This quickstart guide walks you through installing BloodHound Community Edition (BloodHound CE) using the BloodHound CLI (BH-CLI), which is a wrapper around Docker Compose. After installation, you’ll learn how to ingest data into BloodHound CE and explore attack paths in your environment.

Are you a blue team member looking to remediate identity risks? Request a demo of BloodHound Enterprise.

Prerequisites

BloodHound CE deploys in a traditional multi-tier container architecture consisting of database, application, and UI layers. To complete the quickstart, ensure you meet the following system requirements:

Minimum specifications	For large environments (>50K users)
4GB of RAM	96GB of RAM
4 processor cores	12 processor cores
10GB hard disk space	50GB hard disk space

BloodHound Community Edition is a security auditing tool that was written to test the resilience of networks against attackers. Because this tool can equally be used for evil, some anti-malware and endpoint detection and response (EDR) solutions flag BloodHound and its components as malware.If you encounter issues with downloads being blocked and files being prohibited from execution, you may have to shut off these protections. We recommend that you set up BloodHound on a dedicated machine so that your regular work environment remains protected. If you are planning to use BloodHound on a corporate network, please notify your Security Operations Center (SOC) ahead of time and ensure you have the required permissions to audit the network.For legal and ethical reasons, you must never use BloodHound on systems you do not own or lack explicit permission to audit.

Install BloodHound CE

Installing BloodHound CE with the BloodHound CLI is the easiest way to get started. The CLI handles downloading the necessary Docker images and creating the docker-compose.yml file with standard defaults.

Install Docker Desktop

For ease and convenience, we recommend installing Docker Desktop to run BloodHound CE containers on your local machine.

Download BloodHound CLI

Download the latest release of BloodHound CLI for your operating system and architecture (AMD or ARM).BloodHound CLI is a utility that makes it easy to install BloodHound CE in containers on your machine.

To avoid the software getting blocked as malware in the browser, we recommend downloading it using the command line.

wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz

Unpack the file

Change to the directory where you downloaded the file and unpack it.

tar -xvzf bloodhound-cli-linux-amd64.tar.gz

Run the install command

In your terminal or PowerShell, navigate to the directory where you unpacked the BloodHound CLI and install BloodHound CE:

./bloodhound-cli install

Encountering issues? See troubleshooting.

Wait for installation to complete

Keep your terminal open until you see the randomly generated password displayed. Save this password for the next step.

[+] BloodHound is ready to go!
[+] You can log in as `admin` with this password: <Password>

If you lose the password, reset it with:

./bloodhound-cli resetpwd

In a browser, go to http://localhost:8080/ui/login and log in with the admin username and the randomly generated password.

The default docker-compose.yml file binds only to localhost (127.0.0.1). To access BloodHound outside localhost, follow the instructions in examples/docker-compose/README.md.

Reset your password

Reset your password as prompted on first login.

Get data into BloodHound

To get data into BloodHound, ingest sample data or run a data collector.

Option 1: Sample data (faster)
Option 2: Data collectors (more realistic)

Use sample data to quickly explore BloodHound CE without setting up a SharpHound or AzureHound data collector.

Download sample data

Download sample data for Active Directory or Azure.Active Directory Sample Data generated with SharpHound includes:

3 collected domains with trusts between them
Additional, visible, trusted domains without collections
Coverage for local permissions
Multiple ADCS escalation paths

Azure Sample Data generated with AzureHound includes:

Full collection of an Azure environment
Support for user-sync hybrid paths when ingested alongside the example AD data

Upload sample data to BloodHound CE

Log in to the BloodHound CE UI.
In the left menu, click Quick Upload
Click the Upload Files modal to open a file system dialog or drag and drop the downloaded sample data ZIP file.
Click Upload to begin the data ingest process.

The default admin email is [email protected] and will appear as the user ingesting the data.

