ENTERPRISE BUYER GUIDE · 5-MIN READ

Frequently Asked Questions

The questions our enterprise buyers — CISOs, CTOs, security architects, compliance officers — actually ask before deploying. Straight answers, no marketing fluff. If your question isn't here, email info@titanaisec.com.


🔒 Security & Trust

Where does my scan data go?

Stays on your machine. Reports write to ~/.titanai/reports/ locally. Our license server only ever sees your license_key + hostname at install time for validation. Scan findings, configurations, and credentials are never transmitted. In AIRLOCK mode, zero network traffic after one-time license preload.

Can this break my production environment?

Trial licenses are hard read-only — FORGE (our auto-fix agent) is disabled at the engine kernel via TITAN_READ_ONLY. Paid licenses require explicit [y/N] consent per fix — nothing auto-executes. Every action takes a pre-fix snapshot and generates a one-command rollback. A 12-point integrity check runs in 10 seconds before every scan.

What credentials does TITAN AI need?

Your existing cloud CLI session — az login, aws configure, gcloud auth login. We never store or transmit credentials. TITAN inherits whatever authentication you already have on your box. Read-only IAM is sufficient for scanning; remediation requires scoped write access per cloud.

What if the AI hallucinates and proposes a bad fix?

Three independent safeguards. (1) Every finding is cross-validated against the live cloud API before it becomes a ticket. (2) You hit [y/N] on every fix — nothing auto-runs without consent. (3) Every applied fix snapshots state, generates a change record, and keeps a one-command rollback. A feedback loop also learns from dismissals and tunes per-tenant.

Are you storing any of our secrets or credentials?

No. Our license server only stores license_key, licensee name, expires_at, and package tier. Nothing else. The endpoint at titanaisec.com/api/health (you can curl it yourself) is public; no per-client data is ever exposed.

How do I know the installer bundle hasn't been tampered with?

Every release bundle is signed with SLSA Level 3 provenance. The installer verifies the bundle's SHA-256 against the manifest served from titanaisec.com/api/bundle before extraction. If the bundle has been tampered with, the install fails hard.

Can our internal security team review the code?

Yes, under NDA. We ship source-level review access for Banking + Enterprise tiers. MSA, NDA, DPA, and BAA templates are ready to send on request.

⚙ Technical

What does the agent actually run on?

Python 3.10 or newer — that's the entire runtime. No Docker, no Kubernetes, no compiler, no daemon. Installs into a venv at ~/.titanai/. Runs from the CLI via python agents/conductor.py.

Does it need a server, database, or cluster?

Zero infrastructure. Stateless. Each run is self-contained. Outputs write to ~/titan-ai/reports/ as HTML + PDF + DOCX + JSON. Tickets optionally post to your existing ITSM (ServiceNow, Jira, BMC Remedy, etc.) via a simple ticketing.yaml config.

Which clouds are supported?

Azure, AWS, and GCP — any combination. Same installer, same license. cloud_manager.py auto-detects whichever CLI you're already authenticated with. Covers the top ~40 cloud services per provider out of the box.

What about on-premises / VMware / bare metal?

BASTION (our 21st agent) covers on-prem networking, identity, firewalls, DNS, GPO, certificates, and service accounts. Works on VMware, Hyper-V, bare metal, and legacy midrange — 140+ checks. Same install path.

Can it run in a CI/CD pipeline?

Yes. CONDUCTOR has a --non-interactive mode that emits JSON and exits non-zero on P1/P2 findings — drop it into GitHub Actions, GitLab CI, Azure DevOps, Jenkins. Common pattern: nightly scan on main, gated scan on PR.

How often do I need to update?

Agents self-update detection rules from 36 threat-intel + compliance feeds every 24 hours (CISA, NIST NVD, OWASP, HIPAA Wall of Shame, PCI bulletins, etc.). The signed engine bundle refreshes monthly on stable channel, weekly on canary.

What's the network footprint at runtime?

In cloud mode: outbound calls only to the cloud provider APIs you're scanning (Azure Resource Manager, AWS STS/EC2/S3/IAM, etc.) plus the 36 feed URLs for updates. Nothing calls back to us after install. In AIRLOCK: zero outbound network.

📝 Compliance & Audit

Do you support SOC 2, HIPAA, PCI-DSS, ISO 27001?

Yes — all of them. Our TITAN AUDIT agent produces evidence for 247 controls across 9 frameworks: SOC 2 Type II, HIPAA, HITRUST, PCI-DSS v4, ISO 27001, NIST 800-53 / 800-171, CIS Controls v8, FedRAMP Moderate/High. Output JSON is directly ingestible by Vanta, Drata, Secureframe, and Thoropass.

