FOR CEOs, CTOs & CISOs · 60-SECOND READ

What TITAN AI actually does

Installs in 10 minutes. One license-gated installer command, zero manual setup. Works on Azure + AWS + GCP — or fully air-gapped via AIRLOCK.

Client picks a tier. CONDUCTOR activates only entitled agents. Nothing leaves their machine. Every remediation requires explicit [y/N] consent. A 12-point integrity check runs in 10 seconds before any scan. Source-review under NDA. Patent pending (USPTO App# 19/645,524).

GET TITAN AI RUNNING IN YOUR ENVIRONMENT

Deploy TITAN AI in 10 Minutes

Zero-hassle setup. Works on Azure, AWS, GCP — pick any combo. Copy-paste commands. No compiler, no docker, no cluster. Just Python and your cloud CLI.

Every step is verified end-to-end: install → configure → authenticate → run → review → (optional) fix → rollback.

⚡ WHAT PROTECTS YOUR BOX · Emergency kill switch (Ctrl-C / STOP file) · Per-agent memory cap · Wall-clock timeouts · SLSA 3 signed bundle verification · Graceful crash recovery · Tamper-evident audit trail · Full reliability brief »

Two ways to deploy — pick whichever fits your security team

⚡ OPTION A · RECOMMENDED

One-Click Smart Runner

Single command. Detects your OS. Installs missing tools (Python, cloud CLIs). Validates license. Authenticates you into Azure / AWS / GCP. Launches CONDUCTOR. ~90 seconds, zero manual setup.

# Linux / macOS curl -fsSL https://titanaisec.com/titanai-run.sh | bash # Windows (PowerShell as admin) iwr -useb https://titanaisec.com/titanai-run.ps1 | iex

Prompts once for your license key. Opens your browser for cloud auth. CONDUCTOR's preflight handles run-mode decisions.

🔧 OPTION B · MANUAL CONTROL

Step-by-Step Walkthrough

For security-reviewed environments, air-gapped hosts, or teams whose policy requires manual installation. Every command documented, every step inspectable. ~10 minutes end-to-end.

1. Install prerequisites (Python, cloud CLI)
2. Download license-tied installer bundle
3. Configure .env
4. Verify (12-check integrity)
5. Authenticate your cloud(s)
6. Launch CONDUCTOR
7. Review + (optionally) apply fixes

Full step-by-step starts below.

Both paths produce the same outcome. Same signed bundle, same license validation, same CONDUCTOR flow, same 12-check integrity verification. The one-click just automates the connective tissue between steps.

Option C — Security-Reviewed Install (for enterprise CISOs / air-gapped)

If your security team forbids curl | bash patterns (common in finance, healthcare, DoD), or your corporate firewall blocks piped remote execution, use this path instead. Download, verify the SHA-256, inspect the script, then run locally. Every byte is checksummed and auditable before anything executes.

# Step 1 — Download the installer + its SHA-256 sidecar curl -fsSL -o titanai-run.sh https://titanaisec.com/titanai-run.sh curl -fsSL -o titanai-run.sh.sha256 https://titanaisec.com/titanai-run.sh.sha256 # Step 2 — Verify integrity (should print "OK") sha256sum -c titanai-run.sh.sha256 # Step 3 — Inspect the script (your security team reviews) less titanai-run.sh # or: cat titanai-run.sh # Step 4 — Run locally, with your license bash titanai-run.sh # prompts for license key

Windows PowerShell equivalent

# Download + verify + run (PowerShell) Invoke-WebRequest -Uri https://titanaisec.com/titanai-run.ps1 -OutFile titanai-run.ps1 Invoke-WebRequest -Uri https://titanaisec.com/titanai-run.ps1.sha256 -OutFile titanai-run.ps1.sha256 # Verify SHA-256 $expected = (Get-Content titanai-run.ps1.sha256).Split(' ')[0] $actual = (Get-FileHash titanai-run.ps1 -Algorithm SHA256).Hash.ToLower() if ($expected -ne $actual) { throw "SHA mismatch — do NOT run!" } else { Write-Host "OK" -ForegroundColor Green } # Inspect notepad titanai-run.ps1 # Run .\titanai-run.ps1

Published SHA-256 checksums (verify these match what you downloaded)

Pin these in your change-control ticket so the security team can attest the binary they reviewed is the one that ran.

