SOC 2 Compliance — NSAuditor AI EE

Q: How do I verify the scope of this report wasn't manipulated post-scan?

Three layered guarantees: (1) Integrity via SHA-256 sidecars on every artifact (always written, verifiable with shasum -a 256 -c). (2) Non-repudiation via opt-in RFC 3161 trusted-timestamp .tsr sidecars from a Time-Stamp Authority — a third-party time floor that an internal actor cannot backdate. (3) Suppression non-repudiation via Ed25519 signatures verified against a corporate identity registry.

Q: What if the security team marked a real finding as false positive to make the report look clean?

Multiple controls prevent this: every suppression is logged in Appendix B with rationale + approver; suppressions can carry Ed25519 signatures the auditor verifies independently; approvers are cross-referenced against a corporate identity registry with authorization-scope checks; suppressions renewed after expiration are flagged LATE or VERY_LATE; quarterly trend analysis surfaces governance degradation.

Q: How does the scanner handle clock drift?

An NTP probe measures local-clock drift against configurable NTP servers. Drift above threshold triggers a WARN or CRITICAL clock advisory on the cover page. In strict mode (complianceNtpStrict: true), critical drift aborts the compliance run entirely. Probe-staleness detection classifies the gap between probedAt and generatedAt to catch backdated or stale reports.

Q: This is a single-point-in-time scan. How does Type-II operating-effectiveness apply?

NSAuditor supports Type II evidence via recurring-scan attestation (multi-scan chronological matrix across 6–12 month windows), SLA/MTTR tracking with configurable per-severity thresholds, version-delta detection across scans, and quarterly suppression-renewal cadence trend analysis with governance bands.

Q: What about tabletop exercises for CC4.1 / CC7.3?

The tabletop simulation framework (EE-SOC2.14) provides a probe-event manifest and SIEM detection correlation. You define what you tested, import what was detected, and the correlator produces detection coverage percentage, per-category breakdown, undetected-probe list, and unmatched-SIEM-event list. Configurable coverage bands (50/80 liberal, 75/90 Type II, 85/95 high-assurance) classify the result as critical / acceptable / healthy.

TL;DR — what this does for SOC 2
Coverage matrix (TSC 2017)
How to run a SOC 2 scan
Environment variables reference
What you get — output artifacts
How to view & verify the results
Covered controls — direct evidence
Partial controls — single-dimension
Out of scope — what scanning can't evidence
Type I vs Type II support
Suppression workflow
GRC platform integration (Vanta)
WORM evidence storage (S3 Object Lock)
Tabletop simulation (CC4.1 / CC7.3)
Comparison vs the market
Auditor FAQ

TL;DR — what this does for SOC 2

NSAuditor AI EE generates a Type-I-friendly pre-audit gap report with institutional-level evidence controls. It maps cloud and network scan findings to specific Trust Services Criteria, produces signed evidence artifacts (cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, cryptographic suppression signing), and ships in machine-readable form suitable for GRC platform ingestion (native Vanta push connector shipped; Drata / Secureframe on roadmap).

It is not a SOC 2 Type II evidence pack on its own (Type II requires recurring-scan attestation across 6–12 months — supported via recurring-scan attestation + SLA/MTTR tracking, both shipped). It is not a replacement for governance, risk-assessment, or business-continuity evidence (those control families are explicitly out of scope). It is not a substitute for a CPA-firm audit — this is the pre-audit report you give your auditor so they don't bill you for finding what you already knew.

The market split: GRC platforms (Vanta, Drata, Secureframe) automate workflow but lack native vulnerability scanning; legacy scanners (Tenable, Qualys, Rapid7) produce voluminous CVE reports but don't map findings to TSC controls. NSAuditor's wedge is the bridge — deep scanning + auditor-mapped output + GRC API push.

Coverage matrix — AICPA TSC 2017

Source of truth is data/compliance/soc2.json; this matrix mirrors it. A test asserts the two stay in sync.