Can I get a full audit log of what the agent did?

Yes — a tamper-evident hash-chained audit trail. Every scan, every proposed fix, every [y/N] decision, every rollback is captured. Written locally to ~/titan-ai/audit/, signed per-run, and consumable by your SIEM.

We need FedRAMP High / IL4+ / DoD CC SRG. Can you?

AIRLOCK mode is specifically built for FedRAMP High, DoD Impact Levels 4–6, and SCI environments. Offline SLSA-3 signed bundle, zero egress, air-gapped operation. See airlock.html for the deployment spec.

Who owns the scan data and findings?

You do, 100%. All outputs are written to your machine. We take no copy, run no telemetry, hold no rights. Data Processing Agreement (DPA) and Business Associate Agreement (BAA, for healthcare) available on request.

Do you have a patent / defensible IP?

USPTO Patent Application #19/645,524, filed 4/13/2026, under TITAN AI LLC. Covers the multi-agent orchestration + entitlement-gated remediation methodology. All rights reserved.

🌐 International & Data Residency

Can TITAN AI run outside the United States?

Yes — it runs anywhere Python runs. We have active deployments and interest across North America, EMEA, the Middle East, South Asia, and APAC. The product is jurisdiction-agnostic: same installer, same license flow, same agents.

Our regulator requires all data to stay in-country. Will that work?

Yes — this is exactly what AIRLOCK mode solves. TITAN runs fully air-gapped: the signed bundle is preloaded once, then zero network traffic. Scan data never leaves your DMZ. This satisfies strict data-residency regimes (EU GDPR, UK DPA, Singapore MAS, India DPDP, UAE ADGM, Pakistan SBP Cloud Framework, KSA SAMA, etc.).

Which cloud regions are supported for hyperscaler deployments?

All of them. Azure (60+ regions globally including UAE North, UK South, West Europe, Switzerland, India Central, Australia East), AWS (30+ regions including Bahrain me-south-1, UAE me-central-1, Mumbai, Singapore, Frankfurt), GCP (40+ regions including Tel Aviv, Mumbai, Jakarta, London, Zurich). Same installer works in every region.

We're a bank regulated by [SBP / RBI / MAS / SAMA / DFSA / FCA / BaFin]. Can you map findings to our local framework?

Yes. Our AUDIT agent ships with PCI-DSS, SOC 2, ISO 27001, and HIPAA mappings out of the box. Regional frameworks (State Bank of Pakistan Cloud Framework + ETPP, RBI Master Directions, MAS Technology Risk Management Guidelines, SAMA Cyber Security Framework) are added on request — typical lead time 1–2 weeks. The evidence collection is the same; only the control-ID mapping changes.

Do you have localization / non-English support?

The agent CLI and reports are English. Our typical enterprise buyer (IT + security team) operates in English regardless of country. Report templates can be customized; translated ticket descriptions are on the roadmap for Q3 2026.

Export controls — are we allowed to import TITAN AI into our country?

TITAN AI classifies as commercial security software (US EAR99). Exportable globally to any non-embargoed country without a specific export license. Full export classification language is included in the MSA. We screen all deals against OFAC SDN + EU/UK sanctions lists before contract execution.

How do we pay if we're outside the US?

USD wire transfer to our US business bank. Net 30 from invoice. SWIFT instructions provided with contract. Most international clients pre-clear with their central bank's foreign exchange desk — we can provide supporting documentation for the import.

Will support cover our time zone?

Banking and Enterprise tiers include 24×7 coverage — your time zone is covered. Cloud tier is 4-hour business-hours response (US Mountain Time); Launch tier is email-only. Critical-P1 escalation paths are always 24×7 regardless of tier.

💰 Pricing & Contracting

How much does TITAN AI cost?

Launch $24,999/yr (3 core agents, 1 cloud). Cloud $64,999/yr (12 agents, multi-cloud). Healthcare $79,999/yr (+HIPAA + HITRUST). Banking $299,999/yr (+PCI + SOX + FFIEC + AUDIT bundled). Enterprise $199,999/yr (all 26 agents, unlimited clouds). AIRLOCK and AUDIT available standalone — see pricing.html.

Is there a multi-year discount?

Yes — 10% off 2-year prepay, 15% off 3-year prepay. Founding customer lock: $30K Y1 / $60K Y2+ for our first 10 enterprise customers — this is a permanent rate floor, not a promo.

What if it doesn't work for us?

