Active Directory security · pre-registered study

The remediation ranking problem

Security teams are routinely advised to rotate credentials, lock down delegation, and segment the network, but rarely told in what order. We applied each of these interventions at graded coverage on a live Active Directory forest and measured the real change in attack surface. At full coverage, all three completely close the reachable-and-undetected surface — they are equally effective. Because the effects are equal, the only thing that distinguishes them is implementation cost, and on that basis credential rotation removes the same risk as network segmentation for roughly a sixth of the effort.

Oracle: 196 real before-and-after measurements. Lab: live GOAD forest on Azure. Engine: validated counterfactual.

01 The question

The standard hardening advice for Active Directory is a list, not a ranking. A team with limited time has to choose what to do first, and the usual instinct is to rank by raw impact — to lead with the intervention that closes the most attack paths. We wanted to test whether that instinct is right, by measuring the actual effect of each intervention and weighing it against what it costs to deploy.

02 How we measured it

We used a validated counterfactual engine to apply three interventions — credential rotation, delegation lockdown, and network segmentation — at graded coverage across the held-out defensive postures on a live forest. For each, we executed the real attack before and after and recorded the change in the reachable-and-undetected surface. We scored cost using a coarse implementation-effort tier: low counts as one unit, medium as three, high as six. The value of an intervention is its risk reduction divided by its effort.

03 What we found

At full coverage, every intervention drove the reachable-and-undetected surface to zero. Their absolute effects are identical. This is the key observation: because the interventions are equally effective, ranking them by impact is uninformative, and the decision collapses entirely onto cost.

Value at full coverage (risk reduction per unit of effort): credential rotation 1.00 (low cost, best value); delegation lockdown 0.33 (medium cost); network segmentation 0.17 (high cost). [Stat card: credential rotation's value advantage over segmentation.]

Ranked by value — risk reduction per unit of effort — the order is clear and well separated.

effect and effort-adjusted value at full coverage

intervention            effort tier   mean risk reduction   per unit effort   n
credential rotation     low (1)       1.00                  1.000             26
delegation lockdown     medium (3)    1.00                  0.333             43
network segmentation    high (6)      1.00                  0.167             2

The interventions also differ in how they respond to partial deployment. Credential rotation and delegation lockdown are linear in coverage: hardening a third of the accounts closes about a third of the surface, so partial work buys proportional protection. Segmentation, by contrast, is effectively all-or-nothing.

[Dose-response chart, risk reduction by coverage: 33% coverage 0.33; 67% coverage 0.67; 100% coverage 1.00.]
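The scoring rule from section 02 (effort tiers low = 1, medium = 3, high = 6; value = risk reduction divided by effort) and the dose-response behaviour described above, as an added worked example that is not part of the study's own tooling. It goes one step further than the page's full-coverage ranking by asking which intervention buys the most reduction for a fixed effort budget; the `Intervention` class and the all-or-nothing model for segmentation are assumptions of this example, since the study reports segmentation's dose-response as unmeasured.

```python
from dataclasses import dataclass

# Effort tiers as defined in the study: low = 1, medium = 3, high = 6 units.
EFFORT_UNITS = {"low": 1, "medium": 3, "high": 6}


@dataclass(frozen=True)
class Intervention:
    name: str
    effort_tier: str
    full_coverage_reduction: float  # risk reduction measured at 100% coverage
    linear: bool  # True: proportional dose-response; False: all-or-nothing

    @property
    def effort(self) -> int:
        return EFFORT_UNITS[self.effort_tier]

    def value(self) -> float:
        """Risk reduction per unit of effort at full coverage (the study's ranking metric)."""
        return self.full_coverage_reduction / self.effort

    def reduction_at(self, coverage: float) -> float:
        """Dose-response: `coverage` is the fraction of the work completed (0..1)."""
        coverage = max(0.0, min(1.0, coverage))
        if self.linear:
            return self.full_coverage_reduction * coverage
        return self.full_coverage_reduction if coverage >= 1.0 else 0.0


# Full-coverage figures as reported in the study's table. Modelling
# segmentation as all-or-nothing is this example's assumption.
INTERVENTIONS = [
    Intervention("credential rotation", "low", 1.00, linear=True),
    Intervention("delegation lockdown", "medium", 1.00, linear=True),
    Intervention("network segmentation", "high", 1.00, linear=False),
]


def rank_by_value(interventions=INTERVENTIONS):
    """(name, value) pairs sorted best to worst, rounded like the study's table."""
    return sorted(((i.name, round(i.value(), 3)) for i in interventions),
                  key=lambda p: p[1], reverse=True)


def reduction_for_budget(intervention, budget_units):
    """Risk reduction if only `budget_units` of effort go to this one intervention."""
    coverage = min(1.0, budget_units / intervention.effort)
    return round(intervention.reduction_at(coverage), 3)


def best_for_budget(budget_units, interventions=INTERVENTIONS):
    """Name of the intervention that buys the most reduction within the budget."""
    return max(interventions, key=lambda i: reduction_for_budget(i, budget_units)).name
```

With a budget of two effort units, credential rotation completes and closes the surface, delegation lockdown reaches two thirds coverage, and segmentation returns nothing under the all-or-nothing assumption.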

04 What this means

When two remediations achieve the same result, the only rational basis for choosing between them is cost. A program that leads with network segmentation spends its most expensive resource — a network re-architecture — to achieve a closure it could have obtained from a password rotation. The linear dose-response adds a practical point: because credential rotation pays off proportionally, a team does not need to finish to benefit, which is rarely true of segmentation.

Read together with our structural study, the recommendation is consistent. The reachable surface is driven by permission and delegation density, and credential rotation closes the credential-reuse portion of it at the lowest cost available. It is a reasonable default to do first.

05 Limitations

scope

The segmentation arm has only two environments, so its full-coverage result is sound but its dose-response is unmeasured. Because the full-coverage effects are deterministic — every intervention closes the surface completely, with no variance — a standardized effect size is not meaningful here, and we rank by effort-adjusted value instead.

scope

The cost tiers are a coarse heuristic, not measured person-hours, so the value ranking inherits that coarseness. Absolute risk reduction is also specific to this forest and will not transfer unchanged to an environment with a different baseline surface. Only these three interventions are validated counterfactuals; others would be estimates.

reproducibility

Every measurement is a real before-and-after attack execution on a live multi-domain forest. The model is a frozen black box, and the analysis plan was committed before the run. Every measurement is reconstructable from the per-environment records.