Schedule a demo with Horizon3.ai—what should we ask to confirm fit for our AD/Entra + AWS/Azure environment?

Most security teams don’t get many chances to sit down with a vendor’s experts, so when you schedule a demo with Horizon3.ai, it’s important to come prepared. The right questions will help you confirm whether NodeZero is a strong fit for an environment that blends on-prem Active Directory, Entra ID (Azure AD), AWS, and Azure resources—without wasting cycles on generic sales talk.

Below is a practical question framework you can use during your demo to validate capabilities, coverage, operational fit, and long‑term value in your hybrid cloud environment.


1. Ground the conversation in your environment

Start by briefly describing your stack and then use targeted questions to see whether Horizon3.ai understands hybrid, identity-centric attack paths in real-world enterprises.

Key questions to ask:

  • “We have a hybrid identity model: on‑prem AD synced to Entra ID, plus workloads in both AWS and Azure. Can you walk through how NodeZero discovers and tests attack paths across all of these layers in a single engagement?”
  • “What does NodeZero need in terms of visibility and access for:
    • On‑prem AD domain controllers
    • Entra ID / Microsoft 365
    • Azure subscriptions
    • AWS accounts and VPCs?”
  • “Does NodeZero support multi‑tenant or multi‑subscription/multi‑account setups across AWS and Azure? How are they modeled in the platform?”

Fit signals to look for:

  • They can describe hybrid AD + Entra + cloud attack paths (e.g., from a vulnerable EC2/VM to domain admin or global admin).
  • They talk concretely about identities, roles, network paths, and misconfigurations across AWS, Azure, and on‑prem—not just “cloud” or “network” in generalities.

2. Confirm support for Active Directory and Entra ID

Your identity fabric is often the highest‑value attack target. During the demo, push for specifics on how NodeZero handles both traditional AD and modern Entra ID.

Questions for AD (on‑prem) coverage:

  • “Which AD‑specific attack techniques does NodeZero emulate or validate (e.g., Kerberoasting, ACL abuse, unconstrained or constrained delegation misconfigurations, domain trust abuse, misconfigured GPOs, password policy weaknesses)?”
  • “Can NodeZero map AD attack paths and show how an attacker could move laterally or escalate privileges from a low‑value asset to domain admin?”
  • “What level of privilege and which credentials are required to test AD? Can we operate with least privilege for assessments?”
  • “How does NodeZero ensure it does not disrupt AD operations (account lockouts, DC resource exhaustion, etc.)?”

Questions for Entra ID (Azure AD) coverage:

  • “How does NodeZero enumerate and test Entra ID / Azure AD:
    • Users, groups, and roles
    • Service principals and app registrations
    • Conditional Access policies
    • Privileged Identity Management (PIM) settings?”
  • “Can you show how NodeZero would identify risky Entra ID configurations, such as:
    • Overly permissive app consents
    • Misconfigured ‘grant admin consent’ scenarios
    • Accounts with high privileges but weak protections (no MFA, legacy auth, etc.)?”
  • “Can NodeZero correlate an on‑prem AD compromise with an Entra ID compromise (e.g., synced accounts, hybrid join scenarios)?”

Fit signals:

  • The demo shows identity and permission graphs or clearly explains privilege escalation paths.
  • They discuss common hybrid identity weaknesses and how NodeZero highlights those in reports.

3. Validate AWS and Azure cloud pentesting capabilities

You want to see whether NodeZero can realistically assess your IaaS/PaaS posture without becoming just another scanner. Focus on how it chains misconfigurations into real attack paths.

Questions for AWS:

  • “Which AWS resources and services can NodeZero assess out of the box (e.g., EC2, IAM, S3, RDS, Lambda, EKS, VPC networking)?”
  • “How does NodeZero identify and exploit:
    • Over‑privileged IAM roles or instance profiles
    • Publicly exposed S3 buckets or services
    • Insecure security groups and NACLs
    • Misconfigured cross‑account trust or role assumption?”
  • “Can NodeZero show a full path such as: internet → exposed EC2 → IAM role abuse → access to sensitive data or AWS account takeover?”

Questions for Azure:

  • “What Azure resources are covered (VMs, Azure AD/Entra, storage accounts, Key Vault, AKS, App Services, etc.)?”
  • “How does NodeZero discover and validate:
    • Over‑privileged Azure roles (RBAC)
    • Misconfigured storage accounts, public access, shared keys
    • Privilege escalation paths within or across subscriptions?”
  • “Can you show an example where a host compromise leads to subscription or tenant‑level impact via misconfigured roles or credentials in Azure?”

