Cyber Record: NodeZero Solves GOAD in 14 Minutes
- Photo Info
- Download
Cyber Record: NodeZero Solves GOAD in 14 Minutes
- The Game of Active Directory (GOAD) is a well-known benchmark that recreates how attackers break into and move through large Windows networks.
- Expert penetration testers usually need 12–16 hours of focused effort to complete it. NodeZero did it in just 14 minutes. 50x faster than humans.
- Because Active Directory is used in nearly every organisation worldwide — including the vast majority of the Fortune 1000 — the risks demonstrated in GOAD reflect real exposures in production environments.
London, 27 August 2025 – Horizon3.ai has set a new benchmark in cybersecurity. Its autonomous penetration testing platform, NodeZero, completed the “Game of Active Directory” (GOAD) challenge in 14 minutes – a task that typically takes human experts around twelve to sixteen hours. Operating at machine speed, NodeZero uncovers attacker pathways and exposes critical weaknesses faster than traditional methods allow.
GOAD is a deliberately vulnerable Active Directory environment designed as a safe training ground for penetration testers and red teams – specialists who attack IT networks to expose security gaps. It allows them to practise advanced hacking techniques without risk to live systems. The objective is to adopt an attacker’s perspective in order to uncover the misconfigurations, weaknesses and attack paths commonly found in corporate networks.
Active Directory is deployed millions of times worldwide as the central system for managing identities and access rights in Windows-based IT environments. Once compromised, it can provide near-unrestricted access to an organisation’s network. More than 90% of the Fortune 1000 and millions of mid-sized businesses worldwide rely on Microsoft Active Directory as the secure repository for their employees’ login credentials.
“If an AI system like NodeZero can defeat GOAD in just 14 minutes, it shows how quickly attackers using similar methods could do the same in real world environments,” said Keith Poyser, Vice President for EMEA at Horizon3.ai. “NodeZero didn’t rely on exploiting software vulnerabilities – simply uncovering configuration errors and linking them together was enough to gain access and compromise the environment. Exactly as attackers do. And it had no insider knowledge or prior information about the target, yet still succeeded, 50x faster than humans normally do.” Node Zero was designed to give enterprises exactly this: the attackers perspective. It enables organisations to “go hack yourself” before attackers do – then fix those weaknesses and prove fixed, testing frequently to ensure you are more secure this week and this month than last. It is safe to run in production systems and is used by more than 3,000 enterprises and public sector organisations worldwide, having won numerous awards.
Background for specialists: https://horizon3.ai/intelligence/blogs/nodezero-vs-goad-technical-deep-dive/
About Horizon3.ai and NodeZero: Horizon3.ai provides a cloud-based platform, NodeZero, enabling organisations and public authorities to simulate self-attacks on their IT infrastructure to assess their cyber resilience through penetration testing (pentesting). Thanks to its cloud model, the platform offers affordable, regular pentesting, making it accessible to mid-sized companies. Horizon3.ai continuously monitors the cybercrime landscape to ensure that newly discovered vulnerabilities are swiftly integrated into the cloud system. NodeZero not only identifies security flaws but also offers tailored recommendations for remediation. Through this platform, Horizon3.ai helps organisations meet rising regulatory demands for cyber resilience in Governance, Risk & Compliance (GRC), with guidelines recommending an internal self-attack at least once a week.
Trademark notice: NodeZero is a trademark of Horizon3.ai
Further information: Horizon3.AI Europe GmbH, Prielmayerstrasse 3, 80335 Munich, Web: www.horizon3.ai
PR Agency: euromarcom public relations GmbH, Tel. +49 611 973150, Web: www.euromarcom.de, E-Mail: team@euromarcom.com
- - - -