| Mode | When | One command |
|---|---|---|
| Trial | 14-day free key, online API issues it | .\titanai-quickstart.ps1 -Email you@co.com -Company "Co" |
| Prod | Paid tier, you bring the key | .\titanai-quickstart.ps1 -Mode prod -LicenseKey TITAN-XXX-XXX-XXX |
https://titanaisec.com/client/<name> — same for the demo orchestrator and the per-cloud demo scripts. Customer never sees git, never sees a personal repo URL, never has to clone anything.
For internal demos and customer screenshares: provisions a deliberately misconfigured environment in all three clouds, prompts the bundle picker, scans every cloud, optionally auto-fixes, then tears everything down. Total runtime ~25-35 min. Cost ~$15-20/day if left running — -AutoTeardown zeroes that out at the end.
.\demo\run-full-demo.ps1 -CloudProvider all -AutoTeardown -Email demo@yourco.com -Company "Demo Co"
| Phase | What runs |
|---|---|
| 1 | Provisions vulnerable Azure RG (NSG / Storage / KeyVault / SQL / App / Firewall) + AWS account (VPC / SG / S3 / RDS / IAM) + GCP project (Firewall / GCS / CloudSQL / SA) |
| 2 | Calls titanai-quickstart.ps1 — auto-detects all 3 clouds, prompts bundle 1-7, fetches license |
| 3 | Runs titanai-azure-live-scan.ps1 + titanai-aws-live-scan.ps1 + titanai-gcp-live-scan.ps1 in sequence. Each writes its own evidence pack: reports/azure-live/, reports/aws-live/, reports/gcp-live/ |
| 4 | Shows 24/7 monitoring summary — SCOUT/SENTINEL/COMPLY/SHADOW/ORACLE/WATCH/CONDUIT cadence |
| 5 | Tears down all 3 demo environments — AWS billing $0, Azure billing $0, GCP billing $0 |
Want only one cloud? Pass -CloudProvider azure or aws or gcp instead of all.
For paid customers running TITAN against their actual production cloud accounts. No demo provisioning — TITAN scans whatever Azure subscriptions, AWS accounts, or GCP projects the workstation is logged in to. Findings are reported first; no remediation runs until the customer re-invokes with -AutoFix.
# Step 1 - scan only, show what's broken .\client\titanai-quickstart.ps1 -Mode prod -LicenseKey TITAN-XXX-XXX-XXX # Step 2 - after the customer reviews findings, apply auto-remediation .\client\titanai-quickstart.ps1 -Mode prod -LicenseKey TITAN-XXX-XXX-XXX -AutoFix -AutoApprove
Restrict to a single cloud with -Cloud aws / -Cloud azure / -Cloud gcp. Default -Cloud auto hits every cloud the workstation is authenticated against.
For audit-ready continuous compliance, the new titanai-evidence-collector.ps1 wraps the live scanners, snapshots their output to ~/.titan-ai/evidence/<timestamp>/, and emits a delta.json showing exactly which findings appeared, were resolved, or persisted between runs — the artifact auditors keep asking for.
.\client\titanai-evidence-collector.ps1 -Tenant "Your Co"
Schedule hourly on Windows Task Scheduler:
schtasks /create /tn TITAN-Evidence /tr "pwsh -NoProfile -File C:\TITAN-AI\client\titanai-evidence-collector.ps1" /sc hourly
Or hourly on Linux/macOS via cron:
0 * * * * /usr/bin/pwsh -NoProfile -File /opt/titanai/client/titanai-evidence-collector.ps1
Every snapshot writes a manifest.json (what was scanned) and a delta.json (what changed since last). Both are signed-shareable with external auditors with no source-data exposure.
Visit titanaisec.com/trial for a free 14-day key, or titanaisec.com/subscribe to buy a production tier. The key carries your bundle entitlement; the installer activates only the agents your tier covers.
The runtime calls az login / aws configure / gcloud auth login as needed. Read-only Reader / SecurityReader / equivalent is enough for trial mode. Production mode needs Contributor or Security Admin to apply auto-fixes.
Windows 10/11 / Server 2016+ for PowerShell, or any modern Linux/macOS with bash. The installer bootstraps Python 3.12, Az / AWS / gcloud CLIs, and the TITAN runtime if not already present. Air-gapped environments use the AIRLOCK bundle (no outbound calls).
Cloud posture entry: SCOUT, COMPLY, AUDIT, WATCH, RECON, COMMAND CENTER.
Cloud + AI security: baseline 6 plus BASTION, SENTINEL, FORGE, SHADOW, SECURE CODE, AI GUARD.
Cloud Pro minus Secure Code, plus CONDUIT, PHI, ORACLE PORTAL PACK (HIPAA / HITRUST / PHI pack).
Baseline plus BASTION, SENTINEL, FORGE, SHADOW, AI GUARD (CSRIC / NIST / CISA pack).
Cloud Pro minus Secure Code, plus CONDUIT, FRAUD, AML (PCI / SOX / FFIEC / OCC pack).
Cloud Pro plus CONDUIT, FEDRAMP_CMMC (FedRAMP / CMMC / NIST 800-53 pack).
Healthcare bundle plus the V195 ORACLE Portal + Vendor Risk Pack: 5 detectors closing the leak patterns OCR has cited in every major Blue-plan settlement.
Pick the one that matches your situation. All three end with the same card-style HTML, PDF, DOCX, MD, and JSON evidence pack.
Use this when you want to scan the cloud account you are currently signed in to. The bundle script auto-detects whether az, aws, or gcloud is logged in and only scans what it can reach.