Status	Count	Trust Services Criteria
✓ Covered	7	CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1
⚠ Partial	5	CC6.3, CC7.2, CC7.3, CC8.1, A1.2
⚪ Out of scope	34	CC1., CC2., CC3., CC4., CC5., CC9., PI1.*, P1.0–P8.0, CC6.4, CC6.5

Read this: "Covered" means the engine produces direct evidence the auditor can attach to the control. "Partial" means we evidence one dimension of the control (e.g., a point-in-time snapshot) but not the cadence / multi-period dimension. "Out of scope" means the control is fundamentally not addressable by network scanning — a different evidence source is required.

How to run a SOC 2 scan

Once the EE package is installed and your license is activated, every scan can emit SOC 2 evidence by passing --compliance soc2. There are four common configurations — pick the one that matches the audit-readiness you need.

Install & activate

Install the EE package alongside the CE platform, then set your license key. Full install & activation steps live in the CE README and the EE package README — this is just the short version.

# EE package — requires npm read-token from your purchase email $ npm install -g @nsasoft/nsauditor-ai-ee # Activate (Enterprise license) $ export NSAUDITOR_LICENSE_KEY=ee_eyJhbGciOiJFUzI1NiIs... # Verify $ nsauditor-ai license --status ✓ Enterprise license active | Org: you@example.com | Expires: 2027-04-04
Run a basic SOC 2 scan

Single-scan, point-in-time. Produces the 10-file evidence bundle (gap report + scope attestation + chain-of-custody + integrity sidecars). Suitable for internal review and Type I gap analysis.

$ nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
Add trusted timestamps + SLA tracking

Adds RFC 3161 trusted-timestamp sidecars (third-party non-repudiation) and per-severity SLA / MTTR tracking. This is the configuration most enterprise customers run for ongoing audit-readiness.

$ COMPLIANCE_TSA_URL=https://freetsa.org/tsr \ COMPLIANCE_TRACK_SLA=true \ COMPLIANCE_IDENTITY_REGISTRY=data/compliance/identity_registry.json \ nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
Push results to your GRC platform

Ships the gap report straight into Vanta as TestResult objects with TSC outcome mapping. Drata / Secureframe on roadmap.

$ COMPLIANCE_GRC_PROVIDER=vanta \ COMPLIANCE_GRC_TOKEN=vanta_api_xxxx \ COMPLIANCE_TSA_URL=https://freetsa.org/tsr \ COMPLIANCE_TRACK_SLA=true \ nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
Run on a recurring schedule (Type II)

For Type II operating-effectiveness, run the same compliance scan on a fixed cadence (typically weekly or monthly). The recurring-attestation module automatically discovers prior scans, builds a chronological matrix across your assessment window, detects cadence gaps and scope drift, and emits the Type II evidence pack.

# Example: weekly SOC 2 scan via cron, 6-month assessment window $ crontab -e # 0 3 * * 0 cd /opt/nsauditor && nsauditor-ai scan --host 10.0.0.0/24 \ # --plugins all --compliance soc2 \ # --output-dir ./scans/$(date +\%Y-\%m-\%d) >> scan.log 2>&1 # Generate Type II recurring attestation across the last 6 months $ nsauditor-ai compliance recurring-attestation \ --root ./scans \ --framework soc2 \ --window 6m

Environment variables reference

All SOC 2-related environment variables (Enterprise license required):

Variable	Default	Purpose
COMPLIANCE_FRAMEWORKS	—	Set to `soc2` to enable SOC 2 mapping (auto-set when `--compliance soc2` passed).
COMPLIANCE_TSA_URL	—	RFC 3161 TSA endpoint for trusted-timestamp sidecars (e.g., `https://freetsa.org/tsr`).
COMPLIANCE_TRACK_SLA	`false`	Enable per-severity SLA / MTTR tracking with compensating-control flow.
COMPLIANCE_IDENTITY_REGISTRY	—	Path to identity-registry JSON for suppression approver verification.
COMPLIANCE_WORM_BUCKET	—	S3 bucket name for WORM evidence storage (Object Lock COMPLIANCE mode required).
COMPLIANCE_WORM_REDACTION	`off`	Resource redaction mode for WORM archive: `off` · `hash` · `remove`.
COMPLIANCE_GRC_PROVIDER	—	GRC platform: `vanta` (Drata / Secureframe planned).
COMPLIANCE_GRC_TOKEN	—	API token for GRC platform push.
COMPLIANCE_TABLETOP	`false`	Enable tabletop simulation with SIEM correlation (CC4.1 / CC7.3 evidence).
COMPLIANCE_NTP_STRICT	`false`	If `true`, abort the compliance run when NTP drift is CRITICAL.

