Tier: CLOUD_PRO   |   Pricing: Contact sales   |   Agents (10): scout, comply, audit, bastion, sentinel, forge, shadow, watch, secure_code, ai_guard   |   Scan date: 2026-05-09
Total Findings: 66   |   Critical: 34   |   High: 21   |   Medium: 2   |   Low: 9   |   INC Auto-Fixed (FORGE): 23   |   CHG Awaiting Approval: 43

FINDINGS (66)

CRITICAL   |   audit   |   P90   |   INC AUTO-FIXED   |   INC83462132A8A

Audit logging not enabled at platform level

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34
Detector: AUD-001
Enable audit logging on the platform. Without it, no detection or forensics is possible.
FORGE Auto-Fix Applied:
Playbook: FRG-009
Action: Enable cloud audit logging across all regions
Command: Enable provider-native audit logging with multi-region delivery
Citation: HIPAA 164.312(b); PCI-DSS 10.1; SOC 2 CC4.1; NIST 800-53 AU-2
CRITICAL   |   bastion   |   P90   |   INC AUTO-FIXED   |   INC83462137208

Firewall rule allows 0.0.0.0/0 inbound on management port (22, 3389, 5985, 5986)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/networkSecurityGroups/titan-permissive-nsg
Detector: BAS-001
Restrict management access to corporate / VPN CIDR ranges. Use bastion host or session manager for admin access.
FORGE Auto-Fix Applied:
Playbook: FRG-001
Action: Revoke 0.0.0.0/0 inbound rule on management port
Command: az network nsg rule update --name <rule> --source-address-prefixes <corp-cidr>
Citation: CIS Azure 6.1; CIS AWS 5.2; NIST 800-53 SC-7; HIPAA 164.312(e)(1)
CRITICAL   |   bastion   |   P90   |   INC AUTO-FIXED   |   INC834621333AB

Firewall rule allows 0.0.0.0/0 inbound on management port (22, 3389, 5985, 5986)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/networkSecurityGroups/titan-vuln-nsg
Detector: BAS-001
Restrict management access to corporate / VPN CIDR ranges. Use bastion host or session manager for admin access.
FORGE Auto-Fix Applied:
Playbook: FRG-001
Action: Revoke 0.0.0.0/0 inbound rule on management port
Command: az network nsg rule update --name <rule> --source-address-prefixes <corp-cidr>
Citation: CIS Azure 6.1; CIS AWS 5.2; NIST 800-53 SC-7; HIPAA 164.312(e)(1)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG834621317A0

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/7447ee4a-22cc-45bb-96a9-5ae6b0cd4bc6
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213349B

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/b7c61e84-2339-46cb-8203-0f250c814176
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG834621308DF

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/ad84b263-bcde-5c41-8308-afab0125f190
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462137CF3

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/446cf0d0-f9ab-52e8-87e1-869a4fa91957
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213754B

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/47590a88-f60a-40b9-83c7-2e70fcd0c6a7
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213E27E

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/d5ed883c-551e-4678-bf7f-578253a4c740
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG834621351AA

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/e9b180ff-84d4-40d5-0094-03e1d9324d0b
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   bastion   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462133654

Privileged AD / IAM group has member outside approved baseline

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/bbe025e4-fbf2-6862-a036-83ead4b79939
Detector: BAS-005
Review and revoke. Privileged group membership must match approved access list. Investigate when added and by whom.
Manual change required (CHG):
Remove from privileged group. Audit who added them via Security log Event 4728 / 4732. Document approved baseline in identity governance tool.
Citation: NIST 800-53 AC-6; CIS AD 1.1; HIPAA 164.308(a)(4)
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC8346213CCDE

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanaudit9247
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC8346213F9C3

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanbank8663
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC8346213CB1D

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titangov9211
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC83462130085

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanlogs11615
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC834621373D4

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphi1988
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC8346213E4AB

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanprod14609
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC83462132D97

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titantel7568
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   comply   |   P90   |   INC AUTO-FIXED   |   INC8346213CB86

PHI / cardholder data transmitted without TLS 1.2 or higher

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanvuln20260508144
Detector: CMP-002
Enforce TLS 1.2 minimum on all endpoints handling PHI / CHD. Disable TLS 1.0 and 1.1. Reject SSL.
FORGE Auto-Fix Applied:
Playbook: FRG-010
Action: Set minimum TLS version to 1.2 on endpoint
Command: az appservice plan update --min-tls-version 1.2 / ELBSecurityPolicy-TLS13-1-2-2021-06
Citation: HIPAA 164.312(e)(1); PCI-DSS 4.1; SOC 2 CC6.7
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213EA49

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanbank8663
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213672B

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanbank8663
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462130FB8

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titangov9211
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462132E6C

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titangov9211
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462137503

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphi1988
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG834621377C5

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphi1988
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462132870

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanprod14609
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213DF4C

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanprod14609
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG83462134173

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titantel7568
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG834621381DB

