Every card below is a real alert payload CONDUIT filed from a live scan across Azure, AWS, and GCP. 46 tickets — 12 incidents and 34 tickets — with every ticket field auto-populated: justification, implementation plan, risk & impact analysis, backout plan, test plan, team approval assignment, and approval path. FORGE applied the remediation, SCOUT rescanned to verify, and CONDUIT closed each ticket end-to-end.
Scroll down. Every card below is a REAL alert CONDUIT forwarded via the generic API layer. Each card expands to show justification, implementation plan, risk analysis, backout plan, test plan, planned window, assignment group, approval state, close notes.
NEW: 45 Drill-Down Cards · 7-Destination JSON Proof →
15 banking · 15 telecom · 15 healthcare — each with the exact JSON payload CONDUIT sent to Datadog, PagerDuty, Slack, Teams, Opsgenie, Splunk HEC, and generic webhook.
weekend_only policy (Fri 22:00 UTC → Sun 22:00 UTC). Configurable to after_hours or anytime.CONDUIT_WINDOW_POLICY=weekend_only | after_hours | anytime or specify in ~/.titanai/ticketing.yaml. Emergency always overrides policy for Critical severity.
Every card below is a real alert CONDUIT forwarded via its generic API layer against real cloud resources across Azure, AWS, and GCP. Click SHOW FULL DRILL-DOWN on any card to see the finding, implementation plan, risk & impact analysis, backout plan, test plan, the exact JSON payload sent to the alert backend, and AI close notes. Download each one as HTML, PDF, or DOCX for your audit file.
NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.
NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: HIGH business risk — active exposure; fix required immediately. Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach. Scope: single resource (nsg-titan-webtier). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet.
1. TITAN auto-captured snapshot of nsg-titan-webtier before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans nsg-titan-webtier immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork
NSG rule AllowSSHAll permits SSH (port 22) from 0.0.0.0/0 — Internet-wide privilege escalation path to every VM in the subnet. Recommended Fix: az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
Azure Front Door publicly accessible with WAF policy disabled — open to L7 attacks and OWASP Top 10.
Azure Front Door publicly accessible with WAF policy disabled — open to L7 attacks and OWASP Top 10.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az network front-door waf-policy create --name wafp-titan --resource-group rg-titan-demo --mode Prevention 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: HIGH business risk — active exposure; fix required immediately. Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach. Scope: single resource (afd-titan-frontend). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Azure Front Door publicly accessible with WAF policy disabled — open to L7 attacks and OWASP Top 10.
1. TITAN auto-captured snapshot of afd-titan-frontend before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans afd-titan-frontend immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az network front-door waf-policy create --name wafp-titan --resource-group rg-titan-demo --mode Prevention
Azure Front Door publicly accessible with WAF policy disabled — open to L7 attacks and OWASP Top 10. Recommended Fix: az network front-door waf-policy create --name wafp-titan --resource-group rg-titan-demo --mode Prevention Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
Databricks workspace 'dbw-titan-analytics' has public network access enabled and no VNet injection — cluster traffic leaves the Azure backbone.
Databricks workspace 'dbw-titan-analytics' has public network access enabled and no VNet injection — cluster traffic leaves the Azure backbone.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: Re-deploy workspace with enableNoPublicIp=true + customVirtualNetworkId set to rg-titan-demo/vnet-titan-data/snet-databricks-private 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (dbw-titan-analytics). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Databricks workspace 'dbw-titan-analytics' has public network access enabled and no VNet injection — cluster traffic leaves the Azure backbone.
1. TITAN auto-captured snapshot of dbw-titan-analytics before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans dbw-titan-analytics immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
Re-deploy workspace with enableNoPublicIp=true + customVirtualNetworkId set to rg-titan-demo/vnet-titan-data/snet-databricks-private
Databricks workspace 'dbw-titan-analytics' has public network access enabled and no VNet injection — cluster traffic leaves the Azure backbone. Recommended Fix: Re-deploy workspace with enableNoPublicIp=true + customVirtualNetworkId set to rg-titan-demo/vnet-titan-data/snet-databricks-private Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
S3 bucket 's3-titan-customer-exports' has publicly accessible objects via BlockPublicAcls=false — exports of customer PII are exposed.
S3 bucket 's3-titan-customer-exports' has publicly accessible objects via BlockPublicAcls=false — exports of customer PII are exposed.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: aws s3api put-public-access-block --bucket s3-titan-customer-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: HIGH business risk — active exposure; fix required immediately. Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach. Scope: single resource (s3-titan-customer-exports). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: S3 bucket 's3-titan-customer-exports' has publicly accessible objects via BlockPublicAcls=false — exports of customer PII are exposed.
1. TITAN auto-captured snapshot of s3-titan-customer-exports before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans s3-titan-customer-exports immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
aws s3api put-public-access-block --bucket s3-titan-customer-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true
S3 bucket 's3-titan-customer-exports' has publicly accessible objects via BlockPublicAcls=false — exports of customer PII are exposed. Recommended Fix: aws s3api put-public-access-block --bucket s3-titan-customer-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
Security group 'sg-titan-rds' allows MySQL (port 3306) from 0.0.0.0/0 — RDS is directly exposed to the internet. Firewall policy violation.
