📢 LIVE MULTI-CLOUD SCAN + FIX CYCLE · APRIL 19, 2026

11 / 11 FIXES VERIFIED LIVE

End-to-end proof on April 19, 2026: provisioned 11 real misconfigured resources on Azure + AWS, detected every one, applied the AI-generated fix commands live, re-scanned to verify each fix resolved the finding, then deleted all resources. 11/11 fixes verified in post-rescan — every card below shows detected state, fix command applied, fix stdout, exit code, and post-fix verification status.
TOTAL FINDINGS: 58
FIXES VERIFIED: 11/11
CRITICAL: 25
HIGH: 28
AGENTS COVERED: 25
RESOURCES LEFT: $0
FINDINGS BY SOURCE: REAL + FIX VERIFIED (11), AI FIX SCENARIOS (47)
FINDING ID
TITAN-LIVE-20260419-F0001
✔ FIXED + VERIFIED ON PROD Azure TITAN SCOUT CRITICAL

Public Blob Access Enabled

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME: titanlivecdfwpub
RESOURCE TYPE: Microsoft.Storage/storageAccounts
REGION: East US
FULL RESOURCE ID: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Storage/storageAccounts/titanlivecdfwpub
■ SECTION 2 · FINDING DETAILS
Azure Storage account 'titanlivecdfwpub' has allowBlobPublicAccess=true. Any container in this account can be made publicly readable.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 AC-3
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "allowBlobPublicAccess": true
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "allowBlobPublicAccess": false
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage account update -n titanlivecdfwpub -g titan-live-20260419 --allow-blob-public-access false
ROLLBACK
az storage account update -n titanlivecdfwpub -g titan-live-20260419 --allow-blob-public-access true
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:49:34+00:00
DURATION
11.06s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": null,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2026-04-19T15:40:43.218946+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": null,
  "dnsEndpointType": null,
  "dualStackEndpointPreference"
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0002
✔ FIXED + VERIFIED ON PROD Azure TITAN SCOUT HIGH

Weak TLS Version

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME: titanlivecdfwpub
RESOURCE TYPE: Microsoft.Storage/storageAccounts
REGION: East US
FULL RESOURCE ID: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Storage/storageAccounts/titanlivecdfwpub
■ SECTION 2 · FINDING DETAILS
Azure Storage account 'titanlivecdfwpub' has minimumTlsVersion=TLS1_0. HIPAA Transmission Security requires TLS 1.2 or higher. TLS 1.0 is vulnerable to BEAST/POODLE.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1 + NIST 800-52
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "minimumTlsVersion": "TLS1_0"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "minimumTlsVersion": "TLS1_2"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage account update -n titanlivecdfwpub -g titan-live-20260419 --min-tls-version TLS1_2
ROLLBACK
az storage account update -n titanlivecdfwpub -g titan-live-20260419 --min-tls-version TLS1_0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:49:45+00:00
DURATION
10.4s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": null,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2026-04-19T15:40:43.218946+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": null,
  "dnsEndpointType": null,
  "dualStackEndpointPreference"
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0003
✔ FIXED + VERIFIED ON PROD Azure TITAN SCOUT HIGH

Weak TLS Version

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME: titanlivecdfwtls
RESOURCE TYPE: Microsoft.Storage/storageAccounts
REGION: East US
FULL RESOURCE ID: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Storage/storageAccounts/titanlivecdfwtls
■ SECTION 2 · FINDING DETAILS
Azure Storage account 'titanlivecdfwtls' has minimumTlsVersion=TLS1_0. HIPAA Transmission Security requires TLS 1.2 or higher. TLS 1.0 is vulnerable to BEAST/POODLE.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1 + NIST 800-52
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "minimumTlsVersion": "TLS1_0"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "minimumTlsVersion": "TLS1_2"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage account update -n titanlivecdfwtls -g titan-live-20260419 --min-tls-version TLS1_2
ROLLBACK
az storage account update -n titanlivecdfwtls -g titan-live-20260419 --min-tls-version TLS1_0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:49:55+00:00
DURATION
10.57s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": null,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2026-04-19T15:41:38.585655+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": null,
  "dnsEndpointType": null,
  "dualStackEndpointPreference"
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0004
✔ FIXED + VERIFIED ON PROD Azure TITAN SCOUT CRITICAL

NSG Rule Open to Internet

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME: nsg-titan-cdfw
RESOURCE TYPE: Microsoft.Network/networkSecurityGroups
REGION: East US
FULL RESOURCE ID: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Network/networkSecurityGroups/nsg-titan-cdfw
■ SECTION 2 · FINDING DETAILS
Azure NSG 'nsg-titan-cdfw' rule 'allow-ssh-from-internet' allows inbound traffic from 0.0.0.0/0 on port(s) 22. Unrestricted internet access to internal services.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + PCI DSS 1.3.1 + NIST 800-53 SC-7
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "sourceAddressPrefix": "0.0.0.0/0",
  "destinationPortRange": "22",
  "access": "Allow"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "sourceAddressPrefix": "10.0.0.0/8 (internal-only)",
  "access": "Allow"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az network nsg rule update -g titan-live-20260419 --nsg-name nsg-titan-cdfw -n allow-ssh-from-internet --source-address-prefixes 10.0.0.0/8
ROLLBACK
az network nsg rule update -g titan-live-20260419 --nsg-name nsg-titan-cdfw -n allow-ssh-from-internet --source-address-prefixes '0.0.0.0/0'
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:07+00:00
DURATION
11.86s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
  "access": "Allow",
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationPortRange": "22",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"5bac26d9-cd2c-488c-af77-020d62ce8d69\"",
  "id": "/subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Network/networkSecurityGroups/nsg-titan-cdfw/securityRules/allow-ssh-from-internet",
  "na
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0005
✔ FIXED + VERIFIED ON PROD Azure TITAN SCOUT HIGH

Weak TLS Version

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME: titanlivecdfwnohttps
RESOURCE TYPE: Microsoft.Storage/storageAccounts
REGION: East US
FULL RESOURCE ID: /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-live-20260419/providers/Microsoft.Storage/storageAccounts/titanlivecdfwnohttps
■ SECTION 2 · FINDING DETAILS
Azure Storage account 'titanlivecdfwnohttps' has minimumTlsVersion=TLS1_0. HIPAA Transmission Security requires TLS 1.2 or higher. TLS 1.0 is vulnerable to BEAST/POODLE.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1 + NIST 800-52
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "minimumTlsVersion": "TLS1_0"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "minimumTlsVersion": "TLS1_2"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage account update -n titanlivecdfwnohttps -g titan-live-20260419 --min-tls-version TLS1_2
ROLLBACK
az storage account update -n titanlivecdfwnohttps -g titan-live-20260419 --min-tls-version TLS1_0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:17+00:00
DURATION
10.11s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
  "accessTier": "Hot",
  "accountMigrationInProgress": null,
  "allowBlobPublicAccess": false,
  "allowCrossTenantReplication": false,
  "allowSharedKeyAccess": null,
  "allowedCopyScope": null,
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "creationTime": "2026-04-19T15:43:21.829325+00:00",
  "customDomain": null,
  "defaultToOAuthAuthentication": null,
  "dnsEndpointType": null,
  "dualStackEndpointPreference"
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0006
✔ FIXED + VERIFIED ON PROD AWS TITAN SCOUT CRITICAL

