> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Analysis Process

> Understand how the BloodHound Enterprise analysis process works to surface findings and prioritize risk.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=b682a26b342bde12302ec829e265bdb6" alt="Applies to BloodHound Enterprise only" width="225" height="45" data-path="assets/enterprise-edition-pill-tag.svg" />

BloodHound Enterprise's analysis process includes several key steps that work together to surface findings and prioritize risk.

## Choke point analysis

BloodHound Enterprise generates one <Tooltip tip="An aggregate view of the graph for a selected environment and privilege zone. It simplifies large volumes of nodes and edges into a compact visualization optimized for readability." cta="Learn more" href="/analyze-data/findings/attack-paths">choke point view</Tooltip> view per environment, such as an Active Directory domain or Azure tenant. The choke point view organizes findings by category and shows the number of exposed principals in each, helping you quickly understand where risk concentrates.

<Note>
  [Exposure and impact](/analyze-data/findings/attack-paths#exposure-and-impact) metrics are calculated from this analysis and surfaced with findings.
</Note>

## Relationships and zone boundaries

Attack Path analysis includes both relationship-driven path analysis and principal-level risky configuration findings.

BloodHound evaluates how abusable relationships connect principals across privilege boundaries and flags principals with configurations that increase risk.

This includes boundaries between Tier Zero and user-defined [Privilege Zones](/analyze-data/privilege-zones/overview). A path that crosses zones can represent a stepping stone into higher-privilege assets, which is why zone-specific findings can differ in severity and priority.

## Post-processing

BloodHound does not rely only on directly collected relationships. During **post-processing**, it derives additional relationships that are relevant to Attack Path analysis. One result is a **composite edge**.

A composite edge is a derived relationship between two nodes that represents a group of underlying relationships condensed into a single, meaningful connection.

BloodHound uses composite edges to simplify understanding of that complexity and surface Attack Paths that are not visible from any single relationship alone. Some attack techniques require a combination of permissions before they can be abused, so BloodHound models those combined conditions as one simplified relationship.

For example, the [DCSync](/resources/edges/dc-sync) edge requires a combination of permissions to create an abusable path. BloodHound models this as a composite edge, which allows it to surface Attack Paths that would otherwise be invisible if analysis relied only on directly collected relationships.

<Accordion title="Show post-processed edges">
  BloodHound creates the following edges during post-processing:

  * [`ADCSESC1`](/resources/edges/adcs-esc1)
  * [`ADCSESC3`](/resources/edges/adcs-esc3)
  * [`ADCSESC4`](/resources/edges/adcs-esc4)
  * [`ADCSESC6a`](/resources/edges/adcs-esc6a)
  * [`ADCSESC6b`](/resources/edges/adcs-esc6b)
  * [`ADCSESC9a`](/resources/edges/adcs-esc9a)
  * [`ADCSESC9b`](/resources/edges/adcs-esc9b)
  * [`ADCSESC10a`](/resources/edges/adcs-esc10a)
  * [`ADCSESC10b`](/resources/edges/adcs-esc10b)
  * [`ADCSESC13`](/resources/edges/adcs-esc13)
  * [`AddMember`](/resources/edges/add-member)
  * [`AdminTo`](/resources/edges/admin-to)
  * [`AZAddOwner`](/resources/edges/az-add-owner)
  * [`AZRoleApprover`](/resources/edges/az-role-approver)
  * [`CanPSRemote`](/resources/edges/can-ps-remote)
  * [`CanRDP`](/resources/edges/can-rdp)
  * [`CoerceAndRelayNTLMToADCS`](/resources/edges/coerce-and-relay-ntlm-to-adcs)
  * [`CoerceAndRelayNTLMToLDAP`](/resources/edges/coerce-and-relay-ntlm-to-ldap)
  * [`CoerceAndRelayNTLMToLDAPS`](/resources/edges/coerce-and-relay-ntlm-to-ldaps)
  * [`CoerceAndRelayNTLMToSMB`](/resources/edges/coerce-and-relay-ntlm-to-smb)
  * [`DCSync`](/resources/edges/dc-sync)
  * [`EnrollOnBehalfOf`](/resources/edges/enroll-on-behalf-of)
  * [`EnterpriseCAFor`](/resources/edges/enterprise-ca-for)
  * [`ExecuteDCOM`](/resources/edges/execute-dcom)
  * [`ExtendedByPolicy`](/resources/edges/extended-by-policy)
  * [`GoldenCert`](/resources/edges/golden-cert)
  * [`HasTrustKeys`](/resources/edges/has-trust-keys)
  * [`IssuedSignedBy`](/resources/edges/issued-signed-by)
  * [`OwnsLimitedRights`](/resources/edges/owns-limited-rights)
  * [`ProtectAdminGroups`](/resources/edges/protect-admin-groups)
  * [`SyncLAPSPassword`](/resources/edges/sync-laps-password)
  * [`SyncedToADUser`](/resources/edges/synced-to-ad-user)
  * [`SyncedToEntraUser`](/resources/edges/synced-to-entra-user)
  * [`TrustedForNTAuth`](/resources/edges/trusted-for-nt-auth)
  * [`WriteOwnerLimitedRights`](/resources/edges/write-owner-limited-rights)
</Accordion>

## Remediation

After reviewing findings on the **Attack Paths** page, you can:

* **Remediate** to sever the edges that create the risk and improve your environment's security posture.
* **Accept** when risk is known and temporarily tolerated.

For acceptance workflow steps, see [Risk Acceptance](/analyze-data/findings/risk-acceptance).

To track remediation progress over time, see [Posture](/analyze-data/findings/posture).