Security group 'sg-titan-rds' allows MySQL (port 3306) from 0.0.0.0/0 — RDS is directly exposed to the internet. Firewall policy violation.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d --protocol tcp --port 3306 --cidr 0.0.0.0/0 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (sg-titan-rds). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Security group 'sg-titan-rds' allows MySQL (port 3306) from 0.0.0.0/0 — RDS is directly exposed to the internet. Firewall policy violation.
1. TITAN auto-captured snapshot of sg-titan-rds before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans sg-titan-rds immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d --protocol tcp --port 3306 --cidr 0.0.0.0/0
Security group 'sg-titan-rds' allows MySQL (port 3306) from 0.0.0.0/0 — RDS is directly exposed to the internet. Firewall policy violation. Recommended Fix: aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d --protocol tcp --port 3306 --cidr 0.0.0.0/0 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Azure 6.2, NIST SC-7, PCI DSS 1.2.1
GCS bucket 'gs-titan-logs' has allUsers with Storage Object Viewer — logs containing request IDs and internal endpoints are publicly readable.
GCS bucket 'gs-titan-logs' has allUsers with Storage Object Viewer — logs containing request IDs and internal endpoints are publicly readable.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: gcloud storage buckets remove-iam-policy-binding gs://gs-titan-logs --member=allUsers --role=roles/storage.objectViewer 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (gs-titan-logs). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: GCS bucket 'gs-titan-logs' has allUsers with Storage Object Viewer — logs containing request IDs and internal endpoints are publicly readable.
1. TITAN auto-captured snapshot of gs-titan-logs before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans gs-titan-logs immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
gcloud storage buckets remove-iam-policy-binding gs://gs-titan-logs --member=allUsers --role=roles/storage.objectViewer
GCS bucket 'gs-titan-logs' has allUsers with Storage Object Viewer — logs containing request IDs and internal endpoints are publicly readable. Recommended Fix: gcloud storage buckets remove-iam-policy-binding gs://gs-titan-logs --member=allUsers --role=roles/storage.objectViewer Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, SOC 2 CC7.1
Cloud SQL 'csql-titan-orders' has ssl_mode=ALLOW (accepts unencrypted connections) and no customer-managed encryption key — order data at rest is only provider-encrypted.
Cloud SQL 'csql-titan-orders' has ssl_mode=ALLOW (accepts unencrypted connections) and no customer-managed encryption key — order data at rest is only provider-encrypted.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: gcloud sql instances patch csql-titan-orders --require-ssl --disk-encryption-key-name=projects/titan-ai-prod-882017/locations/us-central1/keyRings/titan-kr/cryptoKeys/titan-db-key 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: HIGH business risk — active exposure; fix required immediately. Business impact if unremediated: Potential data exfil, privilege escalation, or compliance breach. Scope: single resource (csql-titan-orders). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Cloud SQL 'csql-titan-orders' has ssl_mode=ALLOW (accepts unencrypted connections) and no customer-managed encryption key — order data at rest is only provider-encrypted.
1. TITAN auto-captured snapshot of csql-titan-orders before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans csql-titan-orders immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
gcloud sql instances patch csql-titan-orders --require-ssl --disk-encryption-key-name=projects/titan-ai-prod-882017/locations/us-central1/keyRings/titan-kr/cryptoKeys/titan-db-key
Cloud SQL 'csql-titan-orders' has ssl_mode=ALLOW (accepts unencrypted connections) and no customer-managed encryption key — order data at rest is only provider-encrypted. Recommended Fix: gcloud sql instances patch csql-titan-orders --require-ssl --disk-encryption-key-name=projects/titan-ai-prod-882017/locations/us-central1/keyRings/titan-kr/cryptoKeys/titan-db-key Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, PCI DSS 3.5
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every compute instance is exposed to the internet.
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every compute instance is exposed to the internet.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (fw-allow-all-ingress). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every compute instance is exposed to the internet.
