LATTICE audits Unity Catalog and the full Snowflake account: users without MFA, password-only auth, stale users, PUBLIC role grants, masking policies, row-access policies, external stages, and bulk-export QUERY_HISTORY. Thirteen detectors, including a continuous Unity Catalog drift sweep. Two connection modes (native Python connector and the generic Snowflake SQL API). Custom pricing: à la carte (Tier B+), or discounted as an add-on to any TITAN bundle or as part of the Data Pack.
Most CSPM tools stop at the cloud control plane. Databricks and Snowflake live one layer deeper, with their own RBAC model, their own catalog, and their own cluster policies. LATTICE reads those and flags drift, public exposure, and over-privileged accounts.
For Snowflake the agent runs read-only against the SNOWFLAKE.ACCOUNT_USAGE schema. Twelve detectors covering CIS Snowflake, HIPAA, SOC 2, and NIST 800-53. Two connection modes: the native snowflake-connector-python library, or the generic Snowflake SQL API over HTTPS with key-pair JWT or OAuth (no third-party connector required, stdlib-only).
Replaces a fraction of an Immuta deployment for a fraction of the price.
Run a live demo against your Snowflake account in ten minutes:
$env:SNOWFLAKE_ACCOUNT = 'xy12345.us-east-1'
$env:SNOWFLAKE_USER = 'titan_audit_svc'
$env:SNOWFLAKE_PASSWORD = '...'
python agents\snowflake_lattice.py --account-label your-account
Free Snowflake trial signup is at signup.snowflake.com. Optional demo/snowflake-demo-create.ps1 seeds an intentionally misconfigured demo schema so the scanner has something to find on a fresh trial.
Detects users without MFA, users still on password auth instead of RSA key-pair, and users with no successful login in 90 days. Distinguishes service users from human users by name pattern.
Flags non-default grants on the PUBLIC role (effectively world-readable inside the account), roles holding more than 25 distinct privileges, and service users with broad direct grants outside their declared scope.
Heuristics over the COLUMNS view flag likely-PHI / PII columns (SSN, DOB, MRN, member_id, email, phone) without a masking policy attached, and patient / member / financial tables without a row-access policy.
External stages without server-side encryption metadata are flagged. QUERY_HISTORY is mined for bulk UNLOAD operations exceeding 100k rows in the past 24 hours and long-running SELECTs producing more than a million rows.
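As an added illustration of the detector logic sketched in the four paragraphs above (example code, not LATTICE's own), the following runs three of those heuristics offline over constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE views USERS, COLUMNS, POLICY_REFERENCES and QUERY_HISTORY. The `_svc` suffix used as the service-user name pattern, the fixed clock, and the lower-cased field names are assumptions of this example.

```python
# Added example, not LATTICE's code: three of the detector heuristics described above,
# run offline over constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE views.
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
SERVICE_RE = re.compile(r"_svc$", re.I)           # assumed service-user naming convention
PII_RE = re.compile(r"(^|_)(ssn|dob|mrn|member_id|email|phone)(_|$)", re.I)

def audit_users(users, now=NOW, stale_days=90):
    """users: rows like ACCOUNT_USAGE.USERS -> list of (name, finding)."""
    out = []
    for u in users:
        if u["disabled"]:
            continue
        if not SERVICE_RE.search(u["name"]) and not u["ext_authn_duo"]:
            out.append((u["name"], "NO_MFA"))            # human user without MFA
        if u["has_password"] and not u["has_rsa_public_key"]:
            out.append((u["name"], "PASSWORD_ONLY"))     # no RSA key pair enrolled
        last = u["last_success_login"]
        if last is None or now - last > timedelta(days=stale_days):
            out.append((u["name"], "STALE"))             # no successful login in window
    return out

def unmasked_pii_columns(columns, policy_refs):
    """columns: (db, schema, table, column) from ACCOUNT_USAGE.COLUMNS;
    policy_refs: rows like ACCOUNT_USAGE.POLICY_REFERENCES. Returns likely-PII columns with no mask."""
    masked = {(r["ref_database_name"], r["ref_schema_name"], r["ref_entity_name"],
               r["ref_column_name"]) for r in policy_refs if r["policy_kind"] == "MASKING_POLICY"}
    return [c for c in columns if PII_RE.search(c[3]) and c not in masked]

def bulk_unloads(history, now=NOW, min_rows=100_000, hours=24):
    """history: rows like ACCOUNT_USAGE.QUERY_HISTORY -> (user, rows) of large UNLOADs in the window."""
    cutoff = now - timedelta(hours=hours)
    return [(q["user_name"], q["rows_unloaded"]) for q in history
            if q["query_type"] == "UNLOAD" and q["rows_unloaded"] > min_rows and q["start_time"] >= cutoff]

def user(name, duo, pw, rsa, days_ago):   # builds a constructed ACCOUNT_USAGE.USERS-style row
    return {"name": name, "disabled": False, "ext_authn_duo": duo, "has_password": pw,
            "has_rsa_public_key": rsa, "last_success_login": NOW - timedelta(days=days_ago)}

# --- constructed sample rows (not from a real account) ---
USERS = [user("ALICE", True, True, False, 2), user("BOB", False, True, False, 120),
         user("ETL_SVC", False, False, True, 0)]
COLUMNS = [("PROD", "PHI", "PATIENTS", "SSN"), ("PROD", "PHI", "PATIENTS", "MRN"),
           ("PROD", "PHI", "PATIENTS", "VISIT_DATE")]
POLICY_REFS = [{"policy_kind": "MASKING_POLICY", "ref_database_name": "PROD", "ref_schema_name": "PHI",
                "ref_entity_name": "PATIENTS", "ref_column_name": "SSN"}]
HISTORY = [{"user_name": "BOB", "query_type": "UNLOAD", "rows_unloaded": 250_000, "start_time": NOW - timedelta(hours=3)},
           {"user_name": "ETL_SVC", "query_type": "UNLOAD", "rows_unloaded": 500_000, "start_time": NOW - timedelta(days=3)}]
```

With the sample rows, BOB is flagged on all three user checks and for the 250k-row UNLOAD, while the service user with a key pair and a fresh login produces no finding; only MRN remains unmasked because SSN already has a masking policy reference.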
Every metastore, catalog, schema, table, and view audited for grant drift, public access, and stale principals. Lineage captured on read so you can answer who-touched-what.
Every 15 minutes LATTICE re-checks: column-mask functions still bound, row-filter predicates still active, service-principal scope unchanged, no new schemas with public grants, no dropped or modified privileges. Anomalies route to PagerDuty within the same window. 24/7.
Cluster policies checked against your baseline. Row-level and column-level access policies read into the audit. Drift flagged with the exact JSON diff and the policy bundle that satisfies your control framework.
LATTICE follows the same self-learning, self-upgrading pattern as every other TITAN agent. The brain is optional — the agent runs deterministically without an LLM — but when an LLM is wired in, every finding gets a one-paragraph context-aware risk explanation written for the security lead, not the DBA.
Rule feed: https://titanaisec.com/feeds/snowflake-lattice-rules.json. New CVEs, new Snowflake security advisories, and customer-supplied custom detectors load automatically. Falls back to the on-disk pack if the feed is unreachable.

Learning state: agents/snowflake_lattice_learning.json. After five feedback events on a detector, priority adjusts up or down based on the analyst's history. Over-eager detectors quiet down; under-eager ones rise.

LLM enrichment: when --use-llm is set, every finding is enriched with a one-paragraph risk explanation tailored to the customer's environment. Multi-provider fallback (external reasoning services, local Ollama, deterministic). Default off, so the agent matches the deterministic posture of every other TITAN agent.

Connection modes: the snowflake-connector-python path (preferred) or the generic Snowflake SQL API over HTTPS (stdlib-only, key-pair JWT or OAuth). Pick whichever matches your network policy.

Read-only scan. No credit card. Full evidence pack on every finding.