AD & Windows Security Hardening

Reduce AD takeover risk.

I help CISOs, IT security leads and infrastructure teams turn messy AD, Windows and firewall findings into prioritized remediation work without breaking operations: Tier 0, privileged access, AD CS, Domain Controllers, NGFW rules and pentest findings that need to stay fixed.

  • AD Hardening Snapshot with 30/60/90-day roadmap
  • Tier 0, AD CS and privileged access paths
  • Firewall/NGFW and pentest remediation with evidence
  • 17+ years of IT business responsibility
  • 150+ firewall/network migrations and designs
  • 3+ months typical project duration
  • Remote, with on-site kickoff when useful

Positioning

Clean remediation, not security theatre.

For organizations that do not need another abstract security conversation, but need to know which AD, Windows and firewall paths are actually risky, who owns them, and how to close them safely.

AD Hardening Snapshot

Focused assessment for Microsoft-centric environments: Tier 0, privileged groups, AD CS, Domain Controllers, legacy authentication and a prioritized 30/60/90-day roadmap.

AD · Tier 0 · Roadmap

Pentest Remediation Sprint

Close findings so they stay closed in retest: owners, evidence, validation queries, rollout paths and technical implementation without guesswork.

Retest · Evidence · Remediation

Firewall / NGFW Rulebase Review

Clean up rules, VPNs and segmentation: owner, reason, expiry, logging, risk and safe cleanup steps instead of inherited exceptions.

NGFW · Segmentation · Logging

Windows & Microsoft Security Hardening

Practical hardening of Windows and Microsoft security controls: admin workstations, Credential Guard, Defender/EDR, NTLM reduction and baselines.

Windows · Defender · Baseline

CISO / IT Security Sparring

Technical assessment of critical findings, architecture decisions and roadmaps for leaders who need to know what should really be prioritized.

CISO Support · Review · Priorities

Project Contracting

Remote-first freelance support for projects of roughly three months or longer. Direct collaboration with CISO, IT security, infrastructure and operations.

Freelance · Remote · 3+ months

Offers

Three entry points for real security projects

Clear scope, clear evidence, clear next steps. No black-box consulting.

AD Hardening Snapshot

Trigger: When an audit, pentest or internal review has surfaced Active Directory risk.

Output: Executive summary, prioritized finding register, Tier-0 exposure, AD CS risks, quick wins and 30/60/90-day roadmap.

Tier 0 · AD CS · Domain Controllers · Privileged Access

Firewall / NGFW Rulebase Review

Trigger: When rules have grown over time, nobody knows the owner, or segmentation is no longer defensible.

Output: Risky rules, missing owners, logging gaps, remote-access paths and a safe cleanup backlog.

NGFW · VPN · Segmentation · Rule cleanup

Pentest Remediation Sprint

Trigger: When findings need to be closed and must not reopen during retest.

Output: Owner, fix path, validation query, rollout plan, rollback option and evidence pack for retest and management.

Retest · Evidence · AD Findings · Firewall Findings

Engagement model

Senior support without overhead

Engagements are usually project-based and start at roughly three months. Full-time, part-time or advisory retainer setups are possible. Remote first across DACH, with on-site onboarding when it benefits the project.

  • Fast technical onboarding into complex Microsoft, network and security stacks
  • Direct communication with management, CISOs, IT leadership and operational teams
  • Delivery of findings, prioritization, roadmaps and hands-on implementation support

Locked Shields

Live-fire cyber defense at the international level

Participation in Blue Team 01 at Locked Shields '26, the world's largest and most complex live-fire cyber defense exercise, which simulates an armed conflict. The NATO exercise involves roughly 42 nations, more than 4,000 participants and around 8,000 systems, including special systems from critical-infrastructure environments. I was responsible for a domain, including a domain controller, in a critical-infrastructure scenario, with a particular focus on domain hardening and active defense against ongoing attacks under extreme time and decision pressure. The role covered monitoring, analysis of network- and host-based indicators, containment of malicious activity, system hardening, restoration of compromised services and continuity of critical infrastructure components.

Further details are intentionally kept general because exercise and operational information is sensitive.

  • Active defense against ongoing red-team attacks on an AD-adjacent domain under high time pressure
  • Hardening of Windows and AD-adjacent components
  • Collaboration with Bundeswehr and various "3-letter agencies" from Germany and abroad

Project experience

Experience from security-critical environments

Critical infrastructure / energy

External IT security consultant for continuous penetration testing, AD risk reduction, firewall/proxy/IPS improvements, vulnerability management and audit preparation.

Logistics / incident recovery

Security Incident Lead coordinating incident response, forensics, insurance, executive stakeholders and technical rebuild of hybrid infrastructure.

Retail / AD pentest

Lead pentester for Active Directory security assessments, internal penetration testing, internal web apps, reporting and ongoing remediation support.

Research / VPN & ZTNA

Pre-study, comparison matrix and management decision paper for VPN/ZTNA solutions including network design recommendations.

GitHub / Proof of work

Tools instead of claims

Three public repositories as technical work samples: built around the same AD, SMB and firewall problems that show up in real environments.

SMB / credential exposure

secrets_find0r

Multithreaded SMB share crawler for finding exposed credentials, tokens and secrets in authorized assessments.

SMB · Secrets · AD Exposure

Active Directory / Kerberos

april26_ad_check0r

Read-only PowerShell checks for the April 2026 Kerberos RC4/AES change: SPN accounts, KDC events and likely breakpoints before cutover.

