Live scans against five real platforms: Azure, AWS, GCP (deliberately misconfigured cloud accounts, scanned, evidence captured, accounts torn down to zero billing) plus Snowflake Enterprise trial account ZWZBKIU-YJ80040 (33 detectors active, 54 findings including unmasked PHI columns and PUBLIC role grants) plus an ORACLE portal vendor pack (20 findings). Every finding below has a per-finding evidence file with priority score, MITRE ATT&CK technique mapping, and a five-step remediation playbook with the exact `az`, `aws`, `gcloud`, or SQL command to apply the fix.
Five live scans across Azure, AWS, GCP, Snowflake, and an ORACLE portal. Cloud accounts deliberately misconfigured, scanned, evidence captured, then torn down to zero billing. Snowflake scan ran against a live Enterprise trial. Every per-detector card below points at the consolidated HTML, PDF, DOCX, JSON, and Markdown evidence file. Resource names embed creation timestamp — e.g. tlsec-260426-1315 means the resource was created on April 26 at 13:15 CST.
SSH, RDP, and SQL Server exposed to 0.0.0.0/0 on a public NSG. Plus four medium and high IAM and key-vault findings. Subscription torn down post-scan.
Root user MFA off (critical), one IAM user without MFA, one S3 bucket without full Public Access Block. Account torn down post-scan.
Default Compute SA still active and bound to roles/editor, default-allow-rdp firewall rule open to 0.0.0.0/0, plus six other high and critical findings. Project torn down post-scan.
Live scan against Snowflake Enterprise trial account ZWZBKIU-YJ80040 (AWS US East 2). 9 critical (PUBLIC role granted on PHI tables, admin without MFA), 31 high (unmasked PHI columns including SSN / DOB / MRN / EMAIL, password-only auth users, no network and authentication policy, Tri-Secret Secure off, external stage without encryption, sensitive tables without row-access policy), 14 medium (session timeout, role privilege explosion, Cortex AI PHI egress, no failover group, low Time-Travel retention). 33 detectors active across ACCOUNT_USAGE plus real-time INFORMATION_SCHEMA / SHOW probes. Two connection modes: native snowflake-connector-python and stdlib-only generic SQL API with key-pair JWT or OAuth.
Healthcare-focused portal scan: PHI-in-URL signals, vendor breach intake, insider email patterns, CVE drift, and shadow-AI tools detected on the endpoint. Five detectors with self-learning routing.
Each card below is a unique detection from the April 26–27, 2026 scans. Where one detector matched multiple resources (e.g. five users without MFA), the affected resources are listed inside the card — one card per detector, not one per resource. Open any card to see the affected resources, recommendation, and exact fix command. The full FORGE remediation workflow is described once below.
Affected resources:
  nsg-titandemo-public/BAD-allow-ssh-from-internet
  nsg-titandemo-public/BAD-allow-rdp-from-internet
  nsg-titandemo-public/BAD-allow-sql-from-internet
Recommendation: Restrict the source to corporate IP ranges or remove the rule entirely.
Fix: Pending operator approval
Affected resources:
  TITANBAD_STALE
  TITANBAD_NOMFA2
  TITANBAD_NOMFA1
  TITANADMIN
  SVC_TITANBAD_BROAD
Recommendation: Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.
Fix:
  ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have the user enroll in MFA
Affected resources:
  TITAN_DEMO.PUBLIC_BAD
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI
Recommendation: Revoke the privilege from PUBLIC. PUBLIC is granted to every role automatically; non-default grants on PUBLIC make data world-readable inside the account.
Fix:
  REVOKE USAGE ON SCHEMA TITAN_DEMO.PUBLIC_BAD FROM ROLE PUBLIC;
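The PUBLIC-role card above is the kind of detector that runs over ACCOUNT_USAGE. The block below is an added example of how such a detector can be written, not FORGE's own code: it walks rows shaped like SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES, ignores revoked grants and the catalogs Snowflake grants to PUBLIC by default, rates grants on regulated-looking objects as critical, and emits the matching REVOKE. The sample rows, the default-catalog allowlist and the severity heuristic are constructed assumptions.

```python
"""Detector for non-default privilege grants to Snowflake's PUBLIC role.
Added example, not FORGE's implementation. Rows are constructed to mimic
SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES; the default-catalog allowlist and
the severity rule are this example's assumptions."""
from __future__ import annotations

# Catalogs Snowflake exposes to PUBLIC out of the box (assumed allowlist).
DEFAULT_PUBLIC_CATALOGS = {"SNOWFLAKE", "SNOWFLAKE_SAMPLE_DATA"}
# Name tokens that mark an object as regulated data (assumed heuristic).
REGULATED_TOKENS = {"PHI", "PII", "PATIENT", "MEMBER", "SSN"}

# Constructed sample rows, column names as in ACCOUNT_USAGE.GRANTS_TO_ROLES.
GRANTS_TO_ROLES = [
    {"GRANTEE_NAME": "PUBLIC", "PRIVILEGE": "USAGE", "GRANTED_ON": "SCHEMA",
     "NAME": "PUBLIC_BAD", "TABLE_CATALOG": "TITAN_DEMO", "TABLE_SCHEMA": None,
     "DELETED_ON": None},
    {"GRANTEE_NAME": "PUBLIC", "PRIVILEGE": "SELECT", "GRANTED_ON": "TABLE",
     "NAME": "PATIENT_PHI", "TABLE_CATALOG": "TITAN_DEMO",
     "TABLE_SCHEMA": "PUBLIC_BAD", "DELETED_ON": None},
    {"GRANTEE_NAME": "PUBLIC", "PRIVILEGE": "SELECT", "GRANTED_ON": "TABLE",
     "NAME": "MEMBER_ACCOUNT", "TABLE_CATALOG": "TITAN_DEMO",
     "TABLE_SCHEMA": "PUBLIC_BAD", "DELETED_ON": None},
    # Already revoked: DELETED_ON is set, so it must not be reported.
    {"GRANTEE_NAME": "PUBLIC", "PRIVILEGE": "SELECT", "GRANTED_ON": "TABLE",
     "NAME": "OLD_TABLE", "TABLE_CATALOG": "TITAN_DEMO",
     "TABLE_SCHEMA": "PUBLIC_BAD", "DELETED_ON": "2026-04-20 10:00:00"},
    # System default grant on the sample database: not operator-introduced.
    {"GRANTEE_NAME": "PUBLIC", "PRIVILEGE": "USAGE", "GRANTED_ON": "DATABASE",
     "NAME": "SNOWFLAKE_SAMPLE_DATA", "TABLE_CATALOG": "SNOWFLAKE_SAMPLE_DATA",
     "TABLE_SCHEMA": None, "DELETED_ON": None},
    # Grant to an ordinary role: not a PUBLIC finding.
    {"GRANTEE_NAME": "CLINICIAN_RO", "PRIVILEGE": "SELECT", "GRANTED_ON": "TABLE",
     "NAME": "PATIENT_PHI", "TABLE_CATALOG": "TITAN_DEMO",
     "TABLE_SCHEMA": "PUBLIC_BAD", "DELETED_ON": None},
]


def object_fqn(row: dict) -> str:
    """Fully qualified object name as the REVOKE statement needs it."""
    if row["GRANTED_ON"] == "DATABASE":
        return row["NAME"]
    parts = [row["TABLE_CATALOG"], row["TABLE_SCHEMA"], row["NAME"]]
    return ".".join(p for p in parts if p)


def is_regulated(name: str) -> bool:
    """True when any underscore-separated token of the name is regulated."""
    return bool(REGULATED_TOKENS & set(name.upper().split("_")))


def public_role_findings(rows: list[dict]) -> list[dict]:
    """One finding per live, non-default grant to PUBLIC, critical first."""
    findings = []
    for row in rows:
        if row["GRANTEE_NAME"] != "PUBLIC" or row["DELETED_ON"] is not None:
            continue  # not PUBLIC, or already revoked
        if row["TABLE_CATALOG"] in DEFAULT_PUBLIC_CATALOGS:
            continue  # Snowflake default, not an operator grant
        fqn = object_fqn(row)
        findings.append({
            "detector": "snowflake_public_role_grant",
            "resource": fqn,
            "privilege": row["PRIVILEGE"],
            "severity": "critical" if is_regulated(row["NAME"]) else "high",
            "fix_sql": (f"REVOKE {row['PRIVILEGE']} ON {row['GRANTED_ON']} "
                        f"{fqn} FROM ROLE PUBLIC;"),
        })
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["resource"]))
    return findings


if __name__ == "__main__":
    for f in public_role_findings(GRANTS_TO_ROLES):
        print(f["severity"].upper(), f["resource"], "->", f["fix_sql"])
```

The DELETED_ON check matters in practice: ACCOUNT_USAGE keeps revoked grants as rows, so a detector that ignores the column re-reports fixes that have already been applied.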
Patch managed-file-transfer appliance CVE
Affected resources:
  mft01.regional-health.example (3 matches)
  edi.regional-health.example (2 matches)
  ga.regional-health.example (2 matches)
Recommendation: Patch the file transfer appliance within 24 hours, rotate credentials, and review egress logs for the backfill window of the CVE disclosure. Put the appliance behind a WAF with CVE-specific virtual patches.
Block PHI exfiltration via personal email
Recommendation: Quarantine the message, notify the privacy officer, and open a HIPAA sanctions case under 164.530(e). Block personal webmail domains at the secure email gateway for employees with PHI access.
Stop PHI from appearing in URL query strings
Recommendation: Stop passing identifiers through URL query strings. Move identifiers into POST bodies or server-side session lookups. URLs land in browser history, server logs, referrer headers, and analytics pipelines.
Remove third-party trackers from PHI pages
Recommendation: Remove the tracker from every page that renders or receives PHI. If retention is required, route through a HIPAA-compliant analytics pipeline with a BAA in place.
Re-evaluate vendor in active OCR breach list
Affected resources:
  Conduent Business Services
  Young Consulting / Connexure
Recommendation: Treat this vendor as compromised until they produce a clean forensic report. Rotate any shared secrets, pull recent exchange logs, and issue member notifications if PHI transited the vendor in the breach window.
Affected resources:
  fw/default-allow-rdp
  fw/default-allow-ssh
  fw/fw-titandemo-bad-mssql-260426-1315
  fw/fw-titandemo-bad-pg-260426-1315
  fw/fw-titandemo-bad-rdp-260426-1315
  fw/fw-titandemo-bad-ssh-260426-1315
Recommendation: Restrict the source range to corporate CIDR.
Fix: Pending operator approval
Affected resources:
  TITANADMIN
  TITANBAD_NOMFA1
  TITANBAD_NOMFA2
  TITANBAD_STALE
  SVC_TITANBAD_BROAD
Recommendation: Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and not auditable to per-call granularity.
Fix:
  ALTER USER <name> SET RSA_PUBLIC_KEY='<key>';
  ALTER USER <name> UNSET PASSWORD;
Affected resources:
  account
Recommendation: Apply at least one account-level network policy that restricts logins to corporate egress IPs and approved cloud IP ranges.
Fix:
  CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST=('1.2.3.4/32', ...);
  ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
Affected resources:
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PATIENT_ID
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_SSN
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.SSN
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MEMBER_ID
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.DOB
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MRN
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PHONE
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_DOB
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.EMAIL
Recommendation: Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.
Fix:
  CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END;
  ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;
Affected resources:
  account
Recommendation: Apply an authentication policy at account level that requires MFA, restricts auth methods to PASSWORD+MFA / KEYPAIR / SAML, and disables legacy paths.
Fix:
  CREATE AUTHENTICATION POLICY require_mfa
    AUTHENTICATION_METHODS=('PASSWORD','KEYPAIR','SAML')
    MFA_AUTHENTICATION_METHODS=('PASSWORD')
    MFA_ENROLLMENT=REQUIRED;
  ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
Affected resources:
  account
Recommendation: Enable Tri-Secret Secure so encryption requires a customer-controlled KMS key. This is a Business Critical / Enterprise-tier feature; if your account is on a lower tier and you handle PHI / cardholder data, request the upgrade.
Fix: Contact Snowflake support to enable Tri-Secret Secure on the account; provide your AWS KMS / Azure Key Vault / GCP KMS key reference.
Affected resources:
  SVC_TITANBAD_BROAD
  TITANADMIN
  TITANBAD_NOMFA1
  TITANBAD_NOMFA2
  TITANBAD_STALE
Recommendation: Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.
Fix:
  ALTER USER SVC_TITANBAD_BROAD SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA
Affected resources:
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.EMAIL
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MEMBER_ID
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.DOB
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.SSN
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PHONE
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_DOB
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PATIENT_ID
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_SSN
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MRN
Recommendation: Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.
Fix:
  CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END;
  ALTER TABLE <table> MODIFY COLUMN EMAIL SET MASKING POLICY phi_redact;
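The two unmasked-column cards above both rest on a name-based heuristic ("column name suggests PHI / PII") followed by an ALTER TABLE per column. The block below is an added example of that detector, not FORGE's code. It scans rows shaped like INFORMATION_SCHEMA.COLUMNS, skips columns that already carry a policy (as ACCOUNT_USAGE.POLICY_REFERENCES would report), and generates the fix. It also handles a detail the one-line fix on the card glosses over: a Snowflake masking policy's argument type must match the column type, so the STRING policy cannot be attached to a DATE column, and a column whose type has no policy template is reported but left for an operator. The token list, the policy names, and the sample columns are constructed assumptions.

```python
"""Name-based PHI / PII column detector with masking-policy fix generation.
Added example, not FORGE's code. Rows mimic INFORMATION_SCHEMA.COLUMNS and
the set of already-masked columns mimics ACCOUNT_USAGE.POLICY_REFERENCES;
the token list and policy names are this example's assumptions."""
from __future__ import annotations
import re

# Tokens that make a column name "suggest" PHI / PII (assumed heuristic).
PHI_TOKENS = {"SSN", "DOB", "MRN", "EMAIL", "PHONE", "PII", "PHI", "PATIENT", "MEMBER"}

# A masking policy's input type must equal the column type, so each type
# family needs its own policy (names assumed for this example).
POLICY_FOR_TYPE = {"TEXT": "phi_redact", "DATE": "phi_redact_date", "NUMBER": "phi_redact_num"}

# Constructed rows: (database, schema, table, column, data_type).
COLUMNS = [
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "PATIENT_ID", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "SSN", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "MEMBER_ID", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "DOB", "DATE"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "MRN", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "PHONE", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "EMAIL", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "PHI_NOTES", "VARIANT"),   # no template
    ("TITAN_DEMO", "PUBLIC_BAD", "PATIENT_PHI", "VISIT_COUNT", "NUMBER"),  # not PHI by name
    ("TITAN_DEMO", "PUBLIC_BAD", "MEMBER_ACCOUNT", "MEMBER_PII_SSN", "TEXT"),
    ("TITAN_DEMO", "PUBLIC_BAD", "MEMBER_ACCOUNT", "MEMBER_PII_DOB", "DATE"),
    ("TITAN_DEMO", "PUBLIC_BAD", "MEMBER_ACCOUNT", "ACCOUNT_BALANCE", "NUMBER"),
    ("TITAN_DEMO", "PUBLIC_BAD", "MEMBER_ACCOUNT", "CONTACT_EMAIL", "TEXT"),  # masked already
]
ALREADY_MASKED = {"TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.CONTACT_EMAIL"}


def tokens(name: str) -> list[str]:
    """Split SNAKE_CASE and camelCase names into upper-case tokens."""
    return re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name).upper().split("_")


def suggests_phi(column: str) -> bool:
    return bool(PHI_TOKENS & set(tokens(column)))


def unmasked_phi_columns(columns, already_masked) -> list[dict]:
    """One finding per PHI-looking column that has no masking policy yet."""
    findings = []
    for db, schema, table, col, dtype in columns:
        fqn = f"{db}.{schema}.{table}.{col}"
        if not suggests_phi(col) or fqn in already_masked:
            continue
        policy = POLICY_FOR_TYPE.get(dtype)
        if policy is None:
            fix = f"-- {fqn}: no masking policy template for type {dtype}; add one before applying"
        else:
            fix = f"ALTER TABLE {db}.{schema}.{table} MODIFY COLUMN {col} SET MASKING POLICY {policy};"
        findings.append({"resource": fqn, "data_type": dtype, "fix_sql": fix})
    return findings


def policy_ddl() -> list[str]:
    """The policies the fixes reference: clinicians see raw values, others a redaction."""
    role = "IS_ROLE_IN_SESSION('CLINICIAN_RO')"
    return [
        f"CREATE MASKING POLICY IF NOT EXISTS phi_redact AS (val STRING) RETURNS STRING -> "
        f"CASE WHEN {role} THEN val ELSE 'REDACTED' END;",
        f"CREATE MASKING POLICY IF NOT EXISTS phi_redact_date AS (val DATE) RETURNS DATE -> "
        f"CASE WHEN {role} THEN val ELSE NULL END;",
        f"CREATE MASKING POLICY IF NOT EXISTS phi_redact_num AS (val NUMBER) RETURNS NUMBER -> "
        f"CASE WHEN {role} THEN val ELSE NULL END;",
    ]


if __name__ == "__main__":
    for stmt in policy_ddl():
        print(stmt)
    for f in unmasked_phi_columns(COLUMNS, ALREADY_MASKED):
        print(f["fix_sql"])
```

Running the policy DDL before the ALTER statements keeps the playbook idempotent; a re-scan after the fixes is what confirms the POLICY_REFERENCES set now covers every flagged column.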
Affected resources:
  TITAN_DEMO.PUBLIC_BAD.BAD_EXT_STAGE
Recommendation: Configure server-side encryption (AWS-KMS, Azure-KV, or GCS-CMEK) on every external stage carrying regulated data.
Fix:
  CREATE OR REPLACE STAGE TITAN_DEMO.PUBLIC_BAD.BAD_EXT_STAGE URL='s3://titan-demo-fake-bucket/' STORAGE_INTEGRATION=<si> ENCRYPTION=(TYPE='AWS_SSE_KMS' KMS_KEY_ID='<arn>');
ORACLE-VENDOR-MISSING-BAA
Affected resources:
  New Analytics Startup
Recommendation: Execute a Business Associate Agreement before any further PHI exchange. If the vendor refuses, stop the data flow within 30 days.
Affected resources:
  SVC_TITANBAD_BROAD
  TITANBAD_NOMFA2
  TITANBAD_STALE
  TITANBAD_NOMFA1
Recommendation: Disable users with no login in 90 days. Service accounts that legitimately do not log in should be tagged so they are not flagged.
Fix:
  ALTER USER <name> SET DISABLED = TRUE;
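The three user-hygiene cards (human users without MFA, service users on password-only auth, and users with no login in 90 days) all read the same ACCOUNT_USAGE.USERS view. The block below is an added example that runs those three checks over constructed rows of that shape, not FORGE's code. It assumes the USERS view's TYPE column distinguishes PERSON from SERVICE users, that EXT_AUTHN_DUO / HAS_PASSWORD / HAS_RSA_PUBLIC_KEY carry the enrolment state, that the "tag" for legitimately idle service accounts is a set of names, and that a missing MFA on an admin default role rates critical rather than high.

```python
"""User-hygiene detectors over SNOWFLAKE.ACCOUNT_USAGE.USERS-shaped rows:
human users without MFA, service users on password-only auth, and users
with no successful login in 90 days. Added example, not FORGE's code; the
TYPE column values, the stale-exemption tag set and the severity rules are
this example's assumptions."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
ADMIN_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}   # no MFA here is critical (assumed)


def _dt(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed rows; LAST_SUCCESS_LOGIN None means the user never logged in.
USERS = [
    {"NAME": "TITANADMIN", "TYPE": "PERSON", "DEFAULT_ROLE": "ACCOUNTADMIN",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": False,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": _dt(2026, 4, 25)},
    {"NAME": "TITANBAD_NOMFA1", "TYPE": "PERSON", "DEFAULT_ROLE": "ANALYST",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": False,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": _dt(2026, 4, 20)},
    {"NAME": "TITANBAD_NOMFA2", "TYPE": "PERSON", "DEFAULT_ROLE": "ANALYST",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": False,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": None},
    {"NAME": "TITANBAD_STALE", "TYPE": "PERSON", "DEFAULT_ROLE": "ANALYST",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": True,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": _dt(2025, 12, 1)},
    {"NAME": "SVC_TITANBAD_BROAD", "TYPE": "SERVICE", "DEFAULT_ROLE": "R_TITANBAD_EXPLOSION",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": False,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": _dt(2026, 1, 1)},
    {"NAME": "SVC_ETL_KEYPAIR", "TYPE": "SERVICE", "DEFAULT_ROLE": "ETL",
     "HAS_PASSWORD": False, "HAS_RSA_PUBLIC_KEY": True, "EXT_AUTHN_DUO": False,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": None},
    {"NAME": "GOOD_ANALYST", "TYPE": "PERSON", "DEFAULT_ROLE": "ANALYST",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": True,
     "DISABLED": False, "LAST_SUCCESS_LOGIN": _dt(2026, 4, 24)},
    {"NAME": "OLD_CONTRACTOR", "TYPE": "PERSON", "DEFAULT_ROLE": "ANALYST",
     "HAS_PASSWORD": True, "HAS_RSA_PUBLIC_KEY": False, "EXT_AUTHN_DUO": False,
     "DISABLED": True, "LAST_SUCCESS_LOGIN": None},   # already disabled: skipped
]
# Service users expected never to log in interactively (assumed tag set).
STALE_EXEMPT = {"SVC_ETL_KEYPAIR"}
AS_OF = _dt(2026, 4, 26)   # scan date


def user_findings(users: list[dict], as_of: datetime, exempt=frozenset()) -> list[dict]:
    cutoff = as_of - STALE_AFTER
    out = []
    for u in users:
        if u["DISABLED"]:
            continue  # nothing left to fix on a disabled user
        name = u["NAME"]
        # Human users authenticate with a password and must have MFA.
        if u["TYPE"] == "PERSON" and u["HAS_PASSWORD"] and not u["EXT_AUTHN_DUO"]:
            out.append({"detector": "user_without_mfa", "resource": name,
                        "severity": "critical" if u["DEFAULT_ROLE"] in ADMIN_ROLES else "high",
                        "fix_sql": f"ALTER USER {name} SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA"})
        # Service users should hold an RSA key, not a password.
        if u["TYPE"] == "SERVICE" and u["HAS_PASSWORD"] and not u["HAS_RSA_PUBLIC_KEY"]:
            out.append({"detector": "service_user_password_only", "resource": name,
                        "severity": "high",
                        "fix_sql": f"ALTER USER {name} SET RSA_PUBLIC_KEY='<key>'; "
                                   f"ALTER USER {name} UNSET PASSWORD;"})
        # Stale: never logged in, or last login before the 90-day cutoff.
        last = u["LAST_SUCCESS_LOGIN"]
        if name not in exempt and (last is None or last < cutoff):
            out.append({"detector": "stale_user_90d", "resource": name,
                        "severity": "medium",
                        "fix_sql": f"ALTER USER {name} SET DISABLED = TRUE;"})
    return out


def by_detector(findings: list[dict]) -> dict[str, list[str]]:
    """Card view: one entry per detector listing the affected users."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f["detector"], []).append(f["resource"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for detector, names in by_detector(user_findings(USERS, AS_OF, STALE_EXEMPT)).items():
        print(detector, names)
```

Note that one user can land on several cards (SVC_TITANBAD_BROAD is both password-only and stale); that is why the page reports one card per detector with the resources listed inside rather than one card per user.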
Affected resources:
  SNOWFLAKE.TRUST_CENTER.ACCOUNT_NOTIFICATION_RECIPIENTS
  TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT
  SNOWFLAKE.TRUST_CENTER_STATE.ACCOUNT_NOTIFICATION_METADATA
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI
  SNOWFLAKE.TRUST_CENTER_STATE.ACCOUNT_NOTIFICATION_HISTORY
Recommendation: Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows.
Fix:
  CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE();
  ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);
Affected resources:
  no_session_policy
Recommendation: Apply a session policy with an idle timeout no greater than 30 minutes (15 for healthcare). PCI requires 15 minutes for cardholder-data environments.
Fix:
  CREATE SESSION POLICY tight_idle SESSION_IDLE_TIMEOUT_MINS=15;
  ALTER ACCOUNT SET SESSION POLICY tight_idle;
Affected resources:
  TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI
Recommendation: Sensitive tables (PHI, transactions, audit logs) should hold at least 7 days of Time Travel for incident reconstruction. Compliance frameworks frequently require longer log retention.
Fix:
  ALTER TABLE <table> SET DATA_RETENTION_TIME_IN_DAYS = 30;
Affected resources:
  account
Recommendation: Configure at least one failover group covering the regulated databases. RPO and RTO requirements (HIPAA: 24h backup target) are not satisfied by Time Travel alone.
Fix:
  CREATE FAILOVER GROUP regulated_data OBJECT_TYPES=(DATABASES, ROLES) ALLOWED_DATABASES=(<list>) ALLOWED_ACCOUNTS=(<dr_account>) REPLICATION_SCHEDULE='10 MINUTE';
Affected resources:
  TITANADMIN
Recommendation: Cortex AI calls send data to Snowflake's hosted LLM. For PHI workloads, confirm the BAA covers Cortex inference and that PHI is masked or tokenized before the call.
Fix: Apply a masking policy to PHI columns before they can be passed to CORTEX functions; add a row-access policy that hides PHI from the role used by Cortex callers.
Affected resources:
  R_TITANBAD_EXPLOSION
Recommendation: Split this role into purpose-specific sub-roles. A single role with many privileges is hard to audit and tends to accumulate over-grants.
Fix: Identify each functional purpose; CREATE sub-roles; GRANT specific privileges; over time REVOKE the direct grants.
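The role-explosion card's fix is a procedure rather than a single statement: identify purposes, create sub-roles, grant, then revoke the direct grants. The block below is an added example of that procedure carried through in code, not FORGE's own implementation. It counts live direct grants per role from rows shaped like ACCOUNT_USAGE.GRANTS_TO_ROLES, flags roles above a threshold, clusters the flagged role's grants by (database, schema, read vs. write) into proposed sub-roles, and prints a migration script that grants the sub-roles back to the fat role first so that nothing breaks before the direct grants come off. The threshold, the write-privilege list and the sample grants are constructed assumptions.

```python
"""Role privilege-explosion detector with a proposed split into
purpose-specific sub-roles. Added example, not FORGE's code. Rows mimic
SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES; the threshold and the read/write
classification are this example's assumptions."""
from __future__ import annotations
from collections import defaultdict

MAX_DIRECT_GRANTS = 10   # assumed threshold for "explosion"
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE", "OWNERSHIP"}


def grant(role, priv, on, db, schema, name) -> dict:
    return {"GRANTEE_NAME": role, "PRIVILEGE": priv, "GRANTED_ON": on,
            "TABLE_CATALOG": db, "TABLE_SCHEMA": schema, "NAME": name, "DELETED_ON": None}


# Constructed: one role that reads and writes across two databases plus a
# warehouse, and one tidy reporting role.
GRANTS = [grant("R_TITANBAD_EXPLOSION", p, "TABLE", "TITAN_DEMO", "PUBLIC_BAD", t)
          for t in ("PATIENT_PHI", "MEMBER_ACCOUNT", "CLAIMS")
          for p in ("SELECT", "INSERT", "UPDATE", "DELETE")]
GRANTS += [grant("R_TITANBAD_EXPLOSION", "SELECT", "TABLE", "FINANCE", "GL", t)
           for t in ("LEDGER", "PAYMENTS")]
GRANTS += [grant("R_TITANBAD_EXPLOSION", "USAGE", "WAREHOUSE", None, None, "WH_ETL")]
GRANTS += [grant("R_REPORTING", "SELECT", "TABLE", "FINANCE", "GL", "LEDGER")]


def object_fqn(g: dict) -> str:
    parts = [g["TABLE_CATALOG"], g["TABLE_SCHEMA"], g["NAME"]]
    return ".".join(p for p in parts if p)


def live_grants(rows: list[dict], role: str) -> list[dict]:
    return [r for r in rows if r["GRANTEE_NAME"] == role and r["DELETED_ON"] is None]


def role_grant_counts(rows: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = defaultdict(int)
    for r in rows:
        if r["DELETED_ON"] is None:
            counts[r["GRANTEE_NAME"]] += 1
    return dict(counts)


def proposed_split(rows: list[dict], role: str) -> dict[str, list[dict]]:
    """Cluster a role's grants by (database, schema, RO/RW) into sub-roles."""
    buckets: dict[str, list[dict]] = defaultdict(list)
    for g in live_grants(rows, role):
        scope = g["TABLE_CATALOG"] or g["GRANTED_ON"]   # e.g. WAREHOUSE grants
        if g["TABLE_SCHEMA"]:
            scope = f"{scope}_{g['TABLE_SCHEMA']}"
        kind = "RW" if g["PRIVILEGE"] in WRITE_PRIVS else "RO"
        buckets[f"{role}_{scope}_{kind}"].append(g)
    return dict(buckets)


def explosion_findings(rows: list[dict], threshold: int = MAX_DIRECT_GRANTS) -> list[dict]:
    return [{"resource": role, "direct_grants": n, "severity": "medium",
             "sub_roles": sorted(proposed_split(rows, role))}
            for role, n in sorted(role_grant_counts(rows).items()) if n > threshold]


def split_plan_sql(rows: list[dict], role: str) -> list[str]:
    """Migration script: create sub-roles, grant, hang them under the fat role,
    then revoke the fat role's direct grants (last step runs once consumers
    have been moved to the sub-roles)."""
    stmts = []
    for sub, grants in sorted(proposed_split(rows, role).items()):
        stmts.append(f"CREATE ROLE IF NOT EXISTS {sub};")
        for g in grants:
            stmts.append(f"GRANT {g['PRIVILEGE']} ON {g['GRANTED_ON']} {object_fqn(g)} TO ROLE {sub};")
        stmts.append(f"GRANT ROLE {sub} TO ROLE {role};")   # keeps current users working
    for g in live_grants(rows, role):
        stmts.append(f"REVOKE {g['PRIVILEGE']} ON {g['GRANTED_ON']} {object_fqn(g)} FROM ROLE {role};")
    return stmts


if __name__ == "__main__":
    for f in explosion_findings(GRANTS):
        print(f["resource"], f["direct_grants"], "direct grants ->", f["sub_roles"])
        print("\n".join(split_plan_sql(GRANTS, f["resource"])))
```

Granting the sub-roles to the fat role before revoking its direct grants is what makes the change a Tier 2 / Tier 3 candidate rather than an outage: access is preserved through the hierarchy while consumers are re-pointed, and the final REVOKE batch is the step that needs change control.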
Every card above carries the same FORGE workflow. Listing it once here keeps the cards readable and the steps consistent. Operators run the same five-step pattern whether the finding came from Azure, AWS, GCP, Snowflake, or the ORACLE portal pack.
az, aws, gcloud, or SQL). Auto-fix tier (Tier 1) runs the command; review tier (Tier 2) opens a PR; change-control tier (Tier 3) routes to the change manager.
Read-only scan. No credit card. Full evidence pack on every finding.