What you get — output artifacts

Each --compliance soc2 run writes the evidence bundle to out/<scan-id>/. The base bundle is 10 files (14+ when recurring-attestation is configured), and every artifact ships with a .sha256 integrity sidecar.

File	Purpose
scan_compliance_soc2.md	Markdown gap report — engineering / GRC consumption.
scan_compliance_soc2.html	Standalone HTML report (inline CSS, dark theme, "Print to PDF" button) — give this to the auditor.
scan_compliance_soc2.json	Full report data (machine-readable) — for GRC API push or custom downstream tooling.
scan_attestation_soc2.json	Cover-page Scope Attestation envelope — CIDR list, exclusions, scanner version, NTP status.
scan_chain_of_custody_soc2.json	Chain-of-custody envelope linking scan → findings → artifact hashes.
*.sha256	Per-artifact SHA-256 sidecars — verify with `shasum -a 256 -c <file>.sha256`.
.tsr / .tsr.bundle.json	RFC 3161 Time-Stamp Response + TSA cert chain bundle (when `COMPLIANCE_TSA_URL` is set).
compliance_recurring_attestation_soc2.{md,json}	Type II recurring-attestation report (when configured) — chronological scan matrix, cadence-gap table, scope-drift events.

The cover-page Scope Attestation

Every artifact opens with the same attestation block — this is the auditor's single source of truth for what was assessed:

Report ID + generation timestamp (NTP-synced when available; honest "local clock" note otherwise)
Assessment type — explicit Type-I disclaimer
Scanner version (EE + CE, both pinned across all artifacts in the scan)
Scan window (start / end) and parallelism
Targets in scope — explicit CIDR / domains / cloud account IDs
Targets explicitly excluded with one-line business justification each (missing justification flagged ⚠ NO JUSTIFICATION PROVIDED)
Framework + version — SOC 2 (AICPA TSC 2017, with 2022 points of focus) version 2017
Report integrity — SHA-256 in companion sidecar
Clock advisory — NTP drift status + probe staleness classification
TSA policy OID (when timestamps are configured)
Version delta verdict — stable / changed / unknown across scan comparisons

Report appendices

Appendix A — Full finding details with TSC control mappings and stable rationale text
Appendix B — Accepted Risks & False Positives (every suppression with rationale + approver + renewal cadence)
Appendix C — Per-Target SLA Override Trace (override definitions + matched findings)
MTTR section — Mean Time To Remediate by severity with SLA compliance status
Identity verification section — Approver verification band with per-reason breakdown

How to view & verify the results

1. Open the HTML report (the auditor-friendly view)

The HTML report is fully self-contained — inline CSS, dark theme, no external assets, "Print to PDF" button at the top. Open it in any browser and you have the same view your auditor will see.

# macOS
$ open out/<scan-id>/scan_compliance_soc2.html

# Linux
$ xdg-open out/<scan-id>/scan_compliance_soc2.html

# Windows
> start out\<scan-id>\scan_compliance_soc2.html

2. Verify the chain-of-custody hashes

Every artifact ships with a .sha256 sidecar. All four MUST return OK. If any FAIL, the artifact has been tampered with since generation — reject the report and rerun the scan.

$ cd out/<scan-id>/
$ shasum -a 256 -c scan_compliance_soc2.md.sha256
scan_compliance_soc2.md: OK
$ shasum -a 256 -c scan_compliance_soc2.html.sha256
scan_compliance_soc2.html: OK
$ shasum -a 256 -c scan_compliance_soc2.json.sha256
scan_compliance_soc2.json: OK
$ shasum -a 256 -c scan_attestation_soc2.json.sha256
scan_attestation_soc2.json: OK

3. Verify the RFC 3161 trusted timestamp (when configured)

The TSA's signature attests "this hash existed at <TSA timestamp>" — a third-party time floor that an internal actor cannot backdate.

