What belongs in Tier Zero
Tier Zero commonly includes domain controllers, highly privileged groups, privileged admin accounts, identity synchronization systems, AD CS components, backup systems that can restore domain controllers, and cloud identities that can control the directory or its trust relationships.
The exact list depends on the environment. The principle is simple: if it can control AD, it belongs in the highest-protection tier.
Run the assessment locally
Turn identity and network evidence into a report while you test.
Zypheron Desktop keeps scan output, AD and cloud paths, notes, and report views in one local workspace for lean internal teams.
Why paths matter
Tier Zero risk is not limited to accounts already labeled admin. A standard user can become relevant if there is a chain of group membership, delegated rights, sessions, or misconfiguration that reaches Tier Zero.
That is why attack path mapping matters. It shows how control can emerge from relationships, not just from obvious admin names.
- Find direct Tier Zero administrators.
- Find indirect paths into those administrators.
- Remove stale privilege and unnecessary delegation.
- Validate that paths are actually broken after remediation.
Reporting Tier Zero risk
A Tier Zero finding should explain the path, not just name the asset. The report should make clear what the attacker starts with, what edge they use, what control they reach, and which remediation breaks the path.
Zypheron keeps the graph, evidence, and write-up together so the finding remains explainable after the assessment ends.