Download & Licensing
Get Truvald™.
Your PKI is waiting.
Start with the Evaluation — all features (less reporting/exports), no CA server limit, no expiry. No credit card. No sales call. Just download, run, and find out what your PKI has been hiding.
- Download the installer — a single Windows executable, fully self-contained. No additional runtimes or dependencies required.
- Run as administrator — required to read the local certificate stores and register the application. No services or drivers are installed.
- Configure your settings — enter your organization details, add your PKI servers (hostname or FQDN + ADCS role), set your PIN, and optionally configure SMTP for email notifications.
- Run your first assessment — click Run Assessment on the Assessment tab. For servers that aren't directly reachable, use the Offline Collector first (see Features for the workflow).
- Review your findings — start with Critical and High. Everything is documented in-app with control descriptions and remediation recommendations. Your CISO will appreciate the PDF export.
| Feature | Trial | 30-Day $499 one-time | Annual $1,499/yr | + Assessment $12,000/yr |
|---|---|---|---|---|
| Duration | Indefinite | 30 days | 365 days | 365 days |
| Servers Monitored | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Assessment (80+ controls) | Yes | Yes | Yes | Yes |
| Operations Dashboard | Yes | Yes | Yes | Yes |
| GPO Analysis | Yes | Yes | Yes | Yes |
| Certificate Templates Analysis | Yes | Yes | Yes | Yes |
| Offline Collector Mode | Yes | Yes | Yes | Yes |
| Reporting & Exports | Not available | Full | Full | Full |
| Governance Survey (26 controls) | Yes | Yes | Yes | Yes |
| Risk Acceptance (PIN-protected) | Yes | Yes | Yes | Yes |
| Audit Database (local SQLite) | Yes | Yes | Yes | Yes |
| Email support | — | Yes | Yes | Yes |
| Consulting (3 days, BrkrOps engineer) | — | — | — | Yes |
| Guided ADCS security assessment | — | — | — | Yes |
| Written report + remediation roadmap | — | — | — | Yes |
Once you have Truvald™, we're not going to sell you anything else. No upsell cadence, no "just checking in" emails, no account manager nudging you toward a higher tier. You bought a tool — we'll be here if you need support or have questions. We're there for you. You're not there for us.
Evaluation
Email us · We respond by next business day (Alberta, Canada)
What you need
- Assessment Workstation: Windows 10 / 11 or Windows Server 2016+
- .NET Runtime: Compiled into Truvald™ — no separate installation required
- Permissions: Local admin on target CA servers + LDAP read access to AD
- CA Servers: Windows Server 2012 R2+ with ADCS. Air-gapped CAs supported via Offline Collector.
- A point-in-time snapshot — accurate the day they leave
- Scope limited to what the engagement covers
- Report delivered weeks later, fixed format
- Any follow-up questions cost consulting hours
- Repeat next year? Full price again
- Their PKI knowledge may be broad, not deep ADCS-specific
- Run an assessment any time — before a pen test, after a change, quarterly, whenever
- 80+ controls across every ADCS layer: ESC paths, CA config, OS hardening, GPO, templates
- Results in minutes, not weeks
- Reports and documentation for your CISO, auditors, or internal records
- PKI changes? Reassess immediately
- Built by ADCS practitioners — this is all it does
First year license includes 3 hours of expert PKI consultation — on us.
When you license Truvald™, we want you to actually understand your first report. Schedule a session with the BrkrOps™ Inc. team and we'll walk through your Critical and High findings together, explain what they mean in the context of your specific environment, and give you actionable remediation recommendations. You'll know exactly what to fix and in what order — not just a list of controls with severity labels. Three hours with people who wrote the checks beats a stack of framework PDFs.
There are good tools in the AD security space. Truvald™ doesn't do everything they do, and they certainly don't do everything Truvald™ does. They complement each other. Here's where each fits.
| Capability | Truvald™ | Ping Castle | Locksmith | Purple Knight | MS PKI Health Tool |
|---|---|---|---|---|---|
| Primary Focus | ADCS / PKI | Active Directory | ADCS ESC paths | AD Identity | CA Health (basic) |
| ADCS ESC privilege escalation paths (all 16) | All 16 | Partial | Most | Some | None |
| CA configuration hardening (OS, registry, roles) | Yes | No | No | No | Minimal |
| All ADCS roles assessed (OCSP, NDES, CES/CEP, Web Enrollment) | Yes | No | No | No | No |
| GPO analysis (SYSVOL-based) | Yes | Yes | No | Yes | No |
| Certificate Templates deep analysis | Yes | Partial | Partial | No | No |
| Ongoing operations dashboard (CRL, OCSP, NDES) | Yes | No | No | No | No |
| Offline / air-gapped CA support | Yes | No | No | No | No |
| Governance survey (policy & process) | 26 controls | No | No | No | No |
| Executive & technical reporting (Word / PDF / Excel) | Yes | Yes | No | Yes | No |
| Single-click disaster recovery documentation | Yes | No | No | No | No |
| Active Directory health (broader AD posture) | Under Development | Yes — strong | No | Yes — strong | No |
| Cost model | Annual license | Annual license | Free / open source | Free basic / Enterprise | Free (Microsoft) |
Ping Castle and Purple Knight are excellent for Active Directory posture — they belong in any AD security program. Locksmith (GhostPack) is a sharp offensive-oriented CLI tool for finding ESC paths quickly. None of them manage your PKI operations, assess CA server hardening end-to-end, handle offline Root CAs, or produce the governance documentation a compliance program needs. Run them alongside Truvald™ for full coverage.
Does Truvald™ need to be on the CA server?
No. Truvald™ runs on your assessment workstation and connects to CA servers over standard Windows remote administration protocols (RPC/DCOM and SMB). For servers that aren't directly reachable, use the Offline Collector — it runs on the target server and produces an encrypted package you import.
Will Truvald™ make changes to my environment?
Not by itself. Truvald™ assesses and monitors without touching anything — but remediation actions are available for those who want them. Every action requires a deliberate human click, and every action taken is fully audited with a timestamp and operator record for later review. Some actions require additional elevation through Truvald™'s built-in PIN or a connected authenticator app, so nothing consequential happens by accident or without accountability.
Can I assess an offline Root CA?
Yes — that's exactly what the Offline Collector is for. Copy the Truvald™ executable to the offline Root CA, run it with the --collect flag, and transfer the encrypted package back to your assessment workstation. Full assessment results, no network connection required.
What credentials does Truvald™ need?
Truvald™ runs under the credentials of the logged-in user by default. The user needs local administrator rights on the target CA servers and LDAP read access to Active Directory for GPO analysis. No domain admin credentials are required — a dedicated PKI Tier 0 management account with the appropriate AD delegations is the recommended approach.
Where does assessment data go?
All assessment data, risk acceptances, and governance survey answers are stored in a local SQLite database on the assessment workstation. Nothing is sent to BrkrOps™ Inc. servers. The license validation makes a periodic outbound check, but no assessment data is transmitted.
Still have questions?
We're small on purpose. Reach us directly — you'll talk to the people who built Truvald™ and actually know how PKI works. No ticket system, no Tier 1, no knowledge base articles that don't apply to your situation.