TITAN AI - TELECOM TIER - LIVE PROOF

Detector: telco.sip_trunk_auth_check
SIP trunk endpoint on the voice gateway is accepting unauthenticated INVITE and REGISTER requests. Without digest authentication or mutual TLS on the SIP trunk, any attacker who can reach the gateway can initiate or redirect calls, enabling toll fraud and call interception. The gateway listener on port 5060 has requireAuthentication: false and no IP ACL is bound.

Detector: voice.srtp_enforcement_check
Media relay is configured with mediaEncryption: optional, allowing RTP streams to fall back to unencrypted transport. Unencrypted voice media is trivially interceptable via packet capture on any intermediate hop, exposing customer call audio and DTMF tones containing PINs, account numbers, and authentication codes. CDR logs confirm 38% of active sessions are negotiating plain RTP.

Detector: sentinel.storage_public_access_cdr
Storage account containing call detail records has allowBlobPublicAccess: true and encryption.requireInfrastructureEncryption: false. CDRs contain calling/called numbers, timestamps, duration, cell tower IDs, and IMSI values. Public access to this data constitutes a CPNI violation and exposes subscriber location patterns. Over 2.4 million CDR files detected in the container.

Detector: bastion.signaling_gateway_exposure
Network security group for the signaling gateway has inbound rules allowing 0.0.0.0/0 on ports 2905 (M3UA/SCTP), 3868 (Diameter), and 7000-7010 (SIGTRAN). SS7 and Diameter protocols lack native authentication, meaning any internet-reachable attacker can send MAP/CAP messages to intercept SMS, track subscriber locations via ATI queries, or redirect calls. NSG rule priority 100 allows all source IPs.

Detector: scout.radius_auth_protocol_check
RADIUS gateway is configured with authenticationProtocol: MD5-CHAP for subscriber authentication. MD5-CHAP is cryptographically broken and vulnerable to offline dictionary attacks. An attacker capturing RADIUS Access-Request packets can recover subscriber credentials within minutes using commodity hardware. Over 14,000 subscriber sessions authenticate through this gateway daily.

Detector: telco.voip_fraud_detection_check
Cloud PBX has no fraud detection rules configured. No thresholds for international call volume spikes, no premium-rate number blocking lists, and no concurrent call limits per extension. Historical CDR analysis shows 3 extensions made 142 calls to premium-rate destinations in the last 30 days with no alerting triggered. Estimated fraud exposure is Custom/month if exploited at scale.

Detector: comply.cpni_retention_check
CPNI database contains subscriber call detail records with timestamps dating back 47 months. FCC rules require carriers to purge CPNI data that is no longer necessary for the purpose it was collected. Records older than 24 months include calling patterns, cell site data, and service feature usage for 312,000 subscribers. No automated retention policy or purge job is configured on the database.

Detector: pulse.dns_amplification_check
DNS resolver accepts recursive queries from any source IP with no rate limiting. The resolver responds to ANY-type queries with amplification factors up to 70x, making it an ideal reflector for DDoS amplification attacks. Query logs show 8,400 spoofed-source queries in the last 24 hours originating from known botnet IP ranges. The resolver is also configured with EDNS0 buffer size of 4096 bytes, maximizing amplification potential.

Detector: secure_code.hardcoded_credential_scan
Application settings for the CDN origin API contain hardcoded credentials: CDN_ORIGIN_SECRET is stored as a plaintext string in app configuration rather than referenced from Key Vault. The same credential has been present for 11 months with no rotation. If the CDN origin secret is compromised, attackers can bypass CDN caching and directly access origin servers, enabling content injection and cache poisoning across the entire subscriber content delivery network.

Detector: audit.calea_intercept_logging_check
The SIEM workspace has no dedicated audit table for lawful intercept access events. CALEA requires carriers to maintain tamper-evident logs of all access to intercept systems, including who initiated a wiretap, when it was activated, and the target identifier. Without these logs, the organization cannot demonstrate compliance during FCC or DOJ audits and cannot detect unauthorized intercept access by insiders.

Detector: voice.sip_registration_flood_check
SIP TLS listener accepts unlimited REGISTER requests per source IP with no rate limiting or throttling configured. An attacker can exhaust the registrar capacity by sending thousands of REGISTER requests per second, preventing legitimate subscribers from registering and effectively causing a denial of service for all voice services. Load testing shows the gateway saturates at 2,200 concurrent registrations with no backpressure mechanism.

Detector: forge.tls_version_check
Subscriber self-service portal has minTlsVersion: 1.0 configured, allowing connections using deprecated TLS 1.0 and TLS 1.1 protocols. These protocols are vulnerable to BEAST, POODLE, and downgrade attacks. Subscribers access this portal to view bills, manage CPNI preferences, and update account PINs. TLS handshake logs show 2.1% of sessions still negotiating TLS 1.1.

Detector: sentinel.nfv_integrity_monitoring_check
Virtual machine scale set hosting network functions (vEPC, vIMS, vSBC) has no file integrity monitoring agent installed. VNF hosts are high-value targets because compromising them grants access to subscriber voice and data traffic. Without FIM, unauthorized modifications to VNF binaries, configuration files, or kernel modules will go undetected. The scale set runs 8 instances with no guest attestation configured.

Detector: bastion.bgp_peering_auth_check
ExpressRoute private peering BGP session is configured with the factory-default MD5 authentication key. Default keys are publicly documented by equipment vendors and trivially guessable. An attacker with access to the peering fabric can inject malicious BGP route advertisements, redirecting subscriber traffic through attacker-controlled paths for interception or blackholing. The peering carries routes for 4 production VNets and 2 transit VNets.

Detector: comply.location_consent_check
Subscriber location API v2 returns cell tower triangulation data without verifying opt-in consent status. The API policy pipeline has no inbound policy checking the subscriber consent database before returning location coordinates. API call logs show 42,000 location queries in the last 7 days with zero consent validation checks. FCC rules require explicit opt-in consent before disclosing location data to third-party applications.

Detector: scout.network_tap_encryption_check
Network tap subnet is forwarding mirrored traffic to analytics collectors using unencrypted VXLAN encapsulation. The mirrored traffic includes raw subscriber session data, voice packets, and signaling messages. An attacker with access to any host in the transit path between the tap point and the collector can passively capture all mirrored traffic. The tap covers 3 core network interfaces carrying 12 Gbps aggregate subscriber traffic.