{ "report_id": "AZL-20260426-132706", "generated_at": "2026-04-26T13:27:06.4993506-05:00", "tenant": "TITAN AI Live Demo", "subscription": "Pay-As-You-Go", "subscription_id": "4f29d094-1079-44c9-acb0-4d73a7a2dd34", "resource_group": "rg-titandemo-260426-1324", "summary": { "compound_risk_resources": 3, "by_severity": { "low": 0, "critical": 4, "high": 3, "medium": 1 }, "fixes_applied": 0, "downstream_resources_at_risk": 5.0, "total_findings": 8 }, "findings": [ { "FID": "65a687f4432a", "Severity": "critical", "Detector": "nsg_open_to_internet", "Resource": "nsg-titandemo-public/BAD-allow-ssh-from-internet", "Title": "SSH exposed to 0.0.0.0/0", "Citation": "HIPAA 164.312(e)(1) Transmission Security", "Recommendation": "Restrict source to corporate IP ranges or remove rule entirely.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:02.1133696-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "steps": [ "Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)", "Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway", "Update Azure Firewall + Bastion if RDP/SSH access still needed", "Re-scan to verify rule removed", "Document change in CAB ticket" ], "owner": "Network/Security", "effort": "24-72 hours" }, "BlastRadius": { "finding_id": "65a687f4432a", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "071b32f412a2", "b6c0ed1d8fae" ], "risk_multiplier": 2.0 } }, { "FID": "071b32f412a2", "Severity": "critical", "Detector": "nsg_open_to_internet", "Resource": "nsg-titandemo-public/BAD-allow-rdp-from-internet", "Title": "RDP exposed to 0.0.0.0/0", "Citation": "HIPAA 164.312(e)(1) Transmission Security", "Recommendation": "Restrict source to corporate IP ranges or remove rule entirely.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:02.1292853-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "steps": [ "Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)", "Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway", "Update Azure Firewall + Bastion if RDP/SSH access still needed", "Re-scan to verify rule removed", "Document change in CAB ticket" ], "owner": "Network/Security", "effort": "24-72 hours" }, "BlastRadius": { "finding_id": "071b32f412a2", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "65a687f4432a", "b6c0ed1d8fae" ], "risk_multiplier": 2.0 } }, { "FID": "b6c0ed1d8fae", "Severity": "critical", "Detector": "nsg_open_to_internet", "Resource": "nsg-titandemo-public/BAD-allow-sql-from-internet", "Title": "SQL Server exposed to 0.0.0.0/0", "Citation": "HIPAA 164.312(e)(1) Transmission Security", "Recommendation": "Restrict source to corporate IP ranges or remove rule entirely.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:02.1533773-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "steps": [ "Identify which subnet/NIC the NSG attaches to (Get-AzNetworkSecurityGroup)", "Replace 0.0.0.0/0 source with corporate CIDR ranges or VPN gateway", "Update Azure Firewall + Bastion if RDP/SSH access still needed", "Re-scan to verify rule removed", "Document change in CAB ticket" ], "owner": "Network/Security", "effort": "24-72 hours" }, "BlastRadius": { "finding_id": "b6c0ed1d8fae", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "65a687f4432a", "071b32f412a2" ], "risk_multiplier": 2.0 } }, { "FID": "9f2657a3ab56", "Severity": "critical", "Detector": "storage_public_blob", "Resource": "satitandemo2604261324", "Title": "Anonymous blob access enabled (PHI exposure risk)", "Citation": "HIPAA 164.502 Uses and Disclosures", "Recommendation": "Set AllowBlobPublicAccess=false.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:02.9928748-05:00", "Priority": { "Score": 75, "Bucket": "P1", "Sla": "Fix in 24 hours", "Factors": { "InternetFacing": true, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1530 - Data from Cloud Storage", "Playbook": { "steps": [ "Set-AzStorageAccount -AllowBlobPublicAccess $false on the storage account", "Audit storage diagnostic logs (last 90 days) for any anonymous reads", "If access detected on PHI containers: trigger HIPAA breach assessment within 60 days", "Enable Azure Defender for Storage (continuous threat detection)", "Configure Storage Firewall: PublicNetworkAccess=Disabled, allowlist VNet subnets" ], "owner": "Storage Owner + Privacy", "effort": "1-2 days" }, "BlastRadius": { "finding_id": "9f2657a3ab56", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "ddf556249b37", "4a713e7c6cf5" ], "risk_multiplier": 2.0 } }, { "FID": "ddf556249b37", "Severity": "high", "Detector": "storage_http_allowed", "Resource": "satitandemo2604261324", "Title": "HTTP traffic allowed - PHI in transit not encrypted", "Citation": "HIPAA 164.312(e)(2)(ii) Encryption", "Recommendation": "Set EnableHttpsTrafficOnly=true.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:03.0096734-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": false, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1040 - Network Sniffing", "Playbook": { "steps": [ "Set-AzStorageAccount -EnableHttpsTrafficOnly $true", "Verify clients support TLS 1.2+ (legacy SDKs may break)", "Re-scan to confirm", "Update IaC template (Bicep/Terraform) so it doesn't drift back", "Document change" ], "owner": "Storage Owner", "effort": "Same day" }, "BlastRadius": { "finding_id": "ddf556249b37", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "9f2657a3ab56", "4a713e7c6cf5" ], "risk_multiplier": 2.0 } }, { "FID": "4a713e7c6cf5", "Severity": "high", "Detector": "storage_public_network", "Resource": "satitandemo2604261324", "Title": "Storage exposed to all networks (no firewall)", "Citation": "HIPAA 164.312(c)(1) Integrity Controls", "Recommendation": "Set PublicNetworkAccess=Disabled or configure NetworkRuleSet.