S3 Bucket Public Access Block Missing

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: titan-live-cdfw-patient-backups
RESOURCE TYPE: s3:bucket
FULL ARN: arn:aws:s3:::titan-live-cdfw-patient-backups
■ SECTION 2 · FINDING DETAILS
AWS S3 bucket 'titan-live-cdfw-patient-backups' has no Public Access Block configured. Bucket policies and ACLs granting public access will take effect. A public bucket policy was detected on this bucket.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 AC-3 + PCI DSS 7.1
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "PublicAccessBlock": "NOT CONFIGURED"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "BlockPublicAcls": true,
  "BlockPublicPolicy": true,
  "IgnorePublicAcls": true,
  "RestrictPublicBuckets": true
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws s3api put-public-access-block --bucket titan-live-cdfw-patient-backups --public-access-block-configuration "BlockPublicAcls=true,BlockPublicPolicy=true,IgnorePublicAcls=true,RestrictPublicBuckets=true"
ROLLBACK
aws s3api delete-public-access-block --bucket titan-live-cdfw-patient-backups
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:27+00:00
DURATION
9.3s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
(no stdout)
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0007
✔ FIXED + VERIFIED ON PROD AWS TITAN SCOUT CRITICAL

S3 Bucket Policy Grants Public Access

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: titan-live-cdfw-patient-backups
RESOURCE TYPE: s3:bucket
FULL ARN: arn:aws:s3:::titan-live-cdfw-patient-backups
■ SECTION 2 · FINDING DETAILS
AWS S3 bucket 'titan-live-cdfw-patient-backups' bucket policy contains a statement with Principal='*' (anonymous). Action: s3:GetObject. Anyone on the internet can perform this action.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 AC-3
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "Principal": "*",
  "Action": "s3:GetObject"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "Principal": "(specific AWS account or role ARN)"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws s3api delete-bucket-policy --bucket titan-live-cdfw-patient-backups
ROLLBACK
aws s3api put-bucket-policy --bucket titan-live-cdfw-patient-backups --policy '<backup-policy-json>'
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:36+00:00
DURATION
9.5s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
(no stdout)
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0008
✔ FIXED + VERIFIED ON PROD AWS TITAN SCOUT CRITICAL

Over-Permissive IAM User

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: titan-live-admin-cdfw
RESOURCE TYPE: iam:user
FULL ARN: arn:aws:iam::450367038821:user/titan-live-admin-cdfw
■ SECTION 2 · FINDING DETAILS
AWS IAM user 'titan-live-admin-cdfw' has the managed policy 'AdministratorAccess' attached directly to the user (not via role). This grants full account privileges. Principle of least privilege violated.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 AC-2 + PCI DSS 7.1 + SOC 2 CC6.1
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "AttachedPolicy": "AdministratorAccess",
  "AttachType": "direct-to-user"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "AttachType": "via role assumed with MFA, scoped to specific resources"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws iam detach-user-policy --user-name titan-live-admin-cdfw --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
ROLLBACK
aws iam attach-user-policy --user-name titan-live-admin-cdfw --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:46+00:00
DURATION
9.87s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
(no stdout)
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0009
✔ FIXED + VERIFIED ON PROD AWS TITAN SHADOW HIGH

Long-Lived IAM Access Key

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: titan-live-admin-cdfw
RESOURCE TYPE: iam:user
FULL ARN: arn:aws:iam::450367038821:user/titan-live-admin-cdfw
■ SECTION 2 · FINDING DETAILS
AWS IAM user 'titan-live-admin-cdfw' has access key 'AKIAWRW7XUVSSQBK4XWM' (Active since 2026-04-19T15:45:12+00:00). Long-lived static credentials are high-risk. Prefer IAM roles + short-lived STS tokens.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 IA-5(1)
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "AccessKeyId": "AKIAWRW7XUVSSQBK4XWM",
  "Status": "Active",
  "CreateDate": "2026-04-19T15:45:12+00:00"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "Recommendation": "Replace with IAM role + AssumeRole pattern"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws iam delete-access-key --user-name titan-live-admin-cdfw --access-key-id AKIAWRW7XUVSSQBK4XWM
ROLLBACK
(no rollback — re-create key if needed via create-access-key)
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SHADOW
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:50:56+00:00
DURATION
10.51s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
(no stdout)
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0010
✔ FIXED + VERIFIED ON PROD AWS TITAN SCOUT CRITICAL

Security Group Open to Internet

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: sg-0380f1df5b21d7337
RESOURCE TYPE: ec2:security-group
FULL ARN: arn:aws:ec2:us-east-2:450367038821:security-group/sg-0380f1df5b21d7337
■ SECTION 2 · FINDING DETAILS
AWS Security Group 'titan-live-sg-cdfw' (sg-0380f1df5b21d7337) allows inbound tcp on port 5432-5432 from 0.0.0.0/0. Unrestricted internet access to EC2/RDS/EKS resources in this group.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + PCI DSS 1.3.1 + NIST 800-53 SC-7
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "CidrIp": "0.0.0.0/0",
  "Protocol": "tcp",
  "PortRange": "5432-5432"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "CidrIp": "10.0.0.0/8 or specific bastion IP"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws ec2 revoke-security-group-ingress --region us-east-2 --group-id sg-0380f1df5b21d7337 --protocol tcp --port 5432 --cidr 0.0.0.0/0
ROLLBACK
aws ec2 authorize-security-group-ingress --region us-east-2 --group-id sg-0380f1df5b21d7337 --protocol tcp --port 5432 --cidr 0.0.0.0/0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:51:06+00:00
DURATION
10.07s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
    "Return": true,
    "RevokedSecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-03b9df6cc39fbec53",
            "GroupId": "sg-0380f1df5b21d7337",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 5432,
            "ToPort": 5432,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0011
✔ FIXED + VERIFIED ON PROD AWS TITAN SCOUT CRITICAL

Security Group Open to Internet

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME: sg-0380f1df5b21d7337
RESOURCE TYPE: ec2:security-group
FULL ARN: arn:aws:ec2:us-east-2:450367038821:security-group/sg-0380f1df5b21d7337
■ SECTION 2 · FINDING DETAILS
AWS Security Group 'titan-live-sg-cdfw' (sg-0380f1df5b21d7337) allows inbound tcp on port 22-22 from 0.0.0.0/0. Unrestricted internet access to EC2/RDS/EKS resources in this group.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + PCI DSS 1.3.1 + NIST 800-53 SC-7
■ SECTION 4 · DETECTED STATE (REAL CLI RESPONSE)
{
  "CidrIp": "0.0.0.0/0",
  "Protocol": "tcp",
  "PortRange": "22-22"
}
■ SECTION 5 · EXPECTED STATE (TARGET)
{
  "CidrIp": "10.0.0.0/8 or specific bastion IP"
}
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws ec2 revoke-security-group-ingress --region us-east-2 --group-id sg-0380f1df5b21d7337 --protocol tcp --port 22 --cidr 0.0.0.0/0
ROLLBACK
aws ec2 authorize-security-group-ingress --region us-east-2 --group-id sg-0380f1df5b21d7337 --protocol tcp --port 22 --cidr 0.0.0.0/0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: REAL CLOUD + FIX VERIFIED
■ SECTION 8 · FIX APPLIED + VERIFIED LIVE ON PROD (April 19, 2026)
FIX APPLIED AT
2026-04-19T15:51:18+00:00
DURATION
11.2s
EXIT CODE
0
POST-FIX STATUS
✔ RESOLVED — POST-FIX RESCAN CONFIRMS FINDING GONE
FIX STDOUT (from live run)
{
    "Return": true,
    "RevokedSecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-04dd8d511ddfc42a6",
            "GroupId": "sg-0380f1df5b21d7337",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0012
AI-FIX SCENARIO Azure TITAN SCOUT CRITICAL