$ openssl ts -verify \
    -in out/<scan-id>/scan_compliance_soc2.json.tsr \
    -queryfile out/<scan-id>/scan_compliance_soc2.json.tsq \
    -CAfile /path/to/tsa-ca-bundle.pem
Verification: OK

4. Push to your GRC platform (optional)

If COMPLIANCE_GRC_PROVIDER=vanta was set on the scan, the connector already pushed; you'll find the TestResult objects in your Vanta workspace under the matching control IDs. If not, you can push retroactively:

$ COMPLIANCE_GRC_PROVIDER=vanta COMPLIANCE_GRC_TOKEN=vanta_api_xxxx \
  nsauditor-ai compliance push --scan out/<scan-id> --framework soc2

5. Inspect the JSON for custom tooling

The JSON envelope is the canonical machine-readable form — use it for GRC ingestion, dashboards, custom reports, etc.

$ jq '.controls[] | select(.status == "fail") | {id, title, evidence}' \
    out/<scan-id>/scan_compliance_soc2.json

Tip — what to send your auditor. Most CPA firms accept the HTML report + the .sha256 sidecars + (if configured) the .tsr sidecar bundle. Zip the entire out/<scan-id>/ directory and share via your usual evidence-collection workflow. The HTML is self-contained so it can be opened from a USB stick in an air-gapped audit room.

✓ Covered controls — direct evidence

For each control below, the engine produces a finding the auditor can attach to the control with stable rationale text.

CC6.1 — Logical access security software, infrastructure, and architectures

"The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives."

Source	Example finding	Why it violates CC6.1
auth_agent	SSH password authentication enabled	Password-only SSH violates least-privilege.
auth_agent	Exposed admin panel detected: phpmyadmin	Exposed admin panels violate boundary control.
auth_agent	Telnet service enabled (cleartext protocol)	Cleartext Telnet exposes credentials in transit.
aws-iam-deep-auditor	Console access enabled WITHOUT MFA	CC6.1 requires MFA on privileged accounts (2017 point of focus).
aws-iam-deep-auditor	SHADOW ADMIN: User has full wildcard (*) permissions	Shadow admins bypass intended access restrictions.
aws-iam-deep-auditor	Privilege escalation paths detected	Privesc paths violate access boundaries via self-elevation.

CC6.2 — User identification and authentication

Source	Example finding	Why it violates CC6.2
auth_agent	SNMP default community string 'public'	Default communities violate authentication uniqueness.
auth_agent	Anonymous FTP access enabled	Anonymous access bypasses identification entirely.
auth_agent	Telnet service enabled (cleartext protocol)	Cleartext credentials cannot satisfy identification integrity.

CC6.6 — Logical access boundaries and network segmentation

Source	Example finding	Why it violates CC6.6
exposure_agent	Database port 3306 (mysql) open	Databases reachable from outside the trust boundary violate segmentation.
exposure_agent	Management port 22 (ssh) open	Admin interfaces should be segmented from production network.
exposure_agent	Lateral movement risk: SMB + RDP both open	Co-located admin services fail lateral-movement-prevention requirement.
config_agent	RPC portmapper open on Linux host	RPC widens attack surface across segmentation lines.

CC6.7 — Data in transit protection

Source	Example finding	Why it violates CC6.7
crypto_agent	TLSv1 enabled on port 443	TLS 1.0 / 1.1 / SSLv2 / SSLv3 deprecated. (Mapping correctly excludes TLS 1.2 / 1.3.)
crypto_agent	Weak cipher suites on port 443	RC4, DES, NULL break in-transit confidentiality guarantee.
crypto_agent	Weak key exchange algorithms	Weak KEX compromises confidentiality retroactively.
crypto_agent	Expired TLS certificate	Expired certs invalidate the in-transit trust chain.
crypto_agent	Self-signed TLS certificate	Certificates from trusted CAs required in production.
crypto_agent	Missing HSTS header on HTTPS	HSTS is the baseline defense against TLS-stripping.

CC6.8 — Prevention and detection of unauthorized or malicious software

Source	Example finding	Why it violates CC6.8
service_agent	End-of-life Apache 2.2.x on port 80	EOL software no longer receives security updates.
intelligence_engine	CVE-2023-38408 — OpenSSH 8.2p1	Matched CVEs evidence unpatched components.
config_agent	Server version disclosed: nginx/1.18	Banner disclosure enables reconnaissance of vulnerable versions.

