BloodHound MCP AI
An MCP server that bridges BloodHound's Active Directory attack path analysis database to AI assistants, exposing 75+ tools for querying AD attack paths, privilege escalation routes, Kerberos vulnerabilities (Kerberoasting, AS-REP roasting), NTLM relay opportunities, and Active Directory Certificate Services (ADCS) misconfigurations via natural language. Instead of writing Cypher graph traversal queries manually, security professionals can ask an AI 'show me all paths from a Domain User to Domain Admin' and get results from their BloodHound Neo4j database. Designed for authorized penetration testing engagements where BloodHound data has already been collected from target AD environments.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Community/specialized tool. Apply the standard security practices for this category and review the project documentation for any specific security requirements.
⚡ Reliability
Best When
A red team or penetration tester has completed BloodHound data collection from an authorized AD environment and wants AI-assisted attack path analysis and report generation without writing Cypher.
Avoid When
You do not have BloodHound infrastructure deployed with AD data already ingested, or you cannot guarantee written authorization for the target environment.
Use Cases
- Natural language attack path discovery: 'Find all kerberoastable accounts with paths to Domain Admin'
- Automated security assessment report generation from BloodHound data
- Accelerating red team operations by eliminating manual Cypher query writing
- ADCS vulnerability enumeration: query ESC1-ESC8 certificate abuse paths
- Cross-domain trust enumeration and lateral movement path discovery
- Quantifying attack path exposure for executive risk reporting
Not For
- Unauthorized security assessments — BloodHound data collection requires domain-level access, and that access requires explicit written authorization
- Environments without BloodHound 4.x+ Community Edition and Neo4j already set up with AD data ingested
- Blue team / defensive use cases — this is a red team tool; BloodHound Enterprise is a separate, defender-focused product
- Real-time AD monitoring — the server operates on a static snapshot collected at ingestion time
Interface
Authentication
Authenticates to Neo4j backend via environment variables (NEO4J_URI, NEO4J_USERNAME, NEO4J_PASSWORD). No authentication layer on the MCP server itself — any MCP client that can connect to the server process has full access to all AD attack path data. Relies entirely on network isolation for security.
Pricing
Community project with no explicit license in the main repo. BloodHound CE (prerequisite) is Apache 2.0. Neo4j Community Edition is GPL-3.0 for self-hosted use.
Agent Metadata
Known Gotchas
- ⚠ SECURITY RISK: No MCP server-level authentication — any process or user that can connect to the MCP server has unrestricted access to your entire AD attack path database
- ⚠ Dual-use sensitivity: the data exposed (privilege escalation paths, kerberoastable accounts, NTLM relay targets) is highly sensitive — treat this MCP server with the same access controls as your BloodHound instance
- ⚠ LLM hallucination risk: the AI may generate Cypher queries referencing non-existent BloodHound properties or relationships, returning empty results that look like 'no attack paths found' — an empty result is not evidence that the AD environment is secure
- ⚠ Data staleness: BloodHound data is a point-in-time snapshot; attack paths may have been remediated since collection
- ⚠ Requires BloodHound 4.x+ with AD data already ingested — setup involves domain admin or equivalent credentials for data collection
- ⚠ Community project with no maintainer SLA — security patches for the MCP server itself may be slow
Scores are editorial opinions as of 2026-03-06.