Applies to BloodHound CE only Set up BloodHound Community Edition (BloodHound CE) with Docker Compose and start identifying and visualizing security risks.
Are you a blue team member looking to remediate identity risks? Request a demo of BloodHound Enterprise.

Prerequisites

To complete the quickstart, ensure you meet these system requirements. BloodHound CE deploys in a traditional multi-tier container architecture consisting of databases, application, and UI layers.
Minimum specificationsFor large environments (>50K users)
4GB of RAM96GB of RAM
4 processor cores12 processor cores
10GB hard disk space50GB hard disk space
BloodHound Community Edition is a security auditing tool that was written to test the resilience of networks against attackers. Because this tool can equally be used for evil, some anti-malware and EDR solutions flag BloodHound and its components as malware. If you encounter issues with downloads being blocked and files being prohibited from execution, you may have to shut off these protections. We recommend that you set up BloodHound on a dedicated machine so that your regular work environment remains protected. If you are planning to use BloodHound on a corporate network, please notify your Security Operations Center (SOC) ahead of time and ensure you have the required permissions to audit the network. For legal and ethical reasons, you must never use BloodHound on systems you do not own or lack explicit permission to audit.

Install BloodHound CE

  1. Install Docker Desktop. This gives you access to Docker Compose.
  2. Download the latest release of BloodHound CLI for your operating system and architecture (AMD or ARM) and unpack the file. BloodHound CLI is a utility that makes it easy to install BloodHound Community Edition in containers on your machine. To avoid the software getting blocked as malware in the browser, we recommend downloading it via command line using the following commands (substitute your architecture as appropriate): 
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
  1. Next, unpack the file:
tar -xvzf bloodhound-cli-linux-amd64.tar.gz
  1. In your terminal, enter the following command to install BloodHound Community Edition via BloodHound CLI:
./bloodhound-cli install
If you encounter Mac Error: “bloodhound-cli” Not Opened. Apple could not verify “bloodhound-cli” is free of malware that may harm your mac or compromise your privacy. In case you get this error message, you need to allow bloodhound-cli to be executed.Option 1: In the terminal
  1. Clear the quarantine flag by typing xattr -d com.apple.quarantine ./bloodhound-cli in the CLI
  2. Repeat the CLI command ./bloodhound-cli install
Option 2: In the GUI
  1. Go to System Settings (or System Preferences on older macOS versions)
  2. Navigate to Privacy & Security
  3. Scroll down to the Security section
  4. You should see a message stating that bloodhound-cli was blocked
  5. Click Allow Anyway
  6. Repeat the CLI command ./bloodhound-cli install
  7. Click Open Anyway
  8. Enter your password or use your fingerprint to confirm
If you encounter Mac Error: Malware Blocked – “com.docker.vmnetd” was not opened because it contains malware. This action did not harm your Mac. In case you get the error message, you need to uninstall and re-install Docker.
  1. Follow the Docker uninstall instructions (click tab for your operating system).
  2. Re-install Docker Desktop.
  3. Repeat the CLI command ./bloodhound-cli install
If you encounter Mac Error: “Docker is installed on this system, but the daemon is not running” In case you get the error message, you need to uninstall and re-install Docker.
  1. Simply launch Docker Desktop and proceed.
  1. The installation will now proceed. You’ll know it’s complete when you see the randomly generated password displayed on your screen. Make sure to keep your terminal open until you have changed your password in a future step. 
    [+] Checking the status of Docker and the Compose plugin...
[+] Starting BloodHound environment installation
[+] Downloading the production YAML file from https://raw.githubusercontent.com/SpecterOps/BloodHound_CLI/refs/heads/main/docker-compose.yml...
[+] Downloading the development YAML file from https://raw.githubusercontent.com/SpecterOps/BloodHound_CLI/refs/heads/main/docker-compose.dev.yml...