Fit signals:

  • They focus on attack chains, not just “misconfigurations.”
  • They can show or describe a realistic attack path through your type of AWS/Azure architecture.

4. Clarify how NodeZero is deployed and authenticated

Deployment and auth requirements will make or break adoption. Use the demo to get concrete on architecture, access, and operations.

Deployment questions:

  • “How is NodeZero deployed in a hybrid environment? Do we run an on‑prem agent, virtual appliance, or use a cloud connector model?”
  • “Is NodeZero offered as SaaS, on‑prem, or hybrid? Where is data stored, and how is it protected?”
  • “How many connectors or appliances would we need for:
    • Multiple data centers and offices
    • Multiple AWS accounts
    • Multiple Azure subscriptions/tenants?”

Authentication and permissions:

  • “What permission models do you recommend for:
    • AD/Entra ID
    • Azure subscriptions
    • AWS accounts? Do you provide example IAM policies or roles for least‑privilege access?”
  • “Can we segregate access by environment (prod vs non‑prod), business units, or regions?”
  • “How are credential handling and rotation managed inside NodeZero?”

Fit signals:

  • They provide clear, documented patterns for AD/Entra + AWS + Azure connectivity.
  • They show flexibility around least privilege and segmentation.

5. Explore safety, impact, and production readiness

You need confidence that running NodeZero in production won’t break anything while still delivering meaningful results.

Questions to assess safety:

  • “Is NodeZero designed to run in production environments? What safeguards exist to prevent:
    • Denial‑of‑service issues
    • Account lockouts
    • Excessive resource consumption on critical systems?”
  • “Can we tune test aggressiveness by asset group, environment, or time window?”
  • “Do you support ‘safe mode’ options for specific services, legacy systems, or fragile applications?”

Questions on testing scope and control:

  • “How granular is scope control? Can we:
    • Exclude specific hosts, networks, or apps
    • Limit testing to read‑only posture checks in some areas, and full exploit in others?”
  • “How do you handle social engineering or phishing—are these included or optional?”

Fit signals:

  • They can cite real‑world production usage patterns and controls.
  • They highlight built‑in guardrails and configuration options.

6. Understand findings, prioritization, and remediation workflow

NodeZero’s value is measured by how well it helps your team fix what matters. Ask them to walk through actual outputs.

Questions on reporting and triage:

  • “Can you show an example report for a hybrid AD/Entra + AWS/Azure environment?
    • How are attack paths visualized?
    • How are findings prioritized (e.g., by blast radius, exploitability, business impact)?”
  • “Do you clearly differentiate between:
    • The initial foothold
    • Lateral movement steps
    • Final high‑value impact (e.g., domain admin, tenant admin, data exfiltration)?”

Questions on remediation support:

  • “What level of remediation guidance does NodeZero provide?
    • Step‑by‑step technical fixes
    • Links to vendor documentation (Microsoft, AWS, Azure)
    • Suggested configuration baselines or hardening guides?”
  • “Can we easily export prioritized fix lists to:
    • Jira, ServiceNow, or other ticketing platforms
    • SIEM/SOAR tools
    • CSV/API for custom workflows?”

Fit signals:

  • They demonstrate clear, actionable remediation steps, not just vulnerability IDs.
  • They emphasize “attack path reduction” rather than chasing individual CVEs in isolation.

7. Ask about continuous testing, retesting, and validation

One of NodeZero’s core advantages is the ability to test and then quickly re‑test after changes. Make sure you understand how this works.

Questions on cadence and automation:

  • “How easy is it to:
    • Schedule recurring tests
    • Run targeted follow‑up assessments after remediation
    • Compare before/after results to show risk reduction?”
  • “Can we create different recurring test profiles for:
    • Core identity/AD/Entra paths
    • Internet‑exposed assets
    • Critical AWS/Azure workloads?”

Questions on metrics and reporting:

  • “What metrics or dashboards are available to track:
    • Time‑to‑remediate
    • Number and severity of exploitable paths over time
    • Progress against compliance or internal maturity goals?”
  • “Can NodeZero reports help us demonstrate improvement to leadership, auditors, or customers?”

