Security auditor for Active Directory and Microsoft Entra ID — single static Go binary, 498 detectors, 9 compliance frameworks, audits an 800-object DC in ~1 second.
ETC Collector audits an entire AD forest in about a second and outputs a single JSON document with framework-tagged compliance scores ready for ANSSI, CIS, NIST, DISA, HDS, RGPD and NIS2 reporting. No agent. No Microsoft .NET dependency. No telemetry by default.
Cross-platform single binary covering ADCS escalation paths (ESC1–ESC11), Kerberos delegation abuse, AdminSDHolder tampering and Tier-0 privilege escalation — runs natively on Linux, macOS and Windows.
- Why this tool
- At a glance
- Architecture
- Quick start
- Install
- Operating modes
- Detection coverage
- Compliance frameworks
- CLI reference
- Configuration
- Permissions
- Output JSON schema
- REST API
- Build from source
- Documentation
- Editions
- License
- Support
A senior identity-security engineer should immediately see what stands out:
- Cross-platform single binary — pure Go, ~50 MB on disk, no .NET, no Python, no JVM. Linux / macOS / Windows × amd64 / arm64.
- AD + Microsoft Entra ID in one run — emit a single JSON document covering both directories with consistent scoring.
- Framework-tagged findings — every detection carries the official compliance controls it satisfies (e.g. `compliance: [{framework: "ANSSI_PA099", control: "R28"}]`), and a per-framework score is computed in `summary.complianceScores[]`.
- 24 structured LDAP error codes — instead of opaque Go runtime errors, classified codes such as `LDAP_TLS_IP_SAN_MISSING`, `LDAP_BIND_INVALID_CREDENTIALS`, `LDAP_REFERRAL_BAD_BASE_DN` are emitted with a fix suggestion and a doc anchor.
- Three operating modes from one binary — CLI one-shot for CI/CD, embedded HTTPS server with web UI, or long-running daemon enrolled with the EtcSec SaaS.
- Stable JSON schema — designed to be consumed downstream (SaaS dashboards, custom dashboards, SIEM ingestion).
All numbers are as of v3.1.12 (April 2026), fact-checked against etc-collector audit list runtime output.
| Metric | Value |
|---|---|
| Detectors (Pro) | 498 across 23 categories |
| Detectors (Community) | 472 across 19 categories |
| Active Directory | 340 detectors (324 Community + 16 Pro) |
| Microsoft Entra ID | 158 detectors (148 Community + 10 Pro) |
| Compliance frameworks | 9 scored per audit (PA-099, BP-039, Guide d'hygiène, HDS, RGPD, NIS2, CIS, NIST, DISA) |
| LDAP error codes | 24 structured codes |
| Binary size | ~10 MB compressed, ~50 MB on disk |
| Runtime dependencies | none — pure Go static binary |
| Build target Go version | 1.22+ |
| Supported OS / arch | linux/amd64, linux/arm64, darwin/amd64, darwin/arm64, windows/amd64 |
ETC Collector ships one binary that runs in three distinct modes:
```
┌───────────────────────────────────────────────────────────────────────┐
│                         ETC Collector v3.1.12                         │
├───────────────────────────────────────────────────────────────────────┤
│                                                                       │
│  ┌────────────────┐  ┌────────────────┐  ┌─────────────────────┐      │
│  │  1. CLI        │  │  2. Server     │  │  3. SaaS Daemon     │      │
│  │  one-shot      │  │  standalone    │  │  long-running poll  │      │
│  ├────────────────┤  ├────────────────┤  ├─────────────────────┤      │
│  │ etc-collector  │  │ etc-collector  │  │ etc-collector       │      │
│  │ audit ad ...   │  │ server         │  │ daemon              │      │
│  │                │  │                │  │                     │      │
│  │ → stdout JSON  │  │ → HTTPS API    │  │ → enrolls with SaaS │      │
│  │ → exit 0/1     │  │   :8443 + GUI  │  │ → polls schedule    │      │
│  └───────┬────────┘  └───────┬────────┘  └─────────┬───────────┘      │
│          │                   │                     │                  │
│          ▼                   ▼                     ▼                  │
│    stdout / file      localhost:8443        api.etcsec.com            │
│                       web UI + REST                                   │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
                           ┌─────────────────┐
                           │    Detector     │
                           │    Registry     │
                           │    (498 Pro)    │
                           └────────┬────────┘
                                    │
               ┌────────────────────┼────────────────────┐
               ▼                    ▼                    ▼
        ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
        │ AD provider  │     │ Entra ID     │     │ Future :     │
        │ ldap://      │     │ MS Graph SDK │     │ Exchange,    │
        │ ldaps://     │     │ Tenant ID +  │     │ Intune,      │
        │ + SMB SYSVOL │     │ Client cred  │     │ Workspace    │
        └──────────────┘     └──────────────┘     └──────────────┘
```
| Mode | Best for | Network | Persistence |
|---|---|---|---|
| CLI | CI/CD pipelines, ad-hoc audits, air-gapped environments | Outbound to DC only | None — JSON to stdout |
| Server | Local team dashboard, ad-hoc API integration | Outbound to DC + inbound HTTPS :8443 | Local SQLite (audit history) |
| Daemon | Centrally managed at scale via EtcSec SaaS | Outbound to DC + outbound HTTPS to api.etcsec.com | Local config + enrollment token |
```bash
# 1. Pull the Docker image
docker pull etcseccom/etc-collector:latest

# 2. Audit Active Directory (one-shot)
docker run --rm \
  -e LDAP_URL=ldaps://dc01.example.com:636 \
  -e LDAP_BIND_DN="CN=svc-audit,CN=Users,DC=example,DC=com" \
  -e LDAP_BIND_PASSWORD="$LDAP_BIND_PASSWORD" \
  -e LDAP_BASE_DN="DC=example,DC=com" \
  etcseccom/etc-collector:latest \
  audit ad -o /dev/stdout > audit.json

# 3. Inspect the result
jq '.audit.summary | {findings: .objects.findings, score: .risk.score, frameworks: [.complianceScores[].framework]}' audit.json
```

A successful audit completes in 1–3 seconds for a 1k-object domain. See docs/configuration/ad-getting-started.md for a guided walkthrough including DC certificate extraction and 5 connection scenarios.
Every release ships a checksums.sha256 file alongside the binaries.
```bash
VERSION=3.1.12
BASE=https://github.com/etcsec-com/etc-collector/releases/download/v${VERSION}

# Download the binary + the checksums
curl -LO ${BASE}/etc-collector-${VERSION}-linux-amd64.tar.gz
curl -LO ${BASE}/checksums.sha256

# Verify
sha256sum -c checksums.sha256 --ignore-missing
# → etc-collector-3.1.12-linux-amd64.tar.gz: OK
```

```bash
VERSION=3.1.12
curl -LO https://github.com/etcsec-com/etc-collector/releases/download/v${VERSION}/etc-collector-${VERSION}-linux-amd64.tar.gz
tar -xzf etc-collector-${VERSION}-linux-amd64.tar.gz
sudo install -m 0755 etc-collector /usr/local/bin/etc-collector
etc-collector --version
```

```bash
ARCH=$(uname -m | sed 's/x86_64/amd64/')
VERSION=3.1.12
curl -LO https://github.com/etcsec-com/etc-collector/releases/download/v${VERSION}/etc-collector-${VERSION}-darwin-${ARCH}.tar.gz
tar -xzf etc-collector-${VERSION}-darwin-${ARCH}.tar.gz
sudo install -m 0755 etc-collector /usr/local/bin/etc-collector

# If Gatekeeper blocks the binary
sudo xattr -rd com.apple.quarantine /usr/local/bin/etc-collector
```

```powershell
$Version = "3.1.12"
$Base = "https://github.com/etcsec-com/etc-collector/releases/download/v$Version"
Invoke-WebRequest -Uri "$Base/etc-collector-$Version-windows-amd64.zip" -OutFile etc-collector.zip
Expand-Archive etc-collector.zip -DestinationPath "C:\Program Files\ETCSec" -Force

# Optional : install as Windows service
& "C:\Program Files\ETCSec\etc-collector.exe" install
```

The Windows binary is code-signed with an Authenticode certificate.
```bash
docker pull etcseccom/etc-collector:v3.1.12
docker run --rm \
  -e LDAP_URL=ldaps://dc01.example.com:636 \
  -e LDAP_BIND_DN="CN=svc-audit,CN=Users,DC=example,DC=com" \
  -e LDAP_BIND_PASSWORD="$LDAP_BIND_PASSWORD" \
  -e LDAP_BASE_DN="DC=example,DC=com" \
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  etcseccom/etc-collector:v3.1.12 \
  audit ad -o /dev/stdout
```

```yaml
services:
  etc-collector:
    image: etcseccom/etc-collector:v3.1.12
    container_name: etc-collector
    restart: unless-stopped
    ports:
      - "8443:8443"
    command:
      - server
      - --ldap-url=ldaps://dc01.example.com:636
      - --ldap-bind-dn=CN=svc-audit,CN=Users,DC=example,DC=com
      - --ldap-bind-password=${LDAP_BIND_PASSWORD}
      - --ldap-base-dn=DC=example,DC=com
    volumes:
      - collector-data:/app/data
      - ./keys:/app/keys:ro

volumes:
  collector-data:
```

Best for CI/CD, ad-hoc audits, and air-gapped environments. The binary connects, audits, prints JSON, exits.
```bash
etc-collector audit ad --ldap-url ldaps://dc:636 ... -o audit.json
echo "exit=$?"
```

Exit codes:

- `0` — audit completed (findings may exist)
- `1` — audit failed (LDAP error, network error, file write error...)
Local HTTPS API + embedded GUI. No cloud, no enrollment.
```bash
etc-collector server --port 8443
# → https://localhost:8443
# → REST API at /api/v1/*
```

A web UI is served at the root; a REST API allows scripting audits and pulling job results. JWT auth required.
The collector enrolls with the EtcSec SaaS platform, polls for audit commands, and uploads results to your dashboard. Configuration and scheduling are managed centrally.
```bash
etc-collector enroll YOUR_TOKEN --saas-url https://api.etcsec.com
sudo systemctl enable --now etcsec-collector
```

The daemon also serves the local admin GUI alongside SaaS operations. By default the GUI listens on 127.0.0.1:8443. Use `--gui-host 0.0.0.0` to expose it (and configure firewall + access token).
→ See docs/modes/ for the full mode comparison.
| Category | Total | Severity distribution | Edition |
|---|---|---|---|
| accounts | 34 | 3🔴 / 15🟠 / 14🟡 / 2🔵 | Community |
| password | 11 | 5🔴 / 2🟠 / 4🟡 | Community |
| kerberos | 14 | 4🔴 / 5🟠 / 4🟡 / 1🔵 | Community |
| computers | 33 | 9🔴 / 10🟠 / 11🟡 / 3🔵 | Community |
| groups | 17 | 1🔴 / 7🟠 / 8🟡 / 1🔵 | Community |
| permissions | 21 | 1🔴 / 10🟠 / 10🟡 | Community |
| gpo | 34 | 6🔴 / 9🟠 / 14🟡 / 4🔵 | Community |
| monitoring | 9 | 4🟠 / 5🟡 | Community |
| network | 15 | 7🟠 / 7🟡 / 1🔵 | Community |
| trusts | 7 | 4🟠 / 3🟡 | Community |
| advanced | 50 | 9🔴 / 17🟠 / 19🟡 / 3🔵 | 48 Community + 2 Pro (ADCS) |
| compliance | 81 | 4🔴 / 32🟠 / 37🟡 / 4🔵 | Community |
| adcs (ESC1–ESC11) | 11 | 3🔴 / 6🟠 / 2🟡 | Pro |
| attack-paths | 3 | 2🔴 / 1🟠 | Pro |
| Category | Total | Notes |
|---|---|---|
| identity | 29 | MFA, SSPR, hybrid sync, lifecycle, legacy auth, password policy |
| applications | 28 | App registrations, service principals, OAuth consent, SAML certs |
| privileged-access | 24 | PIM, role assignments, eligible vs active, role thresholds |
| conditional-access | 20 | CA policy coverage, exclusions, gaps |
| guest-external | 15 | B2B, invitation policy, stale guests |
| groups | 12 | Role-assignable, dynamic membership, owner gaps |
| config | 12 | Tenant settings, security defaults, user consent |
| compliance (azureCompliance) | 8 | Access reviews, P2 license usage, CIS gaps, terms of use |
| risk-protection | 10 | Identity Protection, leaked credentials, sign-in/user risk policies — Pro only |
→ Full catalogs: docs/vulnerabilities/active-directory/ (340 entries) and docs/vulnerabilities/azure/ (158 entries).
| Category | Count | Examples |
|---|---|---|
| ADCS (AD) | 11 | ESC1 – ESC11 certificate template abuse paths |
| ADCS advanced (AD) | 2 | ADCS_WEAK_PERMISSIONS, ADCS_EDITF_ATTRIBUTESUBJECTALTNAME2 |
| Attack-paths (AD) | 3 | PATH_CERTIFICATE_ESC, PATH_GPO_TO_DA, PATH_TRUST_LATERAL |
| Risk Protection (Azure) | 10 | RISK_LEAKED_CREDENTIALS, RISK_HIGH_RISK_USERS_ACTIVE, ... |
ETC Collector tags every finding with the compliance controls it satisfies, then computes per-framework scores in summary.complianceScores[]. Nine frameworks ship in v3.1.12, all referenced against their official publication identifiers.
| Framework key (in JSON) | Coverage | Official publication |
|---|---|---|
| `ANSSI_PA099` | 90 detectors | ANSSI-PA-099 v1.0 — Recommandations pour l'administration sécurisée des SI reposant sur Microsoft Active Directory (02/10/2023) |
| `ANSSI_BP039` | 3 detectors | ANSSI-BP-039 v1.0 — Mise en œuvre des fonctionnalités de sécurité de Windows 10 reposant sur la virtualisation (11/2017) |
| `ANSSI_GUIDE_HYGIENE` | 18 detectors | ANSSI Guide d'hygiène informatique (40 mesures essentielles) |
| `HDS_v1_1` | 40 detectors | Référentiel HDS v1.1 — Hébergement Données de Santé (Agence du Numérique en Santé) |
| `RGPD` | 21 detectors | RGPD article 32 — Sécurité du traitement (UE 2016/679) |
| `NIS2_FR` | 42 detectors | Directive UE 2022/2555 (NIS2), transposition FR loi 2024-449 |
| `CIS_v8` | 19 detectors | CIS Controls v8.1 (May 2024) + CIS Microsoft Windows Server 2022 Benchmark v3.0.0 |
| `NIST_800_53` | 20 detectors | NIST SP 800-53 Rev.5 (Sept 2020, patch 2023) — AC, AU, IA control families |
| `DISA_STIG` | 8 detectors | DISA STIG — Active Directory Domain V3R3 |
Each framework also exposes a scope profile so you can run only the detectors relevant to it:
```bash
etc-collector audit ad ... --scope-profile compliance-anssi
etc-collector audit ad ... --scope-profile compliance-cis
# ... compliance-anssi-bp039, compliance-anssi-hyg, compliance-hds,
#     compliance-rgpd, compliance-nis2, compliance-nist, compliance-disa
```

→ See docs/configuration/compliance.md for the full mapping table and a per-control breakdown.
The full command tree (output of etc-collector --help v3.1.12):
```
etc-collector
├── audit          Run a one-shot security audit
│   ├── ad         Audit Active Directory (LDAP / LDAPS / StartTLS)
│   ├── azure      Audit Microsoft Entra ID
│   ├── exchange   Audit Exchange Online (mailbox delegation, forwarding)
│   ├── intune     Audit Microsoft Intune (device compliance, encryption)
│   ├── google     Audit Google Workspace (2FA, OAuth, drive sharing)
│   └── list       List available detector categories, profiles and IDs
├── discover       List assets without running detectors (read-only preview)
├── server         Manage the local admin GUI & API server
├── daemon         Run in daemon mode (SaaS)
├── enroll         Enroll this collector with the SaaS platform
├── unenroll       Remove enrollment
├── status         Show enrollment status
├── trial          Run a one-shot anonymous trial session
├── install        Install ETC Collector as a system service
├── uninstall      Uninstall the system service
├── upgrade        Upgrade the etc-collector binary out-of-process (v3.1.15+)
├── service        Manage the running service
├── gui-token      Manage GUI access token
├── license        Display the software license
├── help           Help about any command
└── completion     Generate shell autocompletion (bash, zsh, fish, powershell)
```
Output verified verbatim against etc-collector audit ad --help v3.1.12:
```
LDAP connection
      --ldap-url string                   ldap:// or ldaps:// URL (REQUIRED)
      --ldap-bind-dn string               Bind DN (DN, UPN or NetBIOS form) (REQUIRED)
      --ldap-bind-password string         Bind password (REQUIRED)
      --ldap-base-dn string               Search base DN (REQUIRED)

TLS
      --ldap-tls-verify                   Verify LDAP TLS certificates (default true)
      --ldap-ca-cert string               Path to a PEM file with the CA chain
      --ldap-tls-min-version string       Min TLS version: 1.0 / 1.1 / 1.2 / 1.3
      --ldap-start-tls                    Upgrade ldap:// (port 389) to TLS via StartTLS

Audit scope
      --scope-profile string              quick | compliance | pentest |
                                          compliance-anssi | compliance-anssi-bp039 |
                                          compliance-anssi-hyg | compliance-hds |
                                          compliance-rgpd | compliance-nis2 |
                                          compliance-cis | compliance-nist | compliance-disa
      --scope-include-categories strings  Categories to include (comma-separated)
      --scope-exclude-categories strings  Categories to exclude
      --scope-include-detectors strings   Detector IDs to include
      --scope-exclude-detectors strings   Detector IDs to exclude
      --exclusions string                 Path to an exclusions.yaml file
      --exclusions-dry-run                Compute exclusions without applying them

Network probes
      --enable-network-probes             Enable HTTP/HTTPS reach probes for ADCS, DNS AXFR

Output
      --format string                     json | json-pretty (default json)
      --include-details                   Include affected entities (default true)
  -o, --output string                     Output file path (default stdout)

Global
      --config string                     Path to config.yaml
  -V, --verbose                           Enable verbose/debug output
```
ETC Collector reads configuration in this priority (highest first):
- CLI flags
- Environment variables
- `config.yaml` (searched in `./`, `~/.etc-collector/`, `/etc/etc-collector/`)
- Built-in defaults
```yaml
# Server mode settings (only needed for `etc-collector server`)
server:
  host: "127.0.0.1"
  port: 8443
  tls:
    cert: /etc/etc-collector/server.crt
    key: /etc/etc-collector/server.key

# Active Directory connection (used by `etc-collector audit ad`)
ldap:
  url: ldaps://dc01.example.com:636
  bind_dn: "CN=svc-etccollector,CN=Users,DC=example,DC=com"
  bind_password: ${LDAP_BIND_PASSWORD}   # env var expansion
  base_dn: "DC=example,DC=com"
  tls_ca_cert: /etc/etc-collector/rootca.pem
  tls_verify: true

# Microsoft Entra ID
azure:
  tenant_id: ${AZURE_TENANT_ID}
  client_id: ${AZURE_CLIENT_ID}
  client_secret: ${AZURE_CLIENT_SECRET}

# Default audit scope
audit:
  scope_profile: compliance
```

| Variable | Purpose |
|---|---|
| `LDAP_URL`, `LDAP_BIND_DN`, `LDAP_BIND_PASSWORD`, `LDAP_BASE_DN` | LDAP connection |
| `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` | Entra ID app registration |
| `AUDIT_INCLUDE_CATEGORIES`, `AUDIT_EXCLUDE_CATEGORIES` | Equivalent to `--scope-*` flags |
| `AUDIT_PROFILE` | Equivalent to `--scope-profile` |
| `SERVER_PORT`, `AUTH_JWT_SECRET` | Server mode |
→ Full reference: docs/configuration/environment-variables.md
A standard Domain Users member is enough for the full audit: LDAP read on objects, SMB read on \\<domain>\SYSVOL (default for Authenticated Users), and read access to audit policy via the registry-replicated GPO objects.
```powershell
# Create a dedicated, non-rotating, non-delegated read-only account
New-ADUser -Name "svc-etccollector" `
    -SamAccountName "svc-etccollector" `
    -UserPrincipalName "svc-etccollector@example.com" `
    -AccountPassword (Read-Host -AsSecureString "Password") `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true

Set-ADAccountControl -Identity svc-etccollector -AccountNotDelegated $true
```

Do not put this account in Domain Admins, Backup Operators, or any privileged group — read-only is the entire model.
```bash
APP_NAME="ETC-Collector-Audit"
az ad app create --display-name "$APP_NAME"
APP_ID=$(az ad app list --display-name "$APP_NAME" --query "[0].appId" -o tsv)
az ad app credential reset --id "$APP_ID" --append --years 2

for PERM in \
  "User.Read.All" \
  "AuditLog.Read.All" \
  "UserAuthenticationMethod.Read.All" \
  "Directory.Read.All" \
  "Application.Read.All" \
  "Policy.Read.All" \
  "RoleManagement.Read.All" \
  "IdentityRiskyUser.Read.All"
do
  az ad app permission add --id "$APP_ID" \
    --api 00000003-0000-0000-c000-000000000000 \
    --api-permissions $(az ad sp show --id 00000003-0000-0000-c000-000000000000 \
      --query "appRoles[?value=='$PERM'].id | [0]" -o tsv)=Role
done

az ad app permission admin-consent --id "$APP_ID"
```

→ Step-by-step: docs/configuration/permissions.md
A single audit produces one JSON document with this top-level shape:
Every finding object embeds its compliance mapping:
```json
{
  "type": "NTLMV1_ALLOWED",
  "severity": "high",
  "category": "advanced",
  "title": "NTLMv1 Authentication Allowed",
  "description": "...",
  "count": 1,
  "compliance": [
    {"framework": "ANSSI_PA099", "control": "R22"},
    {"framework": "RGPD", "control": "art.32(1)(a)"},
    {"framework": "NIS2_FR", "control": "Art.21(2)(h)"},
    {"framework": "CIS_v8", "control": "§2.3"}
  ],
  "affectedEntities": []
}
```

On error, the document includes a structured code that matches one of the 24 LDAP error codes documented in docs/configuration/ad-troubleshooting.md:

```json
{
  "success": false,
  "error": {
    "code": "LDAP_TLS_IP_SAN_MISSING",
    "message": "LDAP URL uses an IP address but the certificate has no IP SAN",
    "resolution": "Use the DC FQDN listed in the certificate SAN.",
    "raw": "tls: failed to verify certificate: x509: cannot validate certificate for 10.0.0.10 because it doesn't contain any IP SANs"
  }
}
```

When running in server mode, ETC Collector exposes a REST JSON API at `https://<host>:8443/api/v1/`. JWT bearer auth.
```bash
HOST=https://localhost:8443
# Note: -k skips TLS certificate verification; where the server's certificate
# chain is available, pass it with --cacert instead.

# 1. Mint a JWT from the GUI bootstrap token
JWT=$(curl -sk -X POST $HOST/api/v1/auth/tokens \
  -H "Authorization: Bearer $(etc-collector gui-token show)" | jq -r .token)

# 2. Trigger an async audit
JOB_ID=$(curl -sk -X POST $HOST/api/v1/audit \
  -H "Authorization: Bearer $JWT" \
  -d '{"async": true, "provider": "ldap"}' | jq -r .jobId)

# 3. Poll job status
curl -sk $HOST/api/v1/jobs/$JOB_ID -H "Authorization: Bearer $JWT" | jq '.status'

# 4. Retrieve the result
curl -sk $HOST/api/v1/jobs/$JOB_ID/result -H "Authorization: Bearer $JWT" > result.json

# 5. Liveness probe (no auth)
curl -sk $HOST/health
```

→ Full endpoint reference: docs/API.md
Requires Go 1.22+.
```bash
git clone https://github.com/etcsec-com/etc-collector.git
cd etc-collector

# Build
make build

# OR manually
go build -o etc-collector ./cmd/etc-collector/

# Cross-compile for every supported target
mkdir -p dist
for target in linux/amd64 linux/arm64 darwin/amd64 darwin/arm64 windows/amd64; do
  OS=${target%/*}; ARCH=${target#*/}
  EXT=""; [ "$OS" = "windows" ] && EXT=".exe"
  GOOS=$OS GOARCH=$ARCH CGO_ENABLED=0 go build \
    -ldflags="-s -w" \
    -o dist/etc-collector-$OS-$ARCH$EXT \
    ./cmd/etc-collector/
done
```

Build flags:

- `CGO_ENABLED=0` — pure-Go static binary (no glibc dependency)
- `-ldflags="-s -w"` — strip debug info, ~30% smaller binary
| Topic | File |
|---|---|
| Getting started (admin walkthrough) | docs/configuration/ad-getting-started.md |
| AD connection modes (LDAP/LDAPS/StartTLS) | docs/configuration/ad-connection-modes.md |
| AD TLS certificate extraction (5 methods) | docs/configuration/ad-tls-certificates.md |
| AD troubleshooting runbook (24 error codes) | docs/configuration/ad-troubleshooting.md |
| Audit scope (categories / IDs / profiles) | docs/configuration/audit-scope.md |
| Compliance frameworks (mapping table) | docs/configuration/compliance.md |
| Permissions (AD account & Azure app setup) | docs/configuration/permissions.md |
| Configuration reference | docs/configuration/ |
| AD vulnerability catalog (340 entries) | docs/vulnerabilities/active-directory/AD_VULNERABILITY_CATALOG.md |
| Azure vulnerability catalog (158 entries) | docs/vulnerabilities/azure/AZURE_VULNERABILITY_CATALOG.md |
| Operating modes (Standalone vs SaaS daemon) | docs/modes/ |
| Features overview | docs/features/ |
| REST API reference | docs/API.md |
| Editions (Community vs Pro) | docs/EDITIONS.md |
| | Community | Pro |
|---|---|---|
| Detectors | 472 | 498 |
| AD audit | ✅ 324 detectors | ✅ 340 detectors (+16 Pro) |
| Microsoft Entra ID audit | ✅ 148 detectors | ✅ 158 detectors (+10 Pro) |
| REST API + embedded GUI | ✅ | ✅ |
| Standalone server mode | ✅ | ✅ |
| SaaS daemon mode | ✅ | ✅ |
| ADCS — ESC1–ESC11 | ❌ | ✅ |
| Attack-paths — privilege escalation graphs | ❌ | ✅ |
| Azure Risk Protection | ❌ | ✅ |
→ docs/EDITIONS.md for the full breakdown.
ETC Collector is licensed under the ETC Collector License v1.0 (Sustainable Use). You are free to use, modify and distribute this software for internal business or non-commercial purposes. Commercial redistribution is not permitted. See the LICENSE file for full terms.
For commercial use cases (managed services, SaaS resale, OEM bundling), contact support@etcsec.com.
- Documentation — etcsec.com
- Issues — github.com/etcsec-com/etc-collector/issues for bug reports and feature requests
- Discussions — GitHub Discussions for questions and design proposals
- Security — `security@etcsec.com` (responsible disclosure, 48-hour acknowledgment)
- Commercial / Pro / SaaS — `support@etcsec.com`
```json
{
  "success": true,
  "provider": "ldap",
  "audit": {
    "metadata": {
      "version": "3.1.12",
      "timestamp": "2026-04-22T20:21:00Z",
      "duration": "1.08s",
      "domain": "example.com",
      "ldapUrl": "ldaps://dc01.example.com:636"
    },
    "summary": {
      "objects": { "users": 546, "computers": 100, "groups": 154, "findings": 270 },
      "risk": { "score": 33, "rating": "high" },
      "complianceScores": [
        {
          "framework": "ANSSI_PA099",
          "score": 40.4,
          "rating": "high",
          "controlsTotal": 52,
          "controlsPassed": 21,
          "controlsFailed": 31,
          "failedControls": ["R1", "R2", "R6", "R22", "R28"],
          "maturityAxes": [
            {"name": "Politique de mot de passe", "level": 3, "coverage": 0.6},
            {"name": "Comptes privilégiés", "level": 2, "coverage": 0.4},
            {"name": "Authentification", "level": 4, "coverage": 0.8},
            {"name": "Délégation", "level": 1, "coverage": 0.2},
            {"name": "Supervision & audit", "level": 3, "coverage": 0.6}
          ]
        }
      ]
    },
    "accounts":       { "findings": [/* ... */] },
    "computers":      { "findings": [/* ... */] },
    "groups":         { "findings": [/* ... */] },
    "permissions":    { "findings": [/* ... */] },
    "adcs":           { "findings": [/* ... */] },
    "gpoSecurity":    { "findings": [/* ... */] },
    "trustsAnalysis": { "findings": [/* ... */] },
    "attackGraph":    { "totalPaths": 65, "paths": [/* ... */] }
  }
}
```
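A CI gate over the JSON documents shown above, as an added example that is not part of the ETC Collector project: because `audit ad` exits 0 even when findings exist, the gate fails closed on an error document, on a missing or low framework score, and on framework-tagged findings at or above a chosen severity. The function names, the severity names other than `high`, the `advanced` section key and both sample documents are assumptions constructed for illustration.

```python
import json

# Severity names other than "high" are assumptions; the page only shows "high".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample documents modelled on the shapes shown on this page.
# The "advanced" section key is assumed from the finding's category field.
SAMPLE_AUDIT = json.loads("""
{"success": true, "provider": "ldap", "audit": {
  "summary": {"objects": {"findings": 1}, "complianceScores": [
    {"framework": "ANSSI_PA099", "score": 40.4,
     "failedControls": ["R1", "R2", "R6", "R22", "R28"]}]},
  "accounts": {"findings": []},
  "advanced": {"findings": [
    {"type": "NTLMV1_ALLOWED", "severity": "high", "category": "advanced",
     "compliance": [{"framework": "ANSSI_PA099", "control": "R22"},
                    {"framework": "RGPD", "control": "art.32(1)(a)"}]}]}}}
""")
SAMPLE_ERROR = json.loads("""
{"success": false, "error": {"code": "LDAP_TLS_IP_SAN_MISSING",
  "resolution": "Use the DC FQDN listed in the certificate SAN."}}
""")


def iter_findings(doc):
    """Yield (section, finding) for every audit section that carries findings[]."""
    for section, body in doc.get("audit", {}).items():
        if isinstance(body, dict) and isinstance(body.get("findings"), list):
            for finding in body["findings"]:
                yield section, finding


def gate(doc, framework, min_score, fail_severity="high"):
    """Return (passed, reasons); fails closed on errors and unknown values."""
    if doc.get("success") is not True:
        err = doc.get("error") or {}
        return False, [f"audit failed: {err.get('code', 'UNKNOWN')} "
                       f"({err.get('resolution', 'no resolution given')})"]
    reasons = []
    scores = doc.get("audit", {}).get("summary", {}).get("complianceScores", [])
    entry = next((s for s in scores if s.get("framework") == framework), None)
    if entry is None:
        reasons.append(f"{framework}: no score in summary.complianceScores[]")
    else:
        score = entry.get("score", 0)
        if score < min_score:
            failed = ", ".join(entry.get("failedControls", []))
            reasons.append(f"{framework}: score {score} below {min_score}; "
                           f"failed controls: {failed}")
    threshold = SEVERITY_RANK[fail_severity]
    for section, finding in iter_findings(doc):
        controls = [c.get("control") for c in finding.get("compliance", [])
                    if c.get("framework") == framework]
        if not controls:
            continue
        # An unrecognised severity ranks as blocking rather than being skipped.
        severity = str(finding.get("severity", "")).lower()
        if SEVERITY_RANK.get(severity, threshold) >= threshold:
            reasons.append(f"{section}/{finding.get('type')}: {severity} finding "
                           f"on {framework} {', '.join(controls)}")
    return not reasons, reasons


if __name__ == "__main__":
    passed, why = gate(SAMPLE_AUDIT, "ANSSI_PA099", min_score=70)
    print("\n".join(why))
    raise SystemExit(0 if passed else 1)
```

In a pipeline, replace `SAMPLE_AUDIT` with `json.load()` over the file written by `-o audit.json`.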