EngineeringJuly 8, 20266 min read

What Is Tier Zero in Active Directory?

Tier Zero is the control plane of Active Directory. If an attacker controls Tier Zero, they can usually control the identity system and, through it, much of the environment.

What belongs in Tier Zero

Tier Zero commonly includes domain controllers, highly privileged groups, privileged admin accounts, identity synchronization systems, AD CS components, backup systems that can restore domain controllers, and cloud identities that can control the directory or its trust relationships.

The exact list depends on the environment. The principle is simple: if it can control AD, it belongs in the highest-protection tier.

Run the assessment locally

Turn identity and network evidence into a report while you test.

Zypheron Desktop keeps scan output, AD and cloud paths, notes, and report views in one local workspace for lean internal teams.

Why paths matter

Tier Zero risk is not limited to accounts already labeled admin. A standard user can become relevant if there is a chain of group membership, delegated rights, sessions, or misconfiguration that reaches Tier Zero.

That is why attack path mapping matters. It shows how control can emerge from relationships, not just from obvious admin names.

  • Find direct Tier Zero administrators.
  • Find indirect paths into those administrators.
  • Remove stale privilege and unnecessary delegation.
  • Validate that paths are actually broken after remediation.

Reporting Tier Zero risk

A Tier Zero finding should explain the path, not just name the asset. The report should make clear what the attacker starts with, what edge they use, what control they reach, and which remediation breaks the path.

Zypheron keeps the graph, evidence, and write-up together so the finding remains explainable after the assessment ends.

Sources Checked

ShareLinkedInX
Email List

Get AD security drops in your inbox

Release notes, identity attack-path research, and early access. Low volume, real signal only. Unsubscribe anytime.

Recommended next read
ZYPHERON

ZYPHERON Desktop is a cybersecurity IDE for offensive and defensive workflows. The open source CLI remains available for terminal-first users.

AUTHORIZED USE ONLY

Solutions

Infrastructure

  • CLI Source Code

Network

© 2025 ZYPHERON SYSTEMS//DESKTOP + CLI