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titantel7568
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213DEC0

Storage bucket / container is publicly readable

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanvuln20260508144
Detector: SCT-001
Remove public ACLs and require authenticated access. Enable bucket-level public access blocks at the account level.
Manual change required (CHG):
AWS: aws s3api put-public-access-block; Azure: az storage container set --public-access off; GCP: gsutil iam ch -d allUsers gs://<bucket>
Citation: CIS Azure 3.1; CIS AWS 2.1.5; CIS GCP 5.1; HIPAA 164.312(a)(1)
CRITICAL   |   scout   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213B8ED

Storage account allows anonymous (public) blob access

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanvuln20260508144
Detector: SCT-010
Disable anonymous access at the account level. Even if individual containers are private, account-level anonymous access is a misconfiguration risk.
Manual change required (CHG):
Azure: az storage account update --allow-blob-public-access false; AWS: account-level Block Public Access; GCP: bucket-level uniform access
Citation: HIPAA 164.312(a)(1); PCI-DSS 7.1; CIS Azure 3.6
CRITICAL   |   scout   |   P90   |   INC AUTO-FIXED   |   INC8346213B2A7

Security group permits 0.0.0.0/0 on sensitive port (22, 3389, 1433, 3306, 5432, 6379, 27017)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/networkSecurityGroups/titan-permissive-nsg
Detector: SCT-002
Scope inbound CIDRs to specific corporate or VPN ranges. Use a bastion host or session manager for admin access.
FORGE Auto-Fix Applied:
Playbook: FRG-001
Action: Revoke 0.0.0.0/0 inbound rule on management port
Command: az network nsg rule update --name <rule> --source-address-prefixes <corp-cidr> / aws ec2 revoke-security-group-ingress
Citation: CIS Azure 6.2; CIS AWS 5.2; CIS GCP 3.6; PCI-DSS 1.2.1
CRITICAL   |   scout   |   P90   |   INC AUTO-FIXED   |   INC83462135FC9

Security group permits 0.0.0.0/0 on sensitive port (22, 3389, 1433, 3306, 5432, 6379, 27017)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Network/networkSecurityGroups/titan-vuln-nsg
Detector: SCT-002
Scope inbound CIDRs to specific corporate or VPN ranges. Use a bastion host or session manager for admin access.
FORGE Auto-Fix Applied:
Playbook: FRG-001
Action: Revoke 0.0.0.0/0 inbound rule on management port
Command: az network nsg rule update --name <rule> --source-address-prefixes <corp-cidr> / aws ec2 revoke-security-group-ingress
Citation: CIS Azure 6.2; CIS AWS 5.2; CIS GCP 3.6; PCI-DSS 1.2.1
CRITICAL   |   sentinel   |   P90   |   CHG AWAITING APPROVAL   |   CHG8346213257F

Lateral movement indicator (RDP/WinRM/SSH from atypical source)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.KeyVault/vaults/titan-kv-62854
Detector: SEN-003
Isolate source host. Investigate for compromise. Common post-exploitation pattern.
Manual change required (CHG):
Network-isolate source, EDR scan, hunt for related auth events on other targets in last 24h
Citation: MITRE ATT&CK T1021; NIST 800-53 SI-4
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG834621366D7

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.KeyVault/vaults/titan-kv-62854
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG834621319C0

Compute instance has public IP and is reachable from the internet

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/TITAN-TIER-TEST-20260508-144346/providers/Microsoft.Compute/virtualMachines/titan-linux-9407
Detector: SCT-006
Move sensitive workloads to private subnets. Use load balancer / API gateway as the only public ingress.
Manual change required (CHG):
Detach public IP; route ingress through ALB/Application Gateway with WAF in front
Citation: CIS Azure 6.5; CIS AWS 4.1; HIPAA 164.312(e)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG83462134C44

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/7447ee4a-22cc-45bb-96a9-5ae6b0cd4bc6
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG8346213AC05

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/b7c61e84-2339-46cb-8203-0f250c814176
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG8346213CC4E

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/ad84b263-bcde-5c41-8308-afab0125f190
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG834621372E8

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/446cf0d0-f9ab-52e8-87e1-869a4fa91957
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG83462130ECA

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/47590a88-f60a-40b9-83c7-2e70fcd0c6a7
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG83462139452

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/d5ed883c-551e-4678-bf7f-578253a4c740
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG8346213F5DD

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/e9b180ff-84d4-40d5-0094-03e1d9324d0b
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   CHG AWAITING APPROVAL   |   CHG83462137751

Service account / managed identity holds admin (Owner / Contributor / *) grants

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/providers/Microsoft.Authorization/roleAssignments/bbe025e4-fbf2-6862-a036-83ead4b79939
Detector: SCT-011
Apply least-privilege custom roles. Service accounts should hold only the permissions they actually use.
Manual change required (CHG):
Replace admin role with scoped custom role. AWS: aws iam create-policy + attach; Azure: az role assignment delete + create with custom role
Citation: NIST 800-53 AC-6; CIS Azure 1.21; CIS AWS 1.16; HIPAA 164.312(a)(1)
HIGH   |   scout   |   P75   |   INC AUTO-FIXED   |   INC83462131B36