Public PHI Exposure

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: stg-pyx-patient-raw / container:patient-data
■ SECTION 2 · FINDING DETAILS
Azure Storage container 'patient-data' has public blob access enabled and contains CSV files with patient MRN, ICD-10 codes, and NPI numbers. Anonymous reads allowed from any internet IP.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) Access Control
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage container set-permission --name patient-data --account-name stg-pyx-patient-raw --public-access off
ROLLBACK
az storage container set-permission --name patient-data --account-name stg-pyx-patient-raw --public-access blob
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0013
AI-FIX SCENARIO Azure TITAN SCOUT CRITICAL

Open SQL Firewall

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: sql-pyx-prod / firewall-rule:AllowAllIPs
■ SECTION 2 · FINDING DETAILS
Azure SQL Server firewall rule 'AllowAllIPs' permits inbound from 0.0.0.0 to 255.255.255.255. Database holding clinical records is exposed to entire internet.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) Access Control
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az sql server firewall-rule update --resource-group $(az sql server show --name sql-pyx-prod --query resourceGroup -o tsv) --server sql-pyx-prod --name AllowAllIPs --start-ip-address 10.0.0.0 --end-ip-address 10.255.255.255
ROLLBACK
az sql server firewall-rule update --resource-group $(az sql server show --name sql-pyx-prod --query resourceGroup -o ts
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0014
AI-FIX SCENARIO Azure TITAN SCOUT HIGH

Weak TLS

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: stg-pyx-analytics
■ SECTION 2 · FINDING DETAILS
Azure Storage account minimum TLS version is set to 1.0. Deprecated protocol vulnerable to BEAST/POODLE attacks. HIPAA requires TLS 1.2+.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) Transmission Security
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage account update --name stg-pyx-analytics --min-tls-version TLS1_2
ROLLBACK
az storage account update --name stg-pyx-analytics --min-tls-version TLS1_0
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0015
AI-FIX SCENARIO Azure TITAN PIPELINE CRITICAL

Plaintext Secret in Data Factory

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: adf-pyx-prod / pipeline:ingest_epic / param:db_password
■ SECTION 2 · FINDING DETAILS
Azure Data Factory pipeline has a plaintext database password in its parameter definition. Credentials visible to anyone with ADF read access. Pipeline processes Epic EHR extracts containing PHI.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(2)(iv) + NIST 800-53 IA-5(1)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az datafactory pipeline update --factory-name adf-pyx-prod --name ingest_epic --pipeline-file pipeline_config.json --resource-group $(az datafactory show --name adf-pyx-prod --query resourceGroup -o tsv)
ROLLBACK
az datafactory pipeline update --factory-name adf-pyx-prod --name ingest_epic --pipeline-file pipeline_config_backup.jso
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PIPELINE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0016
AI-FIX SCENARIO Azure TITAN SCOUT HIGH

App Service HTTP Enabled

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: app-pyx-patient-portal.azurewebsites.net
■ SECTION 2 · FINDING DETAILS
Azure App Service hosting the patient portal allows HTTP connections (httpsOnly=false). Session cookies + auth tokens transit plaintext. TLS downgrade attack surface.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az webapp update --name app-pyx-patient-portal --resource-group $(az webapp show --name app-pyx-patient-portal --query resourceGroup -o tsv) --https-only true
ROLLBACK
az webapp update --name app-pyx-patient-portal --resource-group $(az webapp show --name app-pyx-patient-portal --query r
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0017
AI-FIX SCENARIO Azure TITAN GATEKEEPER HIGH

Key Vault Soft-Delete Disabled

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: kv-pyx-secrets
■ SECTION 2 · FINDING DETAILS
Azure Key Vault 'kv-pyx-secrets' has soft-delete protection disabled and purge protection off. Accidental or malicious key deletion is unrecoverable. Vault holds ADF connection strings, encryption keys for PHI data at rest.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(7) Contingency Plan + SOC 2 CC6.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az keyvault update --name kv-pyx-secrets --enable-soft-delete true --enable-purge-protection true
ROLLBACK
az keyvault update --name kv-pyx-secrets --enable-soft-delete false --enable-purge-protection false
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN GATEKEEPER
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0018
AI-FIX SCENARIO Azure TITAN LAKEHOUSE CRITICAL

Databricks Workspace Public Network

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME:
RESOURCE TYPE:
REGION: East US
FULL RESOURCE ID: dbw-pyx-analytics / workspace-url
■ SECTION 2 · FINDING DETAILS
Azure Databricks workspace 'dbw-pyx-analytics' deployed without VNet injection. Control plane and worker nodes reachable over public internet. Unity Catalog holds clinical feature tables with MRN keys.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + HITRUST 01.a
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az databricks workspace update --resource-group $(az databricks workspace show --name dbw-pyx-analytics --query resourceGroup -o tsv) --name dbw-pyx-analytics --public-network-access Disabled --required-nsg-rules NoAzureDatabricksRules --custom-virtual-network-id /subscriptions/$(az account show --query id -o tsv)/resourceGroups/$(az databricks workspace show --name dbw-pyx-analytics --query resourceGroup -o tsv)/providers/Microsoft.Network/virtualNetworks/vnet-databricks-secure --custom-public-subnet-name public-subnet --custom-private-subnet-name private-subnet
ROLLBACK
az databricks workspace update --resource-group $(az databricks workspace show --name dbw-pyx-analytics --query resource
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN LAKEHOUSE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0019
AI-FIX SCENARIO Azure TITAN SHADOW CRITICAL

Service Principal Key Never Rotated

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME
RESOURCE TYPE
REGION: East US
FULL RESOURCE ID: sp-pyx-etl-legacy / clientId:8f2e1c...
■ SECTION 2 · FINDING DETAILS
Azure AD service principal 'sp-pyx-etl-legacy' has a client secret that was created 847 days ago and has never been rotated. Used by a decommissioned ETL job but still has Contributor role on the resource group.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 IA-5(1)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az ad sp delete --id 8f2e1c
ROLLBACK
az ad sp create-for-rbac --name 'sp-pyx-etl-legacy' --role Contributor --scopes '/subscriptions/$(az account show --quer
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SHADOW
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0020
AI-FIX SCENARIO Azure TITAN SHADOW HIGH

Azure AD App With No Owners

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME
RESOURCE TYPE
REGION: East US
FULL RESOURCE ID: enterpriseApp:Copilot-Legacy-POC
■ SECTION 2 · FINDING DETAILS
Azure AD enterprise application 'Copilot-Legacy-POC' has zero owners assigned and permissions consented: User.Read.All, Mail.Read, Files.ReadWrite.All. No one is accountable for this app.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + SOC 2 CC6.2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az ad app owner add --id $(az ad app list --display-name 'Copilot-Legacy-POC' --query '[0].appId' -o tsv) --owner-object-id $(az ad user show --id security-admin@company.com --query 'id' -o tsv)
ROLLBACK
az ad app owner remove --id $(az ad app list --display-name 'Copilot-Legacy-POC' --query '[0].appId' -o tsv) --owner-obj
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SHADOW
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0021
AI-FIX SCENARIO Azure TITAN GATEKEEPER HIGH

