Applies to BloodHound Enterprise and CE
After uploading data to BloodHound, use the Explore page to search for objects and visualize their relationships. The graph displays and , helping you understand your environment and identify potential attack paths. BloodHound supports multiple data sources, including Active Directory, Azure (Entra ID), and other identity services through OpenGraph. The search methods return results for all data sources. The Explore page provides the following methods for searching for objects and visualizing their relationships:
BloodHound currently supports the Search and Cypher search methods for OpenGraph data, with support for Pathfinding coming soon.
Which method you choose depends on your specific use case and what you’re trying to accomplish. This page describes each of the search methods in more detail and provides guidance on when to use each one.
You can interact with objects in the graph and customize the view to explore the data more effectively, regardless of which search method you use.
The Search tab allows you to quickly find specific nodes in the graph by name or object ID. As you type in the search text box, BloodHound automatically suggests nodes that match your search query. You can click on any of the suggestions to select and display that node in the graph.
Search supports partial matches, so you don’t need to type the full name of an object to find it.
Use cases for the search method include:
  • Object discovery: Quickly locate a known object by name or type to inspect its properties
  • Investigation prep: Find starting points for deeper exploration using Pathfinding or Cypher queries
  • Data validation: Verify specific objects are present in your environment after data ingestion
For example, if you want to find a user named “bob”, type “bob” in the search box and click the appropriate node from the suggestions.
The suggestions display the node type next to each match, making it easy to identify the correct object when multiple objects share similar or identical names. OpenGraph data also displays custom icons configured for node types in this dropdown, which can further help you identify the intended object.
An animated view showing how to search for a user named bob in the Explore page
You can also constrain your search to particular built-in node types (AZ/AD) by prepending your search with the appropriate node label.
Support for OpenGraph node types is coming at a later date.
For example, use the following search query to find group nodes that contain the word “admin”:
group:admin
Note that all suggestions for the group:admin search query include the group node type icon:
A view showing how to search for group nodes containing the word admin in the Explore page

Pathfinding

The Pathfinding tab allows you to discover relationships between objects by finding paths between them. This is particularly useful for investigating potential attack paths in an environment.
BloodHound currently supports the Search and Cypher search methods for OpenGraph data, with support for Pathfinding coming soon.
Use cases for the pathfinding search method include:
  • Attack path analysis: Identify potential compromise chains between two objects
  • Relationship mapping: Understand how objects are connected within your environment
  • Filtered exploration: Focus on relevant relationships by excluding edge types or reversing path direction
For example, you can find all paths from a user named “bob” to a group containing the name “domain admins” using the previously described search method for the start and end points:
Like the search method, you can use partial matches and node labels to find your start and end points.
A view showing how to search for paths from a user named bob to groups containing the word domain admins in the Explore page
Pathfinding also includes options to customize your search:
  • Reverse path—Swap your start and end points to explore paths in the opposite direction without re-entering your search queries. This is useful for finding how high-value targets connect back to entry points.
  • Filter edges—Select which edge types to include in the results. By default, all edge types are selected; deselect any you don’t want included in the paths to focus on relevant relationships.
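The following is an added example, not BloodHound's own code: a simplified model of the Filter edges and Reverse path options, using a breadth-first search over a small constructed graph to show how deselecting an edge type changes which paths remain. The edge list, every object other than BOB and DOMAIN ADMINS, and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph: (source, edge type, target). The edge type names
# are real BloodHound AD edge kinds; every object except BOB and DOMAIN ADMINS
# is made up for this example.
EDGES = [
    ("BOB@PHANTOM.CORP", "MemberOf", "HELPDESK@PHANTOM.CORP"),
    ("HELPDESK@PHANTOM.CORP", "GenericAll", "SVC-BACKUP@PHANTOM.CORP"),
    ("SVC-BACKUP@PHANTOM.CORP", "MemberOf", "DOMAIN ADMINS@PHANTOM.CORP"),
    ("BOB@PHANTOM.CORP", "AdminTo", "WS01.PHANTOM.CORP"),
    ("WS01.PHANTOM.CORP", "HasSession", "ALICE@PHANTOM.CORP"),
    ("ALICE@PHANTOM.CORP", "MemberOf", "DOMAIN ADMINS@PHANTOM.CORP"),
]
ALL_TYPES = {edge_type for _, edge_type, _ in EDGES}


def shortest_paths(start, end, allowed=ALL_TYPES):
    """Return every shortest directed path from start to end that uses only
    the allowed edge types, as lists of (source, edge type, target)."""
    adjacency = {}
    for src, edge_type, dst in EDGES:
        if edge_type in allowed:
            adjacency.setdefault(src, []).append((edge_type, dst))
    depth = {start: 0}
    parents = {}  # node -> [(previous node, edge type)] on shortest routes
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for edge_type, nxt in adjacency.get(node, []):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
            if depth[nxt] == depth[node] + 1:
                parents.setdefault(nxt, []).append((node, edge_type))

    def unwind(node):
        if node == start:
            return [[]]
        return [path + [(prev, edge_type, node)]
                for prev, edge_type in parents.get(node, [])
                for path in unwind(prev)]

    return unwind(end) if end in depth else []


def reverse_paths(start, end, allowed=ALL_TYPES):
    """Model of "Reverse path": the same search with the endpoints swapped."""
    return shortest_paths(end, start, allowed)
```

In this constructed graph, excluding GenericAll leaves only the session-based path, which tells a defender that removing the GenericAll relationship alone would not close the route from BOB to DOMAIN ADMINS.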

Cypher

The Cypher tab allows you to perform complex searches using queries. Cypher is a powerful query language for graph databases. It enables you to manipulate and examine BloodHound data in custom ways to help you further understand your network or identify interesting relationships.
See Search with Cypher for more information.

Graph view

The graph on the Explore page provides a visual representation of the objects in your data based on your search criteria. You can interact with the graph by clicking on nodes and edges to view detailed information about them in the Entity panel, and by using various visualization options to customize the graph view. The following example shows a graph based on the example in the Pathfinding section above, which finds paths from a user named “bob” to a group named “domain admins”.
An example graph view on the Explore page
The graph displays the nodes and edges that connect user BOB@PHANTOM.CORP to group DOMAIN ADMINS@PHANTOM.CORP, allowing you to visually explore the relationships between objects.

Visualization options

Use the graph visualization options at the bottom of the Explore page to customize how the graph is displayed based on your preferences. This can be useful for large, complex graphs with many nodes and edges.
A view showing the graph visualization options on the Explore page
  1. Reset graph view—Restore the graph view to its default layout and zoom level
  2. Hide Labels—Toggle the visibility of labels on nodes and edges to reduce clutter and focus on the structure of the graph (also useful for obfuscating sensitive information before sharing graph images)
  3. Layout—Choose from the following layout options to organize the graph visually:
    • Organic
    • Stacked (Enterprise Edition)
    • Sequential
    • Standard
    • Table
  4. Export—Download the current graph view as a JSON file for further analysis or sharing
  5. Search—Quickly identify specific objects among the nodes displayed in the graph
Graph visualization options are available across all search methods. The Table layout is available for Cypher searches only.

Object interaction

You can interact with nodes and edges in the graph to view detailed information about them in the Entity panel. For nodes, you can right-click to perform more actions using the context menu.

Context menu

Right-click on any node in the graph to access the context menu. Options in the context menu include:
  • Set as starting node—Set the node as the starting point in the Pathfinding tab and immediately draw a new graph showing paths between that node and the current ending node
  • Set as ending node—Set the node as the ending point in the Pathfinding tab and immediately draw a new graph showing paths between the current starting node and that node
  • Add to/Remove from Tier Zero—Mark or unmark the node as a member of the Tier Zero privilege zones. Adding is immediate; removing requires manually editing the zone rule to remove the object.
  • Add to/Remove from Owned—Mark or unmark the node as compromised in the Privilege Zones page. Adding is immediate; removing requires manually editing the label rule to remove the object.
  • Copy—Copy the node’s name, object ID, or a Cypher query to your clipboard for use in other searches or documentation

Entity panel

The Entity panel on the Explore page displays detailed object properties and relationships. The information is displayed in an accordion format based on the selected node or edge, which can vary depending on your data source.
For built-in node and edge types (AD/AZ), BloodHound displays structured data organized into the accordions described below. For OpenGraph data, BloodHound displays all values from the properties object as a flat list, without the structured accordions.
For nodes, expanding each accordion reveals more detail and dynamically updates the graph. For example, expanding the Sessions accordion shows all computers where the node has active sessions and updates the graph. BloodHound displays the following information in the Entity panel when you click on a node (if the information is available in your data):
| Accordion | Description |
| --- | --- |
| Object Information | Displays the collected properties and attributes of a selected object. See node reference for details about each node type |
| Sessions | List of objects where the selected node has active sessions |
| Members | List of objects that are members of the selected node |
| Member Of | List of objects where the selected node is a member |
| Local Admin Privileges | List of objects where the selected node has local administrator privileges |
| Execution Privileges | List of objects where the selected node has execution privileges |
| Inbound Object Control | List of objects that can control the selected node |
| Outbound Object Control | List of objects that the selected node can control |
BloodHound displays the following information in the Entity panel when you click on an edge (if the information is available in your data):
| Accordion | Description |
| --- | --- |
| Relationship Information | System details about the relationship between two nodes connected by a selected edge |
| General | A detailed description of the relationship between the two nodes connected by a selected edge |
| Abuse | Step-by-step guidance, tools, and techniques for abusing the relationship represented by an edge to compromise or gain control over a target principal |
| OPSEC | Operational security implications and detection risks associated with abusing a particular edge |
| References | Links to publicly available resources used to create the above information |
This information is also available for each edge in the reference documentation.