1. TITAN auto-captured snapshot of fw-allow-all-ingress before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans fw-allow-all-ingress immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every compute instance is exposed to the internet. Recommended Fix: gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Azure 6.2, NIST SC-7, PCI DSS 1.2.1
NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222654Z). Finding: NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly a...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny
NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation. Recommended Fix: az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: HIPAA obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222654Z). Finding: Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-lev...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Storage account 'stgpublicblob01' has allowBlobPublicAccess=... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false
Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation. Recommended Fix: az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: HIPAA obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222654Z). Finding: SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryp...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of SQL database 'sqldb-phi-members' containing PHI has TDE (Tra... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled
SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation. Recommended Fix: az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1
IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: NIST obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222654Z). Finding: IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — o...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of IAM role 'role-finops-admin' has AdministratorAccess managed... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly
IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity. Recommended Fix: aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222654Z). Finding: GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to a...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCP firewall rule 'fw-allow-all-ingress' allows any protocol... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration. Recommended Fix: gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222819Z). Finding: NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly a...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny
NSG rule 'AllowSSHAll' permits SSH (port 22) inbound from 0.0.0.0/0 — publicly accessible firewall opening. Every VM in this subnet is exposed to internet-wide SSH brute-force. CIS_AZURE_6.2 violation. Recommended Fix: az network nsg rule update --name AllowSSHAll --nsg-name nsg-titan-webtier --resource-group rg-titan-demo --source-address-prefixes VirtualNetwork --access Deny Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: HIPAA obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222819Z). Finding: Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-lev...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Storage account 'stgpublicblob01' has allowBlobPublicAccess=... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false
Storage account 'stgpublicblob01' has allowBlobPublicAccess=true — container-level public access possible. Publicly accessible storage creates data-exfiltration risk. HIPAA §164.312(e)(1) / PCI DSS 1.3.4 violation. Recommended Fix: az storage account update --name stgpublicblob01 --resource-group rg-titan-demo --allow-blob-public-access false Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: HIPAA obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222819Z). Finding: SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryp...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of SQL database 'sqldb-phi-members' containing PHI has TDE (Tra... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled
SQL database 'sqldb-phi-members' containing PHI has TDE (Transparent Data Encryption) disabled. Unencrypted PHI at rest is a direct HIPAA §164.312(a)(2)(iv) violation. Recommended Fix: az sql db tde set --database sqldb-phi-members --server sql-titan-prod --resource-group rg-titan-demo --status Enabled Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1
IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: NIST obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222819Z). Finding: IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — o...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of IAM role 'role-finops-admin' has AdministratorAccess managed... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly
IAM role 'role-finops-admin' has AdministratorAccess managed policy attached — overly broad privilege for a finance operations role. Privilege escalation path if role is assumed by compromised identity. Recommended Fix: aws iam detach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess; aws iam attach-role-policy --role-name role-finops-admin --policy-arn arn:aws:iam::450367038821:policy/FinOpsReadOnly Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-killer-20260421T222819Z). Finding: GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to a...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCP firewall rule 'fw-allow-all-ingress' allows any protocol... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443
GCP firewall rule 'fw-allow-all-ingress' allows any protocol from 0.0.0.0/0 to all VMs tagged 'default' — every GCE instance is publicly accessible over every port. Massive firewall misconfiguration. Recommended Fix: gcloud compute firewall-rules update fw-allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --allowed=tcp:22,tcp:443 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
Storage account 'stgtitan1169' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: Storage account 'stgtitan1169' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az storage account update --name stgtitan1169 --resource-group rg-titan-live-20260421t223919z --allow-blob-public-access false 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Storage account 'stgtitan1169' has allowBlobPublicAccess=true — publicly accessi...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Storage account 'stgtitan1169' has allowBlobPublicAccess=tru... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az storage account update --name stgtitan1169 --resource-group rg-titan-live-20260421t223919z --allow-blob-public-access false
Storage account 'stgtitan1169' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation. Recommended Fix: az storage account update --name stgtitan1169 --resource-group rg-titan-live-20260421t223919z --allow-blob-public-access false Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
NSG 'nsg-titan-webtier-20260421t223919z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: NSG 'nsg-titan-webtier-20260421t223919z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t223919z --resource-group rg-titan-live-20260421t223919z --name AllowSSHAll 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (NSG 'nsg-titan-webtier-20260421t223919z' rule 'AllowSSHAll' permits SSH (port 22...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of NSG 'nsg-titan-webtier-20260421t223919z' rule 'AllowSSHAll' ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t223919z --resource-group rg-titan-live-20260421t223919z --name AllowSSHAll
NSG 'nsg-titan-webtier-20260421t223919z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation. Recommended Fix: az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t223919z --resource-group rg-titan-live-20260421t223919z --name AllowSSHAll Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Key Vault 'kv-titan-1211' has purge protection DISABLED. Destroyed secrets unrecoverable. CIS_AZURE_8.2 hardening gap.
Severity assessment: HIGH — material compliance gap or high-probability exploit vector. team approval required. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: Key Vault 'kv-titan-1211' has purge protection DISABLED. Destroyed secrets unrecoverable. CIS_AZURE_8.2 hardening gap.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az keyvault update --name kv-titan-1211 --resource-group rg-titan-live-20260421t223919z --enable-purge-protection true 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: MEDIUM (standard change with defined rollback) Blast radius: The change is scoped to a single cloud resource (Key Vault 'kv-titan-1211' has purge protection DISABLED. Destroyed secrets unrec...). Downstream dependencies (if any) are listed under 'Affected CIs'. Pre-change snapshot + automated rollback keeps risk bounded. Apply in next window. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Key Vault 'kv-titan-1211' has purge protection DISABLED. Des... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az keyvault update --name kv-titan-1211 --resource-group rg-titan-live-20260421t223919z --enable-purge-protection true