FileSHA-256Size
titanai-run.sh 20a334d38f3f3ad214b49037b1cf90b55d45e0ec02eb6e696fb7a40a4ffd741a13 KB
titanai-run.ps1 aa352cbd5c4460cb9be5d439723d86a6a14862d205a428a41b3ceb391934809b6.5 KB
install.sh 319ddc4409f7be50be6d6324d84a7ca17dca13e4633f4325748c9687421b3cbc8.8 KB
install.ps1 937bf26ad16318bbf23436103909b348b854ebf92b628f29a5c249f0571224275.9 KB
titanai-latest.tar.gzdef1d1917a4ef7f936f14c8b2e008676459843167882d32b606a216aefac4930484 KB

All checksums also served at <file-url>.sha256 (e.g. /titanai-run.sh.sha256). Auto-fetch for scripted verification.

Why this path satisfies enterprise security review: no piped remote execution, every byte is SHA-verified before run, the script is inspectable plaintext, the downloaded bundle is signed & checksummed, and every file has a published integrity hash. This is the same pattern HashiCorp, Kubernetes, and Grafana use for their enterprise installers.

How TITAN AI reaches your environment

Complete transparency on how the product gets from our infrastructure to yours. Source code is never publicly distributed. Only signed, license-tied bundles, served over HTTPS from Cloudflare's edge. Your cloud credentials never leave your machine.

┌──────────────┐   1. Sign up / buy a license
│   CLIENT     │─────────────────────────────────► TITAN AI LLC
└──────┬───────┘                                          │
       │                                                  │
       │   2. You receive via email:                      │
       │      • Your license key                          │
       │      • URL: titanaisec.com/client-deploy.html    │
       │◄─────────────────────────────────────────────────┘
       │
       │   3. Open the URL, pick Option A or Option B
       ▼
┌────────────────────────────────────────────────────────────┐
│  https://titanaisec.com  (Cloudflare Pages, global CDN)    │
│  ├─ /titanai-run.sh          one-click Linux/macOS         │
│  ├─ /titanai-run.ps1         one-click Windows             │
│  ├─ /install.sh              core Linux/macOS installer    │
│  ├─ /install.ps1             core Windows installer        │
│  ├─ /api/license/verify      license validation endpoint   │
│  └─ /bundles/titanai-X.Y.Z.tar.gz  signed bundle + SHA256  │
└────────────────────────────────────────────────────────────┘
       │
       │  Script validates license + downloads signed bundle
       ▼
┌──────────────┐
│   YOUR HOST  │   4. Everything runs LOCALLY on your machine.
│              │      Nothing phones home except the ONE
│  ~/.titanai/ │      license-verify call. No telemetry.
│              │
│  CONDUCTOR ──┼──► 5. Scans YOUR cloud with YOUR credentials
│              │      Produces reports, backups, snapshots
│              │      ALL DATA STAYS ON YOUR MACHINE.
└──────────────┘

What a client gets in email from TITAN AI

Subject: Your TITAN AI license is ready Hi [Client Name], Your TITAN AI license is active. Here's everything you need: License key: TITAN-LIVE-XXXXX-XXXXX-XXXXX-XXXXX License tier: [launch | cloud-pro | healthcare | banking | ...] Expires: YYYY-MM-DD Deploy guide: https://titanaisec.com/client-deploy.html Fastest way to get running — one command: Linux/macOS: curl -fsSL https://titanaisec.com/titanai-run.sh | bash Windows: iwr -useb https://titanaisec.com/titanai-run.ps1 | iex Questions? Reply to this email or write info@titanai.tech. — TITAN AI Customer Success

Exactly what the one-click script auto-installs for you

The script detects your OS and installs only what's missing. Zero action needed from you — it figures out your distro, uses the right package manager, and handles everything.