CC7.1 — Detection of changes to system configurations / vulnerabilities

This is the vulnerability-management control. Major audit firms typically interpret CC7.1 as requiring automated scanning, even though SOC 2 itself never uses the phrase "vulnerability scanning."

Source	Example finding	Why it violates CC7.1
intelligence_engine	CVE-2023-38408 (CVSS 9.8) — OpenSSH 8.2p1	CVE matching is the canonical CC7.1 evidence per major audit-firm guidance.
service_agent	End-of-life Apache 2.2.x	EOL detection is a positive CC7.1 signal.
config_agent	Debug endpoint(s) exposed on port 8080	CC7.1 expects detection of misconfigurations introducing vulnerability.
config_agent	HTTP directory listing enabled on port 80	Misconfiguration introducing vulnerability.

C1.1 — Identification and disposition of confidential information

(Only assessed if Confidentiality is in your audit scope — this is one of the optional categories.)

Source	Example finding	Why it violates C1.1
aws-s3-auditor	No public access block configured	Public-readable S3 buckets violate confidentiality boundary.
aws-s3-auditor	Bucket policy grants public access	Permissive bucket policy violates confidentiality boundary at storage layer.
aws-s3-auditor	No default encryption configured	C1.1 requires encryption-at-rest for confidential data.

⚠ Partial controls — single-dimension evidence

NSAuditor evidences one dimension of these controls (typically the configuration-state-at-this-moment dimension). The CADENCE / multi-period / process dimension requires additional evidence sources. The renderer surfaces a ⚠ Coverage caveat: line on every partial control.

Control	TSC title	What we evidence	What's missing (and from where)
CC6.3	System access removal and modification	Stale IAM access keys, multiple active keys (`aws-iam-deep-auditor`)	Removal cadence — recurring-scan attestation provides the multi-period evidence dimension.
CC7.2	Monitoring of system components	Lateral-movement-risk anomaly detection + tabletop simulation SIEM correlation	Continuous SIEM monitoring + alert routing.
CC7.3	Evaluation of security events for response	Finding inventory + tabletop simulation proving detection controls fire	The IR routing itself (Jira ticket, PagerDuty page, SIEM alert) — lives in your ITSM.
CC8.1	Change management and authorization	Snapshot of current configuration + scanner version delta detection	Multi-scan delta detection (CTEM) and change-authorization linkage (ITSM / Git PR webhook).
A1.2	Environmental protections, backup processes	Exposed-availability-target inventory + S3 versioning posture + GRC connector duration cap	Backup / recovery posture itself — pair with infrastructure attestations (e.g., AWS RTO/RPO docs).

⚪ Out of scope — what network scanning fundamentally cannot evidence

A SOC 2 audit covers technical, administrative, and physical controls. NSAuditor evidences the technical-network-and-cloud slice. Everything else is genuinely not our job — pretending otherwise would create what auditors call "scope illusion": the false belief that buying a scanner replaces governance work.

TSC family	Why scanning can't evidence it	What you need instead
CC1.1–CC1.5	Governance / ethics / board oversight (COSO Principles 1–5)	HR systems, signed Code of Conduct, board minutes, org charts
CC2.1–CC2.3	Internal/external policy communication	Corporate communication policies, awareness-training logs, whistleblower hotline
CC3.1–CC3.4	Enterprise risk identification (technical vuln ≠ enterprise risk)	Risk register, vendor questionnaires, executive risk meetings
CC4.1, CC4.2	Governance-layer monitoring of internal controls	SOC management reviews, control-effectiveness audits. Partial via tabletop simulation.
CC5.1–CC5.3	Policy and procedural controls at governance layer	Documented policies and procedures
CC9.1, CC9.2	Business continuity, vendor management, cyber insurance	BCP, DR tabletop logs, vendor SLA reviews, cyber-insurance policy
CC6.4 / CC6.5	Physical access (keycards, cameras, data center)	Keycard logs, security cameras, data-center SOC 2 attestations (AWS / GCP / Azure)
PI1.1–PI1.5	Application-logic correctness	App unit / integration tests, code-review records
P1.0–P8.0	Application-level data handling and disclosure	Privacy policy, DSAR workflows, consent management

The renderer emits all of these as out_of_scope controls in every gap report — auditors immediately see the engine's known boundaries and don't have to guess what wasn't evaluated.

