Citadel — TitusOS

Citadel is the autonomous defense system that monitors and protects every TitusOS workspace. Concentric defense-in-depth, founder-in-the-loop on anything customer-impacting, and a tamper-evident audit chain over every decision.

How Citadel works

Citadel is structured as a fortress: every component has a single, named job, and they reinforce each other. Perception, decision, response, and verification are separate layers — a single compromise can't cascade.

The Watchtower

Perception. Every auth event, RBAC denial, rate-limit trip, and anomaly streams here in real time.

The Garrison

Autonomous response. Correlates bursts, opens incidents, executes safe playbooks within seconds.

The Keep

Central decision brain. Routes incidents, evaluates confidence, decides what's autonomous vs. founder-gated.

The War Room

Founder-only command center. Every autonomous action lands here for review and sign-off.

The Archive

Tamper-evident audit. Forward-chained SHA-256 hashes today; immutable storage planned.

The Scouts

Threat intelligence. External feeds for known-bad IPs, leaked credentials, novel exploit chatter.

The Traps

Deception. Honey accounts and tokens that, if touched, page the founder instantly.

The Training Yard

Continuous self-attack. Automated red-team exercises against staging on every release.

The Drawbridge

Ingress control. WAF + edge filtering at the network boundary.

The Banner

This page. Public posture, design transparency, public commitments.

The Siege Log

Quarterly transparency report. What attacks were attempted, what we caught, what we missed.

Founder-in-the-loop

Citadel acts on its own only for low-risk, high-confidence responses (rate-limit a noisy IP, revoke a session, quarantine a token). The <30s containment target applies to that set. For anything customer-impacting, a founder must approve.

TitusOS Citadel

How Citadel works

Founder-in-the-loop

Public commitments