Risky Business Soap Box: Graph the Planet!
Podcast: Risky Business
Host: Patrick Gray
Guest: Jared Atkinson (CTO, SpecterOps/Bloodhound)
Date: December 11, 2025
Episode Overview
This episode dives deep into Bloodhound’s evolution from an Active Directory (AD) attack and defense tool to a platform supporting Open Graph, aimed at mapping complex identity and permissions relationships across modern, hybrid environments. Patrick Gray and Jared Atkinson discuss challenges with privilege management, the explosion of identity systems, SSO's double-edged sword, community contributions to Open Graph, and real-world red team insights from mapping attack paths across diverse enterprise systems.
Key Discussion Points & Insights
1. Origins and Evolution of Bloodhound
- Red Team Roots:
- Bloodhound began as a red team tool (its creators are now at SpecterOps), solving the "Google Maps" problem of lateral movement: given a foothold, find a route through a large AD environment to the target before you start moving.
“Bloodhound came about almost as like Google Maps, the Google Maps equivalent for navigating your way through a domain environment.” — Jared Atkinson [02:27]
- Transition to Defense:
- Defenders can invert the offensive question: instead of "how do I get from this foothold to Domain Admin", ask "what are all the routes from anywhere in the environment to the assets I care about", then remove the edges (group memberships, ACLs, sessions) that create those routes.
“Defenders can do like kind of the inverse... What are all the different routes that attackers can take from anywhere in the environment to get to this thing that I consider to be really important?” — Jared Atkinson [02:55]
2. Identity and Privilege Management Today
- The Problem with Hybrid Environments:
- Modern enterprises run on-premises AD alongside Entra ID (formerly Azure AD), Okta, GitHub and other SaaS platforms, linked by sync, federation and provisioning, so one person's identity exists in several systems with different permissions in each.
“Every enterprise worth its salt now... is kind of what you would call a hybrid environment.” — Patrick Gray [05:42]
- Unmanaged Identities as the New Attack Surface:
- Unmanaged identities (accounts linked across systems but owned by nobody, or mapped incorrectly between systems) are emerging as the key weakness, much as unpatched machines were in the past.
“It seems like now an unmanaged identity is what's going to get you... It can be used in all sorts of ways that it was never intended to be used.” — Patrick Gray [15:19]
- Least Privilege Remains Elusive:
- Least privilege has been a stated design principle since Saltzer and Schroeder's 1975 paper, yet most organizations practice "enough privilege": access is granted whenever a need arises and is rarely revoked once the need has passed.
“Most people are doing enough privilege... you never go back... Now let's go back and take away everything that they don't actually need.” — Jared Atkinson [16:37]
3. Why Open Graph?
- The Extensibility Problem:
- As Bloodhound grew beyond AD to Azure, GitHub and other platforms, its original architecture made every new node type, edge type or platform a significant engineering effort.
“Product wasn’t built originally to be super extensible... It would take quite an effort to actually like add new attack paths…” — Jared Atkinson [06:47]
- Open Graph Solution:
- Open Graph introduces an open schema: a collector written by anyone outputs nodes and edges in a specified format, and Bloodhound ingests them and lets you query them alongside the existing AD and Azure data, so new platforms and relationships can be added without changing the product itself.
“What if we create a schema that’s kind of like an open schema... You output your data in this specified format and you’re able to build arbitrary edges, arbitrary nodes in the graph.” — Jared Atkinson [09:48]
4. SSO & Interconnected Attack Surfaces
- The Lifecycle Challenge:
- SSO and SCIM provisioning centralize authentication and account lifecycle (including offboarding), but they also chain platforms together: SCIM pushes identities and group memberships from the identity provider into downstream applications, so whoever controls the identity provider effectively controls those applications (e.g. AD ↔️ Entra ↔️ GitHub).
“Anyone that can get control over your Azure environment now has control over your GitHub environment.” — Jared Atkinson [13:25]
- Federations Can Introduce Unnoticed Risk:
- Nested identity federations create gaps between teams and systems: each platform has an owner, but the attack paths that cross from one platform into the next are nobody's responsibility, so the attack surface grows unnoticed.
“Those gaps between systems—almost nobody's responsible for it... It's just this big mess.” — Jared Atkinson [14:32]
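The Open Graph schema from section 3 and the AD ↔️ Entra ↔️ GitHub chain from this section, as an added example that is not SpecterOps's code: a small Python collector that emits an Open Graph-style ingest document for a constructed hybrid identity chain, validates it before upload, and answers the defender's inverse question (every route from an entry point into the GitHub org) offline. The JSON field names (graph.nodes[].id/kinds/properties, graph.edges[].kind/start/end with match_by, metadata.source_kind) are my reading of the published OpenGraph ingest format and should be checked against the current Bloodhound documentation; the node kinds, edge kinds, collector name, the Cypher string and the identities (prefixed "Hypo", domain corp.example) are invented for illustration.

```python
"""Open Graph-style ingest for a hybrid identity chain (added example)."""
import json
from collections import defaultdict

SOURCE_KIND = "HypoHybridCollector"  # hypothetical collector name

# Node kind by id prefix. "Base" as a second kind on every node is my reading
# of the OpenGraph docs (assumption); the kind names are invented.
KIND_BY_PREFIX = {"ad": "HypoADUser", "entra": "HypoEntraPrincipal",
                  "gh": "HypoGitHubPrincipal"}

# Constructed observations: (edge kind, start id, end id). Ids carry a prefix
# for the system they were collected from; all identities are fictional.
OBSERVED = [
    ("HypoSyncedToEntra", "ad:S-1-5-21-1-2-3-1104", "entra:alice@corp.example"),
    ("HypoSCIMProvisioned", "entra:alice@corp.example", "gh:alice-corp"),
    ("HypoMemberOf", "gh:alice-corp", "gh:org/acme/team/platform"),
    ("HypoAdminOf", "gh:org/acme/team/platform", "gh:org/acme"),
    ("HypoGlobalAdminOf", "entra:breakglass@corp.example", "entra:tenant"),
    ("HypoOwnsSCIMApp", "entra:tenant", "gh:org/acme"),  # tenant admin controls the SCIM/SSO app
]

# Illustrative Cypher for the same question once the data is in Bloodhound;
# labels and properties must match whatever your collector actually emits.
CYPHER_ALL_PATHS_TO_ORG = (
    "MATCH p = (entry)-[*1..]->(t:HypoGitHubPrincipal {name: 'org/acme'}) "
    "WHERE NOT ()-->(entry) RETURN p")


def node_kinds(node_id):
    return [KIND_BY_PREFIX.get(node_id.split(":", 1)[0], "HypoUnknown"), "Base"]


def build_ingest(observed):
    """Turn collector observations into one ingest document: every id named by
    an edge is declared exactly once as a node, and edges reference nodes by id."""
    ids = []
    for _, start, end in observed:
        for n in (start, end):
            if n not in ids:
                ids.append(n)
    return {
        "metadata": {"source_kind": SOURCE_KIND},
        "graph": {
            "nodes": [{"id": n, "kinds": node_kinds(n),
                       "properties": {"name": n.split(":", 1)[1]}} for n in ids],
            "edges": [{"kind": kind, "start": {"value": s, "match_by": "id"},
                       "end": {"value": e, "match_by": "id"}, "properties": {}}
                      for kind, s, e in observed],
        },
    }


def validate(doc):
    """Pre-upload checks: unique ids, non-empty kinds, no dangling edge endpoints."""
    nodes = doc["graph"]["nodes"]
    ids = [n["id"] for n in nodes]
    problems = [f"duplicate node id {i}" for i in sorted(set(ids)) if ids.count(i) > 1]
    problems += [f"node {n['id']} has no kinds" for n in nodes if not n.get("kinds")]
    for e in doc["graph"]["edges"]:
        for side in ("start", "end"):
            if e[side]["value"] not in ids:
                problems.append(f"edge {e['kind']} references undeclared node {e[side]['value']}")
    return problems


def attack_paths_to(observed, target):
    """The defender's inverse question: every route from an entry node (one with
    no inbound edges) to `target`, found by walking the edges backwards."""
    preds, has_inbound = defaultdict(list), set()
    for _, s, e in observed:
        preds[e].append(s)
        has_inbound.add(e)
    if target not in has_inbound:
        return []  # nothing leads to the target at all
    paths = []

    def walk(node, suffix):
        path = [node] + suffix
        if node not in has_inbound:       # nothing leads here: an entry point
            paths.append(path)
            return
        for p in preds[node]:
            if p not in path:             # do not loop on cycles
                walk(p, path)

    walk(target, [])
    return sorted(paths)


if __name__ == "__main__":
    doc = build_ingest(OBSERVED)
    assert not validate(doc)
    print(json.dumps(doc, indent=2))
    for path in attack_paths_to(OBSERVED, "gh:org/acme"):
        print(" -> ".join(path))
```

Run as a script it prints the ingest document and two routes into gh:org/acme: the synced AD user through SCIM provisioning and team membership, and the Entra break-glass account through tenant control of the SCIM application. The second route is the "control Azure, control GitHub" path from the episode; it only becomes visible because the collector emits the cross-platform edge, which is the point of Open Graph.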
5. Community Response & Extensions Built
- Immediate Community Engagement:
- Within 24 hours of launch, the community built the first extension (AnsibleTowerHound), demonstrating rapid adoption and creativity.
“The very first extension was within 24 hours of us releasing it… Ansible Tower Hound.” — Jared Atkinson [23:13]
- Diverse Extension Ecosystem:
- Notable extensions include:
- RunZeroHound: asset discovery
- PingOne/PingIdentity: SaaS identity provider
- CyberArk: privileged access management
- vCenterHound: virtualization infrastructure
- 1PasswordHound: password manager relationships
- SpecterOps's own collectors for SCCM and MS SQL Server (SCCM Hound, MS-SQL Hound)
- Secret Scanning with TruffleHog:
- SecretHound feeds TruffleHog findings into the graph, drawing nodes and edges for secrets found in GitHub, so a leaked credential appears as a potential lateral movement path even before its full impact is known.
“What he's doing is integrating that and then he's drawing nodes and edges as a result.” — Jared Atkinson [19:18]
6. Mapping Real-World Entropy
- The Garden Metaphor:
- Organizational “graph entropy” increases as configuration drift accumulates: every change adds or removes edges whose net effect nobody can predict, so a clean environment with few attack paths is not the natural state, and ongoing upkeep is essential.
“We think of the graph as being representation of entropy... Making configuration changes over time, it's very difficult to understand what the net effect of that is going to be.” — Jared Atkinson [33:08]
7. Red Team Wins & Hybrid Attack Paths
- Case Studies:
- Red teams use Open Graph's flexibility to map only what a given engagement needs. One example: the trust between GitHub repositories and AWS IAM roles (GitHub Actions OIDC federation) was configured so broadly that access to those repositories was enough to assume high-privilege AWS roles, and the set of users who had that access was large.
“If you have the ability based on AWS policies... access to those GitHub repositories would allow you to assume roles in the context of AWS... It was extensive.” — Jared Atkinson [36:05]
- Discovering Unseen Paths:
- Without a graph, many attack paths stay invisible; a configuration issue like the one above is spread across two platforms' settings, so even attackers miss opportunities because the connection is never obvious from either side alone.
“You can't just surface these types of configuration issues without a graph because... there's no way to see them.” — Patrick Gray [37:39]
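The GitHub-to-AWS case above, as an added example (not code from SpecterOps or from the engagement described): a Python audit of IAM role trust policies for GitHub Actions OIDC federation. It classifies how broadly each role trusts GitHub from the `token.actions.githubusercontent.com:sub` condition and checks which workflow `sub` claims could assume each role. The sample policies, role names, account ID and repositories are constructed; the `sub` claim format and the condition semantics (values under one operator are OR'ed, operators are AND'ed, statements are OR'ed) are AWS's documented behaviour.

```python
"""Audit IAM role trust policies for over-broad GitHub Actions OIDC trust (added example).

A GitHub Actions job requests an OIDC token from token.actions.githubusercontent.com
and calls sts:AssumeRoleWithWebIdentity; AWS checks the role's trust policy against
the token's claims. The `sub` claim (e.g. "repo:acme/api:ref:refs/heads/main") is what
scopes the trust to a repository/ref/environment. A policy that checks only `aud`
trusts every workflow in every repository on github.com.
"""
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
SEVERITY = ["scoped", "repo-wide", "org-wide", "unrestricted"]  # tight -> loose


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern):
    """IAM StringLike semantics: '*' matches any run, '?' any single character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def github_trust_statements(policy):
    """One {operator: [sub patterns]} dict per Allow statement that lets the GitHub
    OIDC provider assume the role. An empty dict means that statement never looks
    at `sub`, i.e. any GitHub workflow token is accepted."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(GITHUB_OIDC in f for f in federated)):
            continue
        rules = {}
        for op, keys in stmt.get("Condition", {}).items():
            base_op = op.split(":")[-1]  # drop ForAnyValue:/ForAllValues: prefixes
            for key, value in keys.items():
                if key.lower() == f"{GITHUB_OIDC}:sub":  # condition keys are case-insensitive
                    rules.setdefault(base_op, []).extend(_as_list(value))
        found.append(rules)
    return found


def pattern_scope(op, pattern):
    """How much of GitHub one `sub` pattern lets in."""
    if op == "StringEquals":
        return "scoped"  # exact match; wildcards are literal here
    if not pattern.startswith("repo:"):
        return "unrestricted"
    repo, _, ref = pattern[len("repo:"):].partition(":")
    owner, _, name = repo.partition("/")
    if "*" in owner or "?" in owner:
        return "unrestricted"
    if "*" in name or "?" in name:
        return "org-wide"   # every repo in the org, every branch, every PR
    if ref in ("", "*"):
        return "repo-wide"  # every branch/tag/PR/environment of one repo
    return "scoped"


def statement_scope(rules):
    if not rules:
        return "unrestricted"
    # Values under one operator are OR'ed (loosest wins); operators are AND'ed
    # (tightest wins).
    per_op = [max(SEVERITY.index(pattern_scope(op, p)) for p in pats) for op, pats in rules.items()]
    return SEVERITY[min(per_op)]


def role_scope(policy):
    stmts = github_trust_statements(policy)
    if not stmts:
        return None  # role does not trust GitHub OIDC at all
    return SEVERITY[max(SEVERITY.index(statement_scope(s)) for s in stmts)]


def can_assume(policy, sub):
    """Would a workflow token carrying this `sub` satisfy the trust policy?"""
    def matches(op, pattern):
        return pattern == sub if op == "StringEquals" else bool(_glob(pattern).match(sub))
    return any(all(any(matches(op, p) for p in pats) for op, pats in stmt.items())
               for stmt in github_trust_statements(policy))


def audit(policies, workflow_subs):
    """Per role: its trust scope and which of the given workflow subs can assume it."""
    return {role: {"scope": role_scope(pol),
                   "assumable_by": [s for s in workflow_subs if can_assume(pol, s)]}
            for role, pol in policies.items()}


def _gh_policy(condition):
    """Constructed trust policy skeleton; 111122223333 is the AWS docs placeholder account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


POLICIES = {  # constructed samples
    "prod-deploy": _gh_policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                               "StringLike": {f"{GITHUB_OIDC}:sub": "repo:acme/api:ref:refs/heads/main"}}),
    "shared-ci": _gh_policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}),  # aud only
    "org-admin": _gh_policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                             "StringLike": {f"{GITHUB_OIDC}:sub": "repo:acme/*"}}),  # org-wide wildcard
}

WORKFLOW_SUBS = [  # constructed `sub` claims as GitHub would mint them for these runs
    "repo:acme/api:ref:refs/heads/main",
    "repo:acme/api:pull_request",
    "repo:acme/sandbox:ref:refs/heads/feature",
    "repo:evil/fork:ref:refs/heads/main",
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(POLICIES, WORKFLOW_SUBS), indent=2))
```

The two findings the engagement-style story turns on are "shared-ci" (no `sub` condition at all, so a workflow in any repository on GitHub can assume it) and "org-admin" (a `repo:acme/*` wildcard, so anyone who can run a workflow in any acme repository, including from a pull request, reaches the role). In graph terms each `assumable_by` entry is an edge from a repository, and therefore from everyone who can push to it, to an AWS role; that is the edge the red team mapped with Open Graph.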
8. Open Source vs. Enterprise Bloodhound
- Open Graph is Open Source-first:
- Open Graph's initial MVP targets open source (Bloodhound CE) users: data ingestion and Cypher queries work in both the open source and enterprise versions, with automated findings and further automation planned for enterprise.
“Currently... Open Graph is really targeted at the open source version, although it works in both.” — Jared Atkinson [40:40]
Notable Quotes & Memorable Moments
- On Bloodhound’s Inception:
“Bloodhound came about almost as like Google Maps... to where you would say, let's get initial access... and you can start to build out relationships and understand which path you want to take before you even start moving.”
— Jared Atkinson [02:27]
- The SSO Tradeoff:
“Nobody's really responsible. You might have somebody who's responsible for Active Directory... another for Entra... what they're not paying attention to are the attack paths from Active Directory into Entra...”
— Jared Atkinson [14:36]
- Identity as the New Perimeter:
“It seems like now an unmanaged identity is what's going to get you... It's just kind of fallen through the cracks. It can be used in all sorts of ways that it was never intended to be used.”
— Patrick Gray [15:19]
- On Least Privilege (from 1975!):
“Most people are doing enough privilege... you never go back and take away everything that they don't actually need.”
— Jared Atkinson [16:37]
- Open Graph Philosophy:
“We had long had this idea that we should try to change this to be more extensible. And that's kind of where this open graph idea came from...”
— Jared Atkinson [09:48]
- Mapping Entropy:
“We think of the graph as being a representation of entropy... Over time what happens is you're making configuration changes... and it's very difficult for you to understand what the net effect of that is going to be.”
— Jared Atkinson [33:08]
- On Real-World Red Teaming:
“Occasionally the red team has some target that takes them into uncharted territory, so to speak, they're bushwhacking their way through...”
— Jared Atkinson [35:07]
- The Danger of SSO, in Practice:
“Once you start seeing how everything is tied in, you're like, oh boy... It makes me second guess whether SSO is a good thing for security.”
— Jared Atkinson [37:54]
Timestamps of Important Segments
- [01:07-03:48] — Bloodhound origins, red and blue use cases
- [05:20-08:05] — Evolution of privilege, changing identity landscape
- [09:10-10:36] — Hurdles with mapping non-AD systems (GitHub)
- [11:39-14:28] — SSO, federation, and risks when identity is distributed
- [15:15-17:20] — Unmanaged identities vs. unmanaged machines; least privilege
- [18:32-21:31] — SecretHound, trufflehog integration, and secrets graphing
- [23:10-25:15] — Community extensions: AnsibleTowerHound, 1PasswordHound, more
- [30:23-32:51] — Surprising customer extensions: RunZero, Ping Identity, CyberArk, vCenterHound
- [34:08-34:54] — Environmental entropy, configuration drift
- [35:05-37:33] — Red team case studies, AWS and GitHub misconfigurations
- [40:40-42:00] — Open Graph in open source and enterprise Bloodhound
Conclusion
Bloodhound’s Open Graph marks a pivotal evolution, enabling both defenders and red teamers to keep pace with the growing complexity of hybrid, federated environments. The Open Graph schema and extension ecosystem have unlocked creativity by the security community, helping illuminate formerly invisible attack paths. In today’s world, where hybrid identity is the new perimeter and configuration entropy is the enemy, tools that let you “graph the planet” are not just useful—they’re essential.