[… downloading lots of files …]

Network root_default  Creating
Network root_default  Created
Volume "root_postgres-data"  Creating
Volume "root_postgres-data"  Created
Volume "root_neo4j-data"  Creating
Volume "root_neo4j-data"  Created
Container root-graph-db-1  Creating
Container root-app-db-1  Creating
Container root-app-db-1  Created
Container root-graph-db-1  Created
Container root-bloodhound-1  Creating
Container root-bloodhound-1  Created
Container root-app-db-1  Starting
Container root-graph-db-1  Starting
Container root-app-db-1  Started
Container root-graph-db-1  Started
Container root-app-db-1  Waiting
Container root-graph-db-1  Waiting
Container root-app-db-1  Healthy
Container root-graph-db-1  Healthy
Container root-bloodhound-1  Starting
Container root-bloodhound-1  Started
[+] BloodHound is ready to go!
[+] You can log in as `admin` with this password: 1WBhSFbPTurX1xBrUPUky5eqxv4wtZ26
[+] You can get your admin password by running: bloodhound-cli config get default_password
[+] You can access the BloodHound UI at: http://127.0.0.1:8080/ui/login
    If you lose the password, you can reset it locally using BloodHound CLI: 
    ./bloodhound-cli resetpwd
  2. Go to http://localhost:8080/ui/login, and log in with admin and the randomly generated password from the last installation step.
    The default docker-compose.yml example binds only to localhost (127.0.0.1). To access BloodHound outside of localhost, follow the instructions in examples/docker-compose/README.md to configure host binding for the container.
  3. Reset the password as prompted.
You’re now logged in to a locally hosted BloodHound CE tenant running with Docker Compose.

Get data into BloodHound

To get data into BloodHound, ingest sample data or run a data collector.

Option 1 (Faster): Ingest sample data

Sample collection data helps you explore and test BloodHound CE functionality before using your own data. To ingest the BloodHound sample data:
  1. Download sample data for Active Directory or Azure Active Directory Sample Data generated with SharpHound includes:
    • 3 collected domains with trusts between them
    • Additional, visible, trusted domains without collections
    • Coverage for local permissions
    • Multiple ADCS escalation paths
    Azure Sample Data generated with AzureHound includes:
    • Full collection of an Azure environment
    • Support for user-sync hybrid paths when ingested alongside the example AD data
  2. From the BloodHound CE UI, go to settings (⚙️) → AdministrationUpload Files.
The default admin email address is spam@example.com. You may notice this show up as the user who’s ingesting the data.

Option 2 (More Realistic): Ingest your data with data collectors

BloodHound CE analyzes data collected by its two collector services, each collecting from a specific directory:
  • Active Directory, collected by SharpHound CE
  • Entra ID and Azure, collected by AzureHound CE

Download collectors

Each collector is a standalone binary. Download collectors using one of these methods:

Run a collector

Run the SharpHound or AzureHound collector. During collection, JSON files are generated and compressed into a ZIP file. 
# Run SharpHound CE
C:\> SharpHound.exe
For Azure argument definitions, see All AzureHound Community Edition Flags, Explained.

Ingest data into BloodHound

Use the BloodHound CE API or the BloodHound CE UI to ingest collected data into BloodHound. To ingest collected data with the API, use the BloodHound CE endpoint /api/v2/file-upload/. See the BloodHound API documentation for details. To ingest collected data with the BloodHound CE UI, go to settings (⚙️) → Administration → Data Collection → select File Ingest → click UPLOAD FILES and upload your files. BloodHound CE accepts .zip archives or JSON files, with no size limit. Your browser’s ability to package the uploaded file is a limiting factor in uploading large datasets directly through the UI.

Explore attack paths

To look at identified attack paths in the graph, go to the Explore page in the BloodHound CE UI.
1

Search for a user

  1. In the Search bar, search nodes for a user like user:bob.
  2. Select the user and click on the node that appears.
  3. Explore information about the user’s sessions and memberships.
2

Pathfind

Review the path from one user to another on the Pathfinding tab. For example, pathfind from BOB to ADMINISTRATOR.
3

Explore Cypher queries

Explore the pre-saved Cypher queries on the Cypher tab.
Learn more in Explore → Search for Objects.

Update BloodHound CE

The easiest way to update your instance of BloodHound Community Edition is via bloodhound-cli. 
./bloodhound-cli update

Next steps