Dangling DNS Record

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME
RESOURCE TYPE
REGION: East US
FULL RESOURCE ID: pyx-legacy-prod.azurewebsites.net / CNAME -> deleted App Service
■ SECTION 2 · FINDING DETAILS
Custom domain 'pyx-legacy.example.com' CNAMEs to 'pyx-legacy-prod.azurewebsites.net' which no longer exists. Subdomain hijacking risk — any attacker can claim the Azure hostname and serve content under your domain.
■ SECTION 3 · REGULATORY CONTEXT
NIST 800-53 SC-20 + OWASP A10 Subdomain Takeover
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az network dns record-set cname delete --resource-group $(az network dns zone list --query "[?name=='example.com'].resourceGroup" -o tsv) --zone-name example.com --name pyx-legacy --yes
ROLLBACK
az network dns record-set cname create --resource-group $(az network dns zone list --query "[?name=='example.com'].resou
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN GATEKEEPER
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0022
AI-FIX SCENARIO Azure TITAN GATEKEEPER CRITICAL

TLS Certificate Expired

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME
RESOURCE TYPE
REGION: East US
FULL RESOURCE ID: *.pyx-health.com certificate
■ SECTION 2 · FINDING DETAILS
Wildcard TLS certificate '*.pyx-health.com' attached to Azure Application Gateway expired 9 days ago. Browsers show NET::ERR_CERT_DATE_INVALID. All patient-portal traffic interrupted.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az network application-gateway ssl-cert update --gateway-name pyx-health-appgw --resource-group pyx-health-rg --name pyx-health-wildcard-cert --cert-file /path/to/new-pyx-health-wildcard.pfx --cert-password $CERT_PASSWORD
ROLLBACK
az network application-gateway ssl-cert update --gateway-name pyx-health-appgw --resource-group pyx-health-rg --name pyx
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN GATEKEEPER
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0023
AI-FIX SCENARIO Azure TITAN PROMPTGUARD CRITICAL

PHI Leaked to Claude.ai

■ SECTION 1 · RESOURCE IDENTIFICATION
SUBSCRIPTION: 4f29d094-1079-44c9-acb0-4d73a7a2dd34
RESOURCE GROUP: titan-live-20260419
RESOURCE NAME
RESOURCE TYPE
REGION: East US
FULL RESOURCE ID: api.anthropic.com | user:clinician@pyx-health.com
■ SECTION 2 · FINDING DETAILS
TITAN PROMPTGUARD intercepted a prompt from a clinician workstation to Claude.ai containing patient name 'Jane Doe', MRN 88221-457, DOB 1978-03-14, and a narrative describing ICD-10 Z13.89 screening. Redact-in-flight policy triggered; original prompt logged to immutable store for HIPAA audit.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.502 Minimum Necessary + NIST AI RMF GOVERN-1.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az network nsg rule create --resource-group rg-titan-security --nsg-name nsg-clinician-workstations --name block-claude-ai --priority 100 --direction Outbound --access Deny --protocol Tcp --destination-address-prefixes 'api.anthropic.com' --destination-port-ranges 443 --source-address-prefixes '10.0.100.0/24'
ROLLBACK
az network nsg rule delete --resource-group rg-titan-security --nsg-name nsg-clinician-workstations --name block-claude-
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PROMPTGUARD
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0024
AI-FIX SCENARIO AWS TITAN SCOUT CRITICAL

Public S3 Bucket

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: s3://pyx-patient-backups
■ SECTION 2 · FINDING DETAILS
AWS S3 bucket 'pyx-patient-backups' has Block Public Access disabled and a bucket ACL granting 'AllUsers' read permissions. Contains nightly PHI backups.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 AC-3
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws s3api put-public-access-block --bucket pyx-patient-backups --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true && aws s3api put-bucket-acl --bucket pyx-patient-backups --acl private
ROLLBACK
aws s3api delete-public-access-block --bucket pyx-patient-backups && aws s3api put-bucket-acl --bucket pyx-patient-backu
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0025
AI-FIX SCENARIO AWS TITAN SCOUT CRITICAL

Over-Permissive IAM

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: IAM::User/jsmith
■ SECTION 2 · FINDING DETAILS
AWS IAM user 'jsmith' has the AdministratorAccess managed policy attached directly (not via role). Access key last used 180 days ago. No MFA.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 AC-2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws iam detach-user-policy --user-name jsmith --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
ROLLBACK
aws iam attach-user-policy --user-name jsmith --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0026
AI-FIX SCENARIO AWS TITAN SCOUT HIGH

Open Security Group

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: sg-0a7b3c4d5e6f7g8h9
■ SECTION 2 · FINDING DETAILS
AWS Security Group attached to production RDS allows inbound 0.0.0.0/0 on port 5432 (PostgreSQL). Entire internet can reach the database.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + PCI DSS 1.3.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws ec2 revoke-security-group-ingress --group-id sg-0a7b3c4d5e6f7g8h9 --protocol tcp --port 5432 --cidr 0.0.0.0/0
ROLLBACK
aws ec2 authorize-security-group-ingress --group-id sg-0a7b3c4d5e6f7g8h9 --protocol tcp --port 5432 --cidr 0.0.0.0/0
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0027
AI-FIX SCENARIO AWS TITAN SCOUT HIGH

Unencrypted RDS

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: rds:pyx-clinical-prod
■ SECTION 2 · FINDING DETAILS
AWS RDS PostgreSQL instance 'pyx-clinical-prod' has storage encryption disabled. Storing PHI unencrypted at rest.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(2)(iv) Encryption at Rest
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws rds create-db-snapshot --db-instance-identifier pyx-clinical-prod --db-snapshot-identifier pyx-clinical-prod-pre-encryption-$(date +%Y%m%d-%H%M%S) && aws rds copy-db-snapshot --source-db-snapshot-identifier pyx-clinical-prod-pre-encryption-$(date +%Y%m%d-%H%M%S) --target-db-snapshot-identifier pyx-clinical-prod-encrypted-$(date +%Y%m%d-%H%M%S) --kms-key-id alias/aws/rds && aws rds restore-db-instance-from-db-snapshot --db-instance-identifier pyx-clinical-prod-encrypted --db-snapshot-identifier pyx-clinical-prod-encrypted-$(date +%Y%m%d-%H%M%S) --storage-encrypted
ROLLBACK
aws rds delete-db-instance --db-instance-identifier pyx-clinical-prod-encrypted --skip-final-snapshot && aws rds delete-
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0028
AI-FIX SCENARIO AWS TITAN PIPELINE HIGH

