RC4 Remediation Assessment

Your Active Directory has a July 14 deadline. Know your exposure now.

Microsoft's July 14, 2026 deadline creates three simultaneous risks for IT leadership: authentication outages across domain-joined systems, compliance findings in your next audit, and coverage questions at your next insurance renewal. PresideTech's RC4 Detect assessment tells you where you stand — with documented, audit-ready evidence — before any of those conversations happen under pressure. The assessment surfaces the accounts and dependencies most likely to need remediation, helps distinguish genuine risk from accounts that are already fine, and delivers a sequenced remediation plan your team executes rather than researches. The report is structured to satisfy compliance auditors and cyber insurance underwriters — not just your internal IT team.

July 14
Remediation deadline

12+
Exposure vectors analyzed

AES-256
Encrypted result delivery

0
AD objects modified during scan

The organizations that will experience outages on July 14 are not the ones that ignored the deadline — they are the ones that thought they had addressed it.

Most IT teams believe they have a handle on their RC4 exposure. They ran some queries. They rotated some accounts. They believe they are ready. The problem is that RC4 dependencies are difficult to surface without deliberate, systematic investigation. A service account created five years ago for a line-of-business integration, a scheduled task running overnight, a device joined to the domain before it was properly documented — none of these announce themselves in a dashboard or generate alerts. Event logs only surface accounts that authenticated during the window you happened to collect. Attribute values show configuration intent, not what happens when the account actually tries to authenticate. The gap between what your environment looks like on paper and what could break on July 14 is exactly the gap that makes organizations confident and then surprised.
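The gap described above, between configured attributes, collected events, and password age, can be made concrete with a small triage routine. This is an added example, not PresideTech's collector logic: the tier names, record fields, AES cutover date (assumed to be when password changes in the domain began producing AES keys) and sample accounts are all constructed for illustration.

```python
from datetime import date

# msDS-SupportedEncryptionTypes bit flags and Kerberos ticket etype numbers.
AES_BITS = 0x08 | 0x10            # AES128 | AES256
ETYPE_RC4 = 0x17                  # RC4-HMAC
ETYPES_AES = {0x11, 0x12}         # AES128 / AES256 (CTS-HMAC-SHA1-96)

def triage(acct, aes_cutover):
    """Return an illustrative tier for one account (tier names are this example's own)."""
    seen = set(acct["ticket_etypes"])              # from 4769 events in the window
    configured_aes = bool((acct["enc_types"] or 0) & AES_BITS)
    if seen & ETYPES_AES:
        return "aes-confirmed"                     # a ticket was sealed with an AES key
    if ETYPE_RC4 in seen:
        return "rc4-observed"                      # KDC is still issuing RC4 tickets
    # Silent account: no events collected, so fall back to password age.
    if acct["pwd_last_set"] < aes_cutover:
        # Password predates AES key generation; the attribute shows intent only.
        return "silent-intent-mismatch" if configured_aes else "silent-no-aes-key"
    return "silent-aes-configured" if configured_aes else "silent-aes-not-configured"

def build_worklist(accounts, aes_cutover):
    """Map account name -> tier, with tiers needing action first."""
    order = ["silent-intent-mismatch", "silent-no-aes-key", "rc4-observed",
             "silent-aes-not-configured", "silent-aes-configured", "aes-confirmed"]
    tiers = {a["name"]: triage(a, aes_cutover) for a in accounts}
    return dict(sorted(tiers.items(), key=lambda kv: (order.index(kv[1]), kv[0])))

# Constructed sample inventory; names, dates and values are invented for illustration.
AES_CUTOVER = date(2009, 6, 1)    # assumed date the domain began generating AES keys
ACCOUNTS = [
    {"name": "svc-web", "enc_types": 0x1C, "pwd_last_set": date(2023, 2, 1),
     "ticket_etypes": [0x12]},
    {"name": "svc-sql", "enc_types": None, "pwd_last_set": date(2019, 8, 9),
     "ticket_etypes": [0x17, 0x17]},
    {"name": "svc-lob", "enc_types": 0x18, "pwd_last_set": date(2007, 3, 1),
     "ticket_etypes": []},        # attribute says AES, password says otherwise
    {"name": "task-nightly", "enc_types": None, "pwd_last_set": date(2006, 11, 5),
     "ticket_etypes": []},
    {"name": "svc-new", "enc_types": 0x18, "pwd_last_set": date(2024, 5, 20),
     "ticket_etypes": []},
]

if __name__ == "__main__":
    for name, tier in build_worklist(ACCOUNTS, AES_CUTOVER).items():
        print(f"{name:14} {tier}")
```

The `svc-lob` record is the case the paragraph warns about: its attribute advertises AES, it never appears in the event window, and only the password age shows that the key material is probably missing.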

Two clocks are running. Neither one is July 14.

Microsoft's deadline is the loudest. It is not the most immediate.

Clock #1

Your audit may already have a finding.

RC4 in Active Directory predates the Microsoft deadline as a compliance concern by a decade. NIST SP 800-131A disallowed RC4 in 2016. PCI-DSS 4.0 Requirement 12.3.3 requires inventory of weak cipher suites and a documented remediation plan. HIPAA's 2024–2025 Security Rule updates moved encryption from addressable to required. SOC 2 audit periods running through 2026 will include post-April enforcement dates in their evidence window. The question is no longer whether RC4 is a finding — it is whether your documentation is ready when the auditor asks.

HIPAA
PCI-DSS 4.0
SOC 2
NIST 800-53
CMMC

Clock #2

Your renewal questionnaire just got harder.

Cyber insurance underwriters spent three years expanding their technical questionnaires. In 2026 those questionnaires include Kerberos encryption posture in Active Directory environments. Organizations that cannot answer with documented, third-party-verified evidence face higher premiums, lower coverage limits, and specific exclusions for credential-based attacks. After July 14, the "known vulnerability" exclusion argument becomes mechanical — the CVE was published in 2022, Microsoft provided a multi-year remediation window, the deadline was public. Documented remediation is the difference between a covered claim and a denied one.

Premium loading
Coverage exclusions
Claim denial risk

Organizations that arrive at July 14 with a documented assessment have the answers their auditors and underwriters already need. Those that don't will discover what's missing under pressure.

Everything needed to remediate — identified and sequenced

The RC4 Remediation Assessment surfaces the accounts, configurations, and dependencies most likely to need attention before July 14 — and delivers the remediation steps in the right order so your team executes without guessing.

Critical

Surface the accounts most likely to fail

Accounts at risk of failure on July 14 are surfaced and prioritized through multi-source correlation — KDC event evidence, password-age analysis, and configuration state — so your team can focus remediation on the right accounts in the right order.

High

Confirmed AES key evidence — not guesswork

AES key presence is confirmed from KDC event evidence, not inferred from AD attributes. This eliminates unnecessary remediation work on accounts that are already fine and focuses effort on accounts that genuinely need it.

Critical

The accounts your event logs missed

Accounts that authenticate infrequently never appear in event logs — but they will still fail on July 14. Password-age tier analysis identifies the silent population your standard monitoring cannot see.

High

No surprises from inconsistent domain controllers

Each DC is checked against actual registry state — not assumptions. Inconsistent configuration across DCs causes sporadic post-patch failures that are nearly impossible to diagnose under pressure.

Critical

Event log evidence mapped to specific accounts

Audit data is joined back to named accounts in every table — converting a pile of event entries into a per-account list of what needs remediation and why.

High

Which applications and devices are still at risk

Per-endpoint analysis surfaces the specific workstations, appliances, and applications still using RC4 — so remediation effort lands on the actual sources, not a forest-wide assumption.

High

KRBTGT exposure and rotation readiness

An aged KRBTGT leaves a credential forgery window open. Password age, AES key presence, and rotation history are assessed across primary KRBTGT and RODC variants in scope — with clear remediation guidance.

Critical

Service account blast radius before any password is touched

Rotating a service account password without knowing what depends on it breaks every dependent application simultaneously. The assessment maps dependencies first — so remediations happen in the right order without causing new outages.

Critical

A sequenced remediation plan your team executes — not researches

Steps are ordered by dependency, not alphabetically or by severity alone. Your team gets a concrete, in-order plan they can work through without breaking authentication partway through.

See exactly what you get

Every RC4 Remediation Assessment delivers a forensic-grade HTML report — branded, timestamped, and scoped to your Active Directory forest. Below is a redacted example from a real engagement.

100
Critical risk score

The overall risk score weights findings by severity and business impact. A score of 100 means the full remediation workload is ahead — and the report tells you exactly what it is.

35%
Of Kerberos traffic still RC4

Live traffic analysis shows what proportion of Kerberos authentication is still negotiating RC4 — the clearest measure of remediation scope remaining and where to prioritize first.

400
Days since KRBTGT rotation

An unrotated KRBTGT is an open door for credential forgery attacks. The report identifies current rotation state and provides clear guidance on completing it safely.

7
Distinct finding categories

From Kerberoastable service accounts to NTLM fallback exposure — every finding is categorized, severity-rated, and mapped to a prioritized remediation step your team can act on.

From purchase to report in days — not months

A tightly controlled, auditable chain of custody for your sensitive AD data. Your environment is never exposed — and neither is your timeline.

1

One-time key issuance

PresideTech issues a cryptographically signed, time-limited product key scoped to your forest and tier. The key expires in 7 days and can only be consumed once.

RSA-SHA256 signed · 7-day TTL

2

Collector deployment

Run the self-contained collector on any domain-joined Windows host. No installation, no agents, no changes to your environment. Your IT team can run it in minutes.

.NET 8 · single-file binary · no install

3

Read-only AD scan

The collector queries Active Directory via LDAP, reads remote registry on DCs, and analyzes Windows Event Logs — all read-only. Zero AD objects are modified. Nothing changes in your environment.

LDAP · Remote Registry · Event Log

4

Encrypted file output

Results are AES-256-CBC encrypted before the file is written to disk. Your AD data never leaves your environment in plaintext — not in transit, not at rest.

AES-256-CBC · RSA-4096-OAEP · HMAC-SHA256

5

Analyst review & report delivery

You transmit the encrypted file to PresideTech. Our analysts decrypt it using keys stored in Azure Key Vault, review the findings, and deliver your HTML assessment report — ready for your leadership, your auditors, and your insurer.

Azure Key Vault · analyst reviewed

Built for security-conscious enterprises

Your Active Directory data is among the most sensitive in your environment. We treat it that way — from the moment the collector runs to the moment the report is delivered.

Zero plaintext network egress

AD data is encrypted before any file is written to disk. Nothing is transmitted to PresideTech infrastructure in plaintext — ever.

Azure Key Vault key custody

The RSA-4096 private key used to decrypt result files is stored in Azure Key Vault. It never exists outside of the vault.

One-time-use product keys

Each assessment key is scoped to a specific forest, expires in 7 days, and transitions to Consumed state after a single use. Replay is architecturally impossible.

Full audit ledger

Every key issuance, consumption, and analyst decryption event is recorded in a tamper-evident ledger with timestamps — a complete chain of custody you can present to auditors.

Choose your assessment

Every tier covers a single Active Directory domain and delivers an analyst-reviewed remediation report your team, your auditors, and your insurer can use. Already have Professional? Upgrade to unlock the full Enterprise analysis for the same domain.

Professional

Single domain

$5,995

  • AES key presence confirmed from KDC event evidence
  • Tiered gap analysis for accounts with zero AES evidence
  • DC configuration state verified from actual registry
  • Silent AES ticket substitution vs explicit KDC rejection identified
  • KRBTGT rotation state and readiness
  • Kerberoastable account enumeration
  • AS-REP roastable account detection
  • Entra Connect remediation check
  • Cross-forest trust boundary analysis
  • Domain AES timeline detection
  • Prioritized, sequenced remediation plan
  • Risk score with weighted findings
  • Audit-ready report
  • Zero AD modifications
  • AES-256-CBC encrypted delivery

Professional → Enterprise Upgrade

Existing Professional customers

$4,995

  • Unlocks all four Enterprise-exclusive sections on your existing report
  • SPN Registry — RC4-only service accounts ranked by risk
  • Delegation Risk Register — unconstrained, constrained & RBCD with DC-target detection
  • ACL Attack Path Analysis — domain root, AdminSDHolder, privileged groups & DC OU
  • Blast Radius Register — 10-signal 0–100 score with per-account narrative cards

Frequently asked questions

Microsoft's July 14, 2026 update permanently removes the temporary rollback option organizations used after the April enforcement change. After July 14, accounts and applications that have not been properly prepared for the domain controller authentication behavior changes — including AES key material, encryption attribute configuration, and the way the KDC issues tickets — face authentication failures, with no domain-wide rollback mechanism available. Beyond operational risk, active RC4 usage in Active Directory is a compliance finding under HIPAA, PCI-DSS 4.0, SOC 2, NIST 800-53, and CMMC — and cyber insurance underwriters are increasingly asking about Kerberos encryption posture at renewal. The assessment maps your exposure and delivers the documented evidence your auditors and insurers require, before the deadline forces the conversation under pressure.

The RC4 Detect collector requires a domain account with read access to Active Directory (standard Domain User access is sufficient for LDAP queries) and remote registry read access on domain controllers. We recommend using Domain Admin privileges while running the collector for simplicity and removing them promptly afterward. No AD objects are created or modified during the assessment.

Assessment results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope before the file is written to disk on your system. The RSA private key is stored in Azure Key Vault and never exists outside of the vault. You transmit the encrypted file to PresideTech via your preferred secure channel. At no point does plaintext AD data leave your environment.

The HTML assessment report includes an executive summary with overall risk score; per-account AES key presence confirmed from KDC event evidence; a tiered gap analysis for accounts with no AES evidence; DC configuration state verified from actual registry values; Kerberoastable and AS-REP roastable account inventory; KRBTGT rotation state and readiness; service account blast radius mapping; domain trust RC4 analysis; Entra Connect remediation status; and a prioritized, sequenced remediation plan. The report is structured to answer the specific questions compliance auditors and cyber insurance underwriters ask — not just the technical questions your IT team has. Every data table is sortable, filterable, and exportable to CSV. Enterprise tier adds SPN Registry, Delegation Risk Register, ACL Attack Path Analysis, and Blast Radius Register.

Most enterprise AD teams are technically capable of remediating RC4. The challenge is scope, time, and output format. The data correlation required — KDC event evidence, password-age analysis, service account dependency mapping, per-DC registry state — takes two to three weeks of dedicated effort without pre-built tooling. With the July 14 deadline approaching and everything else your team is managing, that leaves little margin. More importantly, the output of internal work is typically PowerShell exports and spreadsheets — not a dated, methodology-documented report that satisfies an auditor or underwriter. The assessment delivers both the findings and the documentation in the format those audiences actually need.

Each product key is scoped to a single domain at issuance. For environments with multiple domains or forests, separate assessments are required — one per domain. Contact PresideTech for multi-domain bundled pricing.

Know your exposure before July 14 makes it a crisis.

The assessment tells you exactly what needs remediation, in what order, with documented evidence your leadership, auditors, and insurers can use. Analyst capacity is limited — get in the queue now.