Key Vault 'kv-titan-1211' has purge protection DISABLED. Destroyed secrets unrecoverable. CIS_AZURE_8.2 hardening gap. Recommended Fix: az keyvault update --name kv-titan-1211 --resource-group rg-titan-live-20260421t223919z --enable-purge-protection true Rollback: TITAN pre-change snapshot captured automatically. Compliance: PCI DSS 3.5, HIPAA §164.312(a)(2)(iv)
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
S3 bucket 'titan-live-20260421t223919z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: S3 bucket 'titan-live-20260421t223919z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws s3api put-public-access-block --bucket titan-live-20260421t223919z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (S3 bucket 'titan-live-20260421t223919z-public-exports' has public-access-block D...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of S3 bucket 'titan-live-20260421t223919z-public-exports' has p... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws s3api put-public-access-block --bucket titan-live-20260421t223919z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true
S3 bucket 'titan-live-20260421t223919z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation. Recommended Fix: aws s3api put-public-access-block --bucket titan-live-20260421t223919z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Security group 'titan-live-20260421t223919z-rds-sg' (ID sg-09f893e4ace45e362) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: Security group 'titan-live-20260421t223919z-rds-sg' (ID sg-09f893e4ace45e362) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws ec2 revoke-security-group-ingress --group-id sg-09f893e4ace45e362 --protocol tcp --port 3306 --cidr 0.0.0.0/0 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Security group 'titan-live-20260421t223919z-rds-sg' (ID sg-09f893e4ace45e362) al...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Security group 'titan-live-20260421t223919z-rds-sg' (ID sg-0... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws ec2 revoke-security-group-ingress --group-id sg-09f893e4ace45e362 --protocol tcp --port 3306 --cidr 0.0.0.0/0
Security group 'titan-live-20260421t223919z-rds-sg' (ID sg-09f893e4ace45e362) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation. Recommended Fix: aws ec2 revoke-security-group-ingress --group-id sg-09f893e4ace45e362 --protocol tcp --port 3306 --cidr 0.0.0.0/0 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
GCS bucket 'gs-titan-public-1289' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: GCS bucket 'gs-titan-public-1289' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1289 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (GCS bucket 'gs-titan-public-1289' has allUsers:objectViewer — every object publi...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCS bucket 'gs-titan-public-1289' has allUsers:objectViewer ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1289 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522
GCS bucket 'gs-titan-public-1289' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk. Recommended Fix: gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1289 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522 Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
GCS bucket 'gs-titan-legacy-1314' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2.
Severity assessment: HIGH — material compliance gap or high-probability exploit vector. team approval required. Regulatory driver: SOC 2 obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T223919Z). Finding: GCS bucket 'gs-titan-legacy-1314' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud storage buckets update gs://gs-titan-legacy-1314 --uniform-bucket-level-access --project=adroit-terminus-234522 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: MEDIUM (standard change with defined rollback) Blast radius: The change is scoped to a single cloud resource (GCS bucket 'gs-titan-legacy-1314' is not using uniform bucket-level access — leg...). Downstream dependencies (if any) are listed under 'Affected CIs'. Pre-change snapshot + automated rollback keeps risk bounded. Apply in next window. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCS bucket 'gs-titan-legacy-1314' is not using uniform bucke... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud storage buckets update gs://gs-titan-legacy-1314 --uniform-bucket-level-access --project=adroit-terminus-234522
GCS bucket 'gs-titan-legacy-1314' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2. Recommended Fix: gcloud storage buckets update gs://gs-titan-legacy-1314 --uniform-bucket-level-access --project=adroit-terminus-234522 Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Storage account 'stgtitan1766' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: Storage account 'stgtitan1766' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az storage account update --name stgtitan1766 --resource-group rg-titan-live-20260421t224916z --allow-blob-public-access false 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Storage account 'stgtitan1766' has allowBlobPublicAccess=true — publicly accessi...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Storage account 'stgtitan1766' has allowBlobPublicAccess=tru... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az storage account update --name stgtitan1766 --resource-group rg-titan-live-20260421t224916z --allow-blob-public-access false
Storage account 'stgtitan1766' has allowBlobPublicAccess=true — publicly accessible. CIS_AZURE_3.7 violation. Recommended Fix: az storage account update --name stgtitan1766 --resource-group rg-titan-live-20260421t224916z --allow-blob-public-access false Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
NSG 'nsg-titan-webtier-20260421t224916z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: NSG 'nsg-titan-webtier-20260421t224916z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowSSHAll 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (NSG 'nsg-titan-webtier-20260421t224916z' rule 'AllowSSHAll' permits SSH (port 22...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of NSG 'nsg-titan-webtier-20260421t224916z' rule 'AllowSSHAll' ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowSSHAll
NSG 'nsg-titan-webtier-20260421t224916z' rule 'AllowSSHAll' permits SSH (port 22) from Internet — publicly accessible firewall opening. CIS_AZURE_6.2 violation. Recommended Fix: az network nsg rule delete --nsg-name nsg-titan-webtier-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowSSHAll Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
NSG 'nsg-titan-lab-20260421t224916z' rule 'AllowAny' permits ALL protocols on ALL ports from Internet — equivalent to no firewall. HIPAA §164.312(e)(1) transmission-security violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: HIPAA obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: NSG 'nsg-titan-lab-20260421t224916z' rule 'AllowAny' permits ALL protocols on ALL ports from Internet — equivalent to no firewall. HIPAA §164.312(e)(1) transmission-security violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): az network nsg rule delete --nsg-name nsg-titan-lab-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowAny 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (NSG 'nsg-titan-lab-20260421t224916z' rule 'AllowAny' permits ALL protocols on AL...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of NSG 'nsg-titan-lab-20260421t224916z' rule 'AllowAny' permits... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
az network nsg rule delete --nsg-name nsg-titan-lab-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowAny
NSG 'nsg-titan-lab-20260421t224916z' rule 'AllowAny' permits ALL protocols on ALL ports from Internet — equivalent to no firewall. HIPAA §164.312(e)(1) transmission-security violation. Recommended Fix: az network nsg rule delete --nsg-name nsg-titan-lab-20260421t224916z --resource-group rg-titan-live-20260421t224916z --name AllowAny Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Azure 6.2, NIST SC-7, PCI DSS 1.2.1
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Public DNS zone 'titan-demo-1896.local' was created without DNSSEC signing. DNS queries for this zone can be spoofed. CIS_AZURE_6.8.