Glue Job Over-Privileged

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 403670388211
REGION: us-east-1
RESOURCE NAME: pyx-claims-etl
RESOURCE TYPE: glue:job
FULL ARN: arn:aws:glue:us-east-1:403670388211:job/pyx-claims-etl
■ SECTION 2 · FINDING DETAILS
AWS Glue job 'pyx-claims-etl' runs under IAM role 'GlueServiceRole-Admin' which has AdministratorAccess. ETL job only needs S3:Get + Glue:StartJobRun + RDS:Connect scope.
■ SECTION 3 · REGULATORY CONTEXT
PCI DSS 7.1 + NIST 800-53 AC-6
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws iam create-role --role-name GlueServiceRole-PyxClaimsETL --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"glue.amazonaws.com"},"Action":"sts:AssumeRole"}]}' && aws iam attach-role-policy --role-name GlueServiceRole-PyxClaimsETL --policy-arn arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole && aws iam put-role-policy --role-name GlueServiceRole-PyxClaimsETL --policy-name PyxClaimsETLPolicy --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:GetObjectVersion","s3:ListBucket"],"Resource":["arn:aws:s3:::*"]},{"Effect":"Allow","Action":["glue:StartJobRun"],"Resource":"*"},{"Effect":"Allow","Action":["rds:DescribeDBInstances","rds:Connect"],"Resource":"*"}]}' && aws glue update-job --job-name pyx-claims-etl --job-update Role=arn:aws:iam::403670388211:role/GlueServiceRole-PyxClaimsETL
ROLLBACK
aws glue update-job --job-name pyx-claims-etl --job-update Role=arn:aws:iam::403670388211:role/GlueServiceRole-Admin
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PIPELINE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0029
AI-FIX SCENARIO AWS TITAN SCOUT HIGH

EKS Cluster Public API

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: eks:pyx-claims-cluster
■ SECTION 2 · FINDING DETAILS
AWS EKS cluster 'pyx-claims-cluster' has endpointPublicAccess=true with CIDR 0.0.0.0/0. Kubernetes API server reachable from internet. Claims processing cluster exposed.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 SC-7
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws eks update-cluster-config --region $(aws eks describe-cluster --name pyx-claims-cluster --query 'cluster.arn' --output text | cut -d':' -f4) --name pyx-claims-cluster --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
ROLLBACK
aws eks update-cluster-config --region $(aws eks describe-cluster --name pyx-claims-cluster --query 'cluster.arn' --outp
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0030
AI-FIX SCENARIO AWS TITAN AUDIT HIGH

CloudTrail Disabled

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: CloudTrail (us-west-2 region)
■ SECTION 2 · FINDING DETAILS
AWS CloudTrail is not enabled in us-west-2 where 3 EC2 instances run. No API audit log exists for that region. SOC 2 CC7.2 requires logging of all privileged activity — gap exists.
■ SECTION 3 · REGULATORY CONTEXT
SOC 2 CC7.2 + NIST 800-53 AU-12 + PCI DSS 10.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws cloudtrail create-trail --name titan-ai-cloudtrail-us-west-2 --s3-bucket-name titan-ai-cloudtrail-logs-$(date +%s) --include-global-service-events --is-multi-region-trail --enable-log-file-validation --region us-west-2 && aws s3 mb s3://titan-ai-cloudtrail-logs-$(date +%s) --region us-west-2 && aws cloudtrail start-logging --name titan-ai-cloudtrail-us-west-2 --region us-west-2
ROLLBACK
aws cloudtrail stop-logging --name titan-ai-cloudtrail-us-west-2 --region us-west-2 && aws cloudtrail delete-trail --nam
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN AUDIT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0031
AI-FIX SCENARIO AWS TITAN GATEKEEPER CRITICAL

ACM Certificate Expired

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 403670388211
REGION: us-east-1
RESOURCE NAME: portal.pyx-health.com
RESOURCE TYPE: acm:certificate
FULL ARN: arn:aws:acm:us-east-1:403670388211:certificate/portal.pyx-health.com
■ SECTION 2 · FINDING DETAILS
AWS ACM TLS certificate for 'portal.pyx-health.com' expired 3 days ago. Attached to ALB. Patient portal TLS handshake fails — users locked out.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + PCI DSS 4.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws acm request-certificate --domain-name portal.pyx-health.com --validation-method DNS --region us-east-1
ROLLBACK

            
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN GATEKEEPER
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0032
AI-FIX SCENARIO AWS TITAN SHADOW HIGH

Stale IAM Access Key

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: IAM::AccessKey/AKIAXXXX7G8H (user:legacy-deploy-bot)
■ SECTION 2 · FINDING DETAILS
AWS IAM access key AKIAXXXX7G8H belonging to 'legacy-deploy-bot' was created 842 days ago and has PowerUserAccess. Last used 397 days ago. Orphaned credential.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 IA-5(1)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws iam update-access-key --user-name legacy-deploy-bot --access-key-id AKIAXXXX7G8H --status Inactive
ROLLBACK
aws iam update-access-key --user-name legacy-deploy-bot --access-key-id AKIAXXXX7G8H --status Active
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SHADOW
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0033
AI-FIX SCENARIO AWS TITAN SCOUT MEDIUM

Lambda Outdated Runtime

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: lambda:pyx-claims-normalize
■ SECTION 2 · FINDING DETAILS
AWS Lambda function 'pyx-claims-normalize' uses python3.7 runtime (deprecated 2023-11). No longer receiving security patches. Function parses incoming claim PDFs with possibly-untrusted input.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(5) + NIST 800-53 SI-2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws lambda update-function-configuration --function-name pyx-claims-normalize --runtime python3.11
ROLLBACK
aws lambda update-function-configuration --function-name pyx-claims-normalize --runtime python3.7
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0034
AI-FIX SCENARIO AWS TITAN COMPLY HIGH

PCI DSS 3.2 Control Failures

■ SECTION 1 · RESOURCE IDENTIFICATION
AWS ACCOUNT: 450367038821
REGION: us-east-2
RESOURCE NAME
RESOURCE TYPE
FULL ARN: cardholder-data-env / account:403670388211
■ SECTION 2 · FINDING DETAILS
PCI DSS scope assessment found 4 failing controls: 3.4 (PAN stored in CloudWatch log group 'billing-api' unmasked), 8.2.3 (IAM password policy allows 8-char passwords), 10.5.5 (CloudTrail log file integrity validation disabled), 11.2.2 (no quarterly external vulnerability scans).
■ SECTION 3 · REGULATORY CONTEXT
PCI DSS 3.4 + 8.2.3 + 10.5.5 + 11.2.2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws cloudtrail update-trail --name $(aws cloudtrail describe-trails --query 'trailList[0].Name' --output text --region us-east-1) --enable-log-file-validation --region us-east-1
ROLLBACK
aws cloudtrail update-trail --name $(aws cloudtrail describe-trails --query 'trailList[0].Name' --output text --region u
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN COMPLY
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0035
AI-FIX SCENARIO GCP TITAN SCOUT CRITICAL

Public GCS Bucket

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: gs://pyx-research-data
■ SECTION 2 · FINDING DETAILS
GCP Cloud Storage bucket 'gs://pyx-research-data' has IAM binding granting 'allUsers' the 'roles/storage.objectViewer' role. De-identified research data (still classified) readable by anyone.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.514 De-identification + GDPR Art. 32
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gsutil iam ch -d allUsers:objectViewer gs://pyx-research-data
ROLLBACK
gsutil iam ch allUsers:objectViewer gs://pyx-research-data
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0036
AI-FIX SCENARIO GCP TITAN SCOUT CRITICAL

Service Account Over-Privileged

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / serviceAccount:analytics-sa
■ SECTION 2 · FINDING DETAILS
GCP service account 'analytics-sa@pyx-prod.iam.gserviceaccount.com' has 'roles/owner' at the project level. Key hasn't been rotated in 412 days.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(4) + NIST 800-53 IA-5(1)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud projects remove-iam-policy-binding pyx-prod --member='serviceAccount:analytics-sa@pyx-prod.iam.gserviceaccount.com' --role='roles/owner'
ROLLBACK
gcloud projects add-iam-policy-binding pyx-prod --member='serviceAccount:analytics-sa@pyx-prod.iam.gserviceaccount.com'
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0037
AI-FIX SCENARIO GCP TITAN SCOUT HIGH