What's installedUbuntu / DebianRHEL / Oracle / FedoraArchmacOSWindows
Python 3.10+aptdnfpacmanbrewwinget
pip, curl, unzip, taraptdnfpacmanbrewbundled
Azure CLIMicrosoft InstallAzureCLIDebMicrosoft RPM repoAUR notebrew install azure-cliwinget Microsoft.AzureCLI
AWS CLI v2Amazon awscli-exeAmazon awscli-exeAmazon awscli-exebrew install awscliwinget Amazon.AWSCLI
Google Cloud CLIsdk.cloud.google.comsdk.cloud.google.comsdk.cloud.google.combrew --cask google-cloud-sdkwinget Google.CloudSDK
Python dependenciespip install -r requirements.txt into an isolated venv at ~/.titanai/.venv

What happens if you don't want all three cloud CLIs

Pass TITAN_CLOUDS to control which ones get installed:

# Only install Azure CLI TITAN_CLOUDS=azure curl -fsSL https://titanaisec.com/titanai-run.sh | bash # Install AWS + GCP (no Azure) TITAN_CLOUDS=aws,gcp curl -fsSL https://titanaisec.com/titanai-run.sh | bash # CI/CD mode — license pre-set, no prompts, non-interactive TITAN_LICENSE=TITAN-XXX TITAN_NON_INTERACTIVE=1 TITAN_CLOUDS=azure \ bash -c "$(curl -fsSL https://titanaisec.com/titanai-run.sh)"

Data residency — the guarantee

Nothing leaves your machine except ONE license validation call. Your cloud credentials, your scan findings, your resource names, your compliance data — all stay on your host. Every report is written to ~/.titanai/reports/, every snapshot to ~/.titan-ai/snapshots/. We never see any of it. Ever.

Prerequisites (one-time, 3 minutes — Option B only)

Python 3.10+ Git pip Azure CLI, AWS CLI, or gcloud (at least one) TITAN AI license key Anthropic API key (optional — unlocks AI analysis)
Don't have a license yet? You have two options:

Install Python (if not already installed)

# Windows (PowerShell): winget install -e --id Python.Python.3.12 # macOS (Homebrew): brew install python@3.12 # Linux (Ubuntu/Debian): sudo apt update && sudo apt install -y python3.12 python3.12-venv python3-pip # Linux (RHEL/Oracle Linux/CentOS): sudo dnf install -y python3.12 python3-pip

Verify Python + pip

python --version # must be 3.10 or newer pip --version # any recent version

Install each cloud CLI (only the ones you'll scan)

# ───── AZURE CLI ───── # Windows: winget install -e --id Microsoft.AzureCLI # macOS: brew install azure-cli # Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash # ───── AWS CLI v2 ───── # Windows: winget install -e --id Amazon.AWSCLI # macOS: brew install awscli # Linux (x86_64): curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscli.zip unzip awscli.zip && sudo ./aws/install # ───── Google Cloud CLI ───── # Windows: winget install -e --id Google.CloudSDK # macOS: brew install --cask google-cloud-sdk # Linux: curl https://sdk.cloud.google.com | bash && exec -l $SHELL

Step 1 — Install TITAN AI

1

Download your license-tied install package

Once we issue your license, you receive a personalized download link + signed installer. One line installs, gates on your license key, and wires up the Python environment automatically.

# Linux / macOS curl -fsSL https://titanaisec.com/install.sh | sh -s -- \ --license TITAN-XXXXX-XXXXX-XXXXX-XXXXX # Windows (PowerShell as administrator) iwr -useb https://titanaisec.com/install.ps1 | iex # (installer prompts for your license key interactively)

The installer verifies your license against our server, downloads the signed TITAN AI bundle (~80 MB — includes Azure SDK, AWS boto3, GCP libs, Anthropic client, Flask), and installs into ~/.titanai/ (Linux/Mac) or %LOCALAPPDATA%\TitanAI\ (Windows). Takes ~90 seconds.

Source code is not publicly distributed. Every bundle is cryptographically signed, keyed to your license, and tied to your organization. Source-review access for SOC2 / FedRAMP / HITRUST audits is available under NDA — email info@titanai.tech.

