iwr https://downloads.titanaisec.com/deploy-titan.ps1 -OutFile deploy.ps1; .\deploy.ps1 -LicenseKey YOUR_KEY -Vertical healthcare
WHAT THE SCRIPT DOES FOR YOU
Script computes its own SHA-256 and sends it to the license server. If anyone has modified the script, the server REJECTS execution and TITAN AI security is alerted. You always run the original.
Your --license=KEY is validated once. The server returns a short-lived signed URL to download the encrypted agent bundle. Offline-token available for air-gapped deployment.
Verifies Python 3.11+, checks for az, aws, gcloud CLIs. Auto-prints install URLs for anything missing. No silent failures.
Agent bundle is AES-256 encrypted at rest. Downloaded over TLS 1.2+, SHA-256 verified, then decrypted with a key derived from your license. Tampered bundles never run.
Creates a clean virtual environment and installs dependencies. Nothing pollutes your system Python.
Detects current cloud auth, queries what roles you already have, and lists exactly what's missing. Offers (with your consent) to create a least-privilege read-only service principal. Revoke anytime.
If --airlock: starts local Llama 3 LLM on 127.0.0.1:11434. Otherwise: uses Claude API for AI smart-fix. Either way, zero inbound ports opened.
TITAN CONDUCTOR — our supervisor agent — reads your license, detects your package, enforces mode (trial/prod), and activates ONLY the agents you paid for. Reports written to ~/titan-ai/reports/ in HTML + PDF + DOCX + JSON.
THE SUPERVISOR AGENT THAT RUNS YOUR PACKAGE — NOTHING MORE, NOTHING LESS
| Package | Price | Agents Activated | Clouds |
|---|---|---|---|
| oracle-only | $150K/yr | PROMPTGUARD | licensed scope |
| lattice-only | $150K/yr | LAKEHOUSE | licensed scope |
| flux-only | $150K/yr | PIPELINE | licensed scope |
| bastion-only | $150K/yr | GATEKEEPER | licensed scope |
| trinity | $350K/yr | PROMPTGUARD + LAKEHOUSE + PIPELINE | licensed scope |
| full-suite | $579,900/yr | Platform + PromptGuard + Lakehouse + Pipeline + Gatekeeper (25 agents) | Azure + AWS + GCP |
| enterprise-airlock | $749,900+/yr | All 25 agents + AIRLOCK mode | Azure + AWS + GCP + DMZ |
| +banking overlay | +$49K/yr | +Fraud, +AML, +KYC, +BankingCompliance | stacks on base |
| +healthcare overlay | +$29K/yr | +PHI classifiers, +Epic/Cerner connectors | stacks on base |
| +telecom overlay | +$39K/yr | +Telco, +CPNI, +STIR/SHAKEN, +E-911 | stacks on base |
| trial-14d | FREE 14 days | All agents (read-only exploration) | all |
EXACTLY WHAT THE SCRIPT REQUESTS, PER CLOUD
| Cloud | TRIAL (read-only) | PROD (scan + approval-gated fixes) | Destructive? |
|---|---|---|---|
| Azure | Reader, Security Reader, Key Vault Reader, Monitoring Reader — NEVER writes | Same as trial + Network Contributor, Storage Account Contributor, Key Vault Contributor — only used after human approval | NO — delete/drop/group-delete hard-blocked |
| AWS | SecurityAudit, ReadOnlyAccess — NEVER writes | Same as trial + scoped write policies for the exact remediations proposed (e.g. Security Group tighten) | NO — AWS-managed read-only baseline |
| GCP | roles/iam.securityReviewer, roles/viewer — NEVER writes | Same as trial + narrow service-specific roles (compute.networkAdmin, etc.) scoped to approved fix targets | NO — predefined read-only baseline |
| On-prem AD | Read-only LDAP bind (no DA) — NEVER modifies AD | Same as trial + delegated write on SPECIFIC OUs/GPOs approved in the UI | NO — read-only bind in trial |
| AIRLOCK mode | Same cloud perms + localhost-only for LLM | Same cloud perms + localhost-only. All fixes local-LLM-generated, human-approved, then executed. | NO — fully isolated |
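An added example (not TITAN AI code) for checking the Azure row of this table after a trial deploy: it compares the roles a service principal actually holds with the four trial roles listed above. The function name, the sample JSON and the `$SP_ID` variable are assumptions made for this example.

```powershell
# Trial-mode Azure roles, copied from the table above.
$TrialRoles = @('Reader', 'Security Reader', 'Key Vault Reader', 'Monitoring Reader')

function Compare-TrialRoleAssignments {   # hypothetical helper name
    param(
        # Parsed output of `az role assignment list --output json`
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assignments,
        [string[]] $Allowed = $TrialRoles
    )
    $held = @($Assignments | ForEach-Object { $_.roleDefinitionName } | Sort-Object -Unique)
    [pscustomobject]@{
        # Roles held that the trial column does not list (write-capable roles show up here)
        Unexpected = @($held | Where-Object { $_ -notin $Allowed })
        # Roles the trial column lists that were not granted
        Missing    = @($Allowed | Where-Object { $_ -notin $held })
        # Every scope a role is bound at, so subscription-wide grants are visible
        Scopes     = @($Assignments | ForEach-Object { $_.scope } | Sort-Object -Unique)
        Compliant  = -not ($held | Where-Object { $_ -notin $Allowed })
    }
}

# Constructed sample in the shape of `az role assignment list` output.
$sampleJson = @'
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Storage Account Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample"}
]
'@

$result = Compare-TrialRoleAssignments -Assignments ($sampleJson | ConvertFrom-Json)
$result | Format-List

# Live use, with $SP_ID set to the service principal id printed at the end of deploy:
# $live = az role assignment list --assignee $SP_ID --all --output json |
#         Out-String | ConvertFrom-Json
# Compare-TrialRoleAssignments -Assignments $live
```

On the constructed sample the report flags Storage Account Contributor as unexpected, because the table lists it only in the PROD column.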
SAME SCRIPT. ONE FLAG CHANGES THE AGENT SET.
Adds HIPAA-specific PHI classifiers (ICD-10, HL7, FHIR), Epic / Cerner / Meditech connectors, 164.308 + 164.312 evidence.
./deploy-titan.sh --license=KEY --mode=trial --vertical=healthcare --cloud=all
Adds Fraud, AML, KYC, BankingCompliance agents. SWIFT / ACH / wire-data patterns. GLBA + SOX + PCI + FFIEC evidence.
./deploy-titan.sh --license=KEY --mode=trial --vertical=banking --cloud=all
Adds Telco, CPNI, STIR/SHAKEN, E-911 agents. CDR / subscriber-PII patterns. FCC + CPNI 222 + TCPA evidence.
./deploy-titan.sh --license=KEY --mode=trial --vertical=telecom --cloud=all
Zero internet. Local Llama 3 replaces Claude API. For FedRAMP High, CMMC L3, SCADA, banking-DMZ, hospital-OT.
./deploy-titan.sh --license=KEY --mode=prod --vertical=banking --cloud=all --airlock
Run one agent only. Useful for scoped tests or targeted fixes.
./deploy-titan.sh --license=KEY --agent=bastion --mode=trial --cloud=azure
Scan + propose fixes with AI. Fixes NEVER auto-execute — every action requires explicit human approval.
./deploy-titan.sh --license=KEY --mode=prod --vertical=healthcare --cloud=all
The bootstrapper contains zero TITAN AI source. All agent code is in an AES-256 encrypted bundle only your licensed key can decrypt.
Every run sends the script SHA-256 to our license server. Modified scripts get rejected, license gets flagged, and TITAN AI security is alerted.
Every AI-proposed fix shows the exact command + rollback + risk level. Nothing executes without your explicit yes.
Agents refuse to propose any command containing rm -rf, drop table, delete *, terraform destroy, or resource-group deletions. Hardcoded safety.
Auto-permission granter creates a dedicated read-only service principal. Revoke any time with one command. No admin rights requested.
Every scan, proposal, approval, and execution is logged to logs/audit.log. Tamper-evident, exportable to SIEM (Splunk, Sentinel, Datadog).
VERIFY THE SHA-256 BEFORE RUNNING
deploy-titan.ps1
PowerShell 7+ · Verified with Get-AuthenticodeSignature
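An added example (not TITAN AI code) of doing this verification locally, before the script runs and independently of the license-server check: the file is downloaded to disk, its SHA-256 and Authenticode signature are checked, and it is executed only if both pass. `Test-DeployScript`, `<PUBLISHED_SHA256>` and the optional thumbprint pin are assumptions; this page does not show the published hash or the signer, so take those values from the vendor through a separate channel.

```powershell
function Test-DeployScript {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # placeholder: vendor-published value
        [string] $ExpectedThumbprint                       # assumption: optional signer pin
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "File not found: $Path" }

    # 1. Content hash: reject a malformed expected value, then compare digests.
    $expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') { throw 'Expected SHA-256 must be 64 hex characters.' }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "SHA-256 mismatch. expected=$expected actual=$actual" }

    # 2. Authenticode: the signature must validate against a trusted chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 3. Optional pin: a valid signature from an unexpected publisher is still a failure.
    if ($ExpectedThumbprint -and
        $sig.SignerCertificate.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        Path   = (Resolve-Path -LiteralPath $Path).Path
        Sha256 = $actual
        Signer = $sig.SignerCertificate.Subject
    }
}

# Download to disk, verify, then run. The script is never invoked if a check throws.
$script = Join-Path $PWD 'deploy.ps1'
Invoke-WebRequest -Uri 'https://downloads.titanaisec.com/deploy-titan.ps1' -OutFile $script
if (Test-DeployScript -Path $script -ExpectedSha256 '<PUBLISHED_SHA256>') {
    & $script -LicenseKey YOUR_KEY -Vertical healthcare
}
```

With the placeholder left in place the function throws on the malformed hash, so nothing runs until a real published value is supplied.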
No. Default behavior is read-only scan in trial mode and proposal-only in prod mode. Every fix requires explicit human approval via the review UI or a signed approval file. Destructive commands are blocked entirely.
Use --airlock. The script requires one-time license validation (via OFFLINE_LICENSE_TOKEN if truly zero-internet), then runs entirely local. Ollama / local Llama 3 replaces Claude API. Reports exported via data-diode to your audit network.
Yes. You need write access to $HOME and cloud-CLI read access. Script never requests sudo. Auto-permission flow creates a dedicated service principal with minimum rights only.
It won't run. The script hashes itself and sends the hash to the license server. A mismatch triggers rejection, logs the event, and alerts our security team. You will see the exact reason for the halt.
Azure: az ad sp delete --id <ID printed at end of deploy>. AWS: aws iam detach-user-policy --policy-arn .... GCP: gcloud projects remove-iam-policy-binding .... All commands printed in the deploy output for your records.
No customer data leaves your environment. Only the license SHA and script SHA phone home for tamper detection — no scan results, no cloud resource details, no credentials. Airlock mode sends zero outbound packets.
Request your 14-day free trial license. Script arrives in your inbox with usage examples for your specific environment.