Trust posture, architecture diagram, the exact read-only Azure RBAC roles we ask for in each cloud, integrations list, AI data-handling policy, what TITAN does not do, contracting terms, implementation timeline, and three-year TCO. Everything procurement and security review will ask for, in one URL you can forward.
We do not list a certification we do not hold. Where a milestone has a target, the date is committed. Where a control runs but the formal report is not yet issued, the gap and the timeline are explicit.
| Control / artifact | Status | Detail |
|---|---|---|
| SOC 2 Type II | In progress | Pre-audit gap analysis underway. Target observation window opens Q3 2026 with a Type II report Q1 2027. SOC 2 Type I letter from auditor available under NDA Q2 2026. |
| ISO 27001 | In progress | Stage 1 audit Q4 2026. Stage 2 / certification target Q1 2027. ISMS scope: TITAN AI engine, build pipeline, customer support. |
| HIPAA Security Rule | Aligned | BAA template available now. Healthcare bundle ships HIPAA Security Rule controls with continuous attestation. No production PHI ever leaves customer environment. |
| HITRUST CSF v11 | In progress | Self-assessment complete. e1 readiness Q4 2026. r2 certified inheritance available to Healthcare customers via the COMPLY agent. |
| FedRAMP Moderate / High | Aligned, not yet authorised | NIST 800-53 Rev 5 control coverage in COMPLY. Government tier ships FedRAMP-aligned controls. Agency sponsorship required for actual ATO; talking to two agencies now. |
| CMMC Level 2 / 3 | Aligned | Government tier auto-collects evidence for all 110 NIST 800-171 r2 controls and the 24 CMMC L3 enhanced practices. Pre-assessment readiness in weeks. |
| Pen test | Quarterly | External pen test runs every quarter and on every major engine release. Latest report (April 2026) available under NDA. Findings are tracked publicly in the change log. |
| Bug bounty | Private, in scope Q3 2026 | Targeted private bug-bounty cohort opens Q3 2026. Public program follows SOC 2 Type II completion. |
| Cyber-liability insurance | Active | The Hartford, Custom general liability + cyber + E&O. Policy 57 SBM CB7XDT. COI furnished within 24 hours of request. |
| Incident response SLA | 4h ack / 24h plan | Acknowledgement within 4 hours, root-cause within 24 hours, full RCA within 5 business days, status emails every 4 hours during an active incident. |
| Vendor security questionnaire | CAIQ + SIG-Lite ready | Pre-filled CAIQ-Lite (CSA Cloud Controls Matrix) and SIG-Lite responses available within 24 hours of request, signed under NDA. |
| Patent | USPTO 19/645,524 (filing receipt, not a credential) | We list the application number for traceability. We do not present pending-patent status as competitive moat. |

| Sub-processor | Purpose | Data category |
|---|---|---|
| Cloudflare | Web edge, DNS, TLS, DDoS protection for titanaisec.com | Marketing-site traffic only. No customer scan data. |
| GitHub (Microsoft) | Source control, CI/CD, signed releases via SLSA 3 + Sigstore | Source code only. No customer data. |
| Stripe | Subscription billing | Billing contact + payment instrument. No scan data. |
| External reasoning service | REASON agent (think-first reasoning) when customer opts in | Finding metadata only. Disabled in AIRLOCK mode. Vendor does not retain or train on API content. |
| Google Workspace | [email protected] email + calendar | Customer contact emails. No scan data. |
No analytics, no marketing pixels, no session-replay tools on this site. titanaisec.com runs zero third-party trackers. Customer scan data never leaves the customer environment except as findings routed via CONDUIT to the customer-controlled SIEM or ticketing destination.
TITAN AI runs as a single signed binary inside the customer environment. It reads cloud APIs over the customer's own outbound TLS, evaluates findings locally, and routes results through CONDUIT to the customer-owned SIEM or ticketing destination. No TITAN-owned cloud sees customer data.
```text
Customer environment                                     Customer-owned destinations
-----------------------------------------------------    -----------------------------
[ Azure / Snowflake / Databricks ]
        |
        | read-only API calls (customer outbound TLS)
        v
+-------------------------------------------+
| TITAN AI engine (single signed binary)    |
| - CONDUCTOR: license + tier enforcement   |
| - 34 agents: scan, evaluate, prioritise   |
| - REASON: optional LLM call (off in       |              [ Splunk / Sentinel / Datadog ]
|   AIRLOCK mode)                           | CONDUIT -->  [ Jira / Remedy ]
| - FORGE: consent-gated remediation        |              [ PagerDuty / Opsgenie / Slack ]
| - PHOENIX / DR-GUARD: resilience          |              [ any REST webhook ]
| - tamper-evident hash-chained audit log   |
+-------------------------------------------+
        |
        v
Local evidence packs (HTML + PDF + DOCX + JSON)
written to customer disk; nothing leaves boundary
```
Every finding, every evidence pack, every audit log writes to a customer-controlled directory. No call-home, no telemetry, no analytics pings. CONDUIT only fires when the customer configures a destination.
Trial and audit tiers physically cannot write — the engine kernel rejects FORGE writes when the license tier does not include remediation. Paid tiers gate every write behind explicit per-finding [y/N] consent.
AIRLOCK mode disables CONDUIT external destinations and the optional REASON LLM call. Updates land via signed offline bundle with SLSA 3 provenance. Verified with one slsa-verifier command on the customer side.
A trial scan needs only the read-only role. Optional remediation through FORGE needs the optional write role and is gated per finding regardless. Every role can be scoped to a single subscription / account / project.
Built-in roles only:

- Reader at subscription scope
- Security Reader at subscription scope
- Reader on Microsoft.Graph for Entra ID checks

Managed policies only:

- SecurityAuditReadOnlyAccess (or scoped equivalent)
- ViewOnlyAccess for IAM Identity Center

Predefined roles only:

- roles/iam.securityReviewer
- roles/viewer at project / folder scope
- roles/cloudasset.viewer for inventory

Azure equivalent FORGE policies follow the same shape: enumerated write actions per service, explicit deny on delete and destroy. Full JSON for the Azure cloud, plus the cross-account / workload-identity wiring, is in the deploy guide.
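One way for the customer side to confirm, before the trial scan runs, that the scanner principal holds nothing beyond the read-only roles listed above and nothing wider than one subscription. This is an added example, not TITAN's tooling; the assignment JSON is constructed to mirror the `principalId` / `roleDefinitionName` / `scope` fields of `az role assignment list -o json`, and the principal id and allowlist are assumptions.

```python
import json
import re

# Read-only built-in roles the trial scan asks for (from the list above).
READ_ONLY_ROLES = {"Reader", "Security Reader"}
# A correctly scoped assignment sits on exactly one subscription, never on
# a management group or the tenant root "/".
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample in the shape of `az role assignment list --all -o json`;
# not captured from a real tenant.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "sp-titan", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "sp-titan", "roleDefinitionName": "Security Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "sp-titan", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalId": "sp-titan", "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/root"},
    {"principalId": "sp-other", "roleDefinitionName": "Owner", "scope": "/"},
])


def audit_assignments(raw_json, principal_id, allowed=READ_ONLY_ROLES):
    """Return (role, scope, reason) tuples for every assignment of the given
    principal that is either not on the read-only allowlist or scoped wider
    than a single subscription. An empty list means least privilege holds."""
    violations = []
    for a in json.loads(raw_json):
        if a.get("principalId") != principal_id:
            continue  # other principals are out of scope for this check
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role not in allowed:
            violations.append((role, scope, "role not in read-only allowlist"))
        if not SUBSCRIPTION_SCOPE.match(scope):
            violations.append((role, scope, "scope wider than one subscription"))
    return violations


if __name__ == "__main__":
    for role, scope, reason in audit_assignments(SAMPLE_ASSIGNMENTS, "sp-titan"):
        print(f"VIOLATION: {role} at {scope}: {reason}")
```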
CONDUIT is the universal output layer. Every integration below is a tested native adapter with field-level mapping, not a generic webhook wrapper. Generic REST webhook is also available for anything not on the list.
Anything not on the list above ships via the generic REST webhook adapter. JSON payload schema is documented in the deploy guide. We will write a native adapter for any integration that is in scope for two or more paid customers.
The AI question every CISO asks first in 2026. Plain-English answers, no hedging.
Not our models, not our sub-processors' models. The external reasoning API call we make from the optional REASON agent runs under vendor no-retention, no-training enterprise terms. Customer scan data never enters any training corpus, ever.
Only the REASON agent calls an external LLM. It receives finding metadata for prioritisation reasoning, never raw customer data. The customer can disable REASON without affecting any other agent. AIRLOCK mode disables it by force.
Before any LLM call, the AI GUARD agent's redaction pipeline strips PHI / PII / PCI / source-code patterns from the payload. The pipeline runs on the customer machine and is auditable end-to-end via the tamper-evident hash chain.
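The redact-then-record flow described above, as an added example that is not AI GUARD's code: illustrative PII / PCI / secret patterns are stripped from a constructed finding string, and each step is appended to a SHA-256 hash chain that any later edit or reorder breaks. The pattern set, the record fields and the sample finding are assumptions.

```python
import hashlib
import json
import re

# Illustrative patterns for the categories the page names (PII, PCI, source-code secrets); not AI GUARD's real ruleset.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "SECRET": re.compile(r"(?i)\b(?:api[_-]?key|password)\s*[:=]\s*\S+"),
}

def luhn_ok(digits):
    """Luhn checksum so plain 16-digit ids are not mistaken for card numbers."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def redact(text):
    """Return (redacted_text, {category: count}); CARD hits are kept unless Luhn passes."""
    counts = {}
    for name, pat in PATTERNS.items():
        def sub(m):
            if name == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()
            counts[name] = counts.get(name, 0) + 1
            return f"[REDACTED:{name}]"
        text = pat.sub(sub, text)
    return text, counts

def append_audit(chain, entry):
    """Append entry linked to the previous record's hash (genesis = 64 zeros)."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    record = {"prev": prev, **entry}
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    chain.append(record)
    return record["hash"]

def verify_chain(chain):
    """Recompute every hash and link; False on any edit, removal or reorder."""
    prev = "0" * 64
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

# Constructed finding metadata as REASON might receive it before redaction.
SAMPLE_FINDING = "Storage account open to public; owner j.doe@example.com; note: card 4111 1111 1111 1111"
```

A real pipeline would persist the chain to the customer-controlled audit directory and run `verify_chain` as part of evidence-pack generation.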
TITAN itself stores nothing in TITAN-owned infrastructure. Findings, evidence packs, and the audit log all live on customer disk and customer-owned destinations. Termination = stop the binary; nothing to reclaim.
Where TITAN is the wrong tool, we say so up front and name what to use instead. Saves everyone a procurement cycle.
| Capability we do not cover | Better tool | Why TITAN does not |
|---|---|---|
| Endpoint EDR / XDR | CrowdStrike, SentinelOne, Microsoft Defender for Endpoint | EDR needs a kernel agent. We are agentless cloud-side. Different problem space. |
| 24x7 managed SOC / MDR | Arctic Wolf, Expel, Red Canary | We ship the platform, not the night-shift analyst team. CONDUIT routes to your existing SOC. |
| On-prem Active Directory deep audit | Microsoft Defender for Identity, Semperis | BASTION covers identity drift, but on-prem AD attack-path analysis is a specialised product space. |
| SAST / SCA / IaC scanning | Snyk, Semgrep, Checkov | FORGE has the dbt model gate, but full SAST / SCA / IaC is outside scope. We integrate with your existing scanner via CONDUIT. |
| Network packet capture / NDR | Zeek + Suricata, ExtraHop, Vectra | SCANNER does IDS / IPS heuristics, not full PCAP. Different operational model. |
| Web application firewall | Cloudflare, F5 | WAF lives at the edge, not the cloud control plane. Out of scope by design. |
| Vulnerability scanning of customer applications | Tenable, Qualys, Rapid7 | SENTINEL covers cloud control-plane CVEs and runtime workload posture, not application CVE scanning. |
| DLP at the endpoint | Microsoft Purview, Symantec DLP | AI GUARD covers AI-channel DLP (ChatGPT / Claude / Gemini). Endpoint USB / clipboard DLP is a different layer. |
Every one of the above tools integrates with TITAN via CONDUIT (their findings flow through the same prioritisation engine and routing rules). If your team is happy with one of them, keep it; we route around.
If your procurement team has a checklist, this is most of it. Custom terms are negotiated case-by-case; the defaults below clear the common path.
| Question | Standard answer |
|---|---|
| Payment methods | ACH, wire, credit card. Purchase order accepted at Cloud Pro tier and above. Net-30 standard, net-15 available on request. |
| Contract term | One-year standard. Three-year available with 12% multi-year discount. Month-to-month not offered above Launch tier. |
| Limit of liability | 1x annual contract value, mutual. Carve-outs for confidentiality breach, IP infringement, and indemnification follow standard SaaS practice. |
| Termination | For cause: 30 days. For convenience after Year 1: 90 days. Pro-rated refund of any prepaid period beyond termination date. |
| MSA / DPA / BAA / NDA | Templates available now. We mark up customer paper; turnaround typically under 5 business days for standard clauses. |
| GSA / Carahsoft / SEWP V | Not yet on schedule. Target H2 2026. Available today via direct contract with TITAN AI LLC. |
| Azure / multi-tenant pricing | List price covers Azure under one license. No per-cloud upcharge. Tenant-count multipliers apply at MSP / MSSP scale; quoted case-by-case. |
| Auto-renewal | Yes, with 60-day non-renewal window. Procurement can opt out at signing. |
| Price escalation | Year 2 + 3 list price held flat for the term of a multi-year contract. Single-year renewals follow then-current list, capped at 7%. |
| Data location | Customer environment only. TITAN stores no scan data in TITAN-owned infrastructure. Sub-processor list above governs only marketing-site, billing, and the optional REASON LLM call. |
| Audit rights | Customer may audit TITAN's compliance posture once per year on 30 days notice. SOC 2 Type II report (when issued) and pen-test reports satisfy the standard ask. |
| Founding-customer terms | First 5 paid customers per vertical: 20% off Year 1, list Year 2+, direct founder access, roadmap influence. In exchange: a reference call after 90 days. |
Realistic milestones. The trial scan is ten minutes; full enterprise rollout with your SIEM, your IdP, your ticketing, and your evidence cadence runs about 30 days.
Replacement-stack figures use mid-market enterprise quotes from Vendr, G2, and published vendor pricing pages (Q2 2026 snapshot). Year 2 and Year 3 hold list flat per the standard contract; replacement-stack figures assume 5% annual escalation typical of incumbent renewals.
| Vertical | TITAN 3-year | Replacement stack 3-year | 3-year savings |
|---|---|---|---|
| Cloud Pro | Custom | Custom (Wiz + Vanta + Snyk) | Significant savings |
| Healthcare | Custom | Custom (Imprivata + Vanta + Wiz) | Significant savings |
| Telecom | Custom | Custom (TransNexus + PossibleNOW + Numeracle + CSPM) | Significant savings |
| Banking | Custom | Custom (Verafin + Actimize + Featurespace + Sumsub) | Significant savings |
| Banking + AIRLOCK | Contact sales | Multiple vendor contracts + DMZ deploy | Significant consolidation savings |
| Government | Custom | Custom (Tanium Fed + CrowdStrike Gov + Splunk Cloud) | Significant savings |
Three-year savings assume the replacement stack stays at the buyer-quoted entry price without scope creep. In practice incumbents add SKUs over a multi-year window; the gap typically widens.
Pick the path that fits where your team is in the buying cycle.
Pre-filled CAIQ-Lite, SIG-Lite, MSA / DPA / BAA / NDA templates, latest pen-test report under NDA — reply to any email above and we respond within 24 hours.