Step 2 — Configure

2

Create your .env file

Copy the template and fill in your license key + Anthropic API key.

cp .env.example .env # Edit .env with your preferred editor notepad .env # Windows nano .env # Linux / Mac

Minimum required in .env:

TITAN_LICENSE_KEY=TITAN-LIVE-XXXXX-XXXXX-XXXXX ANTHROPIC_API_KEY=sk-ant-api03-... # Cloud-specific (only the ones you use): AZURE_SUBSCRIPTION_FILTER= # leave empty to scan all subs you're logged into AWS_PROFILE=default AWS_REGIONS=us-east-1,us-west-2 GCP_SERVICE_ACCOUNT_KEY= # path to JSON key if using GCP
No Anthropic key? That's fine — agents will run without AI-enrichment summaries but still produce the same 100% real scan findings, compliance checks, and fix commands.

Step 3 — Verify Installation

3

Run the CONDUCTOR self-check (no scan yet)

python lab/verify-conductor.py

This validates every agent loads, every tier in the PACKAGE_MATRIX is well-formed, the license gate works, baseline snapshot writes, and cloud detection runs. No cloud calls, no LLM calls, no writes. Takes under 10 seconds.

Expected output: All 12 checks PASSED — CONDUCTOR flow verified end-to-end
If any check fails, email us the output. Don't proceed to Step 4.

Step 4 — Authenticate Your Cloud(s)

4

Sign in to each cloud you want scanned

TITAN AI uses YOUR existing cloud credentials — nothing gets uploaded to our servers, nothing leaves your machine.

Azure — 3 ways to authenticate

# Option A: Interactive browser login (easiest, works everywhere) az login az account list --output table az account set --subscription "Your Sub Name" # Option B: Service Principal (best for CI/CD, headless servers) az login --service-principal \ --username \ --password \ --tenant # Option C: Managed Identity (auto-detected on Azure VMs, App Service, AKS, etc.) az login --identity # TITAN picks up managed identity automatically — no commands needed on Azure hosts.

AWS — 4 ways to authenticate

# Option A: Access Key + Secret (easiest, laptops / servers) aws configure # (enter Access Key, Secret, default region, default output: json) # Option B: AWS SSO (organizations with Identity Center) aws configure sso aws sso login --profile export AWS_PROFILE= # Linux/Mac $env:AWS_PROFILE = "" # PowerShell # Option C: Role assumption (cross-account scan) aws sts assume-role \ --role-arn arn:aws:iam:::role/TitanScanRole \ --role-session-name titan-scan # (then export the returned AccessKey/Secret/Token into AWS_* env vars) # Option D: EC2 instance profile (auto-detected on EC2/ECS/Lambda) # No commands needed — boto3 picks up the instance metadata. aws sts get-caller-identity # should show the instance role

GCP — 3 ways to authenticate

# Option A: User login (interactive, easiest on laptops) gcloud auth login gcloud auth application-default login gcloud projects list gcloud config set project # Option B: Service Account key (CI/CD, headless) export GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa-key.json # Linux/Mac $env:GOOGLE_APPLICATION_CREDENTIALS = "C:\path\to\sa-key.json" # PowerShell gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS # Option C: Workload Identity Federation (best for enterprise, no key files) gcloud iam workload-identity-pools create-cred-config \ projects//locations/global/workloadIdentityPools//providers/ \ --service-account=@.iam.gserviceaccount.com \ --output-file=wif-config.json
Minimum IAM permissions for read-only scan: Azure Reader role, AWS ReadOnlyAccess + SecurityAudit, GCP roles/viewer + roles/iam.securityReviewer. For fix-tier (write-capable), see capabilities.

