The tooling problem is embarrassing

Everyone in AD security uses BloodHound. It's good at what it does: attack paths, delegation chains, ACL edges. No complaints there.

The problem is the how. SharpHound is a .NET assembly. It floods your network with LDAP traffic patterns that zero legitimate workstations produce. EDR picks it up immediately, not because it's exploiting anything exotic, but because the behavioral signature is basically a neon sign. ADRecon, PowerView, Python alternatives: it's the same story. The runtime is the fingerprint.

Internal red teams and defenders are stuck in a ridiculous spot: you need to enumerate your own domain to find misconfigs before attackers do, but every tool available screams its presence. Unacceptable.

The solution was already there. Since Windows 2000. Active Directory Service Interfaces. That is it. A COM-based LDAP abstraction that Windows itself uses constantly. Group Policy uses it. MMC snap-ins use it. net user /domain uses it.…