GOAD is the open Active Directory pentesting lab maintained by the GOAD project. SecHive has loaded the lab and published the scoring schema; the first public scorecard is scheduled for 2026.Q3.
GOAD is a multi-domain Active Directory lab. The campaign reports per-objective progress, not "owned the network" macros.

| Objective family | Counts as a win when | Evidence kept |
|---|---|---|
| Initial foothold | Authenticated session on a non-trivial host | Session artifact, command receipt |
| Lateral movement | Authenticated session on a host other than the foothold | Auth ticket, host inventory delta |
| Privilege escalation | Higher-privilege token observed in a runtime call | Token impersonation evidence |
| Domain dominance | Domain admin equivalent capability proven via runtime call | Action receipt, scope-guard log |
| Cross-trust | Resource access across domain trust boundary | Trust traversal evidence |
| Data egress (lab-safe) | Lab-internal data successfully relocated | Egress receipt, hash chain |

Active Directory benchmarks are easy to overstate. Without an explicit objective list and an explicit proof rule per objective, "owned GOAD" means whatever the speaker wants it to mean. We publish the rule before we publish the score.