Step 5 — Run TITAN CONDUCTOR

5

Start the orchestrator — it handles everything

python agents/conductor.py

CONDUCTOR will:

  1. Take a baseline snapshot of account identity → ~/.titan-ai/snapshots/
  2. Check your license → activates only agents you're entitled to
  3. Detect cloud permissions → auto-degrades to read-only if no write access
  4. Show you where data is stored (snapshots, backups, reports, logs)
  5. Ask you two questions:
    • Capture full BACKUP before scanning? [Y/n, default Y]
    • Use STAGED workflow (audit first, fix later)? [Y/n, default Y]
  6. Phase 1 — AUDIT: all read-only scanners run (Scout, Sentinel, Comply, Shadow, Audit…)
  7. Pause for your review — you inspect findings in reports/
  8. Phase 2 — FIX (only if your tier allows + you approve): Forge applies remediation, one fix at a time, each with [y/N] consent
Non-interactive (CI/CD) mode: if you're running inside a pipeline without a TTY, CONDUCTOR auto-detects and uses safe defaults (backup=yes, staged=yes, no AIRLOCK). Override with env vars:
TITAN_NON_INTERACTIVE=true \ TITAN_FULL_BACKUP=true \ TITAN_STAGED_WORKFLOW=true \ python agents/conductor.py

Step 6 — Review Findings

6

Every scan produces three deliverables

All local to YOUR machine. Nothing uploaded. Nothing leaves your environment.

OutputLocationFormat
PRE-FIX reportreports/TITAN-<date>-<vertical>-PRE-FIX.htmlHTML + PDF + DOCX
POST-FIX reportreports/TITAN-<date>-<vertical>-POST-FIX.htmlHTML + PDF + DOCX
Summary JSONdata/live-<date>-results.jsonJSON
Run loglogs/conductor-<timestamp>.logplaintext

Every finding card has 8-section drill-down: resource ID, severity, recommendation, CIS/HIPAA/PCI control, fix command, before/after state, rollback plan, and Section 9 Exception/Approver form.

Step 7 — Apply Fixes (only fix-tier licenses)

7

Forge runs ONLY when all four gates are green

GateWho controls it
1. License tier is "fix" (not "audit")Your purchase
2. Cloud credentials have write permissionsYour IT / IAM admin
3. You approve the audit review in Phase 1You (operator)
4. Every individual fix asks [y/N] before applyingYou (operator)

If ANY gate is missing (trial license, audit-only tier, read-only cloud creds, or you decline), Forge refuses and logs a clear reason. No surprise mutations. Ever.

How you know it's safe: TITAN_READ_ONLY=true env var gets set by CONDUCTOR before any agent runs if you're in trial/audit mode. Every write path in Forge checks this var and aborts if set.

Rollback (if anything needs undoing)

Two backup layers for every fix operation:

Example rollback (Azure storage account)

# Pull the rollback command from the POST-FIX report's Section 9 card, # or from the JSON: cat data/live-2026-04-20-results.json | jq '.actions[] | {resource, rollback_plan}' # Then run the specific command: az storage account update --name titanphi4f29 --allow-blob-public-access true

Troubleshooting

"No valid TITAN AI license found"

Your TITAN_LICENSE_KEY isn't loading. Check:

cat .env | grep TITAN_LICENSE_KEY # or in PowerShell: Get-Content .env | Select-String TITAN_LICENSE_KEY

"Azure CLI not found"

# Windows: winget install -e --id Microsoft.AzureCLI # Mac: brew install azure-cli # Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

"Not logged in"

Run az login / aws configure / gcloud auth login again, verify with az account show / aws sts get-caller-identity.

Scan is slow

First scan against a large tenant takes 5-15 min depending on resource count. Agents parallelize where possible. If a specific agent hangs, kill the process and rerun with TITAN_SKIP_AGENTS=aml,audit to exclude LLM-heavy ones.

Air-gapped / DMZ / classified deployment

Enable AIRLOCK mode — zero outbound traffic, local LLM only (Ollama). Requires $249K/yr AIRLOCK add-on or trial demo toggle.

TITAN_AIRLOCK_RUNTIME=true python agents/conductor.py

Alternative: Docker (zero-install)

Don't want to touch Python? Pull our image, run one command.