Type I vs Type II support

Audit type	NSAuditor support	Evidence produced
Type I — point-in-time control design	Full	Single scan + cover-page attestation + integrity hashes + TSA timestamps.
Type II — operating effectiveness over 6–12 months	Supported	Recurring-scan attestation + SLA / MTTR tracking with per-severity thresholds + suppression renewal cadence + version-delta detection across scans + quarterly trend analysis.

Recurring-scan attestation

The recurring-attestation module discovers prior scans, filters by your assessment window, detects cadence gaps and scope drift, and emits a chronological matrix. Compliance status taxonomy:

pass — scans within cadence, no scope drift
pass_with_drift_review — within cadence; scope-drift events surfaced for CC8.1 change-management review
cadence_breach — any inter-scan gap exceeds threshold (CC7.1 finding)
no_evidence — zero scans in the window (distinguishes "scans on disk but outside window" from "truly empty rootDir" via discoveredCount)

SLA & MTTR tracking

Per-severity SLA thresholds from sla.json. Three statuses per finding: compliant, approaching (default 75% of threshold), breached. The renderer separates breachedTotal (raw count of all overdue findings) from breachedEffective (post-compensating-control). Auditors read both — breachedEffective > 0 is a hard CC7.1 finding.

Suppressions with status: accepted_risk + non-empty compensating_control flip a finding's effective SLA status from breached → breached_with_compensating_control. The renderer surfaces an inline disclaimer requiring auditor verification of each compensating-control text.

Suppression workflow — the "what about false positives?" answer

Every real scan produces findings the security team has triaged out — false positives, accepted risks with compensating controls, etc. SOC 2 auditors reject silent deletion of findings (looks like under-reporting) but accept documented exclusions when each one carries a specific match, a non-empty rationale, and an approver.

The compliance engine reads out/<scan-id>/suppressions.json if present and enforces all three fields. Suppressions missing any of them are rejected and the underlying finding stays in fail status — the engine refuses to silently absorb undocumented suppressions.

CLI

# Create a new suppression (auto-generates id, approvedAt, expiresAt)
$ nsauditor-ai compliance suppress --finding-id <id> --status accepted_risk

# Walk scan history, classify each suppression as active / approaching / expired / no_expiry
$ nsauditor-ai compliance review

# Refresh expiry; appends renewal entry (audit trail) capturing previous + new expiresAt + approver + rationale
$ nsauditor-ai compliance renew --finding-id <id>

Per-status default expiry

accepted_risk — 90 days (compensating controls decay; quarterly review is institutional norm)
false_positive — 365 days (scanner-error classifications don't go stale)
Caller can override via explicit expiresInDays

Cryptographic signing & identity verification

Each suppression can be Ed25519-signed with signSuppression(). The signature payload is NFC-normalized per RFC 5198 and capped at 64KiB. Verification via verifySuppression() or verifyAgainstRegistry() cross-references identity-registry public keys.

Approvers are validated against a corporate identity registry binding names to Ed25519 public keys and authorization scopes (which frameworks an approver may authorize suppressions for). The suppression-audit module detects governance gaps — late renewals, per-approver patterns, quarterly cadence trends — surfaced as governance bands (HEALTHY / ACCEPTABLE / DEFICIENT / CRITICAL).

Where suppressions show up in the report

Every suppression appears in Appendix B — Accepted Risks & False Positives with control ID, finding text, status (accepted_risk vs false_positive), approver, rationale, and renewal chain. Expired suppressions surface as report.expiredSuppressions[] with a "REVIEW REQUIRED" callout when non-empty.

GRC platform integration — Vanta

The Vanta connector maps NSAuditor findings to Vanta TestResult objects and pushes them via API. Drata and Secureframe are on the roadmap.

