RUNOFF · status: stable · Python 3.8+ · license: MIT
Real-Fruit-Snacks  //  AD security audit  //  stable release

RUNOFF.

queries: 40+ targeted
categories: 6 audit areas
abuse: quick wins
stack: Python 3.8+
01 Premise

Drain everything BloodHound swept up — ready to use.

Runoff extracts actionable intelligence from BloodHound CE databases. 40+ targeted queries across 6 audit categories reveal attack paths, misconfigurations, and privilege escalation routes with concrete abuse recommendations.

Transform graph data into prioritized findings that security teams can act on immediately.

02 Specs

What's in the box.

QUERIES
40+ targeted Cypher queries — domain admins, ACLs, trusts, Kerberos, certificates, containers
CATEGORIES
6 audit areas — high-value accounts, dangerous ACLs, trust relationships, Kerberos abuse, AD CS, containers
ABUSE
Concrete exploitation steps — PowerView commands, Rubeus usage, Certify abuse, impacket examples
OUTPUT
Multiple formats — terminal tables, JSON export, HTML reports with MITRE ATT&CK mapping
FEATURES
Risk scoring · filtering · export — prioritize findings by exploitability and business impact
STACK
Pure Python · Neo4j driver · Rich TUI · Cypher · BloodHound CE integration
03 Quickstart

Connect, query, analyze, report.

Runoff connects directly to BloodHound CE's Neo4j database to extract and analyze AD security posture.

# Install from PyPI
$ pip install runoff

# Connect to BloodHound CE database
$ runoff --uri bolt://localhost:7687 --username neo4j --password bloodhound

# Run specific audit categories
$ runoff --categories "High-Value Accounts,Dangerous ACLs" --output-dir reports/

# Export findings with abuse guidance
$ runoff --all-queries --format html --include-abuse --risk-threshold high
04 Reference

Query categories and options.

Complete reference for BloodHound analysis, query execution, and report generation.

CONNECTION

--uri <bolt://host:port>    Neo4j database URI (BloodHound CE)
--username <user>           Neo4j username (default: neo4j)
--password <pass>           Neo4j password
--timeout <sec>             Query timeout (default: 30)

QUERIES

--all-queries               Run all 40+ queries across all categories
--categories <list>         Specific categories: "High-Value,ACLs,Trusts,Kerberos,ADCS,Containers"
--list-queries              Show all available queries and descriptions
--custom-query <cypher>     Execute custom Cypher query

FILTERING

--risk-threshold <level>    Minimum risk: low, medium, high, critical
--domain <name>             Filter results by specific domain
--limit <n>                 Maximum results per query

OUTPUT

--format <type>             Output format: table, json, html, csv
--output-dir <path>         Report output directory
--include-abuse             Include concrete exploitation commands
--mitre-mapping             Map findings to MITRE ATT&CK techniques
05 Architecture

Query engine with abuse guidance.

Cypher query engine connects to BloodHound's Neo4j backend, executes targeted security queries, and enriches results with exploitation context and MITRE ATT&CK mapping.

runoff/
├── queries/            // 40+ Cypher queries by category
│   ├── accounts.py     // high-value targets · DA paths
│   ├── acls.py         // dangerous permissions
│   ├── trusts.py       // domain trust analysis
│   ├── kerberos.py     // ASREPRoast · Kerberoast
│   └── adcs.py         // certificate services abuse
├── engine.py           // Neo4j driver · query execution
└── reporting.py        // HTML · JSON · CSV output
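The engine loop described above, as an added example that is not Runoff's own engine.py: a parameterised Cypher audit query run inside a read-only transaction (the neo4j 5.x driver's session.execute_read), findings enriched with a risk level and MITRE ATT&CK id, then filtered the way --risk-threshold does. The BloodHound CE property names (hasspn, enabled, admincount), the sample rows and the session stand-in are assumptions so the file runs offline.

```python
from typing import Callable, Dict, List, Optional
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Parameterised Cypher: $domain / $limit (the --domain / --limit flags) are bound
# by the driver, never spliced into the query string. Property names follow the
# BloodHound CE User schema (hasspn, enabled, admincount), assumed here.
KERBEROASTABLE = """
MATCH (u:User)
WHERE u.hasspn = true AND u.enabled = true
  AND ($domain IS NULL OR u.domain = $domain)
RETURN u.name AS name, u.domain AS domain, u.admincount AS admincount
LIMIT $limit
"""
def enrich(record: Dict) -> Dict:
    # An SPN on a privileged (admincount) account is the worst case; the
    # MITRE ATT&CK id is what the --mitre-mapping report would print.
    risk = "critical" if record.get("admincount") else "high"
    return {**record, "risk": risk, "technique": "T1558.003"}

def run_query(session, cypher: str, domain: Optional[str], limit: int) -> List[Dict]:
    # execute_read opens a read transaction, so the driver rejects writes:
    # this is what keeps the audit read-only against BloodHound data.
    def work(tx):
        return [r.data() for r in tx.run(cypher, domain=domain, limit=limit)]
    return [enrich(r) for r in session.execute_read(work)]

def filter_by_threshold(findings: List[Dict], threshold: str) -> List[Dict]:
    floor = RISK_ORDER[threshold]  # KeyError for a level the CLI does not accept
    kept = [f for f in findings if RISK_ORDER[f["risk"]] >= floor]
    return sorted(kept, key=lambda f: -RISK_ORDER[f["risk"]])

# Constructed sample rows plus a stand-in for neo4j.Session so this runs offline;
# real code uses GraphDatabase.driver(uri, auth=(user, pw)).session() instead.
SAMPLE_ROWS = [
    {"name": "SVC_SQL@CORP.LOCAL", "domain": "CORP.LOCAL", "admincount": True},
    {"name": "SVC_WEB@CORP.LOCAL", "domain": "CORP.LOCAL", "admincount": False},
]
class _Rec(dict):  # stand-in for neo4j.Record: .data() returns the row as a dict
    def data(self): return dict(self)
class _StubSession:
    def execute_read(self, work: Callable):
        class Tx:
            def run(self, cypher, **params):
                rows = [d for d in SAMPLE_ROWS if params["domain"] in (None, d["domain"])]
                return [_Rec(d) for d in rows[: params["limit"]]]
        return work(Tx())

def audit(threshold: str = "high") -> List[Dict]:
    findings = run_query(_StubSession(), KERBEROASTABLE, "CORP.LOCAL", 10)
    return filter_by_threshold(findings, threshold)
```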
06 Authorization

Authorized AD assessments only.

Runoff is designed for legitimate Active Directory security assessments with proper authorization. Use only against domains you own or have explicit written permission to analyze.

Security issues should be reported through private security advisories.

Queries run read-only against BloodHound data — no modifications to AD environment.

Turn graph data into attack paths.