Kerberos · RC4 · AD Hardening

Firewall / NGFW

Sophos-XGS-Live-Log-Viewer

Windows app for near-real-time Sophos XGS log visibility over SSH, including filter presets, incident capture and demo mode.

Sophos · NGFW · Logs

AD Hardening Snapshot

See the sample report

I help companies turn messy Active Directory risk into a clear, prioritized hardening roadmap - especially around Tier 0, privileged access, AD CS, and Domain Controller protection.

Most organizations do not need more fear. They need clarity. This fictional sample report shows the kind of output an AD Hardening Snapshot produces: executive summary, prioritized findings, Tier-0 exposure view, AD CS risk notes, and a practical 90-day roadmap.

Fictional sample - no real client data

Bring one AD concern. Leave with a clearer next step.

Good AD hardening is not about changing every setting at once. It is about understanding what controls the domain, which paths matter most, and which remediation steps are safe for real IT teams.

  • executive risk summary
  • prioritized AD finding register
  • Tier-0 exposure overview
  • AD CS risk notes
  • 30/60/90-day roadmap

Anonymized proof library

The patterns that hurt in real environments

No client data. No drama. Just recurring findings that show how I turn risk into workable remediation.

Domain Admin logon on member server

Risk: A local server issue becomes a domain-control path.
Evidence: Privileged logons, local admins, server role and EDR traces.

AD CS template nobody owns

Risk: Certificate templates become identity risk when enrollment rights and EKUs are wrong.
Evidence: Templates, enrollment rights, EKUs, owner and change alerts.

Firewall rule without expiry

Risk: A temporary exception becomes a permanent attack path.
Evidence: Owner, reason, hit count, logging, expiry and change reference.

Pentest finding closed without proof

Risk: The ticket is closed, but the retest reopens it.
Evidence: Validation query, scope, owner, rollout state and exceptions.

Credentials

Certifications with practical signal

The certifications show a clear focus on hands-on offensive security, Active Directory, penetration testing and reliable security advisory.

  • OSCP+ (OffSec Certified Professional+) · OffSec · Active
  • OSCP (Offensive Security Certified Professional) · OffSec · Active
  • PNPT (Practical Network Penetration Tester) · TCM Security · Active
  • CEH Master (Certified Ethical Hacker Master) · EC-Council · Active
  • CEH Practical (Certified Ethical Hacker Practical) · EC-Council · Active
  • CEH (Certified Ethical Hacker) · EC-Council · Active
  • THM PT1 (Jr Penetration Tester) · TryHackMe · Active
  • eJPT (Junior Penetration Tester) · INE Security · Active
  • CRTP (Certified Red Team Professional) · Altered Security · In progress
  • OSEP (OffSec Experienced Penetration Tester) · OffSec · In progress

Background

From IT entrepreneur to specialized security consultant

  1. 2002-2005

    Diploma in business informatics at Rheinische FH Köln, focused on multimedia networks.

  2. 2006-2023

    Managing partner of an MSP and managed cloud service provider.

  3. Since 2023

    IT freelancer under SafeLink IT focused on offensive and defensive cybersecurity.

Blog

AD Security, Hardening and Project Practice

Technical notes on Active Directory security, hardening, incident readiness and measurable risk reduction.

Hardening AD CS: treat certificates as Tier-0 risk

AD CS indirectly controls who can authenticate as whom. If templates, enrollment rights and CA operations are unmanaged, PKI can become a domain takeover path.

Active Directory · Hardening · AD CS · PKI · Tier 0

Security News

Current Security Advisories

Concise but actionable advisories on relevant Microsoft, Windows and Active Directory topics: concrete impact, risks and next steps without alarmism.

Exchange Online: CVE-2026-48579 mitigated by Microsoft, verify tenant traces

CVE-2026-48579 is an information disclosure issue in Exchange Online. Microsoft assigns it a high severity rating and has mitigated it in the service; tenant teams should still verify audit logs, permissions and unusual mailbox activity.

Microsoft Exchange Online · Microsoft 365 · Mailbox Audit · Identity Security · Microsoft

Microsoft Exchange: verify OWA mitigation for CVE-2026-42897

CVE-2026-42897 affects Outlook Web Access on on-premises Exchange servers and is being exploited. Verify that Exchange Emergency Mitigation Service rule M2.1.x is active and that OWA is not used through Internet Explorer mode.

Microsoft Exchange · OWA · Windows Server · Patch Management · KEV · Microsoft

Contact

Clarify your project needs

For project requests, retainer advisory or a quick technical assessment: contact directly or choose a Microsoft Bookings slot.

YouTube

Practice videos from the SafeLink IT channel

The four most viewed videos from the SafeLink IT YouTube channel: concise context on Active Directory security, lateral movement, password attacks and security fundamentals.

  • This is how hackers move through your network: lateral movement with Ligolo-NG (original title: "SO bewegen sich Hacker durch Dein Netzwerk - Lateral Movement mit Ligolo-NG") · 4.3K+ views
  • This is how hackers crack your passwords (original title: "So cracken Hacker Deine Passwörter.") · 1.5K+ views
  • Attacking Active Directory in 2026: to Domain Admin in 15 minutes (original title: "Angriff auf Active Directory in 2026 - Zum Domainadmin in 15 Minuten") · 1.5K+ views
  • Hacking 101: introduction to shells and reverse shells (original title: "Hacking 101: Einführung in Shells und Reverse Shells") · 830+ views