What’s New in the BloodHound Query Library: BYOL, OpenGraph, Multi-Server, and More
TL;DR: The BloodHound Query Library is updated: Bring Your Own Library — import custom query sources & shipping with three OpenGraph extension sources (Jamf, GitHub, Okta), multi-server support, new queries including mappings to PurpleKnight, upcoming deprecation of system_tags conditions, built-in Cypher cheat sheet, and a range of quality-of-life improvements.
The BloodHound Query Library — queries.specterops.io, released in June 2025, is a community-driven collection of Cypher queries that help BloodHound users unlock the full potential of the graph. If you’re new to the project, check out the introductory blog post.
Today we’re releasing an update that makes the library more powerful and more personal. The sections below cover each feature in detail:
- New Queries & PurpleKnight Mapping
- Deprecation Notice: system_tags Condition
- BYOL: Multi-Source Query Loading
- Multi-Server Management
- Favourites Replace Upvotes/Downvotes
- Cypher Cheat Sheet
- UI & Navigation
New Queries & PurpleKnight Mapping
This release adds 34 new Active Directory and Azure queries to the library and updated 11 existing queries.
The security assessment mapping now includes Semperis PurpleKnight as a fourth assessment tool, covering 96 of 190 PurpleKnight security indicators (51%). Existing mappings for PingCastle, MDI, and Nessus were also reviewed and updated against the latest versions of those tools.
Updated Mapping Coverage:
| Security Tool | Total Controls | Mapped Controls | Coverage |
| PingCastle | 186 | 105 | 56% |
| Purple Knight | 190 | 96 | 51% |
| MDI | 45 | 35 | 78% |
| Nessus | 10 | 10 | 100% |
⚠️ Deprecation Notice: system_tags Condition
Queries in the library currently use two methods to scope nodes to Tier Zero and Owned, supporting both old and new versions of BloodHound. At the end of July 2026, all queries will be updated to use only the newer simpler method.
Old versions require scoping with a node property and null handling:
WHERE COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0'New versions can use node labels directly:
WHERE (n:Tag_Tier_Zero)The simpler label-based approach was introduced with Privilege Zones, which became generally available in v2026.03.23. Upgrade your BloodHound version to ensure queries from the library continue to work.
BYOL: Multi-Source Query Loading
The library now supports Bring Your Own Library — loading queries from multiple sources beyond the default library.
The Query Sources menu allows you to:
- Use built-in sources — BloodHound Query Library, JamfHound, GitHound, and OktaHound ship out of the box.
- Add custom sources — point the library at any JSON endpoint that follows the query schema (also supports the fields: guid, platforms, category, description, revision, resources, acknowledgements).
- Manage sources — edit, remove, or toggle sources. Sources and selections persist in your browser’s localStorage.
- Share queries with source context — query links include the source, so recipients load the right data. If a link references a source not in the recipient’s sources, a confirmation prompt lets them add it.
BYOL allows your team to load shared queries from an internal http-server, or view your work-in-progress OpenGraph extension queries loaded from a private repo.
Multi-Server Management
You can now manage multiple BloodHound servers. Click the pencil icon to add, edit, or select a server, then hit the run icon to execute the query. The server menu lets you:
- Add servers by name and URL (auto-names from the hostname if you skip the name field).
- Switch between servers with a single click — only one is active at a time.
- Edit or remove server entries without affecting the defaults.
- Running queries now reuses the same tab per server instead of opening a new one every time.
This is useful for blue teams operating across multiple environments (staging, production), or for offensive consultants working on multiple engagements and BloodHound instances at once.
Favourites Replace Upvotes/Downvotes
The old upvote/downvote system has been replaced with Favourites — add a heart to the queries you use most:
- Log in from the top-right to save your favourites across sessions.
- Favourite a query with a single click on the ❤️
- Show Favourites toggle to quickly surface the queries you care about.
- Most Favourites is the default sorting when not searching.
- Upvotes have been automatically converted into Favourites.
ℹ️ Favourites is only available on the BloodHound Query Library source for now.
Cypher Cheat Sheet
A one-page cheat sheet is now available — a quick reference for BloodHound Cypher syntax. It covers:
- MATCH & WHERE Filters — code examples for structuring node and path matching queries.
- Functions — aggregation (count, collect), entity information, string manipulation, type conversion, and date/time helpers.
- Operators & Paths — reference tables for comparison operators, relationship patterns (-[]-, -[*]-, recursive expansion with hop ranges), and edge alternatives.
The full Cypher reference can be found on BloodHound Docs.
UI & Navigation
A round of UI refinements:
- Updated navigation — the header now shows Home | Cheat Sheet | Cypher Docs
- Performance improvements.
- All filters support clearing with a single click.
- Updated GitHub README.md.
- … and many many other small tweaks across the library.
Wrap Up
The library’s value grows with each contribution — explore the existing queries, favourite the ones you use, and contribute new queries to help the BloodHound community ✌️
Thanks to the all community contributors: @chryzsh, @5tuk0v, @theluemmel, @auk0x01, @Jonas_B_K, and more. And to the SpecterOps colleagues who gave valuable input, especially @SadProcessor (JD).
Got questions or feedback?
Reach us in the BloodHound community Slack #cypher_queries channel or directly:
- Martin – X | BlueSky | LinkedIn | GitHub
- Joey – X | LinkedIn | GitHub
- BloodHound Query Library: https://queries.specterops.io/
- Project GitHub: https://github.com/SpecterOps/BloodHoundQueryLibrary
