploy a PAM solution (CyberArk, Thycotic, Microsoft MIM), implement just-in-time access, automate secret rotation for service accounts, and control admin sessions on Tier 0 assets.
Keeping up with recent changes
Factor in post-CVE-2022-37967 Kerberos patches (PAC Privilege Attribute Certificate), Microsoft's announced NTLM deprecation timeline, and the impact of new LDAP signing requirements on legacy applications.
How this badge is scored
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Kerberos and AD attack technical depth
35% of score
Depth of explanation on Kerberos internals (AS-REQ, PAC, delegation types), accuracy of attack descriptions (Kerberoasting, DCSync, Golden Ticket) and relevance of countermeasures cited (AES-only, Protected Users, SID filtering).
Operational experience and real-world cases
25% of score
Ability to describe concrete engagements with specific details: domain size, incident type, tools actually used. The AI assesses the plausibility and richness of the examples shared.
Auditing, tooling and risk prioritization
20% of score
Relevant use of BloodHound, PingCastle, Purple Knight and Windows event logs. Method for prioritizing attack paths and ability to translate technical findings into an actionable remediation plan.
Architecture vision and hybrid integration
12% of score
Understanding of AD/Entra ID hybrid challenges, Zero Trust positioning, knowledge of Entra Connect synchronization risks (password hash sync, federation) and cloud-specific attack surfaces.
Clarity and structure of answers
8% of score
Ability to explain complex concepts (Kerberos, tiering, ACLs) in a clear, structured and accessible way, even under follow-up pressure from the AI examiner.
How the oral exam unfolds
A Plume session takes about 20 minutes, from tech check to badge delivery.
1
Step 1
Tech check (1 min)
Before starting, the AI checks that your microphone works, your connection is stable and you are in a quiet space. No tools, documentation or screens are allowed during the oral.
2
Step 2
Warm-up and context (2 min)
The AI examiner asks you to introduce yourself and describe your most recent Active Directory security engagement: company type, domain size, scope of your involvement.
3
Step 3
In-depth questioning (10-12 min)
The core of the exam: the AI works through the major themes (Kerberos, tiering, ACLs, incident detection, hybrid integration, recent changes). It adjusts the depth of its follow-up questions to your answers and drills into gaps.
4
Step 4
Big-picture question (1-2 min)
The examiner asks you to step back: in what situations would you recommend migrating to Entra ID rather than continuing to harden an on-premise AD? What limits of AD hardening have you hit in practice?
5
Step 5
Score and badge delivery (under 10 min)
Claude Opus analyzes the transcript, assigns a score from 0 to 100 and a level (Novice, Proficient, Advanced, Expert), and generates a detailed per-criterion report. Your badge is available immediately with a shareable URL.
The 4 proficiency levels
Your score out of 100 translates into a level a recruiter can grasp at a glance.
Novice
Score 0-39
You know the basics of Active Directory (users, groups, GPOs) but have not yet worked on AD security challenges in a professional context. You are not yet familiar with Kerberos internals, BloodHound or tiering models.
Proficient
Score 40-59
You have taken part in AD audits or hardening engagements, you understand the main attacks (Kerberoasting, DCSync) and you know how to run an initial scan with PingCastle or BloodHound. You can describe a tiering model even if you have not deployed one end-to-end.
Advanced
Score 60-79
You have designed and deployed secure AD architectures in production, including tiering, LAPS, Credential Guard and gMSA service accounts. You use BloodHound to prioritize attack paths and you know how to respond to a DCSync or Golden Ticket incident.
Expert
Score 80-100
You are the go-to AD security reference in your organization or for your clients. You drive long-term hardening strategy, integrate AD with Entra ID and a PAM solution, track Kerberos CVEs and the NTLM deprecation roadmap, and mentor other engineers on AD security.
Who this badge is for
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
Offensive security consultant (pentester)
You attack AD environments during red team exercises and penetration tests, and you want to prove you also master the defensive and hardening side, not just Kerberoasting exploitation or misconfigured delegation abuse.
Security engineer or SOC analyst
You monitor AD events in a SIEM (4624, 4768, 4769) and want to validate your ability to detect an AD compromise and respond to an incident involving a DC or a Tier 0 account.
Active Directory administrator
You manage Windows domains day to day and want to benchmark your level on security topics (LAPS, Credential Guard, hardening GPOs, tiering) that you apply or still need to implement.
CISO or IAM architect candidate
You are applying for a role that requires deep AD expertise and want a concrete proof point to bring to the interview, beyond general certifications like OSCP or CISSP.
Freelance IAM or security consultant
Your enterprise clients ask for proof of competence before engaging you on an AD hardening project. The badge provides a verifiable URL and an objective score you can share upfront.
Concrete use cases
Where and how your Active Directory Security badge will help you day to day.
RFP response
A consulting firm includes links to their consultants' Active Directory Security badges in a bid for a critical infrastructure AD hardening contract. The Expert score immediately backs up the team's claimed expertise.
Job interview
A candidate for a security engineer role shares their badge before the technical interview. The hiring manager listens to the audio excerpt and arrives with targeted questions, cutting 30 minutes off the qualification process.
Freelance engagement
An independent IAM consultant sends their Advanced badge to a CTO before kicking off an AD-to-Entra ID migration project, proving they understand hybrid security risks without needing a prior technical screening call.
Skills benchmarking
A Proficient-level AD admin receives a report pinpointing gaps in ACL auditing and Kerberos attack knowledge. They use it to target their training and retake the badge six months later to measure progress.
Internal audit and team planning
A CISO has their entire AD team take the badge to objectively map individual levels before setting the annual training plan. Scores reveal who is ready for Tier 0 ownership and who needs BloodHound coaching.
Freelance platform profile
A security expert adds their Active Directory Security badge URL (Expert level, score 91/100) to their Toptal or LinkedIn profile. Clients can verify the result in one click without scheduling a technical test.
Prerequisites
A few minutes to check you have everything you need.
At least one year of hands-on experience with Active Directory in a professional context (administration, auditing or penetration testing).
Working knowledge of Kerberos fundamentals (TGT, TGS, SPNs) and the main AD attacks (Kerberoasting, DCSync, Pass-the-Hash).
Practical experience with at least one AD auditing tool: BloodHound, PingCastle or Purple Knight.
A good-quality microphone, a stable internet connection and a quiet room for the full 15-minute session.
Readiness to discuss real engagements or incidents with concrete details about context, tools used and decisions made.
What you take away
At the end of your session you don't just get a score β here's everything that awaits you.
0-100 score and certified level
You receive a precise score out of 100 and a level (Novice, Proficient, Advanced, Expert) based on the AI's analysis of your actual mastery of Kerberos, tiering, ACLs and AD incident response.
Detailed feedback report
Claude Opus generates a per-criterion report that highlights your strengths (e.g., strong grasp of Kerberos attack chains) and your growth areas (e.g., ACL delegation depth, PAM integration knowledge).
Private audio recording
Your full 15-minute oral session is recorded and stored securely. You decide whether to grant recruiters and clients access to the audio or keep it private.
Shareable and verifiable badge
You get a unique public URL displaying your level and score. Add it to LinkedIn, your CV or a client proposal: anyone can verify your result in one click, no account needed.
Frequently asked questions about the Active Directory Security badge
The oral is calibrated for professionals with at least one year of hands-on AD experience in a real environment (administration, auditing or penetration testing). If you have never worked with BloodHound, tiering or Kerberos professionally, you are likely to score at the Novice level. The badge is not an introduction to AD security: it is a validation of operational skills.
Other Cybersecurity & GDPR badges
Discover related skills you can validate with Plume.