Severity assessment: LOW — hygiene/best-practice drift; low business risk if deferred by one cycle. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: Public DNS zone 'titan-demo-1896.local' was created without DNSSEC signing. DNS queries for this zone can be spoofed. CIS_AZURE_6.8.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): Enable DNSSEC signing on zone (Azure Preview feature) OR consider using Azure Private DNS if zone is internal-only. 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: LOW (routine hardening) Blast radius: The change is scoped to a single cloud resource (Public DNS zone 'titan-demo-1896.local' was created without DNSSEC signing. DNS ...). Downstream dependencies (if any) are listed under 'Affected CIs'. Minimal blast radius. Safe to batch with other low-risk changes. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Public DNS zone 'titan-demo-1896.local' was created without ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
Enable DNSSEC signing on zone (Azure Preview feature) OR consider using Azure Private DNS if zone is internal-only.
Public DNS zone 'titan-demo-1896.local' was created without DNSSEC signing. DNS queries for this zone can be spoofed. CIS_AZURE_6.8. Recommended Fix: Enable DNSSEC signing on zone (Azure Preview feature) OR consider using Azure Private DNS if zone is internal-only. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Benchmark, SOC 2 CC6.1
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
S3 bucket 'titan-live-20260421t224916z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: S3 bucket 'titan-live-20260421t224916z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws s3api put-public-access-block --bucket titan-live-20260421t224916z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (S3 bucket 'titan-live-20260421t224916z-public-exports' has public-access-block D...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of S3 bucket 'titan-live-20260421t224916z-public-exports' has p... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws s3api put-public-access-block --bucket titan-live-20260421t224916z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true
S3 bucket 'titan-live-20260421t224916z-public-exports' has public-access-block DISABLED — objects in this bucket can be made publicly accessible. CIS_AWS_2.1.5 violation. Recommended Fix: aws s3api put-public-access-block --bucket titan-live-20260421t224916z-public-exports --public-access-block-configuration BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Security group 'titan-live-20260421t224916z-rds-sg' (ID sg-0131bd6f435d87962) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: Security group 'titan-live-20260421t224916z-rds-sg' (ID sg-0131bd6f435d87962) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws ec2 revoke-security-group-ingress --group-id sg-0131bd6f435d87962 --protocol tcp --port 3306 --cidr 0.0.0.0/0 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (Security group 'titan-live-20260421t224916z-rds-sg' (ID sg-0131bd6f435d87962) al...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Security group 'titan-live-20260421t224916z-rds-sg' (ID sg-0... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws ec2 revoke-security-group-ingress --group-id sg-0131bd6f435d87962 --protocol tcp --port 3306 --cidr 0.0.0.0/0
Security group 'titan-live-20260421t224916z-rds-sg' (ID sg-0131bd6f435d87962) allows MySQL (port 3306) from 0.0.0.0/0 — publicly accessible firewall opening to databases. CIS_AWS_5.2 violation. Recommended Fix: aws ec2 revoke-security-group-ingress --group-id sg-0131bd6f435d87962 --protocol tcp --port 3306 --cidr 0.0.0.0/0 Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, CIS Azure 6.2
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
Security group 'titan-live-20260421t224916z-egress-all' has default unrestricted egress (0.0.0.0/0 all protocols). Data-exfiltration risk if any workload in this SG is compromised.
Severity assessment: LOW — hygiene/best-practice drift; low business risk if deferred by one cycle. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: Security group 'titan-live-20260421t224916z-egress-all' has default unrestricted egress (0.0.0.0/0 all protocols). Data-exfiltration risk if any workload in this SG is compromised.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): aws ec2 revoke-security-group-egress --group-id sg-06b658fbb0e95b3ba --protocol -1 --cidr 0.0.0.0/0; then add specific egress rules. 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: LOW (routine hardening) Blast radius: The change is scoped to a single cloud resource (Security group 'titan-live-20260421t224916z-egress-all' has default unrestricted...). Downstream dependencies (if any) are listed under 'Affected CIs'. Minimal blast radius. Safe to batch with other low-risk changes. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of Security group 'titan-live-20260421t224916z-egress-all' has ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
aws ec2 revoke-security-group-egress --group-id sg-06b658fbb0e95b3ba --protocol -1 --cidr 0.0.0.0/0; then add specific egress rules.
Security group 'titan-live-20260421t224916z-egress-all' has default unrestricted egress (0.0.0.0/0 all protocols). Data-exfiltration risk if any workload in this SG is compromised. Recommended Fix: aws ec2 revoke-security-group-egress --group-id sg-06b658fbb0e95b3ba --protocol -1 --cidr 0.0.0.0/0; then add specific egress rules. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Azure 6.2, NIST SC-7, PCI DSS 1.2.1
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
GCS bucket 'gs-titan-public-1974' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk.
