Domain Trust Map

A Domain Trust Map is a graph of the trust relationships between Active Directory (AD) domains and forests, used to identify the paths an attacker could take for lateral movement. It shows which domains accept authentication from which other domains, and therefore where users and resources in one domain can reach data in another.

It visualizes Active Directory domain relationships to help identify:

  • Domain hierarchy (root, child, unknown)
  • Trust relationships (secure, suspicious, unknown)
  • Exposure paths and risks within and between forests

Key Functional Capabilities of Domain Trust Map

Feature Area: Forest and Domain Visualization
Explanation: Up to 5 forests can be selected at a time for trust mapping.

Feature Area: Legends
Explanation:

Node Colors

  • Dark Blue indicates a root domain
  • Light Blue indicates a child domain
  • Yellow indicates an unknown domain, i.e. one with no agent installed

Trust Types

  • Parent-child
  • Shortcut
  • Suspicious trust (a trust with a flagged misconfiguration)
  • Trusts fall into two categories: inter-forest trusts (forest trust and external trust) and intra-forest trusts (parent-child trust, tree-root trust and shortcut trust).

Feature Area: Risk Insights Panel
Explanation: Shows the misconfigurations found on a selected trust or domain, the recommended actions to correct them, and the attributes of that trust or domain.

Feature Area: Rule Types
Explanation:

  • Trust based
  • Domain based

Data Visualization Behavior

UI Element: Domain Boundary
What It Shows: Virtual boundary representing each forest structure

UI Element: Relationship Lines
What It Shows: Trust direction and type between domains

UI Element: Warning Alerts
What It Shows: Suspicious trust or misconfiguration indicators

UI Element: Selectable Elements
What It Shows:

  • Domains with an agent: detailed security insight
  • Trust edges: configuration and rule evaluation data

Risk Insights on Nodes and Relationships

Risk analytics include node-based and edge-based rules:

Target: Domain (clickable)
Rules Executed: Node rules
Risk Details: Password policy, lockout policy, security configuration, etc.

Target: Trust Relationship (clickable)
Rules Executed: Edge rules
Risk Details: Misconfigurations in trust attributes

Each rule violation shows:

  • Rule name
  • Description
  • Remediation guidance
  • Criticality
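To make the node-rule and edge-rule model concrete, here is an added example (not the product's own rule engine) that evaluates a few assumed rules over constructed trust and domain records and emits findings carrying the four fields listed above. The sid_filtering and selective_auth attributes correspond to the SIDFilteringQuarantined / SIDFilteringForestAware and SelectiveAuthentication properties reported by the ActiveDirectory module's Get-ADTrust cmdlet; the rules, the thresholds and every domain and trust value below are assumptions made for illustration.

```python
"""Node (domain) and edge (trust) rule evaluation for a domain trust map.

Added example, not the product's rule engine. Rules, thresholds and all
sample data are assumptions; attribute names mirror the Get-ADTrust
properties SIDFilteringQuarantined/SIDFilteringForestAware and
SelectiveAuthentication.
"""

CRITICALITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}
INTER_FOREST = {"Forest", "External"}

# Constructed sample trusts. `trusting` accepts authentication from
# principals of `trusted`; Get-ADTrust's Inbound/Outbound direction
# (relative to the domain queried) would be normalized into this form.
SAMPLE_TRUSTS = [
    {"trusting": "corp.root", "trusted": "emea.corp.root", "type": "ParentChild",
     "two_way": True, "sid_filtering": False, "selective_auth": False},
    {"trusting": "corp.root", "trusted": "partnernet.biz", "type": "Forest",
     "two_way": True, "sid_filtering": False, "selective_auth": False},
    {"trusting": "alpha.local", "trusted": "legacy.example", "type": "External",
     "two_way": False, "sid_filtering": True, "selective_auth": False},
]

# Constructed sample domain settings; None means no agent, so nothing was read.
SAMPLE_DOMAINS = {
    "corp.root": {"min_pwd_len": 14, "lockout_threshold": 10},
    "emea.corp.root": {"min_pwd_len": 7, "lockout_threshold": 0},
    "partnernet.biz": None,
}


def finding(rule, description, remediation, criticality):
    return {"rule": rule, "description": description,
            "remediation": remediation, "criticality": criticality}


def edge_rules(trust):
    """Rules over trust attributes. SID filtering is not applied to
    intra-forest trusts by default and they are transitive by design,
    so only inter-forest trusts are checked."""
    out = []
    if trust["type"] not in INTER_FOREST:
        return out
    edge = f'{trust["trusting"]} <- {trust["trusted"]} ({trust["type"]})'
    if not trust["sid_filtering"]:
        out.append(finding(
            "SIDFilteringDisabled",
            f"{edge}: sIDHistory of principals from the trusted side is honoured, "
            "so a compromised trusted domain can forge membership in privileged "
            "groups of the trusting domain.",
            "netdom trust <trusting> /domain:<trusted> /quarantine:Yes (external) "
            "or /enablesidhistory:No (forest).",
            "High"))
    if not trust["selective_auth"]:
        out.append(finding(
            "NoSelectiveAuthentication",
            f"{edge}: every user of the trusted domain may authenticate to every "
            "computer in the trusting domain (Authenticated Users).",
            "Enable selective authentication and grant 'Allowed to Authenticate' "
            "only on the hosts the trusted domain actually needs.",
            "Medium"))
    return out


def node_rules(domain, settings):
    """Rules over domain configuration read by the agent (assumed thresholds)."""
    if settings is None:
        return [finding("NoAgent", f"{domain}: no agent installed, configuration unknown.",
                        "Install an agent in the domain so node rules can run.", "Low")]
    out = []
    if settings["min_pwd_len"] < 12:
        out.append(finding("WeakPasswordPolicy",
                           f"{domain}: minimum password length {settings['min_pwd_len']}.",
                           "Raise the minimum password length to at least 12.", "Medium"))
    if settings["lockout_threshold"] == 0:
        out.append(finding("NoLockout",
                           f"{domain}: account lockout disabled, enabling password spraying.",
                           "Set a lockout threshold (e.g. 10 attempts) with an observation window.",
                           "Medium"))
    return out


def evaluate(trusts, domains):
    """All findings, most critical first (the stable sort keeps edge findings
    ahead of node findings of the same criticality)."""
    findings = [f for t in trusts for f in edge_rules(t)]
    findings += [f for d, s in domains.items() for f in node_rules(d, s)]
    return sorted(findings, key=lambda f: CRITICALITY_ORDER[f["criticality"]])


if __name__ == "__main__":
    for f in evaluate(SAMPLE_TRUSTS, SAMPLE_DOMAINS):
        print(f'[{f["criticality"]}] {f["rule"]}: {f["description"]}')
```

Against the constructed data this yields one High finding (the forest trust with SID filtering off), four Medium findings and one Low finding for the agentless domain, which is the ordering a Risk Insights panel would present for prioritization.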

The related Attack Paths window helps you understand how attackers could move through your Active Directory (AD) environment by abusing relationships, permissions, and excessive privileges. It maps the potential paths an attacker could take from an initial access point to a high-value target.

That view supports proactive risk analysis and privilege hygiene by showing how individual AD objects are connected from an attacker's perspective.

Used together with it, the Domain Trust Map lets you:

  • Identify possible attack paths between two AD objects.
  • Understand privilege escalation and lateral movement risks.
  • Discover hidden or unintended access relationships.
  • Prioritize remediation based on real attack feasibility, not just isolated misconfigurations.

Initiate Domain Trust Map

To visualize the Domain Trust Map, follow these steps:

  1. Go to ETM Identity > Risk Management tab > Attack Path Analysis > Domain Trust Map tab.
  2. Use the drop-down to select the domain(s) for which you want to plot the trust map. To display all domains in your environment, leave this field blank.
  3. Select View DTM.


Details on the Domain Trust Map

Environment Summary

This summary gives a quick snapshot of the size and complexity of your AD trust environment. It is displayed at the top-right of the window.

  • Forests – Total number of forests detected
  • Domains – Total number of domains in scope
  • Relationships – Total trust relationships identified

Main Visualization Area

Forest and Domain Grouping

  • Dotted boundary boxes represent Active Directory forests.
  • Each forest contains one or more domains.
  • Domain labels appear at the top of each grouped section.

Domain Nodes

  • Each node (globe icon) represents an individual AD domain.
  • Warning or alert indicators highlight domains that may have risk-relevant trust relationships.

Trust Relationships

Lines between domains indicate trust relationships. Labels on the lines specify the trust type, such as:

  • Parent-Child Trust
  • Tree Root Trust
  • Forest Trust
  • External Trust
  • Shortcut Trust

These labels help you understand how authentication flows between domains.

Directional Flow

  • Arrowed lines show the direction of trust.
  • Red-highlighted paths emphasize high-risk or exploitable trust relationships that could be abused for lateral movement.

Graph Options

Graph options, located in the bottom-left corner of the visualization, provide zooming, a full-screen view, and layout controls that help you navigate large or complex environments:

  • Zoom In (+) – Magnify the map for detailed inspection
  • Zoom Out (–) – Reduce the zoom level
  • Fit to Screen – Automatically adjusts the map to fit the available view
  • Layout Controls – Adjust how the trust map is displayed for better readability

Maximizing the Benefits of This View

  • Review cross-forest trusts carefully, as they can enable attackers to move between environments.
  • Look for unnecessary external or shortcut trusts.
  • Use this view alongside Attack Paths to understand how trust relationships contribute to real attack scenarios.
  • Prioritize remediation for trusts connected to privileged or critical domains.

The Domain Trust Map transforms complex Active Directory trust relationships into a clear, visual security map, helping you quickly assess cross-domain exposure and reduce attack surface caused by excessive or misconfigured trusts. 

Use Case

The following scenario demonstrates how inter-domain and inter-forest trust relationships can unintentionally expand the attack surface, allowing a compromise in one domain to impact multiple trusted environments.

Domain Trust Map Overview

Let us take an example to understand how the Domain Trust Map helps visualize trust-based risk across Active Directory environments.

In this scenario, the organization operates multiple forests and domains due to mergers, regional expansion, and partner integrations.

Selected Scope

  • Domains: partnernet.biz, phoenix.pixelvision.tru
  • Forests: Multiple forests including corp.root, partnernet.biz, alpha.local, and pixelvision.tru

Trust Relationship Analysis

The Domain Trust Map visually displays:

  • Forest boundaries, grouping related domains
  • Domain-to-domain trust relationships, including:
    • Parent-Child Trusts
    • Tree Root Trusts
    • Forest Trusts
    • External and Shortcut Trusts
  • Directional trust flows, indicating how authentication and access can traverse domains

Highlighted trust paths indicate high-risk or security-relevant trust relationships that could be abused for lateral movement.

Example Risk Scenario

  • A low-security domain within the partnernet.biz forest is compromised.
  • Because of an existing forest trust, principals from that forest can authenticate into the alpha.local forest.
  • From alpha.local, a further inter-forest trust reaches the pixelvision.tru forest, and the parent-child and shortcut trusts inside that forest fan the access out to every domain in it. A forest trust is transitive only between the two forests it joins, so the partnernet.biz trust alone does not reach pixelvision.tru; the attacker first needs a foothold in alpha.local and then uses alpha.local's own trusts.
  • As a result, an attacker can move across forests, potentially reaching domains that host critical business systems, even though no direct administrative permissions were intended.

Observations from the Domain Trust Map

  • Multiple cross-forest trust relationships exist, increasing lateral movement opportunities.
  • Some domains act as trust hubs, connecting several forests together.
  • Indirect trust chains make it difficult to assess blast radius without a visual map.
  • Trust relationships that were created for operational convenience now pose security risk.

Impact

A compromise in a single domain could:

  • Cascade across multiple trusted forests
  • Bypass traditional network segmentation
  • Increase the blast radius of an identity-based attack
  • Undermine assumptions about domain isolation

These risks are visually emphasized in the Domain Trust Map through connected trust paths.
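The cascade described in this use case, and the directional flow the map draws with arrowed lines, can be computed from the trust edges themselves. The following is an added example, not the product's code: it models the scenario's four forests with constructed domain and trust records (names taken from the scope above, plus assumed child domains), applies the documented AD transitivity rules, and separates two questions a practitioner should keep apart: where a principal from the compromised domain can authenticate directly, and the worst-case blast radius when every reachable domain is assumed to be fully compromised in turn. The trust-hub ranking counts how many other forests each domain is joined to by inter-forest trusts.

```python
"""Blast-radius analysis over a domain trust map.

Added example, not the product's code. Forest membership and trust records
are constructed to match the use case above. Transitivity follows the
documented AD rules: intra-forest trusts (parent-child, tree-root,
shortcut) are transitive across the whole forest; a forest trust is
transitive between the two forests it joins but never to a third forest;
an external trust links exactly two domains.
"""
from collections import deque

# domain -> forest root (constructed)
FOREST = {
    "corp.root": "corp.root", "emea.corp.root": "corp.root",
    "partnernet.biz": "partnernet.biz", "vendors.partnernet.biz": "partnernet.biz",
    "alpha.local": "alpha.local",
    "pixelvision.tru": "pixelvision.tru", "phoenix.pixelvision.tru": "pixelvision.tru",
}
INTRA_FOREST = {"ParentChild", "TreeRoot", "Shortcut"}

# (trusting, trusted, type, two_way): principals of `trusted` may
# authenticate into `trusting`; two_way adds the reverse edge.
TRUSTS = [
    ("corp.root", "emea.corp.root", "ParentChild", True),
    ("partnernet.biz", "vendors.partnernet.biz", "ParentChild", True),
    ("pixelvision.tru", "phoenix.pixelvision.tru", "ParentChild", True),
    ("alpha.local", "partnernet.biz", "Forest", True),
    ("pixelvision.tru", "alpha.local", "Forest", False),
    ("corp.root", "phoenix.pixelvision.tru", "External", False),
]


def directed(trusts):
    """Expand two-way trusts into directed (trusting, trusted, type) edges."""
    for trusting, trusted, kind, two_way in trusts:
        yield trusting, trusted, kind
        if two_way:
            yield trusted, trusting, kind


def forest_members(forest):
    return {d for d, f in FOREST.items() if f == forest}


def auth_reach(domain, trusts=TRUSTS):
    """Domains where a principal of `domain` can authenticate directly.
    Only trusts whose trusted side covers `domain` are followed and nothing
    is chained, which is why a forest trust never reaches a third forest."""
    reach = set(forest_members(FOREST[domain]))
    for trusting, trusted, kind in directed(trusts):
        if kind == "Forest" and FOREST[trusted] == FOREST[domain]:
            reach |= forest_members(FOREST[trusting])   # whole trusting forest
        elif kind == "External" and trusted == domain:
            reach.add(trusting)                         # that one domain only
    return reach


def blast_radius(start, trusts=TRUSTS):
    """Worst case: each domain the attacker can authenticate into is assumed
    to be fully compromised in turn, so trusts chain until a fixpoint.
    Returns {domain: domain it was reached from}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(auth_reach(cur, trusts)):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return parent


def path_to(start, target, trusts=TRUSTS):
    """Chain of domain compromises from `start` to `target`, or [] if unreachable."""
    parent = blast_radius(start, trusts)
    if target not in parent:
        return []
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]


def trust_hubs(trusts=TRUSTS):
    """Domains ordered by how many other forests they hold inter-forest trusts with."""
    peers = {}
    for trusting, trusted, kind in directed(trusts):
        if kind in INTRA_FOREST:
            continue
        peers.setdefault(trusting, set()).add(FOREST[trusted])
        peers.setdefault(trusted, set()).add(FOREST[trusting])
    return sorted(peers, key=lambda d: (-len(peers[d]), d))


if __name__ == "__main__":
    start = "vendors.partnernet.biz"
    print("direct auth reach:", sorted(auth_reach(start)))
    print("blast radius:", sorted(blast_radius(start)))
    print("chain to emea.corp.root:", " -> ".join(path_to(start, "emea.corp.root")))
    print("trust hubs:", trust_hubs())
```

With the constructed data, a principal from the compromised vendors.partnernet.biz domain can authenticate directly only into its own forest and into alpha.local; the pixelvision.tru forest is out of reach until alpha.local itself is compromised. The worst-case chain then runs through alpha.local (the trust hub joined to two other forests), the external trust from phoenix.pixelvision.tru into corp.root, and the parent-child trust to emea.corp.root, covering all seven domains. In a real environment the TRUSTS list would be populated from Get-ADTrust or nltest /domain_trusts output rather than typed by hand.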

Taking Remediation Actions

Using insights from the Domain Trust Map, administrators can:

  • Review and justify cross-forest and external trusts
  • Remove or restrict unnecessary shortcut trusts
  • Harden authentication scopes between trusted domains
  • Prioritize remediation for trusts connected to high-value or privileged domains

The map provides the context needed to decide which trust relationships matter most.

The Domain Trust Map helps you see how trust can be misused, not just permissions. It works alongside Attack Path analysis by showing potential starting points for attacks, even before looking at specific object-level paths.

Together, these views help teams shift from reactive cleanup to proactive identity risk reduction.