Invoke-WebRequest -UseBasicParsing https://titanaisec.com/client/titanai-healthcare.ps1 -OutFile titanai-healthcare.ps1 .\titanai-healthcare.ps1 -LicenseKey YOUR_LICENSE_KEY -Cloud auto
Substitute any tier name for healthcare. Override the auto-detect by passing -Cloud azure, -Cloud aws,gcp, etc.
Use this when your organization has multiple Azure subscriptions, AWS accounts, or GCP projects per environment and you want one report per environment.
Invoke-WebRequest -UseBasicParsing https://titanaisec.com/client/titanai-multi-env.ps1 -OutFile titanai-multi-env.ps1 .\titanai-multi-env.ps1 -LicenseKey YOUR_LICENSE_KEY -Bundle healthcare
The script discovers every subscription / account / project the workstation can reach, classifies each by name pattern (prod, dev, qa, test, stage, staging, uat, sandbox, preprod), runs the bundle in each, and writes a separate report tree per environment with an aggregate index.html on top. Filter to a subset with -Environments prod,dev.
Use this when you have not decided on a bundle yet or want a guided menu. Includes auto trial-license fetch.
Invoke-WebRequest -UseBasicParsing https://titanaisec.com/client/titanai-quickstart.ps1 -OutFile titanai-quickstart.ps1 .\titanai-quickstart.ps1 -Email you@yourcompany.com -Company "Your Company"
curl -fsSL https://titanaisec.com/client/titanai-healthcare.sh -o titanai-healthcare.sh chmod +x titanai-healthcare.sh ./titanai-healthcare.sh YOUR_LICENSE_KEY auto
Multi-environment bash variant ships in the same folder as titanai-quickstart.sh with the bundle picker, plus standalone titanai-multi-env.ps1 on Windows.
| Bundle | Windows command | Linux/macOS command |
|---|---|---|
| LAUNCH | .\titanai-launch.ps1 -LicenseKey KEY -Cloud azure | ./titanai-launch.sh KEY azure |
| CLOUD PRO | .\titanai-cloud.ps1 -LicenseKey KEY -Cloud azure,aws,gcp | ./titanai-cloud.sh KEY azure,aws,gcp |
| HEALTHCARE | .\titanai-healthcare.ps1 -LicenseKey KEY -Cloud azure | ./titanai-healthcare.sh KEY azure |
| TELECOM | .\titanai-telecom.ps1 -LicenseKey KEY -Cloud aws | ./titanai-telecom.sh KEY aws |
| BANKING | .\titanai-banking.ps1 -LicenseKey KEY -Cloud azure,aws,gcp | ./titanai-banking.sh KEY azure,aws,gcp |
| GOVERNMENT | .\titanai-government.ps1 -LicenseKey KEY -Cloud azure | ./titanai-government.sh KEY azure |
| ORACLE PRO | .\titanai-oracle-pro.ps1 -LicenseKey KEY -Cloud azure,aws,gcp | ./titanai-oracle-pro.sh KEY azure,aws,gcp |
| Phase | Time | What runs |
|---|---|---|
| Pre-flight | ~30 sec | TLS 1.2 enforced, NuGet provider check, PSGallery trust policy set. |
| Bootstrap | ~3 min (first install) | Python 3.12, Az / AWS / gcloud CLIs installed if missing. winget tries first, direct MSI fallback if winget not available. |
| Authenticate | ~1 min | Browser-based az login / aws configure / gcloud auth login as needed. |
| License check | ~5 sec | Validates license against https://titanaisec.com/api/license/verify, locks the agent set to your tier. |
| Bundle download | ~30 sec | Pulls the encrypted bundle for your tier from /api/bundle. |
| Scan | ~10-20 min | Runs every agent in your bundle against the clouds you specified. Read-only by default; auto-fix needs explicit consent. |
| Reports | ~30 sec | Card-style HTML drill-down + PDF + DOCX + MD + JSON written to ~/.titan-ai/reports/. |
The ORACLE Portal Pack on flagship and Healthcare tiers emits one email envelope per actionable finding (severity critical or high) plus a digest. By default these are routed to your administrator email; override with the TITAN_ALERT_TO environment variable.
Schedule a weekly aggregate report via Windows Task Scheduler or cron:
python ~/.titanai/agents/oracle_portal_pack.py --weekly-report --days 7
The digest covers every scan in the past 7 days and produces HTML, PDF, DOCX, MD, and JSON in ~/.titanai/reports/oracle-portal/weekly/.
| Symptom | Most likely cause | Fix |
|---|---|---|
| "Execution policy" error on Windows | PowerShell signed-script policy blocking unsigned local script | Run Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass in the same window first. |
| "License invalid" or 401 from license API | Trial expired, key truncated, or wrong tier | Re-fetch from titanaisec.com/trial; ensure the key starts with TITAN-. |
Bash script fails on macOS with set -euo pipefail | Default macOS bash is 3.x | Run with /bin/bash 4+ via Homebrew or use the PS1 version under PowerShell 7 for macOS. |
| Cloud CLI hangs at login | Browser SSO redirect blocked | Run with --device-code against Az; export AWS_PROFILE for AWS; gcloud auth login --no-launch-browser for GCP. |
| Scan finishes with zero findings | Account has no resources or read permissions denied | Verify with az account show / aws sts get-caller-identity; grant SecurityReader. |
~/.titanai/logs/install.log. Share that file with support and we will debug it within a business day.
Government bundle (and any tier with the AIRLOCK add-on) supports a fully offline install. Download the encrypted bundle on an internet-connected workstation, transfer to the air-gapped box on USB or one-way diode, and unpack with the offline installer. The runtime never makes outbound network calls; license verification uses a signed offline manifest. See the air-gapped section in your subscription confirmation.