BloodHound Community Edition Quickstart
Set up BloodHound Community Edition (BloodHound CE) with Docker Compose and start identifying and visualizing security risks.
Prerequisites
To complete the quickstart, ensure you meet these system requirements. BloodHound CE deploys in a traditional multi-tier container architecture consisting of databases, application, and UI layers.
Minimum specifications | For large environments (>50K users) |
---|---|
4GB of RAM | 96GB of RAM |
4 processor cores | 12 processor cores |
10GB hard disk space | 50GB hard disk space |
Install BloodHound CE
To install BloodHound CE:
- Install Docker Desktop. This gives you access to Docker Compose.
- Download the Docker Compose YAML file and save it to a directory where you’d like to run BloodHound.
  The YAML configuration file sets up the app database (Postgres), the graph database (neo4j), and the BloodHound web service.
- Go to the directory with the saved docker-compose.yml file and run:
  To run BloodHound CE without needing to maintain the terminal interface, add the flag -d and run docker compose logs to see the most recent logs from the environment.
  This pulls all the Docker images needed and runs Docker Compose to start up the services from the YAML configuration file.
- In the terminal log output of Docker Compose, find and copy the randomly generated password from Initial Password Set To.
  This password cannot be regenerated. If you lose it, run docker compose down -v and then docker compose up to reset your databases.
- Go to http://localhost:8080/ui/login and log in with the username admin and the password generated from the logs.
  The default docker-compose.yml example binds only to localhost (127.0.0.1). To access BloodHound outside of localhost, follow the instructions in examples/docker-compose/README.md to configure host binding for the container.
- Reset the password as prompted.
You’re now logged in to a locally hosted BloodHound CE tenant running with Docker Compose.
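To confirm the localhost-only binding mentioned in the login step, or to review it after changing the host binding, the following added example (not part of the BloodHound documentation or project code) audits the parsed output of docker compose config --format json and lists every published port that is not bound to a loopback address. The function names, service names and sample port entries are constructed for illustration.

```python
import ipaddress
import json

def _parse_short(spec):
    """Split short syntax [HOST_IP:][PUBLISHED:]TARGET[/PROTO] into (host_ip, published)."""
    spec = spec.split("/", 1)[0]                 # drop "/tcp" or "/udp"
    if spec.startswith("["):                     # bracketed IPv6 host address
        host_ip, _, rest = spec[1:].partition("]:")
        parts = rest.split(":")
    else:
        parts = spec.split(":")
        host_ip = parts.pop(0) if len(parts) == 3 else ""
    return host_ip, (parts[0] if len(parts) == 2 else "")

def _is_loopback(host_ip):
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:                           # empty host IP means all interfaces
        return False

def non_loopback_ports(compose):
    """Return (service, host_ip, published) for every port reachable off-host."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for port in svc.get("ports") or []:
            if isinstance(port, str):            # short syntax from a raw YAML file
                host_ip, published = _parse_short(port)
            else:                                # long syntax, as emitted by `config`
                host_ip = port.get("host_ip") or ""
                published = str(port.get("published") or "")
            if not _is_loopback(host_ip):
                findings.append((name, host_ip or "*", published))
    return findings

# Constructed sample in the shape of `docker compose config --format json` output.
SAMPLE = json.loads("""
{"services": {
  "bloodhound": {"ports": [{"mode": "ingress", "host_ip": "127.0.0.1",
                            "target": 8080, "published": "8080", "protocol": "tcp"}]},
  "graph-db":   {"ports": [{"mode": "ingress", "target": 7474,
                            "published": "7474", "protocol": "tcp"}]},
  "app-db":     {"ports": ["0.0.0.0:5432:5432/tcp", "[::1]:5433:5432"]}
}}
""")

if __name__ == "__main__":
    for service, host_ip, published in non_loopback_ports(SAMPLE):
        print(f"{service}: host port {published or 'ephemeral'} bound to {host_ip}")
```

For a real deployment, replace SAMPLE with json.load(sys.stdin) and pipe the output of docker compose config --format json into the script from the directory that holds docker-compose.yml.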
Get data into BloodHound
To get data into BloodHound, ingest sample data or run a data collector.
Option 1: Ingest sample data
Sample collection data helps you explore and test BloodHound CE functionality before using your own data.
To ingest the BloodHound sample data:
- Go to Example Data and download sample data.
- From the BloodHound CE UI, go to settings (⚙️) → Administration → Upload Files.
Option 2: Ingest your data with data collectors
BloodHound CE analyzes data collected by its two collector services, each collecting from a specific directory:
- Active Directory, collected by SharpHound CE
- Entra ID and Azure, collected by AzureHound CE
Download collectors
Each collector is a standalone binary. Download collectors using one of these methods:
- From BloodHound CE, click ⚙️ → Download Collectors → the download button for SHARPHOUND or AZUREHOUND.
- Download each collector from its respective GitHub repository: SharpHound repository or AzureHound repository.
- Build the collector from source with the source code for SharpHound or AzureHound.
Run a collector
Run the SharpHound or AzureHound collector. During collection, JSON files are generated and compressed into a ZIP file.
For Azure argument definitions, see All AzureHound Community Edition Flags, Explained.
Ingest data into BloodHound
Use the BloodHound CE API or the BloodHound CE UI to ingest collected data into BloodHound.
To ingest collected data with the API, use the BloodHound CE endpoint /api/v2/file-upload/. See the BloodHound API documentation for details.
To ingest collected data with the BloodHound CE UI, go to settings (⚙️) → Administration → Data Collection → select File Ingest → click UPLOAD FILES and upload your files.
BloodHound CE accepts .zip archives or JSON files, with no size limit. Your browser’s ability to package the uploaded file is a limiting factor in uploading large datasets directly through the UI.
Explore attack paths
To look at identified attack paths in the graph, go to the Explore page in the BloodHound CE UI.
Search for a user
- In the Search bar, search nodes for a user like user:bob.
- Select the user and click on the node that appears.
- Explore information about the user’s sessions and memberships.
Pathfind
Review the path from one user to another on the Pathfinding tab. For example, pathfind from BOB to ADMINISTRATOR.
Explore Cypher queries
Explore the pre-saved Cypher queries on the Cypher tab.
Learn more in Explore → Search for Objects.