BloodHound CE → Tenable Identity Exposure
BloodHound CE ↔ Tenable Identity Exposure: an integration path, not a cutover.
BloodHound CE deploys alongside Tenable Identity Exposure first: it stands up on a Tier-0 jump host beside Tenable IE and proves it reproduces Tenable IE's top findings before anyone relies on it. Then it takes over the design-time attack-path role in phases, while Tenable IE keeps continuous detection running the whole time. No flag day, no detection gap, and every phase rolls back in minutes.
The honest line we lead with: this is not a Tenable IE retirement. BloodHound replaces attack-path analysis, never the continuous IoA stream. Both tools stay in production — that is the point.
The idea
Snapshot graph beside continuous detection.
The topology that makes this zero-downtime is simple: Tenable IE stays the production, SLA-bearing system — its Directory Listener replicates Trail Flow from every DC, evaluates the IoE pack continuously, and streams IoA alerts to your SIEM. BloodHound CE runs in parallel on a hardened Tier-0 jump host as the design-time and red-team tool, fed by SharpHound and AzureHound collections that defenders query with Cypher. The two never share a control plane — they share only the same DCs as observation targets and the same SIEM downstream — so adding BloodHound cannot perturb the detection you already depend on.
The phases
Six steps. Each one reversible.
Baseline & inventory
We read your environment without touching it: per-forest DC count and OS mix, Tenable IE Directory Listener health, the full IoE deviance list with severities, a 90-day IoA volume baseline, Tier-0 group membership, and the candidate Tier-0 jump host BloodHound will live on.
Stand up BloodHound CE in audit mode
BloodHound CE (Postgres + Neo4j + UI) deploys on the hardened Tier-0 jump host, restricted to Tier-0 admins, with no collections ingested yet. Tenable IE is completely unchanged.
First collection, validated against Tenable IE
The first SharpHound and AzureHound run is ingested and Tier-0 groups are tagged high-value. We prove that BloodHound's shortest-path queries reproduce Tenable IE's top critical IoE findings before anyone relies on it.
Parallel reporting; Tenable IE stays paging
Steady-state cadence begins (weekly All, nightly DCOnly plus Session, daily AzureHound). Tenable IE IoA remains the only paging source; BloodHound shortest-path findings feed a non-paging exposure backlog in Jira or ServiceNow.
Add the graph-delta exporter (optional)
A scheduled job diffs each new graph against the prior one and emits one SIEM event per newly-created shortest path to a Tier-0 target, routed to the non-paging exposure index. Configuration drift becomes a first-class, auditable signal.
Reach steady state — both tools stay
We document the role boundary in writing: Tenable IE owns IoA detection, the IoE catalogue and Trail Flow; BloodHound CE owns ad-hoc Cypher and the optional drift feed. No Tenable IE deactivation happens — there is deliberately no retirement phase.
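The validation step and the optional graph-delta exporter above both reduce to the same operation: compute the shortest path from every principal to a Tier-0 target, then compare two collections. The block below is an added example written for this page, not BloodHound CE code. The two snapshots, the Tier-0 set and the CORP.LOCAL names are constructed; in production the (source, edge, target) triples would come from a Cypher export of the BloodHound CE Neo4j database after each SharpHound or AzureHound run, and the events would be forwarded to the non-paging exposure index.

```python
"""Graph-delta exporter (example): diff two BloodHound snapshots and emit one
non-paging SIEM event per newly created shortest path to a Tier-0 target.

Snapshots, Tier-0 set and names below are constructed for this example.
"""
from collections import deque
import json

# Constructed Tier-0 targets (the nodes tagged high-value in the first validated collection).
TIER0 = {"DOMAIN ADMINS@CORP.LOCAL"}

# Constructed snapshot from the previous collection.
SNAPSHOT_T0 = [
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
]

# Constructed snapshot from the new collection: the session on WS01 is gone,
# but two ACL changes have opened shorter paths from the helpdesk group and a service account.
SNAPSHOT_T1 = [
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "WriteDacl", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
]


def build_adjacency(edges):
    """Directed adjacency list; outgoing edges sorted so BFS tie-breaks are deterministic."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    for out in adj.values():
        out.sort()
    return adj


def shortest_path_to_tier0(adj, start, tier0):
    """Breadth-first search from start to any Tier-0 node.

    Returns (node, rel, node, ..., tier0_node) or None. Tier-0 nodes are
    skipped as sources: they already hold the access being modelled.
    """
    if start in tier0:
        return None
    seen = {start}
    queue = deque([(start,)])
    while queue:
        path = queue.popleft()
        for rel, nxt in adj.get(path[-1], []):
            if nxt in seen:
                continue
            candidate = path + (rel, nxt)
            if nxt in tier0:
                return candidate
            seen.add(nxt)
            queue.append(candidate)
    return None


def tier0_paths(edges, tier0):
    """Set of shortest paths, one per principal that reaches Tier-0 in the snapshot."""
    adj = build_adjacency(edges)
    return {shortest_path_to_tier0(adj, node, tier0) for node in adj} - {None}


def make_event(event_type, path, collected_at):
    """One SIEM event, routed to the non-paging exposure index."""
    return {
        "event_type": event_type,
        "source": path[0],
        "target": path[-1],
        "hops": (len(path) - 1) // 2,
        "path": list(path),
        "collected_at": collected_at,  # the freshness boundary travels with the event
        "index": "exposure",
        "paging": False,               # Tenable IE IoA stays the only paging source
    }


def diff_snapshots(old_edges, new_edges, tier0, collected_at):
    """Emit new paths (configuration drift) and closed paths (remediation evidence)."""
    old_paths = tier0_paths(old_edges, tier0)
    new_paths = tier0_paths(new_edges, tier0)
    events = [make_event("new_tier0_path", p, collected_at) for p in sorted(new_paths - old_paths)]
    events += [make_event("closed_tier0_path", p, collected_at) for p in sorted(old_paths - new_paths)]
    return events


def export_example():
    """Run the diff over the constructed snapshots and return the events."""
    return diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1, TIER0, "2024-06-03T02:00:00Z")


if __name__ == "__main__":
    for event in export_example():
        print(json.dumps(event))  # one JSON line per event for syslog or HTTP collector forwarding
```

A path is identified by its full hop sequence, not just its source, so a principal whose route to Tier-0 merely got shorter (HELPDESK, BOB) produces one new-path event and one closed-path event rather than silently keeping its old entry. Unchanged paths (ALICE) emit nothing, which keeps the exposure backlog to genuine drift.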
Feature parity
Where BloodHound matches Tenable IE, and where it cannot.
| Capability | BloodHound CE | Tenable Identity Exposure | Parity |
|---|---|---|---|
| AD collection | SharpHound / AzureHound / BloodHound.py collectors with tunable collection methods | Directory Listener replicating Trail Flow (DCE-RPC + LDAP) per forest | Partial |
| Attack-path graph analysis | BloodHound shortestPath / allShortestPaths Cypher over the full graph | Topology view plus a canned attack-path explorer; no free-form query language exposed | Partial |
| Continuous vs snapshot detection | Per-collection snapshot; HasSession stale within roughly an hour | Continuous Trail Flow change-stream with no cadence knob | SaaS only |
| Real-time IoA (Pass-the-Hash / DCSync) | Models the DCSync right; zero runtime telemetry | Continuous IoA stream (DCSync, Golden Ticket, Kerberoasting, PtH/PtT) on the wire | SaaS only |
| Identity-to-endpoint correlation | HasSession gives only a point-in-time computer-to-user link; no endpoint telemetry join, so correlation is built by hand in the SIEM | Trail Flow is identity-plane; endpoint correlation is SIEM-side | Partial |
| Exposure indicators (IoE) | Community customqueries.json packs, maintained unevenly and trailing the vendor pack | Vendor-curated IoE catalogue with Critical/High/Medium/Low severities | Partial |
| Remediation guidance | None native | IoE deviance maps to a remediation command or script plus offending-object lists | SaaS only |
| Hybrid / Entra coverage | AzureHound plus SharpHound in one Cypher graph; no add-on cost | Tenable IE Entra add-on as a separate SKU | Partial |
| SIEM / SOAR integration | REST graph export; wire it yourself (the optional graph-delta exporter in the phases above) | Pre-built syslog (LEEF/CEF) plus SOAR connectors with maintained content | Partial |
| ATT&CK mapping (TA0006) | Edge and property inference (DCSync edge, hasspn) | IoA mapped to ATT&CK technique IDs (T1003.006, T1558.001/003) | Partial |
| Owned-principal / what-if modelling | Owned asset-group tagging (the legacy `owned: true` property); mutate the snapshot and re-run shortest path | Privileged-account tagging, but no red-team what-if simulation | OSS only |
| Deployment model | Self-hosted Postgres + Neo4j bundle on a Tier-0 jump host | SaaS-first (or on-prem) Directory Listener VM per forest | Partial |
| Cost model | Free, Apache-2.0 licensed, owned data plane | Per-AD-user-account subscription | Partial |
| Data sovereignty | Graph stays on-prem; nothing leaves the org | SaaS sends Trail Flow metadata to the Tenable cloud | OSS only |
| Compliance evidence | Posture artifacts; snapshots are not audit logs (SOC 2 CC6.3 / HIPAA) | Trail Flow is vendor-attested within the vendor SOC 2 boundary | SaaS only |
What we're honest about
The caveats most vendors leave out.
BloodHound never replaces continuous detection
BloodHound CE is a point-in-time graph analyser with zero runtime telemetry. It models the DCSync right but cannot see DCSync, Golden Ticket, Pass-the-Hash or Kerberoasting happening on the wire. Tenable IE's continuous IoA stream is mandatory and stays in production indefinitely — this is an integration, not a retirement.
The graph goes stale between collections
A HasSession edge is stale within roughly an hour and ACL edges within days, so the org can look safe in BloodHound while a Tenable IE IoA is firing. We document the freshness boundary explicitly and never use a BloodHound snapshot to dismiss a Tenable IE alert.
The vendor IoE catalogue and remediation have no OSS parity
Tenable Research maintains the IoE pack with Critical-to-Low severities and ties each deviance to a remediation command plus offending-object lists and pre-built SOAR connectors. The closest OSS equivalent, the community customqueries.json packs, is maintained by volunteers and trails the vendor pack, and BloodHound has no native remediation workflow at all.
The collector host becomes a Tier-0 target
SharpHound's broad LDAP read makes its service account a lateral-movement prize. We run it only from a hardened Tier-0 jump host with a dedicated vaulted account and a SOC alert on any non-scheduled SharpHound execution. BloodHound snapshots are also not audit logs — Trail Flow plus WEF plus Sysmon remains your audit-defensible chain.
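The "SOC alert on any non-scheduled SharpHound execution" above is a detection rule, so here is one written out. It is an added example for this page, not part of any product. The process-creation records are constructed, flattened Sysmon Event ID 1 style fields; the jump host, vaulted account, binary path, nightly window and weekly-All day are assumptions that stand in for your own policy. The renamed-binary case is handled by recognising SharpHound collection-method flags on the command line rather than trusting the image name alone.

```python
"""Detection (example): flag SharpHound executions that are not the scheduled
collection from the Tier-0 jump host.

Policy constants and sample events are assumptions constructed for this example.
"""
from datetime import datetime, timezone

APPROVED_HOST = "JUMP01.CORP.LOCAL"                 # assumed hardened Tier-0 jump host
APPROVED_ACCOUNT = "CORP\\svc-sharphound"           # assumed dedicated vaulted account
APPROVED_IMAGE = r"C:\Tools\SharpHound\SharpHound.exe"  # assumed install path
WINDOW_UTC = (1, 3)                                 # assumed nightly window, 01:00-03:00 UTC
WEEKLY_ALL_DAY = 6                                  # Sunday: the only day an "All" run is expected

# Common SharpHound collection-method names (lower-cased), used to recognise a
# renamed binary by its command line.
COLLECTION_METHODS = {
    "all", "default", "dconly", "session", "loggedon", "acl", "group",
    "localadmin", "rdp", "dcom", "psremote", "trusts", "container", "objectprops",
}

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"timestamp": "2024-06-02T02:00:11Z", "host": "JUMP01.CORP.LOCAL", "user": "CORP\\svc-sharphound",
     "image": r"C:\Tools\SharpHound\SharpHound.exe",
     "command_line": "SharpHound.exe -c All --outputdirectory C:\\Collections"},
    {"timestamp": "2024-06-03T02:00:09Z", "host": "JUMP01.CORP.LOCAL", "user": "CORP\\svc-sharphound",
     "image": r"C:\Tools\SharpHound\SharpHound.exe",
     "command_line": "SharpHound.exe -c DCOnly,Session --outputdirectory C:\\Collections"},
    {"timestamp": "2024-06-03T14:12:40Z", "host": "WS07.CORP.LOCAL", "user": "CORP\\bob",
     "image": r"C:\Users\bob\Downloads\SharpHound.exe", "command_line": "SharpHound.exe -c All"},
    {"timestamp": "2024-06-04T02:03:00Z", "host": "JUMP01.CORP.LOCAL", "user": "CORP\\svc-sharphound",
     "image": r"C:\Windows\Temp\svc.exe", "command_line": "svc.exe -c All --zipfilename x.zip"},
    {"timestamp": "2024-06-03T02:00:30Z", "host": "JUMP01.CORP.LOCAL", "user": "CORP\\svc-sharphound",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Date"},
]


def collection_methods(command_line):
    """Values named after -c / --collectionmethods, lower-cased, split on commas."""
    tokens = command_line.lower().split()
    methods = set()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-c", "--collectionmethods"):
            methods.update(tokens[i + 1].split(","))
    return methods


def looks_like_sharphound(event):
    """Match on binary name, command line, or recognisable collection flags (renamed binary)."""
    image_name = event["image"].lower().rsplit("\\", 1)[-1]
    if image_name == "sharphound.exe" or "sharphound" in event["command_line"].lower():
        return True
    return bool(collection_methods(event["command_line"]) & COLLECTION_METHODS)


def evaluate(event):
    """Verdict for SharpHound-like events; None for everything else."""
    if not looks_like_sharphound(event):
        return None
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
    reasons = []
    if event["host"].upper() != APPROVED_HOST.upper():
        reasons.append("unapproved host")
    if event["user"].lower() != APPROVED_ACCOUNT.lower():
        reasons.append("unapproved account")
    if event["image"].lower() != APPROVED_IMAGE.lower():
        reasons.append("unexpected image path")
    if not (WINDOW_UTC[0] <= ts.hour < WINDOW_UTC[1]):
        reasons.append("outside collection window")
    if "all" in collection_methods(event["command_line"]) and ts.weekday() != WEEKLY_ALL_DAY:
        reasons.append("All collection outside the weekly slot")
    return {
        "timestamp": event["timestamp"], "host": event["host"], "user": event["user"],
        "disposition": "alert" if reasons else "scheduled", "reasons": reasons,
    }


def triage(events):
    """Verdicts for SharpHound-like events; non-matching process events are dropped."""
    return [v for v in (evaluate(e) for e in events) if v is not None]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict["disposition"], verdict["host"], verdict["user"], verdict["reasons"])
```

Every deviation is recorded as its own reason, so the SOC sees at a glance whether an alert is a workstation download run by a user (all five checks fail) or a renamed binary launched from the right host, by the right account, in the right window (only the image path and the weekly slot fail). Unlike the graph findings, this alert does page: it is Tier-0 process telemetry, not a posture snapshot.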
Why this beats a flag day
Reversible in minutes, soaked for a month.
Every phase that adds BloodHound is a scheduled job or a parallel, read-only component, so each one rolls back in under 15 minutes by disabling collection. Tenable IE detection is never touched and never goes dark. And because this is an integration rather than a cutover, the steady state is gated by a ≥30-day soak with both tools healthy and an on-call IR engineer signing off that Tenable IE remains the runtime detection source. There is deliberately no phase that cancels the Tenable IE contract.
See whether BloodHound earns a seat beside Tenable IE.
A call with a senior identity engineer. We map your forests, your Tenable IE IoE baseline, and your Tier-0 jump-host options, then tell you honestly where ad-hoc Cypher adds value — and where Tenable IE's continuous IoA stream stays non-negotiable.
Map my migration →