P1 - Fix in 24 hours: 1
P2 - Fix in 72 hours: 8
P3 - Next sprint: 0
Total Findings: 9
Critical (severity): 1
High (severity): 8
Medium (severity): 0
Auto-Fixed: 0
Downstream At Risk: 9
Compound-Risk: 1

Attack Path Analysis

Reachability + Blast Radius
ATTACK PATHS COMPUTED: 9
DOWNSTREAM RESOURCES AT RISK: 9
COMPOUND-RISK RESOURCES: 1 (resources with multiple findings)

Findings (9)

FID: dce154aa6c4c
P2 HIGH IAM-SA open
Default Compute Engine service account is still active
RESOURCE: sa/[email protected]
HIPAA / NIST CITATION: CIS GCP 1.4, NIST 800-53 AC-6
RECOMMENDATION: Disable the default compute SA; use dedicated SAs per workload.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: PHI exposure · Business-critical
MITRE ATT&CK: T1078.004 - Valid Accounts: Cloud Accounts
ATTACK PATH: SA Token Compromise → Project IAM → All Resources Authorized to Role
PATH LENGTH: 2 hops
BLAST RADIUS: 1 service_account_or_binding(s): sa/[email protected]
DETECTED AT: 2026-04-26T13:23:23.4913080-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Security + IAM admin · ESTIMATED EFFORT: 1-2 days
  1. Identify what's still using the default Compute Engine SA: gcloud iam service-accounts get-iam-policy
  2. Create a workload-specific SA with minimum-necessary roles
  3. Migrate the workload to the new SA (Compute, GKE, Cloud Run, Cloud Functions all support SA swap)
  4. Disable the default Compute SA: gcloud iam service-accounts disable
  5. Add an Org Policy: iam.automaticIamGrantsForDefaultServiceAccounts -> false
FID: 334cf97b2cdc
P2 HIGH IAM open
Default Compute SA holds roles/editor on the project
RESOURCE: binding/roles/editor
HIPAA / NIST CITATION: CIS GCP 1.5, NIST 800-53 AC-6
RECOMMENDATION: Replace with a least-privilege custom role bound to a workload-specific SA.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: PHI exposure · Business-critical
MITRE ATT&CK: T1078.004 - Valid Accounts: Cloud Accounts
ATTACK PATH: SA Token Compromise → Project IAM → All Resources Authorized to Role
PATH LENGTH: 2 hops
BLAST RADIUS: 1 service_account_or_binding(s): binding/roles/editor
DETECTED AT: 2026-04-26T13:23:37.3357209-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Security + IAM admin · ESTIMATED EFFORT: Same day
  1. Identify all bindings granting Owner/Editor to default-compute SA: gcloud projects get-iam-policy
  2. Replace with custom roles scoped to required APIs only (use Recommender to suggest minimum)
  3. Update the workload's SA accordingly
  4. Remove the broad role binding: gcloud projects remove-iam-policy-binding
  5. Re-scan + verify workload still functions
FID: 01d8579de578
P2 HIGH Firewall open
Firewall rule default-allow-rdp exposes RDP (port 3389) to 0.0.0.0/0
RESOURCE: fw/default-allow-rdp
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall default-allow-rdp → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): default-allow-rdp
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9520138-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: 6a5bc0773dde
P2 HIGH Firewall open
Firewall rule default-allow-ssh exposes SSH (port 22) to 0.0.0.0/0
RESOURCE: fw/default-allow-ssh
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall default-allow-ssh → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): default-allow-ssh
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9580823-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: ea3f388b38c8
P2 HIGH Firewall open
Firewall rule fw-titandemo-bad-mssql-260426-1315 exposes MSSQL (port 1433) to 0.0.0.0/0
RESOURCE: fw/fw-titandemo-bad-mssql-260426-1315
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall fw-titandemo-bad-mssql-260426-1315 → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): fw-titandemo-bad-mssql-260426-1315
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9596596-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: 8867d81b0e88
P2 HIGH Firewall open
Firewall rule fw-titandemo-bad-pg-260426-1315 exposes PostgreSQL (port 5432) to 0.0.0.0/0
RESOURCE: fw/fw-titandemo-bad-pg-260426-1315
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall fw-titandemo-bad-pg-260426-1315 → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): fw-titandemo-bad-pg-260426-1315
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9614380-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: ad836c730082
P2 HIGH Firewall open
Firewall rule fw-titandemo-bad-rdp-260426-1315 exposes RDP (port 3389) to 0.0.0.0/0
RESOURCE: fw/fw-titandemo-bad-rdp-260426-1315
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall fw-titandemo-bad-rdp-260426-1315 → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): fw-titandemo-bad-rdp-260426-1315
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9650374-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: 421f296f9eef
P2 HIGH Firewall open
Firewall rule fw-titandemo-bad-ssh-260426-1315 exposes SSH (port 22) to 0.0.0.0/0
RESOURCE: fw/fw-titandemo-bad-ssh-260426-1315
HIPAA / NIST CITATION: CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3
RECOMMENDATION: Restrict source range to corporate CIDR.
PRIORITY: P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS: Internet-facing · Business-critical
MITRE ATT&CK: T1133 - External Remote Services
ATTACK PATH: Internet → VPC Firewall fw-titandemo-bad-ssh-260426-1315 → Compute Instance Network
PATH LENGTH: 2 hops
BLAST RADIUS: 1 firewall_rule(s): fw-titandemo-bad-ssh-260426-1315
COMPOUND RISK: 5 other finding(s) on the same resource — multiplier 3.5x
DETECTED AT: 2026-04-26T13:23:53.9665763-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Network + Security · ESTIMATED EFFORT: 1-3 days
  1. List all VMs reachable through this firewall rule's network
  2. Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP
  3. Enable VPC Flow Logs to detect any active traffic on this port from public internet
  4. Add to Org Policy: enforce sourceRanges restriction on critical ports
  5. Re-scan + audit flow logs for last 30 days
FID: 6a1d5107e1e5
P1 CRITICAL GCS open
Bucket gs-titandemo-260426-1315-adroit-terminus-234522 grants roles/storage.objectViewer to allUsers (PUBLIC)
RESOURCE: gs://gs-titandemo-260426-1315-adroit-terminus-234522
HIPAA / NIST CITATION: HIPAA 164.312(a)(1), CIS GCP 5.1, NIST 800-53 AC-3
RECOMMENDATION: Remove allUsers/allAuthenticatedUsers binding immediately.
PRIORITY: P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS: Internet-facing · PHI exposure · Business-critical
MITRE ATT&CK: T1530 - Data from Cloud Storage
ATTACK PATH: Internet → GCS Public Endpoint → Bucket Objects
PATH LENGTH: 1 hop
BLAST RADIUS: 1 gcs_bucket(s): gs-titandemo-260426-1315-adroit-terminus-234522
DETECTED AT: 2026-04-26T13:24:27.0534620-05:00
FIX APPLIED: False
REMEDIATION PLAYBOOK · OWNER: Storage Owner + Privacy · ESTIMATED EFFORT: Same day
  1. Remove allUsers/allAuthenticatedUsers binding: gcloud storage buckets remove-iam-policy-binding gs:// --member=allUsers --role=
  2. Enable Uniform Bucket-Level Access: gcloud storage buckets update gs:// --uniform-bucket-level-access
  3. Audit access logs for last 90 days for anonymous reads (Cloud Audit Logs)
  4. If anonymous access to PHI/PII detected: trigger HIPAA breach assessment
  5. Enable Sensitive Data Protection (DLP) inspection on the bucket
TITAN AI · Live GCP scan against adroit-terminus-234522 · GCP-20260426-132448