TITAN GATEKEEPER

SEVEN COVERAGE DOMAINS — ONE AGENT

GATEKEEPER collapses what used to take 7 separate tools (firewall audit, cert monitor, DNS hygiene, AD assessor, GPO scanner, secrets scanner, PAM) into one always-on agent with auto-fix.

22 checks

🔥 NETWORK & FIREWALLS

Deep inspection of Azure NSGs, AWS Security Groups, GCP Firewall rules, load balancers and WAF policies.

ANY:ANY rules (0.0.0.0/0)
Exposed mgmt ports (22, 3389, 1433, 3306, 5432, 6379...)
Load balancers missing WAF
HTTP listeners without HTTPS redirect
Private Link / PrivateEndpoint gaps
Docker API (2375) / Kubelet (10250) exposures

18 checks

🔐 CERTIFICATES & TLS

Full lifecycle visibility across App Gateway, Front Door, ACM, Load Balancer, Cloud CDN and Key Vault.

Expiring in 7 / 30 / 60 days
Self-signed in production
Weak ciphers (RC4, 3DES, NULL)
TLS 1.0 / 1.1 / SSLv3 still enabled
Missing SAN, wrong CN
RSA < 2048, ECDSA < P-256

24 checks

🌐 DNS HYGIENE

Every DNS blind spot that attackers weaponize — takeover, spoofing, poisoning, info-leak.

Dangling CNAME / A records (subdomain takeover)
DNSSEC disabled
Missing / weak SPF, DKIM, DMARC
No CAA record (any CA can issue)
Open AXFR zone transfer
Dead MX / NS / wildcard records / ultra-low TTLs

26 checks

🏛 AD / GROUP POLICY / GPO

Active Directory + Entra ID + on-prem GPO exposure — the #1 ransomware entry path.

Weak password policy (< 14 char, no complexity)
Account lockout threshold too high
Audit policy gaps (logon, object, privilege)
Kerberoastable SPNs
Unconstrained Delegation on accounts
Dangerous User Rights on non-admins (SeBackup, SeDebug, SeImpersonate)

28 checks

🔑 SECRETS

Finds credentials where they should never be — code, configs, env vars, logs.

Hardcoded AWS / Azure / GCP keys
Stripe, Twilio, SendGrid, OpenAI, Anthropic keys
Private keys, JWTs, DB connection URIs
Expired Key Vault / Secrets Manager entries
No-rotation secrets (>365 days)
Plaintext creds in app-service env vars

14 checks

👤 SERVICE ACCOUNTS

The forgotten identities that every pentester pivots through first.

Dormant > 90 days
Over-privileged (Domain Admins, Backup Operators...)
Password-never-expires flag
No MFA + not managed identity
Used for interactive logins (shouldn't be)
Running with SYSTEM / LocalSystem context

8 checks

🔗 VPN & TUNNELS

Site-to-site, ExpressRoute, Direct Connect, Cloud Interconnect — every link scanned.

IKEv1 weak tunnels
Weak IPSec proposals (SHA-1, 3DES)
Dormant tunnels (>90 days idle)
Split-tunnel misconfigurations
Missing dead-peer detection

42 controls

📜 COMPLIANCE MAPPING

Every finding tagged to the exact framework control — audit-ready the second it's found.

HIPAA 164.308, 164.312
NIST 800-53 (AC, SC, IA, AU)
PCI-DSS 1, 2, 4, 6, 7, 8
ISO 27001 A.9, A.13, A.18
CIS Benchmarks (Azure, AWS, GCP, Windows)
FedRAMP High, CMMC Level 3

AI-powered

🧠 AUTO-REMEDIATION

Every critical / high finding gets a Claude-generated (or local-LLM-generated) fix plan. Human-approval gate before execution.

Azure CLI / AWS CLI / gcloud commands
Rollback command for every fix
Pre-check validation steps
HIPAA / NIST citation on every action
Destructive commands auto-rejected
Full audit trail — who, what, when, why

FIND IT. FIX IT.

WHAT GATEKEEPER FINDS

RDP port 3389 exposed to 0.0.0.0/0 on production NSG
api.acme.com certificate expired 4 days ago
Dangling CNAME staging.acme.com → decommissioned Azure VM (takeover)
Default Domain Policy: MinimumPasswordLength=8 (needs 14)
Service account svc_sql is Kerberoastable + in Domain Admins
Hardcoded AWS access key in app config 'billing-api'
dmarc.acme.com set to p=none (phishing-wide-open)
Load balancer prod-lb accepts HTTP with no redirect

WHAT GATEKEEPER FIXES — AUTOMATICALLY

Restricts 3389 to corporate CIDR, logs change to audit trail
Triggers Key Vault renewal + updates App Gateway binding
Deletes dangling CNAME or re-points to valid target
Pushes Set-GPRegistryValue to raise password policy
Removes svc_sql from Domain Admins, enables AES-only
Rewrites app setting as @Microsoft.KeyVault(SecretUri=...)
Upgrades DMARC to p=reject with DKIM alignment
Adds HTTPS redirect rule, disables HTTP listener

⚡ WORKS WITH OR WITHOUT INTERNET

GATEKEEPER is the first network security agent that works identically in a fully air-gapped DMZ. Same code, same fixes — the LLM is the only thing that changes.

NORMAL MODE

Routes through Anthropic Claude API over HTTPS. Best-in-class accuracy, latest model, full context window. Ideal for commercial cloud + hybrid customers.

AIRLOCK MODE

Zero outbound internet. All AI fixes generated by local Llama 3 / Phi-3 running on customer GPU inside DMZ. FedRAMP High, CMMC L3, SCADA/ICS, defense, banking-DMZ — covered.

Live Demo

EVERY SCAN → FULL CLIENT REPORT

The moment GATEKEEPER finishes scanning + fixing, the client gets a complete multi-format report showing what was flagged, why it was flagged, how it was fixed, and which compliance control it maps to.

HTML

Interactive, drill-down, color-coded. Opens in any browser. Filter by severity / category / framework.

PDF

Print-ready executive report. Perfect for board packets and third-party auditors.

DOCX

Full Microsoft Word version with findings table. Edit, annotate, forward to compliance team.

JSON

Structured export for SIEM / GRC / Jira / ServiceNow integration. Every finding machine-parseable.

Every TITAN agent — all 21 — now emits all four formats by default. No extra configuration needed.

AZURE • AWS • GCP

THE NETWORK & IDENTITY BLIND SPOT