Outcome mapping

NSAuditor status	Vanta outcome
`pass`	`passed`
`fail` (all violations compensated)	`passed_with_compensating_control`
`fail` (any uncompensated)	`failed`
`partial`	`failed` (Vanta has no partial; `partialReason` in description)
`accepted_risk`	`passed_with_compensating_control`
`false_positive`	`passed`

Reliability features

Pre-flight — single-shot GET to vendor identity endpoint with AbortController timeout
Streaming response cap — MAX_RESPONSE_BYTES=1MiB (CC7.1 input validation at vendor API boundary)
Duration cap — maxTotalDurationMs=180s per push (A1.2 availability bound under Retry-After saturation)
Foreign-token detection — 18 well-known non-GRC token format patterns (GitHub, Slack, AWS, OpenAI, Stripe, GCP, npm) prevent misconfigured tokens reaching Vanta
Idempotency — idempotencyKey() with scanId collision disambiguation (~<sha16> suffix)
Description truncation — control descriptions truncate at 8KB with explicit count + scan reference

WORM evidence storage — S3 Object Lock

Write-Once-Read-Many archival for SEC Rule 17a-4 / FINRA 4511 audit compliance. The module ships with strict fail-CLOSED Object Lock validation:

GOVERNANCE mode explicitly rejected — citing s3:BypassGovernanceRetention as the override permission auditors reject. GOVERNANCE-mode allows bucket owners to override retention, making it functionally equivalent to /tmp from the auditor's perspective. This is the #1 institutional rejection cause for "WORM" claims.
COMPLIANCE mode required; minimum retention validation (default 7 years / 2555 days)
Integer-only Years/Days — fractional values rejected (prevents silent threshold bypass)
Resource redaction — three modes: off · hash (canonical-JSON SHA-256 fingerprints, key-order-independent) · remove (target/resource fields stripped)
Path-traversal defense in archive manifest (rejects entries containing /, \, .., .)

Tabletop simulation — CC4.1 / CC7.3 monitoring evidence

Structured probe-event manifest + SIEM detection correlation proving the organization tests its monitoring controls. You define probe events (what you tested), import SIEM detection events (what was detected), and the correlator produces auditor-grade evidence: detection coverage percentage, per-category breakdown, undetected-probe list, unmatched-SIEM-event list.

Coverage bands (configurable)

Liberal baseline — 50% / 80% (Type I / first-year)
Type II — 75% / 90% (practitioner heuristic for Type II annual)
High assurance — 85% / 95% (PCI-DSS L1 / FedRAMP)

Correlation guarantees

Strict UTC timestamp enforcement (naive timestamps rejected per CC7.1 / CC7.2)
IPv6 case-insensitive normalization (RFC 5952) + /128 CIDR strip
Hostname normalization (case-insensitive + trailing-dot strip)
SIEM event deduplication (structural identity)
O(P×S) safeguard with CORRELATION_SIZE_WARNING_THRESHOLD=1M + onWarn callback

Comparison vs the market

Caveat: competitor capability lists evolve quickly; this table reflects publicly-available 2026-Q1 product documentation. Verify against your actual contract before relying on these comparisons.

Capability	GRC platforms (Vanta / Drata / Secureframe)	Legacy scanners (Tenable / Qualys / Rapid7)	NSAuditor AI EE
Workflow automation + auditor portal	✓	—	integrates with GRC platforms (push)
Native vulnerability scanning	— (relies on 3rd-party)	✓ deep enterprise scanning	✓
TSC control mapping per finding	policy/config only — not vuln findings	partial — policy-pack mapping, not per-finding	✓ direct per-finding mapping with rationale
Cover-page Scope Attestation	varies (workflow-style)	—	✓
SHA-256 chain-of-custody on report bytes	varies	—	✓
RFC 3161 trusted-timestamp signing	—	—	✓ opt-in via `complianceTsaUrl`
TSA cert chain bundling + validation	—	—	✓ EKU / expiry / role validation
Documented suppression workflow	workflow only	—	✓ engine enforces rationale + approver
Cryptographic suppression signing (Ed25519)	—	—	✓ + identity-registry verification
SLA/MTTR tracking per severity	varies	✓ enterprise tiers	✓ configurable thresholds + approaching/breached status
Suppression renewal cadence auditing	—	—	✓ per-approver, quarterly trend, governance bands
Tabletop simulation SIEM correlation	—	—	✓ probe manifest + SIEM correlation + coverage
WORM evidence storage (S3 Object Lock)	varies	—	✓ COMPLIANCE-mode only; SEC 17a-4 / FINRA 4511
GRC platform API push	N/A (they are the platform)	partial (plugins)	✓ Vanta native; Drata / Secureframe planned
Air-gapped operation	— SaaS-only	✓ on-prem	✓ ZDE on-prem
Multi-operator concurrency safety	N/A	—	✓ atomic file locking with stale-PID detection