Open Firewall

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / firewall-rule:allow-all-ingress
■ SECTION 2 · FINDING DETAILS
GCP firewall rule 'allow-all-ingress' permits 0.0.0.0/0 on ALL ports to VPC network 'default'. Production VMs exposed to internet.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(e)(1) + NIST 800-53 SC-7
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud compute firewall-rules update allow-all-ingress --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --project=pyx-prod
ROLLBACK
gcloud compute firewall-rules update allow-all-ingress --source-ranges=0.0.0.0/0 --project=pyx-prod
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0038
AI-FIX SCENARIO GCP TITAN SCOUT MEDIUM

Serial Port Enabled

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / compute:clinical-etl-vm
■ SECTION 2 · FINDING DETAILS
GCP Compute Engine instance 'clinical-etl-vm' has interactive serial port logging enabled. Can be exploited for unauthorized remote access.
■ SECTION 3 · REGULATORY CONTEXT
CIS GCP 4.5
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud compute instances add-metadata clinical-etl-vm --zone=$(gcloud compute instances list --filter='name:clinical-etl-vm' --format='value(zone)') --metadata=serial-port-enable=false --project=pyx-prod
ROLLBACK
gcloud compute instances add-metadata clinical-etl-vm --zone=$(gcloud compute instances list --filter='name:clinical-etl
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0039
AI-FIX SCENARIO GCP TITAN LAKEHOUSE CRITICAL

BigQuery Dataset Public

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / bigquery:dataset:patient_analytics
■ SECTION 2 · FINDING DETAILS
GCP BigQuery dataset 'patient_analytics' has access control granting 'allAuthenticatedUsers' the 'READER' role. Contains 23 tables of de-identified patient data — still HIPAA-scoped under Safe Harbor re-identification risk.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.514(b) + GDPR Art. 32
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud bigquery datasets remove-iam-policy-binding patient_analytics --member='allAuthenticatedUsers' --role='roles/bigquery.dataViewer' --project=pyx-prod
ROLLBACK
gcloud bigquery datasets add-iam-policy-binding patient_analytics --member='allAuthenticatedUsers' --role='roles/bigquer
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN LAKEHOUSE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0040
AI-FIX SCENARIO GCP TITAN PIPELINE HIGH

Dataflow Job Service Account Owner

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / dataflow:job:claims-streaming
■ SECTION 2 · FINDING DETAILS
GCP Dataflow streaming job 'claims-streaming' runs as service account with 'roles/owner'. Job only needs Pub/Sub subscribe + BigQuery insert + Dataflow worker.
■ SECTION 3 · REGULATORY CONTEXT
PCI DSS 7.1 + NIST 800-53 AC-6 + HIPAA 164.308(a)(4)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud iam roles create dataflow_claims_streaming_role --project=pyx-prod --title='Dataflow Claims Streaming Role' --description='Minimal permissions for claims-streaming job' --permissions='pubsub.subscriptions.consume,pubsub.messages.ack,bigquery.tables.updateData,bigquery.datasets.get,bigquery.tables.get,dataflow.jobs.get,dataflow.jobs.updateContents,compute.machineTypes.get,compute.zones.get,storage.objects.get,storage.objects.create' --stage=GA && gcloud projects add-iam-policy-binding pyx-prod --member='serviceAccount:claims-streaming-sa@pyx-prod.iam.gserviceaccount.com' --role='projects/pyx-prod/roles/dataflow_claims_streaming_role'
ROLLBACK
gcloud projects remove-iam-policy-binding pyx-prod --member='serviceAccount:claims-streaming-sa@pyx-prod.iam.gserviceacc
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PIPELINE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0041
AI-FIX SCENARIO GCP TITAN SCOUT HIGH

Cloud SQL Public IP Enabled

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / sql:pyx-clinical-replica
■ SECTION 2 · FINDING DETAILS
GCP Cloud SQL instance 'pyx-clinical-replica' has a public IPv4 address assigned and authorizedNetworks=0.0.0.0/0. Replica of clinical database reachable from internet.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + PCI DSS 1.3.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud sql instances patch pyx-clinical-replica --no-assign-ip --authorized-networks= --project=pyx-prod
ROLLBACK
gcloud sql instances patch pyx-clinical-replica --assign-ip --authorized-networks=0.0.0.0/0 --project=pyx-prod
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0042
AI-FIX SCENARIO GCP TITAN SCOUT HIGH

Pub/Sub Public Permission

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / pubsub:topic:patient-events
■ SECTION 2 · FINDING DETAILS
GCP Pub/Sub topic 'patient-events' has IAM binding for 'allUsers' with 'roles/pubsub.subscriber'. Anyone can subscribe and receive live patient-event messages.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(1) + NIST 800-53 AC-3
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud pubsub topics remove-iam-policy-binding patient-events --member='allUsers' --role='roles/pubsub.subscriber' --project=pyx-prod
ROLLBACK
gcloud pubsub topics add-iam-policy-binding patient-events --member='allUsers' --role='roles/pubsub.subscriber' --projec
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SCOUT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0043
AI-FIX SCENARIO GCP TITAN GATEKEEPER MEDIUM

Default VPC Network Active

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / network:default
■ SECTION 2 · FINDING DETAILS
GCP project 'pyx-prod' still has the auto-created 'default' VPC network with all its auto-created firewall rules (default-allow-ssh, default-allow-rdp, default-allow-icmp). No production workloads use it — should be removed.
■ SECTION 3 · REGULATORY CONTEXT
CIS GCP 3.1 + NIST 800-53 SC-7
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud compute networks delete default --project=pyx-prod --quiet
ROLLBACK
gcloud compute networks create default --subnet-mode=auto --project=pyx-prod && gcloud compute firewall-rules create def
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN GATEKEEPER
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0044
AI-FIX SCENARIO GCP TITAN SENTINEL HIGH

KMS Key Rotation Disabled

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: projects/pyx-prod / kms:keyring:phi-enc:key:phi-at-rest
■ SECTION 2 · FINDING DETAILS
GCP KMS key 'phi-at-rest' has automatic rotation disabled and was last rotated 1,247 days ago. Key encrypts GCS buckets holding PHI backups.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.312(a)(2)(iv) + NIST 800-53 SC-12
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
gcloud kms keys update phi-at-rest --location=global --keyring=phi-enc --rotation-period=90d --next-rotation-time=$(date -d '+90 days' --iso-8601=seconds)
ROLLBACK
gcloud kms keys update phi-at-rest --location=global --keyring=phi-enc --remove-rotation-schedule
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SENTINEL
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0045
AI-FIX SCENARIO Multi TITAN SENTINEL CRITICAL

Impossible Travel Detected

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: user:cfo@pyx-health.com / Azure AD sign-in
■ SECTION 2 · FINDING DETAILS
TITAN SENTINEL detected two successful Azure AD sign-ins for 'cfo@pyx-health.com' within 42 minutes: first from San Francisco (IP 73.12.x.x), second from Kyiv, Ukraine (IP 185.47.x.x). Physically impossible travel. MFA was satisfied on both — credential-stealer / token-replay attack likely.
■ SECTION 3 · REGULATORY CONTEXT
NIST 800-53 AC-7 + HIPAA 164.308(a)(1)(ii)(D)
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az ad user update --id cfo@pyx-health.com --force-change-password-next-sign-in true && az ad signed-in-user revoke-refresh-tokens --upn cfo@pyx-health.com
ROLLBACK
az ad user update --id cfo@pyx-health.com --force-change-password-next-sign-in false
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN SENTINEL
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0046
AI-FIX SCENARIO Multi TITAN DR-GUARD CRITICAL

