Truvald™

PKI Security Assessment · Microsoft ADCS

Built in Canada.
No cloud.
No nonsense.

Truvald™ checks your entire Active Directory Certificate Services infrastructure — every CA, every template, every group policy — against 80+ security controls. Runs entirely in your environment. No telemetry, no SaaS, no cloud sync. Priced in CAD: $1,499/year, or $499 for a one-time 30-day license.

Truvald™ Assessment Overview

  • 80+ Security Controls
  • 6 Severity Levels
  • 26 Governance Checks
  • 16 ESC Attack Paths
  • AES-256 Offline Encryption

What Truvald™ Does

Security Assessment

80+ controls. Automatic.

Run a complete PKI security evaluation in minutes. ESC attack paths, CA configuration, OS hardening, and role-specific checks — all measured against authoritative controls.

Operations Dashboard

Live CA health at a glance.

CRL freshness, CDP endpoint reachability, pending certificate requests, CertFinder search, and end-of-life certificate tracking — your PKI mission control.

Certificate Templates

Every template, fully exposed.

Discover all published templates, map their ESC attack surfaces, review enrollment permissions, and export to PDF or Excel. Template sprawl, meet its match.

GPO Analysis

Conflicts caught before they bite.

Truvald™ reads GPO data directly from SYSVOL — no Remote Registry required. Conflict detection, OS-inappropriate settings, and risk acceptance with full audit trail.

Offline Collector

Air-gapped? Not a problem.

Copy the Truvald™ executable to any isolated server, run it in collector mode, and import the AES-256 encrypted package back at your workstation. Even your offline Root CA gets assessed.

Reports & Governance

From assessment to boardroom.

Generate branded Word assessment reports, PDF and Excel template exports, and CSV data files. Pair with the 26-question governance survey for complete PKI program documentation.

Deep Dive
Security Assessment Engine

Your PKI doesn't get to have secrets from Truvald™.

Truvald™'s assessment engine checks over 80 security and health controls across every ADCS role — Issuing CA, Root CA, OCSP, NDES, CDP, and management workstations. Controls are organized by category, each with a consistent ID, a clear description of what was found, and an actionable recommendation to fix it.

Every control gets an answer. You are never left wondering "was this actually checked?" Green is your friend. Red is your assignment.

  • ESC-001 through ESC-016 — all SpecterOps Certified Pre-Owned attack paths
  • CA controls — certificate validity, chain, audit policy, CRL, HSM, and more
  • OS hardening — WDigest, SMB signing, RDP, LSA, local admins, and firewall
  • Risk acceptance — PIN-verified, documented, fully audited
  • 100% read-only — Truvald™ never modifies your environment
Operations Dashboard

Mission control for your live PKI infrastructure.

Not every interaction with your PKI is a full security assessment. The Operations tab is your daily health dashboard — it's where you go first thing in the morning, or any time something stops working and you want to confirm whether PKI is involved.

CRL expiry is one of the most operationally catastrophic PKI events — VPN fails, smart card logon breaks, code signing stops. Truvald™ watches it so you don't have to.

  • Real-time CA connectivity and certificate status
  • CRL freshness monitoring with expiry warnings
  • AIA and CDP endpoint reachability checks
  • CertFinder — search certificates across all CAs by subject, SAN, or serial
  • End-of-life certificate tracking and pending request queues
  • One-click CRL publication from the dashboard
Offline Collector Mode

Your offline Root CA finally gets assessed.

Run Truvald.exe --collect on any isolated server. It packages everything into an AES-256 encrypted .truvaldpkg file, you move it to your workstation (USB, sneakernet — yes, that's the correct term), and Truvald™ imports and assesses it as if the server were online.

Works in air-gapped environments, segmented networks, cloud-only deployments, or anywhere your assessment workstation can't directly reach your CA servers.

  • No separate installer or agent — same Truvald™ executable, collector mode flag
  • AES-256-CBC encrypted package — safe to transfer across any medium
  • Auto-detects all ADCS roles on the target server
  • Full parity with live assessment — no controls skipped
Reports, Exports & Governance

From terminal to boardroom in minutes.

Assessment results don't live in Truvald™ forever — they need to go somewhere. Truvald™ generates professional Word assessment reports, PDF and Excel certificate template exports, and CSV data files for any downstream processing you need.

Pair with the 26-question Operational Readiness Survey to produce a complete PKI program posture document — technical and governance coverage in one place.

  • Full assessment report as .docx — ready to open in Word
  • Custom Word template support — your org's branding, Truvald™'s data
  • Certificate template PDF and Excel exports
  • CSV export from CertFinder and event log viewer
  • 26-question governance survey — SRV-001 through SRV-026
  • Statistics matrix — severity breakdown by role for executive reporting

Your PKI is ready for its close-up.

Download Truvald™ and run your first assessment — typically in under an hour. No agents, no infrastructure changes, no guesswork. Just the truth about your PKI. (Exceptionally large environments may take longer.)