BloodHound CE analyzes data collected by its two collector services, each collecting from a specific directory:

Active Directory, collected by SharpHound CE
Entra ID (formerly Azure AD), collected by AzureHound CE

Extend BloodHound’s analysis beyond Active Directory and Entra ID with additional data collectors. The OpenGraph Library showcases collectors built by the community and SpecterOps employees for platforms like AWS, GitHub, Snowflake, and more.

Download a collector

Each collector is a standalone binary. Download collectors using one of the following methods:

BloodHound CE UI
GitHub
Source

Download the collectors directly from the BloodHound CE UI:

Log in to the BloodHound CE UI.
In the left menu, click Download Collectors.
Click one of the links in the Community Collectors section to download the SharpHound or AzureHound binary.

Run a collector

Start the collector to generate and compress JSON files into a ZIP archive.

# Run SharpHound CE from a domain-joined Windows system
C:\> SharpHound.exe

For optional command flags, see:

Ingest data into BloodHound

Use the BloodHound CE API or the BloodHound CE UI to ingest collected data into BloodHound.To ingest collected data with the API, use the BloodHound CE endpoint /api/v2/file-upload/. See the BloodHound API documentation for details.To ingest collected data with the BloodHound CE UI, go to Administration > Data Collection > File Ingest and click Upload File(s) to upload your files.

BloodHound CE accepts .zip archives or JSON files, with no size limit. Your browser’s ability to package the uploaded file is a limiting factor in uploading large datasets directly through the UI.

Explore attack paths

To look at identified attack paths in the graph, go to the Explore page in the BloodHound CE UI.

Search for a user

In the Search bar, search nodes for a user like user:bob.
Select the user and click on the node that appears.
Explore information about the user’s sessions and memberships.

Pathfind

Review the path from one user to another on the Pathfinding tab. For example, pathfind from BOB to ADMINISTRATOR.

Explore Cypher queries

Explore the pre-saved Cypher queries on the Cypher tab.

Learn more in Explore → Search for Objects.

Update BloodHound CE

The easiest way to update your instance of BloodHound Community Edition is via bloodhound-cli.

./bloodhound-cli update

Next steps

Troubleshooting

If you encounter issues during installation, refer to the following common problems and solutions.

"bloodhound-cli" Not Opened - Apple security check

When running ./bloodhound-cli install, you may see an error stating that Apple could not verify the binary is free of malware. This is a standard macOS security check for unsigned or unnotarized applications.Terminal (Quick Fix)

Clear the quarantine flag by running:

xattr -d com.apple.quarantine ./bloodhound-cli

Repeat the CLI command: ./bloodhound-cli install

System Settings (GUI)

Go to System Settings (or System Preferences on older macOS versions)
Navigate to Privacy & Security
Scroll down to the Security section
You should see a message stating that bloodhound-cli was blocked
Click Allow Anyway
Repeat the CLI command: ./bloodhound-cli install
Click Open Anyway when prompted
Enter your password or use your fingerprint to confirm

Malware Blocked - "com.docker.vmnetd" contains malware

This error occurs when macOS blocks Docker’s networking component. Resolve it by reinstalling Docker:

Follow the Docker uninstall instructions (select your operating system tab)
Re-install Docker Desktop
Repeat the CLI command: ./bloodhound-cli install

Docker daemon is not running

If you see an error stating “Docker is installed on this system, but the daemon is not running”:

Simply launch Docker Desktop from your Applications folder
Wait for Docker to fully start
Repeat the CLI command: ./bloodhound-cli install

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

BloodHound Community Edition Quickstart

Prerequisites

Install BloodHound CE

Get data into BloodHound

Explore attack paths

Update BloodHound CE

Next steps

Troubleshooting

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Prerequisites

​Install BloodHound CE

​Get data into BloodHound

​Explore attack paths

​Update BloodHound CE

​Next steps

​Troubleshooting

Prerequisites

Install BloodHound CE

Get data into BloodHound

Explore attack paths

Update BloodHound CE

Next steps

Troubleshooting