Glossary of BloodHound terminology

This article applies to BHCE and BHE

Review the definitions for terminology used in the BloodHound software and documentation.

Attack Path

Attack Paths are the chains of abusable privileges and user behaviors that create direct and indirect connections between computers and users. In BloodHound, Attack Paths are visualized in the graph by Nodes and Edges. Learn more by reading What is Attack Path Management.

Attack Path Management (APM)

"Attack Path Management" is the process of identifying, analyzing, and managing the Attack Paths that an adversary might exploit to reach high-value objects or compromise the network's security. BloodHound assists in visualizing and managing these attack paths through Attack Path Management (APM).

Choke Point

A "Choke Point" is a privilege or user behavior (named Edges) that, like the driveway to your house, connects the rest of the environment through an object or collection of objects (named Nodes). For example, any Edge into the collection of Tier Zero nodes is a Tier Zero Choke Point — a privilege or user behavior the adversary must abuse to compromise a Tier Zero object. Choke points are significant points of control and defense in the network security architecture and therefore represent the optimal location to block the largest number of Attack Paths. BloodHound Enterprise calculates Exposure for all Choke Points.

Cypher

Cypher is Neo4j’s graph query language that lets you interact with BloodHound's database. It is similar to SQL for traditional databases. See Searching with Cypher.

Collector / Client

Collector, Collector Client, or Data Collector is software that collects attack path-related data from a directory. For example, SharpHound and AzureHound.

Directory

Directory refers to a directory of identities or an Identity Provider, such as Active Directory (AD) and Entra ID (formerly Azure Active Directory).

Edge

An Edge is part of the graph construct and represents a relationship between two nodes, indicating some form of interaction. See About BloodHound Edges.

Enterprise Access Model (EAM)

A security framework developed by Microsoft that defines a privileged access strategy[1] which has the ultimate goal of preventing privilege escalation through Identity-based Attack Paths. In most cases, EAM supersedes and replaces Tiering/Tier Model.

Exposure

The percentage of principals in a directory with a Tier Zero attack path. It encompasses both principals with one-step paths (UserA -[ForceChangePassword]-> TierZero), and multi-step paths (UserA -[ForceChangePassword]-> UserB -[GenericAll]-> TierZero). BloodHound Enterprise calculates Exposure for all Choke Points.

FOSS

Stands for "Free and Open Source Software", as in "BloodHound CE is a FOSS project."

Graph

Graph refers to the graph database used by BloodHound. It stores the relationships between nodes and edges which can be seen in BloodHound's Explore page to visualize and understand complex attack paths.

High Value

High Value objects are critical resources, data, or systems in the network that are particularly valuable to the organization. See Tier Zero.

Identity-based Attack Path

An Attack Path is based on identity/an already authenticated principal. BloodHound's main goal is to assist in visualizing and managing attack paths. See Attack Path.

Node

A Node is part of the graph construct and refers to an entity in the network, such as a user, computer, group, or domain. Two nodes can be connected by an Edge. See About BloodHound Nodes.

Object

In BloodHound, an "Object" is a broad term used to refer to various entities within the Active Directory and Entra ID directory (formerly Azure Active Directory), such as users, groups, computers, organizational units (OUs), domains, and trusts. Each object represents a distinct element contributing to the network's overall structure and security posture. An object can also be referred to as an "Asset".

Principal

In BloodHound, a "Principal" refers to an entity that can authenticate and be assigned permissions within the network, also known as a security principal. Principals can be users, groups, or computer objects in Active Directory, and they play a central role in the access control mechanisms of the network.

Privilege

In BloodHound, "Privilege" refers to a level of access or permission a principal has on a specific object within the infrastructure.

Remediation

Remediation refers to the process of fixing or mitigating security risks identified during the analysis of attack paths with BloodHound

Right

See Privilege.

Tenant

A BloodHound Enterprise tenant is hosted and managed by SpecterOps (SasS), while BloodHound CE is self-hosted and self-managed.

Tier Zero

Tier Zero refers to the most critical and sensitive objects in the network, typically including domain controllers and other core infrastructure components. The term stems from Tiering.

Tiering/Tier Model

Refers to categorizing objects and privileges based on their criticality and importance to the organization. The term stems from Microsoft's Active Directory Tier Model, which in most cases is superseded and replaced by the Enterprise Access Model. See Enterprise Access Model (EAM).

Updated