A Purple Knight alternative with AD, Entra and limits documented without sugarcoating
This benchmark compares Purple Knight Community 5.0 and ETC Collector v3.0.8 Pro on a production Active Directory environment and a production Entra ID tenant, executed with the same access configuration on April 10, 2026. On the Active Directory side, ETC Collector covers 115 of the 119 Purple Knight indicators, matches every single one of the 49 IOEs Purple Knight flagged, and completes the median scan in 1.01 seconds against 2 minutes 55 for Purple Knight — roughly 173 times faster.
On the Entra ID side, the result is more nuanced: both tools are rate-limited by Microsoft Graph. ETC Collector still completes in a median 86 seconds against 1 minute 58 for Purple Knight, with 92 Azure-category findings emitted versus 31 Purple Knight IOEs — about 3 times more detections in roughly 40 percent less time. Purple Knight retains 6 Entra checks and 2 AD checks where it is still stronger, and this page lists all of them.
How the Purple Knight side-by-side was executed
The figures on this page come from a benchmark executed on April 10, 2026 by the same team, on a production Active Directory environment and a production Entra ID tenant. Every technical identifier (domain name, domain controllers, IP addresses, tenant ID, app registration, report paths) was removed from the public version.
On the Active Directory side, the Purple Knight report comes from an earlier run executed from the domain controller with the Administrator account and the default AD indicator selection; the timing comes straight from the Purple Knight Excel report. ETC Collector runs were launched from a Linux host, 5 times in a row, with network probes enabled. The median of the ETC runs is used (1.03s, 1.01s, 1.02s, 0.99s, 1.00s, giving 1.01s).
On the Entra ID side, both tools were executed on April 10, 2026 within a 30-minute window, with the same app registration and the same 24 Microsoft Graph permissions (Application.Read.All, Directory.Read.All, IdentityRiskEvent.Read.All, Policy.Read.All, RoleManagement.Read.Directory, UserAuthenticationMethod.Read.All, etc.). Purple Knight Community 5.0 selected 50 indicators out of 54: 4 could not run because they required additional permissions (specific PIM scopes, mailbox access and hash sync readiness). ETC Collector executed its 158 detectors with the exact same set of 24 permissions.
A few real counters from the ETC Collector run on April 10, 2026, with their Purple Knight equivalents.
When Purple Knight stops fitting the operating model
Purple Knight is still useful for periodic reviews with a Windows executive report. Teams typically look for an alternative when they want to automate, cover AD and Entra together, or consume structured findings instead of GUI indicators.
You need a Linux or CI-friendly workflow
Purple Knight remains Windows-centric and built around an interactive GUI. Teams that run audits from Linux servers, containers, scheduled jobs or CI pipelines need a headless CLI or API.
You want deeper and more actionable Entra coverage
Purple Knight Community 5.0 does have real Entra indicators, but the benchmark shows ETC Collector with a broader catalogue, more Azure-category findings emitted, and categories like Conditional Access, guests, applications, risk protection and compliance.
You need more than PASS or FAIL categories
Purple Knight is strong at indicator grading, but many operators also need named findings, graph context and explicit object lists behind the grade.
You want to automate and repeat the review
If the security team wants to rerun the same review after a privilege clean-up or a policy change, a non-interactive collector integrates better than a GUI-first workflow.
How to seriously evaluate a Purple Knight alternative
Indicator coverage matters, but a practical evaluation must also look at match quality on the IOEs that actually fire, each tool’s own limits, platform support, Entra scope and how usable the output is for recurring operations.
Coverage of the published indicator set
The benchmark documents 115 of 119 Purple Knight AD indicators fully covered, two covered partially and two Hybrid indicators not applicable in this AD run.
Match quality on the IOEs actually found
The most decision-useful metric is the IOE match: on the AD side, ETC Collector matches all 49 indicators that were firing in the Purple Knight run.
What the alternative adds beyond grades
ADCS ESC families, attack graphs, broader Entra findings, granular ACLs, GPO detail and compliance mappings extend the review far beyond PASS or FAIL categories.
Fit with actual deployment reality
A cross-platform CLI can be installed on Linux, macOS, Windows or Docker. That changes who can operate the tool and how often the review can be rerun.
Where ETC Collector fits, and where Purple Knight keeps strengths
Purple Knight is still useful when a team wants a recognisable Windows GUI review and a polished executive report. ETC Collector becomes the better fit as soon as the requirement is automation, ADCS, Entra ID, attack graphs or structured findings.
ETC Collector fits a repeatable operational review
If the review must run from Linux, Docker, CI or API workflows, ETC Collector is simpler to industrialise.
Purple Knight keeps precise checks the benchmark acknowledges
Purple Knight still differentiates itself mainly with its Windows-native review style and a few tenant-setting checks, while ETC Collector v3.0.9 closes the earlier gMSA, RODC, SAML and unresolved-member gaps.
The migration question depends on platform and scope
Most teams move when they need cross-platform execution, Entra depth or more technical detail behind the indicator layer.
EtcSec adds the operating layer on top of the collector
Historical trending, central orchestration, dashboards and remediation workflow come from EtcSec on top of ETC Collector.
What the updated Purple Knight benchmark actually shows
The Purple Knight benchmark in the ETC Collector documentation breaks down AD coverage, partials, ETC-exclusive findings, the Entra ID comparison, performance and the limits of both tools. This page reflects that data without publishing the environment identifiers.
Coverage by Purple Knight category on Active Directory
This is what makes the comparison more useful than a simple "we have more checks" claim. Purple Knight and ETC Collector overlap strongly on the AD findings that were actually firing in the published environment. The comparison therefore says something concrete about replacement feasibility on the AD side.
The published benchmark originally called out two AD gaps: standalone gMSA password reader enumeration and RODC credential caching. ETC Collector v3.0.9 now covers both with dedicated detectors, so the runtime comparison remains valid but those controls no longer separate the current catalogue.
| Purple Knight area | Total indicators | Covered | Partial | Not covered / N.A. |
|---|---|---|---|---|
| AD Delegation | 19 | 18 | 1 | 0 |
| Account Security | 34 | 34 | 0 | 0 |
| AD Infrastructure | 34 | 33 | 1 | 0 |
| Group Policy | 11 | 11 | 0 | 0 |
| Kerberos | 19 | 19 | 0 | 0 |
| Hybrid | 2 | 0 | 0 | 2 N/A |
The full AD IOE match is the strongest migration signal
Coverage percentages are useful, but the decisive operational metric is the match on indicators flagged as IOE Found. The published run shows ETC Collector aligned with every Purple Knight indicator that was actually firing on the AD side.
That difference matters because many catalogues contain PASS or N/A checks that do not change the next remediation. A full IOE match on AD shows the two tools are aligned on the real AD problems of the tested domain.
On Entra ID, the gap is about breadth, not a 170x speed gap
On Entra ID, the limiting factor for both tools is Microsoft Graph: network latency, pagination and throttling. The speed gap is 1.4x rather than 170x as on Active Directory. But within that same network budget, ETC Collector runs about 3 times more detectors and surfaces about 3 times more finding families, because it shares the object graph across detectors and parallelizes independent Graph calls aggressively.
Purple Knight Community 5.0 is not empty on Entra — it ships 57 AAD indicators in total. The benchmark question is not a 2 vs 158 gap; it is a 50 vs 158 gap on the executed set and a 31 vs 92 gap on findings actually emitted. ETC Collector additionally surfaces categories missing from the Purple Knight Community catalogue: emergency break-glass accounts and CA exclusion, B2B cross-tenant, Entra log retention, CIS and ANSSI compliance, tenant-wide app consents, external service principals, and so on.
Since ETC Collector v3.0.9, dedicated coverage also exists for SAML certificate health, unresolved privileged role members, suspicious MFA activity, unusual-location MFA signals, and several over-assigned privileged-role conditions. Purple Knight still keeps value for teams that want its Windows GUI and tenant-setting checks such as allowedToCreateTenants or MFA prompt presentation.
| Metric | Purple Knight Community 5.0 | ETC Collector v3.0.8 Pro |
|---|---|---|
| Scan duration | 1 min 58 (118s) | Median 86s across 3 runs (86.35 / 99.11 / 79.85s) |
| Detectors executed | 50 selected out of 54 (4 not selected: extra permissions required for PIM, mailbox, hash sync) | 158 Entra detectors registered, all executed with the same 24 Graph permissions |
| Findings / IOEs emitted | 31 IOEs found, 18 pass, 1 not relevant | 92 Azure-category findings with count greater than 0 |
| Detections per second | 0.42 indicator per second | 1.07 detector per second — about 2.5x more work against the same Graph endpoint |
| Severity of emitted detections | 2 critical, 15 high, 27 medium, 8 low, 2 info | 10 critical, 31 high, 44 medium, 6 low, 1 info |
| Purple Knight to ETC coverage | 31 reference IOEs | 22 directly covered, 3 partially, 6 Purple Knight specific |
| Additional ETC families | — | 61 issue families that no Purple Knight indicator covers |
| Main categories | Identity, Applications, Conditional Access, Guests, PIM, Config, Groups, Hybrid | Identity, Applications and SP, Conditional Access, Guests, PIM and emergency accounts, Config and logging, Groups, Risk Protection, Azure Compliance |
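The Entra section above attributes the 1.4x gap to sharing the object graph across detectors inside the same Graph throttling budget. The following added example (not ETC Collector code) shows the two mechanics that matter: following @odata.nextLink to the end while honouring 429 Retry-After, and caching the paginated collection so a second detector over the same objects costs no extra Graph requests. The HTTP transport and the two-page service-principal listing are constructed stand-ins.

```python
from typing import Callable, Dict, List, Optional, Tuple

# (status, headers, body): Graph pages carry "value" plus an optional "@odata.nextLink"; a throttled call answers 429 with Retry-After in seconds.
Response = Tuple[int, Dict[str, str], dict]

class GraphCollector:
    def __init__(self, fetch: Callable[[str], Response], sleep: Callable[[float], None]) -> None:
        self._fetch, self._sleep = fetch, sleep
        self._cache: Dict[str, List[dict]] = {}  # collection URL -> fully paginated objects
        self.requests = 0   # HTTP calls actually made
        self.throttled = 0  # 429 responses seen

    def _get(self, url: str) -> dict:
        for _ in range(5):  # retry budget per page
            self.requests += 1
            status, headers, body = self._fetch(url)
            if status == 429:  # back off for exactly as long as Graph asks, then retry
                self.throttled += 1
                self._sleep(float(headers.get("Retry-After", "1")))
                continue
            if status != 200:
                raise RuntimeError(f"Graph returned {status} for {url}")
            return body
        raise RuntimeError(f"gave up on {url} after repeated throttling")

    def collect(self, url: str) -> List[dict]:
        """Follow @odata.nextLink to the end; repeat requests are served from the cache."""
        if url not in self._cache:
            objects: List[dict] = []
            next_url: Optional[str] = url
            while next_url:
                page = self._get(next_url)
                objects.extend(page.get("value", []))
                next_url = page.get("@odata.nextLink")
            self._cache[url] = objects
        return self._cache[url]

SP_URL = "https://graph.microsoft.com/v1.0/servicePrincipals"

def make_fake_fetch() -> Callable[[str], Response]:
    """Constructed transport: two pages of service principals, page 2 throttled once."""
    page2 = SP_URL + "?$skiptoken=p2"
    pages = {
        SP_URL: (200, {}, {"value": [{"appOwnerOrganizationId": "tenant-A"}], "@odata.nextLink": page2}),
        page2: (200, {}, {"value": [{"appOwnerOrganizationId": "tenant-B"}]}),
    }
    throttle_pending = {page2}
    def fetch(url: str) -> Response:
        if url in throttle_pending:
            throttle_pending.discard(url)
            return 429, {"Retry-After": "2"}, {}
        return pages[url]
    return fetch

def run_two_detectors(home_tenant: str = "tenant-A") -> Dict[str, int]:
    # Two detectors over the same collection: only the first one pays for the fetch.
    gc = GraphCollector(make_fake_fetch(), sleep=lambda seconds: None)
    external = [sp for sp in gc.collect(SP_URL) if sp["appOwnerOrganizationId"] != home_tenant]
    total = len(gc.collect(SP_URL))  # cache hit: no further request
    return {"external": len(external), "total": total, "requests": gc.requests, "throttled": gc.throttled}
```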
What changed since the published v3.0.8 comparison
The published benchmark was produced on ETC Collector v3.0.8. Since v3.0.9, several of the gaps documented there are closed. The cards below summarize the live state that matters when you evaluate Purple Knight against the current ETC catalogue.
AD / SI000083 — gMSA password readers
ETC Collector v3.0.9 now ships a standalone GMSA_PASSWORD_READERS detector in addition to the existing gMSA takeover edges in the attack graph. Teams that wanted a direct per-(principal, gMSA) finding no longer need Purple Knight for that specific control.
AD / SI000022 — RODC credential caching
ETC Collector v3.0.9 now detects privileged credential caching on Read-Only Domain Controllers through the RODC_PRIVILEGED_CACHING finding. If you operate RODCs, this gap is no longer a reason to keep Purple Knight on its own.
Entra / SI000206 — App name and geolocation on MFA push
Purple Knight checks whether Microsoft Authenticator is configured to show the target application name and the geographic location of the sign-in request in push notifications. ETC Collector does not flag this specific Authenticator setting.
Entra / SI000235 — Certificate-Based Authentication persistence
ETC Collector v3.0.9 adds dedicated certificate-based authentication coverage on applications and SAML certificate health, which narrows the certificate-governance gap materially even though Purple Knight keeps its own tenant-side presentation.
Entra / SI000207 — Non-admin tenant creation
Purple Knight reads the allowedToCreateTenants flag on the authorization policy. ETC Collector checks allowedToCreateApps via AZ_APP_REGISTRATION_OPEN but not tenant creation.
Entra / SI000093 — Report suspicious activity disabled
ETC Collector v3.0.9 now adds MFA_SUSPICIOUS_ACTIVITY and MFA_UNUSUAL_LOCATION. That does not exactly mirror Purple Knight’s tenant-flag check, but it does close much of the practical detection gap for suspicious MFA behaviour.
Entra / SI000215 — SAML SSO certificate review
ETC Collector v3.0.9 now adds SAML_CERTIFICATE_EXPIRED, SAML_CERTIFICATE_EXPIRING_SOON and SAML_CERTIFICATE_LONG_LIFETIME, giving SAML enterprise applications dedicated certificate-health coverage.
Entra / SI000237 — Unresolved privileged role members
ETC Collector v3.0.9 now adds UNRESOLVED_PRIVILEGED_MEMBERS, which closes the previously documented gap on privileged role assignments that no longer resolve to a live principal.
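The SI000215 card above names three SAML certificate-health findings. As an added illustration (not ETC Collector's implementation), the code below classifies the X.509 signing keys found in a service principal's keyCredentials into those three finding names. The 30-day warning window, the 3-year lifetime ceiling and the sample service principals are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EXPIRING_SOON = timedelta(days=30)       # assumed warning window
LONG_LIFETIME = timedelta(days=3 * 365)  # assumed ceiling for a signing certificate's validity

def _ts(value: str) -> datetime:
    # Graph returns ISO 8601 with a trailing Z; fromisoformat needs +00:00 on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def saml_certificate_findings(service_principal: dict, now: datetime) -> List[Dict[str, str]]:
    """One finding per X.509 signing certificate that is expired, expiring soon, or
    issued with a validity longer than LONG_LIFETIME. Verify-only keys are ignored."""
    findings: List[Dict[str, str]] = []
    for cred in service_principal.get("keyCredentials", []):
        if cred.get("type") != "AsymmetricX509Cert" or cred.get("usage") != "Sign":
            continue
        start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
        base = {"servicePrincipal": service_principal["displayName"], "keyId": cred["keyId"]}
        if end <= now:
            findings.append({**base, "finding": "SAML_CERTIFICATE_EXPIRED"})
        elif end - now <= EXPIRING_SOON:
            findings.append({**base, "finding": "SAML_CERTIFICATE_EXPIRING_SOON"})
        if end - start > LONG_LIFETIME:  # independent of expiry: a long-lived cert is its own finding
            findings.append({**base, "finding": "SAML_CERTIFICATE_LONG_LIFETIME"})
    return findings

# Constructed sample: three SAML apps in different certificate states, scanned on 2026-04-10.
NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)
SAMPLE_SPS = [
    {"displayName": "HR Portal", "keyCredentials": [
        {"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Sign",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"},  # expired
        {"keyId": "k1v", "type": "AsymmetricX509Cert", "usage": "Verify",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-12-01T00:00:00Z"},  # ignored
    ]},
    {"displayName": "Ticketing", "keyCredentials": [
        {"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Sign",
         "startDateTime": "2025-05-01T00:00:00Z", "endDateTime": "2026-04-30T00:00:00Z"},  # 20 days left
    ]},
    {"displayName": "Wiki", "keyCredentials": [
        {"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Sign",
         "startDateTime": "2026-01-01T00:00:00Z", "endDateTime": "2036-01-01T00:00:00Z"},  # 10-year lifetime
    ]},
]

def scan_sample() -> Dict[str, int]:
    """Count findings by type across the constructed sample."""
    counts: Dict[str, int] = {}
    for sp in SAMPLE_SPS:
        for finding in saml_certificate_findings(sp, NOW):
            counts[finding["finding"]] = counts.get(finding["finding"], 0) + 1
    return counts
```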
The extra depth comes from ADCS, attack graphs, Entra, ACLs and GPOs
ADCS ESC1 to ESC11 taxonomy
Purple Knight Community ships 3 generic ADCS checks (SI000090, SI000156, SI000157) which all returned Pass in this run — in other words, Purple Knight gave an A+ to the certificate infrastructure while ETC Collector identified 6 families of SpecterOps exploitation primitives and 24 instances: ESC1 (EnrolleeSuppliesSubject on a template with client auth), ESC2 (Any Purpose EKU on 3 templates), ESC3 (Enrollment Agent without restrictions on 4 templates), ESC4 (dangerous ACLs on 12 templates), ESC6 (EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA), ESC11 (RPC enforcement bypass). Each ESC class has its own remediation, which the A+ grade from Purple Knight does not convey.
Attack graph with BFS and ACL chains
ETC Collector documents 58 attack paths on the tested domain: 8 critical and 50 high, with 50 ACL_ABUSE chains (GenericAll, WriteDACL, WriteOwner) and 8 DCSYNC chains. The paths average 1.1 hops, with a maximum of 3 hops and 41 distinct privileged targets reached. Purple Knight does not model attack paths: its 119 indicators are scored individually, without chaining. If you want that level of detail with Purple Knight, you need a separate tool such as BloodHound or Forest Druid.
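The attack-graph statistics above (chain counts by type, average and maximum hops, distinct privileged targets) come from a breadth-first search over control-right edges. The following added example, which is not ETC Collector's code, runs that BFS over a small constructed edge list so the aggregate numbers can be reproduced on the reader's own machine; the principals, rights and privileged set are made up for the example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source principal, control right, target object)

# Constructed edge list, not the benchmark's data. ACL rights let the source rewrite the
# target object; DCSYNC stands for replication rights on the domain head itself.
EDGES: List[Edge] = [
    ("intern",     "GenericAll", "helpdesk"),
    ("helpdesk",   "GenericAll", "svc-backup"),
    ("helpdesk",   "GenericAll", "Domain Admins"),
    ("svc-backup", "WriteDACL",  "Tier0-Admins"),
    ("contractor", "WriteOwner", "gpo-workstations"),  # dead end: no privileged target downstream
    ("svc-sync",   "DCSYNC",     "corp.example"),
]
PRIVILEGED: Set[str] = {"Domain Admins", "Tier0-Admins", "corp.example"}

def build_adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, right, dst in edges:
        adj.setdefault(src, []).append((right, dst))
    return adj

def shortest_paths(adj: Dict[str, List[Tuple[str, str]]], start: str, targets: Set[str]) -> Dict[str, List[Edge]]:
    """BFS from one principal; the first path reaching each privileged target is the shortest."""
    paths: Dict[str, List[Edge]] = {}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for right, nxt in adj.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [(node, right, nxt)]
            if nxt in targets:
                paths[nxt] = new_path
            queue.append((nxt, new_path))
    return paths

def summarize(edges: List[Edge], privileged: Set[str]) -> Dict[str, float]:
    """Per-source BFS, then the same aggregate numbers the benchmark reports."""
    adj = build_adjacency(edges)
    all_paths: List[List[Edge]] = []
    for src in sorted({s for s, _, _ in edges} - privileged):
        all_paths.extend(shortest_paths(adj, src, privileged).values())
    hops = [len(p) for p in all_paths]
    dcsync = sum(1 for p in all_paths if p[-1][1] == "DCSYNC")  # chain type comes from its final edge
    return {
        "paths": len(all_paths), "acl_abuse": len(all_paths) - dcsync, "dcsync": dcsync,
        "avg_hops": round(sum(hops) / len(hops), 2) if hops else 0.0,
        "max_hops": max(hops, default=0),
        "privileged_targets": len({p[-1][2] for p in all_paths}),
    }
```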
ETC-specific Entra depth
With the same 24 Graph permissions, ETC Collector surfaced 61 finding families that no Purple Knight Community indicator covers: 944 service principals from third-party tenants, 935 without owner, 1,099 orphaned Entra groups, 38 apps without owner, 29 apps with implicit flow, 22 tenant-wide consents, 14 multi-tenant apps, 14 unremediated risky sign-ins, 9 unremediated risky users, no break-glass accounts, no guest access reviews, a guest with a privileged role, no CA policy blocking legacy auth, 6 CA policies stuck in report-only, and so on.
Full-domain ACL and GPO granularity
ETC Collector produced 6,029 ACL-related finding instances on the tested domain, broken down into 14 detector types: 1,193 ACL_WRITEDACL, 1,193 ACL_WRITEOWNER, 1,160 ACL_GENERICALL, 1,193 EVERYONE_IN_ACL, 100 COMPUTER_ACL_GENERICALL, 97 WRITESPN_ABUSE, and more. These findings are the raw material of the attack graph. On the GPO side, 21 finding types fired, covering credential protection (WDigest, LSA, Credential Guard), registry hardening (LLMNR, NBT-NS, Hardened UNC, NetCease), Defender ASR, firewall policy and dangerous logon scripts. Purple Knight flagged 1 GPO IOE (SI000032) and 11 GPO indicators in total.
CIS, NIST, ANSSI and DISA STIG compliance
ETC Collector ships 23 dedicated compliance detectors that score the domain against the CIS Microsoft Windows Server Benchmark, NIST 800-53 Rev 5 / 800-171, the ANSSI AD guide and the DISA STIG for Windows Server. Each compliance finding is reported with the control identifier it violates. Purple Knight tags some indicators with MITRE ATT&CK TTPs and ANSSI references in the report columns, but does not score the domain against a complete framework. For a regulated organisation, this is the most significant difference.
Licensing and open source model
Purple Knight Community is a closed binary distributed under the Semperis EULA: the source code is not public and modification is not allowed. ETC Collector Community is published under Apache 2.0 with full source on GitHub: commercial use, modifications and redistribution are allowed, and the code running on your DCs can be audited. ETC Collector Pro adds the ADCS ESC1 to ESC11 detectors, attack graphs and the 10 Entra ID Risk Protection detectors under a separate proprietary license.
Speed and delivery model change who can run the review
A Windows GUI is not a flaw by itself, but it narrows who can operate the tool. If the identity review is carried by a very Windows-heavy team and run occasionally, Purple Knight may stay comfortable. If the workflow has to run on servers, containers or CI, that model becomes friction quickly.
The speed difference mainly changes the AD cadence. A median run at 1.01 seconds is fast enough to become a validation step after hardening or a change, not just a periodic ritual. On Entra, the main benefit is breadth of checks rather than raw speed.
| Question | Purple Knight | ETC Collector |
|---|---|---|
| Observed AD runtime | 2 min 55 | Median 1.01s |
| Observed Entra runtime | 1 min 58 | Median 86s |
| Primary model | Windows GUI | Cross-platform CLI |
| Linux/macOS support | No | Yes |
| Headless automation | Limited | Yes |
| ADCS ESC taxonomy | Generic / partial | ESC1 to ESC11 on Pro |
| Entra depth | Real Entra indicators, several PK-only | Broader catalogue and more granular findings |
When Purple Knight still makes sense, and when ETC becomes stronger
Purple Knight still makes sense when a team values a familiar Windows GUI, category grades and specific checks more than automation or scope extension. ETC becomes stronger when the review must run outside of Windows, when the organisation wants more object-level detail, or when the same workflow must cover AD and Entra with structured output.
The real question is therefore not "which brand is better", but whether the operating model and programme scope have moved beyond what a Windows GUI indicator review can support comfortably.
- Keep Purple Knight if the main requirement is a Windows GUI, category-driven review or if the PK-only checks listed above are blocking.
- Choose ETC Collector if you need automation, cross-platform execution, ADCS ESC, attack graphs or broader Entra depth.
- Use EtcSec when the collector must also provide dashboard, history, scheduling and a central remediation view.
Frequently asked questions
How much of Purple Knight does ETC Collector cover?
On the AD side, the benchmark documents 115 of 119 Purple Knight indicators fully covered, 2 partial, 2 Hybrid N/A, and all 49 Purple Knight IOEs matched by ETC Collector.
What is the most important metric?
On AD, the full IOE match: ETC Collector matches every Purple Knight indicator in IOE Found in the published run. On Entra, the most useful metric is the combination of breadth and limits: 92 Azure-category findings on the ETC side, with 22 Purple Knight IOEs directly covered, 3 partially and 6 PK-only.
What does ETC Collector add beyond Purple Knight?
The benchmark highlights ADCS ESC1 to ESC11 analysis, attack graphs, broader Entra coverage, granular ACL and GPO findings, a cross-platform CLI/API model and compliance mappings.
When does Purple Knight still fit?
It still fits teams that prefer a Windows GUI, a polished executive report or a Semperis-native operator experience. The historical gMSA, RODC, SAML and unresolved-member gaps documented in the benchmark are now closed in ETC Collector v3.0.9.
Compare your current Purple Knight workflow against ETC Collector
Use the AD IOE match, the Entra metrics and the documented limits of each tool as a baseline, then test whether a cross-platform collector fits your operating model better than a Windows GUI review.