Cloud audit logging not enabled (CloudTrail / Activity Log / Cloud Audit Logs)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34
Detector: SCT-007
Enable audit logging across all regions. Ship logs to immutable storage (S3 with object-lock / Azure Storage immutable / GCS retention).
FORGE Auto-Fix Applied:
Playbook: FRG-009
Action: Enable cloud audit logging across all regions
Command: az monitor diagnostic-settings create / aws cloudtrail create-trail --is-multi-region-trail
Citation: HIPAA 164.312(b); PCI-DSS 10.2; CIS Azure 5.1; CIS AWS 3.1
HIGH | sentinel | P75 | CHG AWAITING APPROVAL | CHG83462132684

Anomalous login pattern (geo / time / device > 3-sigma deviation)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/databricks-rg-titan-dbw-f7c026e8-qxwra6mczld49/providers/Microsoft.Network/networkSecurityGroups/workers-sg
Detector: SEN-001
Anomalous login pattern (geo / time / device > 3-sigma deviation)
Step up to MFA. Investigate user. Common ATO indicator.
Manual change required (CHG):
Trigger session re-auth with hardware token. Notify customer via secondary channel
Citation: MITRE ATT&CK T1078; NIST 800-53 SI-4
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG83462136556

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/databricks-rg-titan-dbw-f7c026e8-qxwra6mczld49/providers/Microsoft.Storage/storageAccounts/dbstoragejcdyzp6tlwjsq
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG834621383B8

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanaudit9247
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213BE9E

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanbank8663
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213C9FE

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titangov9211
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213241C

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanlogs11615
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213E9F4

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphi1988
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213CD62

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanprod14609
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG834621324BB

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titantel7568
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
HIGH | watch | P75 | CHG AWAITING APPROVAL | CHG8346213DD4F

Configuration drift on critical resource (deviated from approved baseline)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanvuln20260508144
Detector: WCH-001
Configuration drift on critical resource (deviated from approved baseline)
Investigate drift cause. Restore baseline or document approved exception via change ticket.
Manual change required (CHG):
Run config management remediation; verify against baseline; update baseline if intentional
Citation: NIST 800-53 CM-2; CIS Critical Controls 5
MEDIUM | comply | P55 | CHG AWAITING APPROVAL | CHG8346213C402

Encryption keys not rotated within policy period

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34
Detector: CMP-013
Encryption keys not rotated within policy period
Rotate KMS keys annually for cardholder data, every 2 years for general PHI. Document rotation events.
Manual change required (CHG):
Enable automatic key rotation in cloud KMS (AWS KMS auto-rotate, Azure Key Vault key rotation policy, GCP KMS scheduled rotation)
Citation: PCI-DSS 3.6.4; NIST 800-57
MEDIUM | watch | P55 | CHG AWAITING APPROVAL | CHG8346213861D

Vulnerability count trending up over last 4 scans

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/TITAN-TIER-TEST-20260508-144346/providers/Microsoft.Compute/virtualMachines/titan-linux-9407
Detector: WCH-004
Vulnerability count trending up over last 4 scans
Investigate root cause. New vulns may indicate stale dependencies, new attack surface, or scan tool false-positive expansion.
Manual change required (CHG):
Review new vuln sources; align dev sprint capacity to remediation; quarterly vuln retrospective
Citation: NIST 800-53 RA-5
LOW | scout | P35 | INC AUTO-FIXED | INC834621305F5

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/databricks-rg-titan-dbw-f7c026e8-qxwra6mczld49/providers/Microsoft.Storage/storageAccounts/dbstoragejcdyzp6tlwjsq
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462135460

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanaudit9247
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462130E84

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanbank8663
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC8346213AE19

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titangov9211
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462133864

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanlogs11615
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462135436

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanphi1988
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC834621300D2

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanprod14609
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462136983

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titantel7568
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
LOW | scout | P35 | INC AUTO-FIXED | INC83462133FAD

Production resource missing required tags (env, owner, cost-center, data-class)

Resource: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Storage/storageAccounts/titanvuln20260508144
Detector: SCT-009
Production resource missing required tags (env, owner, cost-center, data-class)
Enforce tagging policy. Untagged resources cannot be inventoried for incident response or cost attribution.
FORGE Auto-Fix Applied:
Playbook: FRG-005
Action: Apply default tags to untagged production resource
Command: az tag update / aws resourcegroupstaggingapi tag-resources
Citation: NIST 800-53 CM-8; SOC 2 CC6.1
TITAN AI - CLOUD_PRO tier live proof - generated 2026-05-09
All 66 findings auto-forwarded to (Incident + Change Request tables)
titanaisec.com