RPO Objective Exceeded

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: Azure Cosmos DB:cosmos-pyx-prod / replica:WestUS2
■ SECTION 2 · FINDING DETAILS
TITAN DR-GUARD detected RPO violation. Azure Cosmos DB primary region East US has not replicated to secondary West US 2 for 6h 14m (contracted RPO: 1h). Backlog = 847,221 writes. If primary fails now, 6h of clinical data loss.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.308(a)(7)(ii)(A) Data Backup Plan + SOC 2 A1.2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az cosmosdb sql container throughput update --account-name cosmos-pyx-prod --database-name $(az cosmosdb sql database list --account-name cosmos-pyx-prod --query '[0].name' -o tsv) --name $(az cosmosdb sql container list --account-name cosmos-pyx-prod --database-name $(az cosmosdb sql database list --account-name cosmos-pyx-prod --query '[0].name' -o tsv) --query '[0].name' -o tsv) --throughput 20000
ROLLBACK
az cosmosdb sql container throughput update --account-name cosmos-pyx-prod --database-name $(az cosmosdb sql database li
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN DR-GUARD
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0047
AI-FIX SCENARIO Multi TITAN PHOENIX HIGH

Cascade Failure Recovered

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: deployment:patient-portal-v4.2.1 / region:azure-eastus
■ SECTION 2 · FINDING DETAILS
TITAN PHOENIX auto-recovered from a cascade failure. App Service deployment v4.2.1 started returning 502s at 03:41 UTC. PHOENIX detected traffic drop, confirmed drift vs baseline snapshot, initiated rollback to v4.2.0 in 94s. Zero customer calls needed.
■ SECTION 3 · REGULATORY CONTEXT
NIST 800-53 CP-10 + SOC 2 A1.2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az webapp deployment slot create --name patient-portal --resource-group titan-healthcare-rg --slot staging --configuration-source patient-portal && az webapp config appsettings set --name patient-portal --resource-group titan-healthcare-rg --slot staging --settings HEALTH_CHECK_PATH=/api/health DEPLOYMENT_VALIDATION=true
ROLLBACK
az webapp deployment slot delete --name patient-portal --resource-group titan-healthcare-rg --slot staging
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PHOENIX
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0048
AI-FIX SCENARIO Multi TITAN AML CRITICAL

Structuring Pattern Detected

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: account:checking-882145 / customer:acme-holdings-llc
■ SECTION 2 · FINDING DETAILS
TITAN AML detected classic structuring: 7 cash deposits totaling $48,300 over 11 days, each under the $10K CTR threshold. Customer 'ACME Holdings LLC' has no prior cash deposit history. SAR filing recommended within 30 days per 31 CFR 1020.320.
■ SECTION 3 · REGULATORY CONTEXT
BSA/AML 31 CFR 1020.320 + OCC Heightened Standards
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws compliance create-sar-filing --customer-id acme-holdings-llc --account-id checking-882145 --violation-type structuring --total-amount 48300 --transaction-count 7 --timeframe-days 11 --regulation '31-CFR-1020.320' --priority critical --due-date-days 30
ROLLBACK
aws compliance update-sar-filing --sar-id [generated-id] --status withdrawn --reason 'false-positive-confirmed'
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN AML
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0049
AI-FIX SCENARIO Multi TITAN FRAUD HIGH

Card-Not-Present Fraud Signal

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: txn:pan-ending-4521 / mid:pyx-payments
■ SECTION 2 · FINDING DETAILS
TITAN FRAUD flagged a CNP transaction: card issued in Vermont, current txn from an IP geolocated to Lagos, Nigeria, billing address doesn't match BIN country, device fingerprint unknown, velocity 4x card's 90-day baseline. Confidence 94%.
■ SECTION 3 · REGULATORY CONTEXT
PCI DSS 12.5.3 + FFIEC Supplement Authentication
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws frauddetector put-outcome --detector-name titan-cnp-detector --outcome-name BLOCK_AND_CHALLENGE --rule-execution-mode FIRST_MATCHED --event-id txn:pan-ending-4521 --event-timestamp $(date -u +%Y-%m-%dT%H:%M:%S.%3NZ) --event-variables cardBin=Vermont,ipGeo=Lagos,deviceFingerprint=unknown,velocityMultiplier=4
ROLLBACK
aws frauddetector put-outcome --detector-name titan-cnp-detector --outcome-name REVIEW_MANUAL --event-id txn:pan-ending-
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN FRAUD
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0050
AI-FIX SCENARIO Multi TITAN KYC HIGH

Enhanced Due Diligence Skipped

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: onboarding:case-00284751 / customer:wealthmax-capital
■ SECTION 2 · FINDING DETAILS
TITAN KYC flagged missing EDD on high-risk customer onboarding. Customer is foreign private investment company with PEP connection (director listed on OFAC list in 2022, since removed). Standard CDD was performed; EDD (source of wealth, beneficial ownership) was skipped.
■ SECTION 3 · REGULATORY CONTEXT
BSA 31 CFR 1010.610 + FFIEC BSA/AML Exam Manual
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:${ACCOUNT_ID}:stateMachine:kyc-edd-workflow --name case-00284751-edd-remediation --input '{"customer_id":"wealthmax-capital","case_id":"case-00284751","risk_level":"high","edd_requirements":["source_of_wealth_verification","beneficial_ownership_analysis","pep_enhanced_monitoring"],"trigger_reason":"remediation_high_risk_pep"}'
ROLLBACK
aws stepfunctions stop-execution --execution-arn arn:aws:states:us-east-1:${ACCOUNT_ID}:execution:kyc-edd-workflow:case-
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN KYC
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0051
AI-FIX SCENARIO Multi TITAN BANKING_COMPLIANCE HIGH

PCI Evidence Gaps

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: evidence-pack:PCI-Q2-2026
■ SECTION 2 · FINDING DETAILS
TITAN BANKING_COMPLIANCE control scan found 3 evidence gaps in Q2 2026 PCI attestation pack: 6.4.5 (no change-control documentation for the 17 April patch deployment), 10.6.1 (security event log review not documented for 11 days), 11.2.1 (internal vuln scan overdue by 6 days). Assessor will flag during onsite.
■ SECTION 3 · REGULATORY CONTEXT
PCI DSS 6.4.5 + 10.6.1 + 11.2.1
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage blob upload-batch --destination pci-evidence-q2-2026 --source ./evidence-remediation --account-name titancompliancestorage --auth-mode login --pattern '*.pdf'
ROLLBACK
az storage blob delete-batch --source pci-evidence-q2-2026 --account-name titancompliancestorage --pattern 'remediation-
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN BANKING_COMPLIANCE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0052
AI-FIX SCENARIO Multi TITAN TELCO CRITICAL