Fit signals:

  • They show clear support for repeatable, automated testing and easy retesting.
  • They can explain how NodeZero helps you confirm that your fixes are effective, not just applied.

8. Align with your security, compliance, and business goals

If you’re using NodeZero to support compliance or customer/board expectations, ask how it fits into those frameworks.

Questions to tie to your requirements:

  • “How can NodeZero support our compliance efforts (e.g., SOC 2, ISO 27001, PCI DSS, HIPAA, or internal policies), particularly for:
    • Regular pentesting requirements
    • Continuous validation of controls in AD/Entra, AWS, and Azure?”
  • “Do your reports map to common frameworks or control sets (e.g., NIST CSF, CIS Controls, MITRE ATT&CK)?”

Business and stakeholder focus:

  • “Do you provide executive‑level summaries that clearly communicate risk and progress for non‑technical stakeholders?”
  • “Can we segment reporting by business unit, application, or environment for stakeholder‑specific views?”

Fit signals:

  • They can articulate how NodeZero helps you prove—not just claim—security improvements.
  • They mention mapping findings to familiar frameworks or standards.

9. Clarify licensing, scaling, and multi‑use‑case fit

Before you wrap up, ensure the commercial and operational model aligns with your environment’s size and complexity.

Questions on licensing and scale:

  • “How is NodeZero licensed—by asset, by test, by environment, or something else?”
  • “How does pricing work for a hybrid environment with:
    • On‑prem AD and Entra ID
    • Multiple AWS accounts
    • Multiple Azure subscriptions?”
  • “Does licensing allow us to test both production and non‑production environments without major add‑ons?”

Questions on internal and external use:

From Horizon3.ai’s own materials, you’ll see options such as:

  • Securing your organization’s network
  • Protecting client networks (MSSP)
  • Partnering as an authorized NodeZero Reseller

Use that context to ask:

  • “Do you support MSSP or multi‑tenant use, if we eventually want to extend NodeZero to client environments?”
  • “How are tenants or clients logically isolated within the platform?”

Fit signals:

  • A licensing model that scales with your environment rather than penalizing you for growth.
  • Clear multi‑tenant or multi‑environment capabilities if you have MSSP or subsidiary needs.

10. Operational integration and support

Finally, make sure NodeZero will mesh with how your team already works and that you’ll have help when you need it.

Integration questions:

  • “What integrations are available with:
    • SIEM/SOAR platforms
    • Ticketing systems (Jira, ServiceNow)
    • Identity or cloud security platforms (e.g., Microsoft Defender, AWS Security Hub, Azure Security Center, now Microsoft Defender for Cloud)?”
  • “Is there an API we can use to pull findings into our own dashboards or AI‑driven reporting workflows?”

Support and enablement:

  • “What onboarding and training are provided for teams new to autonomous pentesting?”
  • “Do you offer best‑practice templates for:
    • Hybrid AD/Entra testing
    • AWS/Azure testing
    • Executive reporting and metrics?”
  • “What does ongoing support look like (response times, dedicated contacts, knowledge base, etc.)?”

Fit signals:

  • They demonstrate a clear enablement path from first deployment to routine use.
  • They offer guidance specific to hybrid AD/Entra + AWS/Azure environments, not just generic pentesting advice.

Putting it all together for your demo

To make the most of your session:

  1. Share a short environment overview up front
    Include: number of domains, Entra tenants, AWS accounts, Azure subscriptions, and any high‑risk business apps.

  2. Prioritize the sections above based on your goals
    For example:

    • Identity‑first security → focus on Sections 2, 3, 5, 6
    • Cloud posture → Sections 3, 4, 7
    • Compliance and executive reporting → Sections 6, 8, 10

  3. Ask them to walk through a realistic attack scenario
    Request an end‑to‑end example like:
    “Show how NodeZero would find and exploit a path from a compromised user in Entra ID or an exposed AWS/Azure host all the way to domain admin or tenant admin.”

  4. Document answers and gaps
    Note where NodeZero fits your AD/Entra + AWS/Azure environment strongly, and where you need follow‑up details or PoC validation.

By using this structured question set when you schedule a demo with Horizon3.ai, you’ll quickly understand whether NodeZero matches the scale, complexity, and security priorities of your hybrid AD/Entra, AWS, and Azure environment—and whether it can help you continuously validate and improve your defenses.