14-day trial is free, read-only, no credit card. If you then buy and after 30 days of paid deployment you're not seeing value, we refund. We'd rather have you as a reference than a reluctant customer.

What's the ROI?

Typical first scan surfaces 40–120 misconfigurations and 20+ P1/P2 findings. At industry-standard $3K–$15K per pentester-surfaced finding, the tool pays for itself on day one. Continuous monitoring typically replaces 1–2 junior SOC FTEs (~$150K–$300K/yr loaded cost).

Can we pay quarterly or monthly?

Enterprise and Banking tiers can structure quarterly payments. Cloud, Healthcare, and Launch tiers are annual prepay. Founding customer program is annual prepay to lock the rate.

🥊 How We Compare

How does TITAN AI compare to cloud-posture scanners (CSPM category)?

Scanners find, they don't fix. TITAN scans, files a ticket, auto-fixes with your consent, and keeps a rollback. Typical CSPM tools are 3–5× our price for comparable coverage, and compliance evidence is usually an add-on SKU. With us, AUDIT is bundled at the Banking tier.

How do you compare to EDR / endpoint vendors?

Different category entirely. EDR is endpoint behavior detection. We're cloud posture + compliance + data-layer (ORACLE DLP, LATTICE for Databricks, FLUX for Azure Data Factory) + network (BASTION) + ticket-level remediation. We complement EDR rather than replace it.

How do you compare to compliance platforms (Vanta-category)?

Those platforms collect evidence via integration hooks — they dashboard what your other tools already produce. We generate the evidence by actually scanning. Our AUDIT output is directly ingestible by Vanta-category platforms. We're upstream of them, not in competition.

Why would we choose you over an incumbent?

Four things: (1) price — 1/3 to 1/5 of incumbents for comparable coverage. (2) true air-gap / AIRLOCK — most incumbents are SaaS-native and physically can't run offline. (3) auto-fix with rollback, not just alerts. (4) founding customer pricing locks your rate permanently.

🚀 Operational

What's the false-positive rate?

2–4% in production deployments. Every finding is cross-validated against the live cloud API before it becomes a ticket. A feedback loop learns from user dismissals and tunes detection rules per-tenant.

How fast do we see value?

First scan: 10–30 minutes depending on cloud size. First full report (HTML + PDF + DOCX + tickets): within 40 minutes. P1/P2 findings surface in under an hour. Week 1 value: stop doing manual posture audits. Week 4: FORGE auto-fixes the boring stuff.

How many people do we need to run it?

One part-time security engineer. CONDUCTOR is single-command, reports are self-explanatory, tickets route to your existing ITSM. Typical client runs it with 0.25–0.5 FTE loading, not a dedicated team.

Does it integrate with ServiceNow / Jira / our ticketing system?

Yes — and BMC Remedy, Azure DevOps Boards, GitHub Issues, Zendesk, and webhook-anywhere. Point it at your ticketing system via ticketing.yaml (examples provided). Tickets land with full finding + fix recommendation + (when applicable) one-click remediation button.

What happens if the scan finds something critical?

P0/P1 findings get immediate webhook/email/Slack/PagerDuty alert (configurable). A change-request ticket is filed with full reproduction steps, CVSS score, and remediation playbook. If you've authorized FORGE for that category, a proposed fix is staged pending your [y/N] approval.

🛠 Support & Continuity

What's your SLA?

Launch: business-hours email, best-effort. Cloud: 4-hour business-hours response. Healthcare / Banking / Enterprise: 1-hour response 24×7 + dedicated Customer Success Manager. Critical-P1 escalations are 24×7 on every tier.

What if you go out of business?

Source code escrow is available for Banking and Enterprise tiers via a neutral third-party (Iron Mountain or Escrow.com). The signed bundle is self-contained and runs indefinitely without phoning home. The license server is a Cloudflare Worker — trivially self-hostable from the escrowed source.

What about breaking changes / backward compatibility?

Pinned bundle versions are available — set TITAN_VERSION=v2.4.1 and the installer grabs that exact signed build forever. Channels: stable (monthly), beta (weekly), canary (nightly). You pick your risk appetite per environment.

Who do we call if something breaks?

Email info@titanaisec.com with the CONDUCTOR output line that failed. Typical response under 4 business hours on Cloud+, under 1 hour on Healthcare/Banking/Enterprise. On-call phone rotation included for Banking + Enterprise tiers.

STILL HAVE QUESTIONS?

The fastest way to get answers is to try it.

14-day free trial · read-only · no credit card · installs in 10 minutes. If the product doesn't answer your question faster than we can on a call, the question wasn't worth asking.