{ "report_id": "GCP-20260426-132448", "cloud": "gcp", "project_id": "adroit-terminus-234522", "tenant": "TITAN AI Live Demo", "generated_at": "2026-04-26T13:24:48.0631666-05:00", "summary": { "medium": 0, "critical": 1, "low": 0, "high": 8 }, "fix_count": 0, "total_findings": 9, "downstream_resources_at_risk": 9.0, "compound_risk_resources": 1, "findings": [ { "FID": "dce154aa6c4c", "Severity": "high", "Detector": "IAM-SA", "Resource": "sa/1082937919292-compute@developer.gserviceaccount.com", "Title": "Default Compute Engine service account is still active", "Citation": "CIS GCP 1.4, NIST 800-53 AC-6", "Recommendation": "Disable the default compute SA; use dedicated SAs per workload.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:23.4913080-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": false, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1078.004 - Valid Accounts: Cloud Accounts", "Playbook": { "owner": "Security + IAM admin", "steps": [ "Identify what's still using the default Compute Engine SA: gcloud iam service-accounts get-iam-policy ", "Create a workload-specific SA with minimum-necessary roles", "Migrate the workload to the new SA (Compute, GKE, Cloud Run, Cloud Functions all support SA swap)", "Disable the default Compute SA: gcloud iam service-accounts disable", "Add an Org Policy: iam.automaticIamGrantsForDefaultServiceAccounts -> false" ], "effort": "1-2 days" }, "BlastRadius": { "finding_id": "dce154aa6c4c", "attack_origin": "credential_compromise_or_default_sa", "path_length": 2, "trust_zones_crossed": [ "SA Token Compromise", "Project IAM", "All Resources Authorized to Role" ], "affected_resources": [ { "type": "service_account_or_binding", "count": 1, "names": [ "sa/1082937919292-compute@developer.gserviceaccount.com" ] } ], "co_located_findings": [], "risk_multiplier": 1 } }, { "FID": "334cf97b2cdc", "Severity": "high", "Detector": "IAM", "Resource": "binding/roles/editor", "Title": "Default Compute SA holds roles/editor on the project", "Citation": "CIS GCP 1.5, NIST 800-53 AC-6", "Recommendation": "Replace with a least-privilege custom role bound to a workload-specific SA.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:37.3357209-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": false, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1078.004 - Valid Accounts: Cloud Accounts", "Playbook": { "owner": "Security + IAM admin", "steps": [ "Identify all bindings granting Owner/Editor to default-compute SA: gcloud projects get-iam-policy", "Replace with custom roles scoped to required APIs only (use Recommender to suggest minimum)", "Update the workload's SA accordingly", "Remove the broad role binding: gcloud projects remove-iam-policy-binding", "Re-scan + verify workload still functions" ], "effort": "Same day" }, "BlastRadius": { "finding_id": "334cf97b2cdc", "attack_origin": "credential_compromise_or_default_sa", "path_length": 2, "trust_zones_crossed": [ "SA Token Compromise", "Project IAM", "All Resources Authorized to Role" ], "affected_resources": [ { "type": "service_account_or_binding", "count": 1, "names": [ "binding/roles/editor" ] } ], "co_located_findings": [], "risk_multiplier": 1 } }, { "FID": "01d8579de578", "Severity": "high", "Detector": "Firewall", "Resource": "fw/default-allow-rdp", "Title": "Firewall rule default-allow-rdp exposes RDP (port 3389) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9520138-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "01d8579de578", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall default-allow-rdp", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "default-allow-rdp" ] } ], "co_located_findings": [ "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 } }, { "FID": "6a5bc0773dde", "Severity": "high", "Detector": "Firewall", "Resource": "fw/default-allow-ssh", "Title": "Firewall rule default-allow-ssh exposes SSH (port 22) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9580823-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "6a5bc0773dde", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall default-allow-ssh", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "default-allow-ssh" ] } ], "co_located_findings": [ "01d8579de578", "ea3f388b38c8", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 } }, { "FID": "ea3f388b38c8", "Severity": "high", "Detector": "Firewall", "Resource": "fw/fw-titandemo-bad-mssql-260426-1315", "Title": "Firewall rule fw-titandemo-bad-mssql-260426-1315 exposes MSSQL (port 1433) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9596596-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "ea3f388b38c8", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-mssql-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-mssql-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 } }, { "FID": "8867d81b0e88", "Severity": "high", "Detector": "Firewall", "Resource": "fw/fw-titandemo-bad-pg-260426-1315", "Title": "Firewall rule fw-titandemo-bad-pg-260426-1315 exposes PostgreSQL (port 5432) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9614380-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "8867d81b0e88", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-pg-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-pg-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 } }, { "FID": "ad836c730082", "Severity": "high", "Detector": "Firewall", "Resource": "fw/fw-titandemo-bad-rdp-260426-1315", "Title": "Firewall rule fw-titandemo-bad-rdp-260426-1315 exposes RDP (port 3389) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9650374-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "ad836c730082", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-rdp-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-rdp-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "421f296f9eef" ], "risk_multiplier": 3.5 } }, { "FID": "421f296f9eef", "Severity": "high", "Detector": "Firewall", "Resource": "fw/fw-titandemo-bad-ssh-260426-1315", "Title": "Firewall rule fw-titandemo-bad-ssh-260426-1315 exposes SSH (port 22) to 0.0.0.0/0", "Citation": "CIS GCP 3.6/3.7, NIST 800-53 SC-7, PCI DSS 1.3", "Recommendation": "Restrict source range to corporate CIDR.", "FixApplied": false, "DetectedAt": "2026-04-26T13:23:53.9665763-05:00", "Priority": { "Score": 50, "Bucket": "P2", "Sla": "Fix in 72 hours", "Factors": { "InternetFacing": true, "PhiExposure": false, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1133 - External Remote Services", "Playbook": { "owner": "Network + Security", "steps": [ "List all VMs reachable through this firewall rule's network", "Update the rule's source range from 0.0.0.0/0 to corporate CIDR or use Identity-Aware Proxy for SSH/RDP", "Enable VPC Flow Logs to detect any active traffic on this port from public internet", "Add to Org Policy: enforce sourceRanges restriction on critical ports", "Re-scan + audit flow logs for last 30 days" ], "effort": "1-3 days" }, "BlastRadius": { "finding_id": "421f296f9eef", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-ssh-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-ssh-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "ad836c730082" ], "risk_multiplier": 3.5 } }, { "FID": "6a1d5107e1e5", "Severity": "critical", "Detector": "GCS", "Resource": "gs://gs-titandemo-260426-1315-adroit-terminus-234522", "Title": "Bucket gs-titandemo-260426-1315-adroit-terminus-234522 grants roles/storage.objectViewer to allUsers (PUBLIC)", "Citation": "HIPAA 164.312(a)(1), CIS GCP 5.1, NIST 800-53 AC-3", "Recommendation": "Remove allUsers/allAuthenticatedUsers binding immediately.", "FixApplied": false, "DetectedAt": "2026-04-26T13:24:27.0534620-05:00", "Priority": { "Score": 75, "Bucket": "P1", "Sla": "Fix in 24 hours", "Factors": { "InternetFacing": true, "PhiExposure": true, "ExploitInWild": false, "BusinessCritical": true } }, "AttckTechnique": "T1530 - Data from Cloud Storage", "Playbook": { "owner": "Storage Owner + Privacy", "steps": [ "Remove allUsers/allAuthenticatedUsers binding: gcloud storage buckets remove-iam-policy-binding gs:// --member=allUsers --role=", "Enable Uniform Bucket-Level Access: gcloud storage buckets update gs:// --uniform-bucket-level-access", "Audit access logs for last 90 days for anonymous reads (Cloud Audit Logs)", "If anonymous access to PHI/PII detected: trigger HIPAA breach assessment", "Enable Sensitive Data Protection (DLP) inspection on the bucket" ], "effort": "Same day" }, "BlastRadius": { "finding_id": "6a1d5107e1e5", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "GCS Public Endpoint", "Bucket Objects" ], "affected_resources": [ { "type": "gcs_bucket", "count": 1, "names": [ "gs-titandemo-260426-1315-adroit-terminus-234522" ] } ], "co_located_findings": [], "risk_multiplier": 1 } } ], "attack_paths": [ { "finding_id": "dce154aa6c4c", "attack_origin": "credential_compromise_or_default_sa", "path_length": 2, "trust_zones_crossed": [ "SA Token Compromise", "Project IAM", "All Resources Authorized to Role" ], "affected_resources": [ { "type": "service_account_or_binding", "count": 1, "names": [ "sa/1082937919292-compute@developer.gserviceaccount.com" ] } ], "co_located_findings": [], "risk_multiplier": 1 }, { "finding_id": "334cf97b2cdc", "attack_origin": "credential_compromise_or_default_sa", "path_length": 2, "trust_zones_crossed": [ "SA Token Compromise", "Project IAM", "All Resources Authorized to Role" ], "affected_resources": [ { "type": "service_account_or_binding", "count": 1, "names": [ "binding/roles/editor" ] } ], "co_located_findings": [], "risk_multiplier": 1 }, { "finding_id": "01d8579de578", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall default-allow-rdp", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "default-allow-rdp" ] } ], "co_located_findings": [ "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 }, { "finding_id": "6a5bc0773dde", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall default-allow-ssh", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "default-allow-ssh" ] } ], "co_located_findings": [ "01d8579de578", "ea3f388b38c8", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 }, { "finding_id": "ea3f388b38c8", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-mssql-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-mssql-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "8867d81b0e88", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 }, { "finding_id": "8867d81b0e88", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-pg-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-pg-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "ad836c730082", "421f296f9eef" ], "risk_multiplier": 3.5 }, { "finding_id": "ad836c730082", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-rdp-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-rdp-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "421f296f9eef" ], "risk_multiplier": 3.5 }, { "finding_id": "421f296f9eef", "attack_origin": "external_internet", "path_length": 2, "trust_zones_crossed": [ "Internet", "VPC Firewall fw-titandemo-bad-ssh-260426-1315", "Compute Instance Network" ], "affected_resources": [ { "type": "firewall_rule", "count": 1, "names": [ "fw-titandemo-bad-ssh-260426-1315" ] } ], "co_located_findings": [ "01d8579de578", "6a5bc0773dde", "ea3f388b38c8", "8867d81b0e88", "ad836c730082" ], "risk_multiplier": 3.5 }, { "finding_id": "6a1d5107e1e5", "attack_origin": "external_internet", "path_length": 1, "trust_zones_crossed": [ "Internet", "GCS Public Endpoint", "Bucket Objects" ], "affected_resources": [ { "type": "gcs_bucket", "count": 1, "names": [ "gs-titandemo-260426-1315-adroit-terminus-234522" ] } ], "co_located_findings": [], "risk_multiplier": 1 } ] }