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:03.0212220-05:00", "Priority": { "Score": 75, "Bucket": "P1", "Sla": "Fix in 24 hours", "Factors": { "InternetFacing": true, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1530 - Data from Cloud Storage", "Playbook": { "steps": [ "Identify all consumers of this storage account (find downstream apps/services)", "Configure NetworkRuleSet with VNet allowlist + IP allowlist for build agents", "Set PublicNetworkAccess=Disabled", "Use Private Endpoints for service-to-service traffic", "Re-scan + verify clients still connect via private path" ], "owner": "Storage Owner + Network", "effort": "1-3 days" }, "BlastRadius": { "finding_id": "4a713e7c6cf5", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "9f2657a3ab56", "ddf556249b37" ], "risk_multiplier": 2.0 } }, { "FID": "f716be2ce139", "Severity": "high", "Detector": "keyvault_public_network", "Resource": "kv-titandemo-260426-1324", "Title": "Key Vault exposed to public network", "Citation": "HIPAA 164.312(a)(1) Access Control", "Recommendation": "Set PublicNetworkAccess=Disabled and use private endpoint.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:04.8879770-05:00", "Priority": { "Score": 75, "Bucket": "P1", "Sla": "Fix in 24 hours", "Factors": { "InternetFacing": true, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1528 - Steal Application Access Token", "Playbook": { "steps": [ "Inventory which apps/Functions reference secrets in this Key Vault", "Set PublicNetworkAccess=Disabled and configure Private Endpoint", "Update consumer apps to use Private Endpoint DNS", "Test secret retrieval from each consumer", "Re-scan" ], "owner": "Security + App Owner", "effort": "1-2 days" }, "BlastRadius": { "finding_id": "f716be2ce139", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Key Vault Public Endpoint", "Secrets/Keys/Certs" ], "affected_resources": [ { "type": "key_vault", "count": 1, "names": [ "kv-titandemo-260426-1324" ] } ], "co_located_findings": [ "43e2189b2a3f" ], "risk_multiplier": 1.5 } }, { "FID": "43e2189b2a3f", "Severity": "medium", "Detector": "keyvault_no_purge_protection", "Resource": "kv-titandemo-260426-1324", "Title": "Purge protection disabled - keys can be permanently deleted", "Citation": "HIPAA 164.308(a)(7) Contingency Plan", "Recommendation": "Enable purge protection.", "FixApplied": false, "DetectedAt": "2026-04-26T13:27:04.8954452-05:00", "Priority": { "Score": 25, "Bucket": "P3", "Sla": "Fix in next sprint (2 weeks)", "Factors": { "InternetFacing": false, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1485 - Data Destruction", "Playbook": { "steps": [ "Enable purge protection: Update-AzKeyVault -EnablePurgeProtection", "Confirm soft-delete is also on (cannot disable once purge protection is set)", "Document the irreversibility for ops team", "Re-scan" ], "owner": "Security", "effort": "30 minutes" }, "BlastRadius": { "finding_id": "43e2189b2a3f", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Key Vault Public Endpoint", "Secrets/Keys/Certs" ], "affected_resources": [ { "type": "key_vault", "count": 1, "names": [ "kv-titandemo-260426-1324" ] } ], "co_located_findings": [ "f716be2ce139" ], "risk_multiplier": 1.5 } } ], "attack_paths": [ { "finding_id": "65a687f4432a", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "071b32f412a2", "b6c0ed1d8fae" ], "risk_multiplier": 2.0 }, { "finding_id": "071b32f412a2", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "65a687f4432a", "b6c0ed1d8fae" ], "risk_multiplier": 2.0 }, { "finding_id": "b6c0ed1d8fae", "attack_origin": "external_internet", "path_length": 3, "trust_zones_crossed": [ "Internet", "NSG nsg-titandemo-public", "Subnet/NIC", "Workload VM" ], "affected_resources": [], "co_located_findings": [ "65a687f4432a", "071b32f412a2" ], "risk_multiplier": 2.0 }, { "finding_id": "9f2657a3ab56", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "ddf556249b37", "4a713e7c6cf5" ], "risk_multiplier": 2.0 }, { "finding_id": "ddf556249b37", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "9f2657a3ab56", "4a713e7c6cf5" ], "risk_multiplier": 2.0 }, { "finding_id": "4a713e7c6cf5", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Public Blob Endpoint", "PHI/PII Container" ], "affected_resources": [ { "type": "storage_account", "count": 1, "names": [ "satitandemo2604261324" ] } ], "co_located_findings": [ "9f2657a3ab56", "ddf556249b37" ], "risk_multiplier": 2.0 }, { "finding_id": "f716be2ce139", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Key Vault Public Endpoint", "Secrets/Keys/Certs" ], "affected_resources": [ { "type": "key_vault", "count": 1, "names": [ "kv-titandemo-260426-1324" ] } ], "co_located_findings": [ "43e2189b2a3f" ], "risk_multiplier": 1.5 }, { "finding_id": "43e2189b2a3f", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "Key Vault Public Endpoint", "Secrets/Keys/Certs" ], "affected_resources": [ { "type": "key_vault", "count": 1, "names": [ "kv-titandemo-260426-1324" ] } ], "co_located_findings": [ "f716be2ce139" ], "risk_multiplier": 1.5 } ] }