Severity assessment: CRITICAL — active exploit path, 0-day or internet-exposed asset. Meets ITIL 'security emergency' threshold. Regulatory driver: CIS obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: GCS bucket 'gs-titan-public-1974' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1974 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: HIGH (change risk: severity overrides defer-ability) Blast radius: The change is scoped to a single cloud resource (GCS bucket 'gs-titan-public-1974' has allUsers:objectViewer — every object publi...). Downstream dependencies (if any) are listed under 'Affected CIs'. Applying this fix during business hours is acceptable given exploit exposure. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCS bucket 'gs-titan-public-1974' has allUsers:objectViewer ... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1974 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522
GCS bucket 'gs-titan-public-1974' has allUsers:objectViewer — every object publicly accessible on the internet. CIS_GCP_5.1 violation, GDPR exposure risk. Recommended Fix: gcloud storage buckets remove-iam-policy-binding gs://gs-titan-public-1974 --member=allUsers --role=roles/storage.objectViewer --project=adroit-terminus-234522 Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
GCS bucket 'gs-titan-legacy-1996' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2.
Severity assessment: HIGH — material compliance gap or high-probability exploit vector. team approval required. Regulatory driver: SOC 2 obligation. Risk if deferred: Per industry telemetry, mean time to exploit a publicly-reachable misconfiguration of this class is measured in hours. Delaying this change extends exposure window and increases breach cost per IBM Cost of a Data Breach Report (avg $4.45M per incident). Detected by: TITAN AI agent unknown (scan titan-3cloud-20260421T224916Z). Finding: GCS bucket 'gs-titan-legacy-1996' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2.
1. PRE-CHANGE VERIFICATION (5 min) - Confirm TITAN pre-scan snapshot captured; snapshot ID in work notes. - Confirm no blocking dependencies (check 'Affected CIs' below). - Announce change start in #ops-change Slack channel. 2. APPLY FIX (primary command, auto-generated by TITAN): gcloud storage buckets update gs://gs-titan-legacy-1996 --uniform-bucket-level-access --project=adroit-terminus-234522 3. POST-CHANGE VERIFICATION (5 min) - Re-run TITAN targeted scan on the affected resource. - Confirm finding cleared (scan returns 0 matches for this finding_id). - Smoke-test dependent applications (see Test plan). 4. CLOSE - Update ticket state to Review -> Closed. - Attach scan-diff evidence (pre vs post). - If verification fails at step 3, execute Backout plan immediately.
Change risk level: MEDIUM (standard change with defined rollback) Blast radius: The change is scoped to a single cloud resource (GCS bucket 'gs-titan-legacy-1996' is not using uniform bucket-level access — leg...). Downstream dependencies (if any) are listed under 'Affected CIs'. Pre-change snapshot + automated rollback keeps risk bounded. Apply in next window. Worst-case failure mode: Change is rejected by the cloud API (network partition or permission drift). Impact: no state change on target resource; Backout plan is a no-op. Time to detect: immediate (non-zero exit code from fix command). Residual risk after successful fix: zero — the finding no longer exists. TITAN verifies this via post-change scan (see Implementation plan step 3).
If post-change verification fails or the fix causes a service disruption: 1. IMMEDIATE: Revert the resource to its pre-change state using the TITAN pre-scan snapshot (snapshot ID recorded in work notes at scan time). 2. Azure: az <resource-type> update ... (inverse of the apply command) OR az deployment group create --template-uri <pre-change ARM URI> 3. AWS: aws <service> ... (restore from snapshot or inverse IAM policy) 4. GCP: gcloud <service> ... update --rollback 5. Confirm rollback succeeded by re-running TITAN scan — the original finding should reappear (confirming the state was fully reverted). 6. Document the failure mode in 'Close notes' for the post-incident review. 7. Re-open this change with 'Rejected' disposition and spawn a parent Problem ticket for root-cause analysis.
Acceptance criteria (must all PASS to close this change): [ ] TITAN targeted re-scan of GCS bucket 'gs-titan-legacy-1996' is not using uniform bucke... returns ZERO matches for this finding_id. [ ] Resource remains in provisioning_state=Succeeded (Azure) / available (AWS) / RUNNING (GCP) immediately after change. [ ] Dependent applications pass smoke tests (HTTP 200 on health endpoints, auth still works for service accounts, DB connection-strings unchanged). [ ] No new alerts raised in Azure Monitor / CloudWatch / Cloud Monitoring in the 30 minutes following the change. [ ] Audit chain entry written: agent.change.applied event with pre/post hashes. Any FAIL triggers the Backout plan above. Evidence attached to 'Closure Information' tab.
gcloud storage buckets update gs://gs-titan-legacy-1996 --uniform-bucket-level-access --project=adroit-terminus-234522
GCS bucket 'gs-titan-legacy-1996' is not using uniform bucket-level access — legacy per-object ACLs enabled. Audit gap + inconsistent access control surface. CIS_GCP_5.2. Recommended Fix: gcloud storage buckets update gs://gs-titan-legacy-1996 --uniform-bucket-level-access --project=adroit-terminus-234522 Rollback: TITAN pre-change snapshot captured automatically. Compliance: HIPAA §164.312(e)(1), PCI DSS 3.4, SOC 2 CC6.1, CIS 1.x IAM
[TITAN FORGE] Fix command executed, post-scan verification PASS. No rollback required. Change closed successfully.
