Applies to BloodHound Enterprise and CE Understand the terminology used in BloodHound software and documentation.

Attack Path

Attack paths are chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users. In BloodHound, attack paths are visualized in the graph by nodes and edges. Learn more in What is Attack Path Management.

Attack Path Management (APM)

Attack Path Management is the process of identifying, analyzing, and managing the attack paths that an adversary might exploit to reach high-value objects or compromise the network’s security. BloodHound helps visualize and manage attack paths through Attack Path Management.

Choke Point

A choke point is a privilege or user behavior (called edges) that, like the driveway to a house, connects the rest of the environment through an object or collection of objects (called nodes). For example, any Edge into the collection of Tier Zero nodes is a Tier Zero Choke Point. This is a privilege or user behavior the adversary must abuse to compromise a Tier Zero object. Choke points are significant points of control and defense in the network security architecture. They represent the optimal location to block the largest number of attack paths. BloodHound Enterprise calculates exposurefor all choke points.

Cypher

Cypher is a graph query language used to interact with BloodHound’s database. It’s similar to SQL for traditional databases. To use it, see Searching with Cypher.

Collector / Client

A Collector, Collector Client, or Data Collector is software that collects attack path-related data from a directory. For example, SharpHound and AzureHound.

Directory

A directory of identities or an identity provider, like Active Directory (AD) and Entra ID (formerly Azure Active Directory).

Edge

An edge is part of the graph construct and represents a relationship between two nodes, indicating some form of interaction. See About BloodHound Edges.

Enterprise Access Model (EAM)

A security framework developed by Microsoft that defines a privileged access strategy[1] with the ultimate goal of preventing privilege escalation through identity-based attack paths. In most cases, EAM supersedes and replaces tiering.

Exposure

The percentage of principals in a directory with a Tier Zero attack path. It encompasses both principals with one-step paths (UserA -[ForceChangePassword]-> TierZero), and multi-step paths (UserA -[ForceChangePassword]-> UserB -[GenericAll]-> TierZero). BloodHound Enterprise calculates Exposure for all choke points.

FOSS

Stands for Free and Open Source Software. For example, “BloodHound CE is a FOSS project.”

Graph

The graph database used by BloodHound. It stores the relationships between nodes and edges and feeds BloodHound functionality like visualizing and understanding complex attack paths and environment risks.

Identity-based Attack Path

An attack path is based on identity/an already authenticated principal. BloodHound’s main goal is to help visualize and manage attack paths.

Node

A node is part of the graph construct and refers to an entity in the network, such as a user, computer, group, or domain. Two nodes can be connected by an edge. See About BloodHound Nodes.

Principal

An entity that authenticates and is assigned permissions within the network, also known as a security principal. Examples of principals include users and computers in Active Directory and users, virtual machines, and service principal objects in Entra and Azure. They play a central role in identity attack path mechanisms.

Privilege

A level of access or permission a principal has on a specific object within the infrastructure.

Remediation

The process of fixing or mitigating security risks identified during the analysis of attack paths with BloodHound.

Tenant

A BloodHound Enterprise tenant is hosted and managed by SpecterOps (SasS), while BloodHound CE is self-hosted and self-managed.

Tier Zero/High Value

Tier Zero and High Value refer to the most critical and sensitive objects in the network, typically including domain controllers and other core infrastructure components. The term stems from tiering.

Tiering/Tier Model

Refers to categorizing objects and privileges based on their criticality and importance to the organization. The term stems from Microsoft’s Active Directory tier model, which in most cases is superseded and replaced by the Enterprise Access Model. See Enterprise Access Model (EAM).