# Pull the image docker pull ghcr.io/titanaisec/titanai:latest # Run CONDUCTOR (mounts your .env + cloud configs, writes reports to host) docker run --rm -it \ -v "$PWD/.env:/app/.env:ro" \ -v "$HOME/.azure:/root/.azure:ro" \ -v "$HOME/.aws:/root/.aws:ro" \ -v "$HOME/.config/gcloud:/root/.config/gcloud:ro" \ -v "$PWD/reports:/app/reports" \ -v "$PWD/data:/app/data" \ -v "$HOME/.titan-ai:/root/.titan-ai" \ ghcr.io/titanaisec/titanai:latest \ python agents/conductor.py

Docker on Windows (PowerShell)

docker run --rm -it ` -v "${PWD}/.env:/app/.env:ro" ` -v "${HOME}/.azure:/root/.azure:ro" ` -v "${HOME}/.aws:/root/.aws:ro" ` -v "${PWD}/reports:/app/reports" ` -v "${HOME}/.titan-ai:/root/.titan-ai" ` ghcr.io/titanaisec/titanai:latest ` python agents/conductor.py

Alternative: Kubernetes CronJob (scheduled scans)

apiVersion: batch/v1 kind: CronJob metadata: name: titanai-nightly-scan spec: schedule: "0 2 * * *" # 2 AM daily jobTemplate: spec: template: spec: serviceAccountName: titanai-scanner # workload identity for cloud access restartPolicy: OnFailure containers: - name: titanai image: ghcr.io/titanaisec/titanai:latest command: ["python", "agents/conductor.py"] env: - {name: TITAN_NON_INTERACTIVE, value: "true"} - {name: TITAN_FULL_BACKUP, value: "true"} - {name: TITAN_STAGED_WORKFLOW, value: "true"} envFrom: - secretRef: {name: titanai-secrets} # TITAN_LICENSE_KEY, ANTHROPIC_API_KEY volumeMounts: - {name: reports, mountPath: /app/reports} volumes: - name: reports persistentVolumeClaim: {claimName: titanai-reports}

Alternative: Air-gapped / DMZ / classified (AIRLOCK)

Zero outbound internet. Local LLM only (Ollama). FedRAMP High / SCIF / SECRET / TOP SECRET compliant.

# 1. Transfer TITAN AI installer + all dependencies via physical media # (we provide a signed offline bundle for enterprise tier) # 2. Install Ollama locally (one-time) curl -fsSL https://ollama.com/install.sh | sh # Linux ollama pull llama3.1:70b-instruct-q4_K_M # pick your model # 3. Set AIRLOCK env vars, point TITAN at local LLM export TITAN_AIRLOCK_RUNTIME=true export TITAN_LLM_BACKEND=ollama export TITAN_LLM_MODEL=llama3.1:70b-instruct-q4_K_M export TITAN_LLM_ENDPOINT=http://127.0.0.1:11434 # 4. Run CONDUCTOR normally — it self-enforces no outbound network python agents/conductor.py
AIRLOCK license: $249K/yr add-on for production. Trial tier can demo AIRLOCK at runtime via the preflight prompt — same zero-outbound enforcement, just for evaluation.

All Together (one-page cheat sheet)

# 1. Install (license-gated — bundle signed to your org) curl -fsSL https://titanaisec.com/install.sh | sh -s -- --license TITAN-XXX-XXX-XXX # Windows: iwr -useb https://titanaisec.com/install.ps1 | iex cd ~/.titanai # %LOCALAPPDATA%\TitanAI on Windows # 2. Configure cp .env.example .env && nano .env # paste your license key + Anthropic key # 3. Verify (12-point engine integrity check) python lab/verify-conductor.py # expect: All 12 checks PASSED # 4. Authenticate your cloud(s) az login # and/or aws configure # and/or gcloud auth login # 5. Run python agents/conductor.py # interactive, asks your preferences # 6. Review start reports/ # Windows — open the HTML report open reports/ # Mac xdg-open reports/ # Linux # 7. Apply fixes (only if your tier allows + you approve) # CONDUCTOR walks you through per-fix consent prompts [y/N]

Support

Email: info@titanai.tech
Web: titanaisec.com
Response SLA: 4 business hours for paid tiers, 1 business day for trial
Emergency rollback help: include logs/conductor-<timestamp>.log + ~/.titan-ai/snapshots/ in your email — we'll walk you through a safe revert.

TITAN AI — Client Deployment Guide v1.3 — 2026-04-20 — Copyright © TITAN AI LLC, All Rights Reserved