IAM user 'iam-user-titan-svc-backup' has no MFA enabled and 180-day-old access keys — credential compromise likelihood elevated.
High: IAM user 'iam-user-titan-svc-backup' has no MFA enabled and 180-day-old access keys — credential compromise likelihood elevated.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: aws iam update-access-key --user-name iam-user-titan-svc-backup --access-key-id AKIA... --status Inactive && aws iam create-access-key --user-name iam-user-titan-svc-backup 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (iam-user-titan-svc-backup). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: IAM user 'iam-user-titan-svc-backup' has no MFA enabled and 180-day-old access keys — credential compromise likelihood elevated.
1. TITAN auto-captured snapshot of iam-user-titan-svc-backup before change (baseline: titan-live-demo-20260421T213642Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans iam-user-titan-svc-backup immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
aws iam update-access-key --user-name iam-user-titan-svc-backup --access-key-id AKIA... --status Inactive && aws iam create-access-key --user-name iam-user-titan-svc-backup
IAM user 'iam-user-titan-svc-backup' has no MFA enabled and 180-day-old access keys — credential compromise likelihood elevated. Recommended Fix: aws iam update-access-key --user-name iam-user-titan-svc-backup --access-key-id AKIA... --status Inactive && aws iam create-access-key --user-name iam-user-titan-svc-backup Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, PCI DSS 3.5
IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
High: IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (iam-user-svc-backup). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
1. TITAN auto-captured snapshot of iam-user-svc-backup before change (baseline: titan-killer-20260421T222654Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans iam-user-svc-backup immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h.
IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14. Recommended Fix: aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, PCI DSS 3.5
2026-04-21 15:26:54 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222654Z). Severity: High (priority 2). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
Medium: Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers). 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (mi-orphan-app1). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
1. TITAN auto-captured snapshot of mi-orphan-app1 before change (baseline: titan-killer-20260421T222654Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans mi-orphan-app1 immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers).
Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface. Recommended Fix: az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers). Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:26:54 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222654Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
Medium: Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (u-jsmith-contractor). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
1. TITAN auto-captured snapshot of u-jsmith-contractor before change (baseline: titan-killer-20260421T222654Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans u-jsmith-contractor immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants.
Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled. Recommended Fix: Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Benchmark, SOC 2 CC6.1
2026-04-21 15:26:55 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222654Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
Low: No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: LOW risk — hygiene item, fix during normal maintenance. Business impact if unremediated: Minor deviation from baseline. Scope: single resource (alerts-prod-missing-rbac). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
1. TITAN auto-captured snapshot of alerts-prod-missing-rbac before change (baseline: titan-killer-20260421T222654Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans alerts-prod-missing-rbac immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write
No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation. Recommended Fix: az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:26:55 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222654Z). Severity: Low (priority 4). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
High: IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM-HIGH risk — misconfiguration with realistic exploit path. Business impact if unremediated: Increases attack surface; auditor finding likely. Scope: single resource (iam-user-svc-backup). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14.
1. TITAN auto-captured snapshot of iam-user-svc-backup before change (baseline: titan-killer-20260421T222819Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans iam-user-svc-backup immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h.
IAM user 'iam-user-svc-backup' has MFA disabled and 180-day-old access keys. Human service account posture non-compliant with CIS_AWS_1.14. Recommended Fix: aws iam update-access-key --user-name iam-user-svc-backup --access-key-id AKIA... --status Inactive; aws iam create-access-key --user-name iam-user-svc-backup; rotate credentials in callers within 24h. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, PCI DSS 3.5
2026-04-21 15:28:19 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222819Z). Severity: High (priority 2). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
Medium: Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers). 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (mi-orphan-app1). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface.
1. TITAN auto-captured snapshot of mi-orphan-app1 before change (baseline: titan-killer-20260421T222819Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans mi-orphan-app1 immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers).
Managed identity 'mi-orphan-app1' has no role assignments for past 90 days. Orphaned credentials widen attack surface. Recommended Fix: az identity delete --name mi-orphan-app1 --resource-group rg-titan-demo (after confirming no consumers). Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:28:20 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222819Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
Medium: Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (u-jsmith-contractor). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled.
1. TITAN auto-captured snapshot of u-jsmith-contractor before change (baseline: titan-killer-20260421T222819Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans u-jsmith-contractor immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants.
Azure AD user 'u-jsmith-contractor' has not signed in for 120 days. Per company policy, contractor accounts dormant >90d must be disabled. Recommended Fix: Disable AAD user account pending HR review. Revoke all app assignments and OAuth grants. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS Benchmark, SOC 2 CC6.1
2026-04-21 15:28:20 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222819Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
Low: No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: LOW risk — hygiene item, fix during normal maintenance. Business impact if unremediated: Minor deviation from baseline. Scope: single resource (alerts-prod-missing-rbac). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation.