Auditor FAQ — questions your CPA firm asks, answered up front

How do I verify the scope of this report wasn't manipulated post-scan?

Three layered guarantees:

Integrity (against bit-rot, accidental edits, unsophisticated tampering): the cover page is part of the report bytes; .sha256 sidecars verify the report bytes. If the cover-page scope is wrong, the hashes won't match. Always written.
Non-repudiation (against an insider who can regenerate both the report AND the matching sidecar): opt-in via complianceTsaUrl. When configured, each artifact ships a .tsr sidecar containing a Time-Stamp Response from the configured RFC 3161 Time-Stamp Authority. The TSA's signature attests "this hash existed at <TSA timestamp>" — a third-party time floor that an internal actor cannot backdate. Recommended TSAs: FreeTSA.org (free, testing), DigiCert / Sectigo / GlobalSign (paid commercial), or your internal corporate TSA.
Suppression non-repudiation: each suppression can be Ed25519-signed. Signatures are verified against a corporate identity registry binding approver names to public keys.

What if the security team marked a real finding as "false positive" to make the report look clean?

Multiple controls prevent this:

Suppressions are visible — every one is logged in Appendix B with rationale + approver.
Cryptographic signing (optional) — suppressions carry Ed25519 signatures the auditor can independently verify.
Identity verification — approvers are cross-referenced against a corporate identity registry with authorization-scope checks.
Late-renewal flagging — suppressions renewed after expiration are flagged LATE or VERY_LATE with governance-band classification.
Quarterly trend analysis — rising late-renewal rates across quarters surface as governance degradation.

How does the scanner handle clock drift?

The NTP probe measures local-clock drift against configurable NTP servers. Drift above threshold triggers a WARN or CRITICAL clock advisory on the cover page. In strict mode (complianceNtpStrict: true), critical drift aborts the compliance run entirely. Probe staleness detection classifies the gap between probedAt and generatedAt to catch backdated or stale reports.

This is a single-point-in-time scan. How does Type-II operating-effectiveness apply?

NSAuditor supports Type II evidence through several mechanisms:

Recurring-scan attestation — multi-scan chronological matrix across 6–12 month windows
SLA / MTTR tracking — mean-time-to-remediate by severity with configurable thresholds
Version delta detection — identifies scanner-version changes to distinguish genuine findings from lifecycle artifacts
Suppression renewal cadence — quarterly trend analysis with governance bands

Why is CC1 (control environment) marked out of scope?

CC1 is about board oversight and organizational ethics — these are inherently human / process artifacts, not network state. We could pretend, but pretending creates more audit risk than admitting the boundary. Pair NSAuditor with a GRC platform (Vanta / Drata / Secureframe) for the governance layer.

What about tabletop exercises for CC4.1 / CC7.3?

The tabletop simulation framework (EE-SOC2.14) provides probe-event manifests + SIEM detection correlation. You define what you tested, import what was detected, and the correlator produces auditor-grade evidence: detection coverage percentage, per-category breakdown, undetected-probe list, unmatched-SIEM-event list. Configurable coverage bands (50/80 liberal, 75/90 Type II, 85/95 high-assurance) classify the result as critical / acceptable / healthy.

Where can I see the canonical mapping?

The source of truth is data/compliance/soc2.json in the EE package. The full SOC 2 coverage matrix in the EE repo mirrors that file, and a test asserts the two stay in sync.

Ready to ship a SOC 2 audit?

Talk to us about an Enterprise license, or grab the EE package via npm if you've already purchased. Audit-ready evidence in under five minutes from your first scan.

→ See pricing → enterprise@nsasoft.us ★ Star on GitHub

SOC 2 evidence the auditor actually accepts.

On this page