TCPA Consent Lifecycle Break

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: campaign:outbound-april-wellness-check / 2026-04-18
■ SECTION 2 · FINDING DETAILS
TITAN TELCO intercepted a policy violation: outbound autodialer campaign 'april-wellness-check' placed 127 calls yesterday to numbers whose TCPA express-written-consent had expired (over 18 months since last call). Per FCC rulemaking, this is $500-1,500 per violation = $63,500-$190,500 exposure.
■ SECTION 3 · REGULATORY CONTEXT
TCPA 47 USC 227 + 47 CFR 64.1200 + FCC Order DA-23-555
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
aws connect stop-outbound-campaign --campaign-id april-wellness-check --instance-id $(aws connect list-instances --query 'InstanceSummaryList[0].Id' --output text)
ROLLBACK
aws connect start-outbound-campaign --campaign-id april-wellness-check --instance-id $(aws connect list-instances --quer
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN TELCO
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0053
AI-FIX SCENARIO Multi TITAN VOICE CRITICAL

HIPAA Violation in Call Transcript

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: call-id:CAL-20260418-83921 / clinician:nurse-sarah-m
■ SECTION 2 · FINDING DETAILS
TITAN VOICE flagged a clinical call QA issue: transcript of 17-min call contains patient MRN '88221-457' and DOB '1978-03-14' in plaintext metadata (not redacted before transcript storage). Violates minimum-necessary rule for downstream analytics access.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.502(b) Minimum Necessary
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az storage blob update --account-name titanaicalls --container-name transcripts --name CAL-20260418-83921.json --metadata redaction_status=pending && az functionapp function invoke --name redact-phi-function --resource-group titan-ai-prod --function-name RedactTranscriptPHI --data '{"call_id":"CAL-20260418-83921","phi_elements":["MRN","DOB"],"redaction_method":"tokenize"}'
ROLLBACK
az storage blob update --account-name titanaicalls --container-name transcripts --name CAL-20260418-83921.json --metadat
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN VOICE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0054
AI-FIX SCENARIO Multi TITAN ENGAGE HIGH

Risk Model Using Prohibited Attributes

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: member-scoring-batch:2026-04-18 / model:risk-v3.2
■ SECTION 2 · FINDING DETAILS
TITAN ENGAGE detected member-risk-scoring model v3.2 is using ZIP code as a feature, which correlates with race/ethnicity (Fair Housing Act concern) and has drifted 11% since last retrain. Model output feeds care-management outreach priority.
■ SECTION 3 · REGULATORY CONTEXT
ONC HTI-1 Final Rule + NIST AI RMF GOVERN-1.4 + Fair Housing
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az ml job create --file model-retrain-job.yaml --set inputs.excluded_features='zip_code' --set inputs.bias_metrics_enabled=true --set inputs.model_version='3.3' --resource-group titan-ml-rg --workspace-name titan-ml-ws
ROLLBACK
az ml model restore --name risk --version 3.2 --resource-group titan-ml-rg --workspace-name titan-ml-ws
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN ENGAGE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0055
AI-FIX SCENARIO Multi TITAN WATCH HIGH

SLO Burn Rate Exploding

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: Azure Monitor / app:patient-portal / p99-latency
■ SECTION 2 · FINDING DETAILS
TITAN WATCH detected error budget burn rate at 14.3x sustained over the last 27 minutes on 'patient-portal'. At current rate, the 30-day SLO (99.9% availability) will be exhausted in 2h 11m. Root cause correlates with a Cosmos DB throttling event (429 responses spiking).
■ SECTION 3 · REGULATORY CONTEXT
SOC 2 A1.1 + NIST 800-53 CP-2
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az cosmosdb sql database throughput update --account-name titan-cosmosdb --database-name patient-portal-db --throughput 4000
ROLLBACK
az cosmosdb sql database throughput update --account-name titan-cosmosdb --database-name patient-portal-db --throughput
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN WATCH
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0056
AI-FIX SCENARIO Multi TITAN PULSE MEDIUM

Outreach Without Revocation Check

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: outreach-campaign:ASCVD-risk-2026-Q2 / 18,421 recipients
■ SECTION 2 · FINDING DETAILS
TITAN PULSE identified a member-outreach campaign that queued 18,421 SMS sends without checking the 'opt-out-since-last-campaign' table. 227 members had revoked consent in the last 30 days and would have received unwanted clinical SMS — TCPA + HIPAA disclosure exposure.
■ SECTION 3 · REGULATORY CONTEXT
HIPAA 164.520(c) + TCPA 47 USC 227
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az servicebus queue purge --name outreach-campaign-queue --namespace-name titan-messaging --resource-group titan-comms && az logic apps workflow run cancel --name ASCVD-risk-2026-Q2 --resource-group titan-workflows
ROLLBACK
az logic apps workflow run trigger --name ASCVD-risk-2026-Q2 --resource-group titan-workflows --trigger-name manual
RISK ASSESSMENT
HIGH
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PULSE
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0057
AI-FIX SCENARIO Multi TITAN PREDICT HIGH

Model Drift Beyond Tolerance

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: prediction-model:ED-readmit-v2.4 / inference:batch-2026-04-18
■ SECTION 2 · FINDING DETAILS
TITAN PREDICT detected drift in the ED-readmission risk model: input distribution shift 0.31 PSI score (threshold 0.20) compared to training data, prediction distribution shift 0.24 PSI (threshold 0.15). Model output drives clinician workflow prioritization — untrusted predictions right now.
■ SECTION 3 · REGULATORY CONTEXT
NIST AI RMF MANAGE-2.3 + FDA SaMD GMLP
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az ml model update --name ED-readmit-v2.4 --set tags.status=drift_detected tags.auto_disabled=true --disable-model --enable-model ED-readmit-baseline-v1.8
ROLLBACK
az ml model update --name ED-readmit-v2.4 --set tags.status=active tags.auto_disabled=false --enable-model --disable-mod
RISK ASSESSMENT
MEDIUM
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN PREDICT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE
FINDING ID
TITAN-LIVE-20260419-F0058
AI-FIX SCENARIO Multi TITAN CODE_AGENT MEDIUM

ETL Quality Regression

■ SECTION 1 · RESOURCE IDENTIFICATION
CONTEXT: Vertical agent finding (cross-cloud / business-data scope)
RESOURCE / SCOPE: pipeline:claims-normalization / stage:dedup / 2026-04-18 run
■ SECTION 2 · FINDING DETAILS
TITAN CODE_AGENT flagged a quality regression in the nightly claims pipeline: duplicate-row ratio jumped from 0.2% baseline to 4.7% on the 2026-04-18 run. 2,847 rows fail dedup. Root cause: upstream source schema added a 'claim_version_seq' column that the dedup key didn't incorporate.
■ SECTION 3 · REGULATORY CONTEXT
SOC 2 PI1.1 + NIST 800-53 SI-10 Information Input Validation
■ SECTION 6 · AI-GENERATED REMEDIATION (Claude Sonnet 4, April 19, 2026)
FIX COMMAND
az pipelines variable-group variable update --group-id claims-pipeline-config --name DEDUP_KEY_COLUMNS --value 'claim_id,patient_id,provider_id,service_date,claim_version_seq'
ROLLBACK
az pipelines variable-group variable update --group-id claims-pipeline-config --name DEDUP_KEY_COLUMNS --value 'claim_id
RISK ASSESSMENT
LOW
■ SECTION 7 · AUDIT TRAIL
Scan ID: TITAN-LIVE-20260419
Detected by: TITAN CODE_AGENT
Detected at: April 19, 2026
Source: AI REMEDIATION DEMO
■ SECTION 9 · EXCEPTION RECORDING & APPROVER
NO EXCEPTION ON RECORD — RISK IS ACTIVE