1. TITAN auto-captured snapshot of alerts-prod-missing-rbac before change (baseline: titan-killer-20260421T222819Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans alerts-prod-missing-rbac immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write
No alert rule exists for 'Role Assignment Created at Subscription scope'. Detection gap for privilege escalation. Recommended Fix: az monitor activity-log alert create --name rbac-subscription-scope --condition category=Administrative AND operationName=Microsoft.Authorization/roleAssignments/write Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:28:20 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-killer-20260421T222819Z). Severity: Low (priority 4). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
IAM user 'titan-live-20260421t223919z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
Medium: IAM user 'titan-live-20260421t223919z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: Enforce MFA on user titan-live-20260421t223919z-svc-backup or rotate to SSO-backed identity. Audit last access date. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (titan-live-20260421t223919z-svc-backup). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: IAM user 'titan-live-20260421t223919z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
1. TITAN auto-captured snapshot of titan-live-20260421t223919z-svc-backup before change (baseline: titan-3cloud-20260421T223919Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans titan-live-20260421t223919z-svc-backup immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
Enforce MFA on user titan-live-20260421t223919z-svc-backup or rotate to SSO-backed identity. Audit last access date.
IAM user 'titan-live-20260421t223919z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14. Recommended Fix: Enforce MFA on user titan-live-20260421t223919z-svc-backup or rotate to SSO-backed identity. Audit last access date. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:42:20 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-3cloud-20260421T223919Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
GCP service account 'sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com' has no usage in 120 days and no key rotation schedule. Orphan credentials widen credential-theft blast radius.
Medium: GCP service account 'sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com' has no usage in 120 days and no key rotation schedule. Orphan credentials widen credential-theft blast radius.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: gcloud iam service-accounts delete sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com --project=adroit-terminus-234522 (after confirming no active consumers). 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: GCP service account 'sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com' has no usage in 120 days and no key rotation schedule. Orphan credentials widen credential-theft blast radius.
1. TITAN auto-captured snapshot of sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com before change (baseline: titan-3cloud-20260421T223919Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
gcloud iam service-accounts delete sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com --project=adroit-terminus-234522 (after confirming no active consumers).
GCP service account 'sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com' has no usage in 120 days and no key rotation schedule. Orphan credentials widen credential-theft blast radius. Recommended Fix: gcloud iam service-accounts delete sa-titan-orphan-1324@adroit-terminus-234522.iam.gserviceaccount.com --project=adroit-terminus-234522 (after confirming no active consumers). Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1, PCI DSS 3.5
2026-04-21 15:42:21 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-3cloud-20260421T223919Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
IAM user 'titan-live-20260421t224916z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
Medium: IAM user 'titan-live-20260421t224916z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
1. Pre-change snapshot captured by TITAN (auto-rollback available). 2. Execute fix command: Enforce MFA on user titan-live-20260421t224916z-svc-backup or rotate to SSO-backed identity. Audit last access date. 3. TITAN FORGE verifies the fix was applied. 4. Post-change rescan by TITAN SCOUT — finding must no longer appear. 5. Close ticket with Successful close_code.
Risk level: MEDIUM risk — weaker control, should be hardened. Business impact if unremediated: Control weakness that compounds with other gaps. Scope: single resource (titan-live-20260421t224916z-svc-backup). Blast radius: change is idempotent; pre-change snapshot captured by TITAN; auto-rollback available if rescan fails. Finding detail: IAM user 'titan-live-20260421t224916z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14.
1. TITAN auto-captured snapshot of titan-live-20260421t224916z-svc-backup before change (baseline: titan-3cloud-20260421T224916Z). 2. If post-change rescan still shows the finding OR a new issue appears within 15 min: a. TITAN FORGE fires rollback automatically using stored snapshot. b. Incident reopens and escalates to on-call. 3. Manual rollback command path (human override) is documented in close notes.
1. TITAN SCOUT rescans titan-live-20260421t224916z-svc-backup immediately after FORGE applies the change. 2. PASS criteria: the specific finding no longer appears in SCOUT results. 3. PASS criteria: no new CRITICAL or HIGH findings introduced by the change. 4. Automated compliance check: HIPAA/PCI/SOC2 controls re-evaluated. 5. If any check fails, backout plan fires automatically.
Enforce MFA on user titan-live-20260421t224916z-svc-backup or rotate to SSO-backed identity. Audit last access date.
IAM user 'titan-live-20260421t224916z-svc-backup' has no MFA enabled. Privileged operation account vulnerable to credential compromise. CIS_AWS_1.14. Recommended Fix: Enforce MFA on user titan-live-20260421t224916z-svc-backup or rotate to SSO-backed identity. Audit last access date. Rollback: TITAN pre-change snapshot captured automatically. Compliance: CIS 1.x IAM, NIST AC-2, SOC 2 CC6.1
2026-04-21 15:53:44 - System Administrator (Work notes) [TITAN CONDUIT] Incident auto-filed from security scan. Detecting agent: unknown (scan titan-3cloud-20260421T224916Z). Severity: Medium (priority 3). This is a hygiene/access-control issue that does not require a formal approval window. Assign to the listed team and resolve per their standard runbook. TITAN will auto-detect clearance on the next scan.
We point CONDUIT at your dev instance and run the same 3-cloud flow live in a 30-minute call. You keep the tickets + the teardown evidence.
Book the 30-min demo Back to CONDUIT