Cloud scanning (AWS / GCP / Azure), compliance mapping, Docker scan isolation, and air-gapped deployment. Built for teams that need audit-ready security — with zero data leaving your infrastructure.
Three tiers for every team size. All include the full Enterprise feature set — cloud scanning, compliance engine, Docker isolation, air-gapped deployment, and ZDE policy. Annual invoicing · net-30 · volume discounts available.
AWS security groups + IAM, GCP firewall rules + IAM bindings, Azure NSGs + RBAC. Uses your own credentials — nothing touches Nsasoft.
Map findings to NIST CSF, CIS Controls, HIPAA Security Rule, GDPR Art. 32, and PCI DSS. Gap reports with evidence references.
Each scan runs in an ephemeral container — isolated, parallel, destroyed after completion. Read-only filesystem with resource limits.
Evaluate segmentation boundaries, encryption-in-transit, identity posture, and lateral movement risk. Composite readiness score.
Docker images (amd64 + arm64), offline NVD feed bundles, and installation tarballs. Runs in fully isolated networks.
Data classification (public / internal / sensitive / secret), external call guard, policy-based redaction, and full audit logging.
PostgreSQL backend, unlimited scan history retention, query API for historical analysis, and compliance dashboards.
Transitive shadow-admin path detection — including PassRole privesc and group-inherited cross-principal chains. Every finding carries a verifiable [via policy: ARN] evidence trail with partialProvenance / provenanceComplete completeness signals for SOC 2 Type-II auditors.
Audits CloudTrail trail health (multi-region default-ON across 36 canonical AWS regions, log-file validation, KMS-CMK, IsLogging), CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 via the v2 metric-filter audit, AWS Config recorder + Organizations ConfigurationAggregator detection with deterministic STS account-coverage cross-reference, and cross-account S3 trail-destination WORM verification (Object Lock + Versioning + MFADelete per trail bucket) for SEC 17a-4 / FINRA 4511 retention evidence. Closes SOC 2 CC7.2 + CC7.3.
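To make the trail-health checks above concrete, here is an added illustration (not nsauditor-ai code) that evaluates constructed DescribeTrails/GetTrailStatus-shaped records for logging state, multi-region coverage, log-file validation and KMS-CMK encryption; the severity labels and the account-level "no multi-region trail logging" rule are this example's own assumptions.

```python
# Added example, not nsauditor-ai code: CloudTrail trail-health evaluation over
# constructed records. Field names follow the CloudTrail API (DescribeTrails +
# GetTrailStatus); severities are this example's assumptions.
from typing import Dict, List

# Constructed sample: one well-configured multi-region trail, one weak legacy trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
     "S3BucketName": "example-trail-bucket", "IsLogging": True},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "KmsKeyId": None, "S3BucketName": "example-legacy-bucket", "IsLogging": False},
]


def audit_trail(trail: Dict) -> List[Dict]:
    """Per-trail checks: logging on, multi-region, digest validation, KMS-CMK encryption."""
    name = trail["Name"]
    findings = []
    if not trail.get("IsLogging"):
        findings.append({"trail": name, "check": "IsLogging", "severity": "HIGH",
                         "evidence": "GetTrailStatus.IsLogging=false"})
    if not trail.get("IsMultiRegionTrail"):
        findings.append({"trail": name, "check": "MultiRegion", "severity": "MEDIUM",
                         "evidence": "IsMultiRegionTrail=false"})
    if not trail.get("LogFileValidationEnabled"):
        findings.append({"trail": name, "check": "LogFileValidation", "severity": "MEDIUM",
                         "evidence": "LogFileValidationEnabled=false"})
    if not trail.get("KmsKeyId"):
        findings.append({"trail": name, "check": "KmsCmk", "severity": "LOW",
                         "evidence": "KmsKeyId missing (SSE-S3 only)"})
    return findings


def audit_account(trails: List[Dict]) -> List[Dict]:
    """All per-trail findings, plus CRITICAL when no multi-region trail is actually logging."""
    findings = [f for t in trails for f in audit_trail(t)]
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append({"trail": "*", "check": "AccountCoverage", "severity": "CRITICAL",
                         "evidence": "no multi-region trail with IsLogging=true"})
    return findings


if __name__ == "__main__":
    for f in audit_account(SAMPLE_TRAILS):
        print(f"{f['severity']:8} {f['trail']:14} {f['check']:18} {f['evidence']}")
```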
First entry-point evidence plugin for AWS Serverless-Framework deployments. Audits REST APIs (v1) + HTTP APIs (v2): per-method/route authorization classifier (NONE = CRITICAL, AWS_IAM / Cognito / JWT = PASS, JWT-with-wildcard-audience = INFO with IdP issuer/audience evidence, Lambda authorizer = INFO with manual-verification prompt), TLS policy with worst-policy tracking across mixed-config v2 domains (TLS_1_0 = HIGH), stage-level access logging, throttling (A1.2), and WAF association. SOC 2 mapping: CC6.1 + CC6.6 + CC6.7 + CC7.1 + A1.2.
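The per-route authorization classifier and worst-policy TLS tracking described above, as an added illustration (not nsauditor-ai code) run over constructed API Gateway route and custom-domain records; `authorizationType` and `securityPolicy` values are the real API Gateway ones, while the sample routes and domains are constructed.

```python
# Added example, not nsauditor-ai code: route-authorization classification and
# worst-policy TLS tracking over constructed API Gateway records, offline.
from typing import Dict, List

WILDCARD_AUD = {"*"}


def classify_route(route: Dict) -> Dict:
    """Return one finding for a method/route based on its authorizer configuration."""
    auth = route.get("authorizationType", "NONE")
    key = f"{route['method']} {route['path']}"
    if auth == "NONE":
        return {"route": key, "severity": "CRITICAL", "reason": "no authorization"}
    if auth in ("AWS_IAM", "COGNITO_USER_POOLS"):
        return {"route": key, "severity": "PASS", "reason": auth}
    if auth == "JWT":
        jwt = route.get("jwtConfiguration", {})
        if WILDCARD_AUD & set(jwt.get("audience", [])):
            return {"route": key, "severity": "INFO",
                    "reason": f"JWT wildcard audience; issuer={jwt.get('issuer')}"}
        return {"route": key, "severity": "PASS", "reason": "JWT"}
    if auth == "CUSTOM":  # Lambda (request/token) authorizer: logic lives outside the gateway
        return {"route": key, "severity": "INFO", "reason": "Lambda authorizer: verify manually"}
    return {"route": key, "severity": "INFO", "reason": f"unknown type {auth}"}


TLS_RANK = {"TLS_1_0": 0, "TLS_1_2": 1}  # lower rank = weaker policy


def worst_tls_policy(domains: List[Dict]) -> Dict:
    """Track the weakest securityPolicy across all custom domains; TLS_1_0 anywhere is HIGH."""
    if not domains:
        return {"policy": None, "severity": "INFO", "reason": "no custom domain"}
    worst = min(domains, key=lambda d: TLS_RANK.get(d["securityPolicy"], 0))
    sev = "HIGH" if worst["securityPolicy"] == "TLS_1_0" else "PASS"
    return {"policy": worst["securityPolicy"], "severity": sev, "reason": worst["domainName"]}


# Constructed sample inputs covering each classifier branch.
SAMPLE_ROUTES = [
    {"method": "GET", "path": "/health", "authorizationType": "NONE"},
    {"method": "POST", "path": "/orders", "authorizationType": "AWS_IAM"},
    {"method": "GET", "path": "/me", "authorizationType": "JWT",
     "jwtConfiguration": {"issuer": "https://idp.example.com", "audience": ["*"]}},
    {"method": "DELETE", "path": "/admin", "authorizationType": "CUSTOM"},
]
SAMPLE_DOMAINS = [
    {"domainName": "api.example.com", "securityPolicy": "TLS_1_2"},
    {"domainName": "legacy.example.com", "securityPolicy": "TLS_1_0"},
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(classify_route(r))
    print(worst_tls_policy(SAMPLE_DOMAINS))
```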
The "audit-the-auditor" plugin — answers the question every Type-II auditor asks after the entry-point one: can the audit record itself be tampered with? Per-table PITR + deletion protection (worst-case CRITICAL "audit record itself not survivable" when both missing). KMS-CMK classifier with conservative LOW-unverifiable posture on :key/UUID ARN shapes (defers to kms:DescribeKey cross-reference rather than false-clean PASS). Resource-policy presence audit via the 2024 GetResourcePolicy API with soft-degrade. CloudTrail DynamoDB data-event coverage cross-reference (orthogonal composition with plugin 1040). Matrix shift: PI1.5 (Stored items) moves out-of-scope → partial. Mapping: CC6.6 + CC7.1 + C1.1 + PI1.5.
Extended Model Context Protocol tools for AI assistants: start_assessment, compliance_check, export_report.
# @nsasoft/nsauditor-ai-ee is a private (restricted) package.
# Use the npm read-token delivered with your license email.
npm config set //registry.npmjs.org/:_authToken npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Or, project-scoped, in a .npmrc file in the project directory
# (keep that file out of version control, since it holds the token)
echo "//registry.npmjs.org/:_authToken=npm_xxxx..." >> .npmrc
npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
# CE 0.1.30+ verifies the JWT signature before persisting
# and stores the key in macOS Keychain (or ~/.nsauditor/.env mode 0600 on Linux/Windows).
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
✓ Enterprise license installed
  Stored at: macOS Keychain (service=nsauditor-ai)
  Org: you@example.com
  Seats: 5
  Expires: 2027-04-04T...

# CI/CD alternative: env var still works (highest priority in the multi-source loader)
export NSAUDITOR_LICENSE_KEY=enterprise_eyJ...

nsauditor-ai license --status
✓ Enterprise license active | Org: you@example.com | Seats: 5 | Expires: 2027-04-04

nsauditor-ai license --capabilities
✓ intelligenceEngine ✓ riskScoring ✓ complianceEngine ✓ cloudScanners ✓ zeroTrust ✓ dockerIsolation
# SOC 2 compliance scan with auditor-grade evidence artifacts (on-prem network)
nsauditor-ai scan --host 10.0.0.0/24 --plugins all \
  --compliance soc2
The same Enterprise binary scans AWS, Azure, and GCP via cloud-native plugins and writes findings into the unified soc2.json evidence ledger. 10 covered + 4 partial AICPA TSC controls across AWS (S3 + IAM + CloudTrail/CloudWatch/Config + API Gateway + DynamoDB), Azure (RBAC + NSG + Storage), and GCP (firewall + IAM). CC7.2 + CC7.3 transitioned from partial to covered in EE 0.3.7 via the new 1040 AWS CloudTrail Operational Integrity Auditor; institutional-grade hardening shipped in 0.3.8 (v2 metric-filter audit, multi-region default-ON, SEC 17a-4 / FINRA 4511 trail-bucket WORM verification). EE 0.3.9 ships two new plugins — 1050 AWS API Gateway Assurance (first entry-point evidence for Serverless-Framework deployments) and 1060 AWS DynamoDB Audit Integrity ("audit-the-auditor"; PI1.5 Stored items partial — first SOC 2 Processing Integrity evidence stream).
CLOUD_PROVIDER=aws AWS_REGION=us-east-1 \
  nsauditor-ai scan --host aws --plugins 1020,1030,1040,1050,1060 \
  --compliance soc2 --out tasks/aws-scan-out
# 1020 S3 · 1030 IAM Deep · 1040 CloudTrail Operational Integrity (NEW 0.3.7) ·
# 1050 API Gateway Assurance (NEW 0.3.9) · 1060 DynamoDB Audit Integrity (NEW 0.3.9, PI1.5 matrix shift).
# Plugin IDs moved to disjoint 1000+ namespace in 0.3.9 — closed a silent CE plugin-040 collision.
# Optional escalation: AWS_S3_AUDIT_CONFIDENTIAL_BUCKETS=payroll,hr,backups (LOW → MEDIUM)

CLOUD_PROVIDER=azure \
  AZURE_TENANT_ID=<your-tenant-id> \
  AZURE_CLIENT_ID=<sp-app-id> \
  AZURE_CLIENT_SECRET=<sp-secret> \
  AZURE_SUBSCRIPTION_ID=<subscription-id> \
  nsauditor-ai scan --host azure --plugins 022 \
  --compliance soc2 --out tasks/azure-scan-out
# Baseline (test subscription): findingCount=2, byStatus pass=6 fail=2
# Maps to: CC6.1 (RBAC Owner / Contributor / User Access Administrator at sub-scope),
#   CC6.6 (NSG inbound from * / 0.0.0.0/0 / Internet),
#   C1.1 (Storage defaultAction=Allow, allowBlobPublicAccess=true)

CLOUD_PROVIDER=gcp GCP_PROJECT_ID=my-project \
  nsauditor-ai scan --host gcp --plugins 021 --out tasks/gcp-scan-out
Pick the Enterprise tier that fits your team — Base, Growth, or Scale. All tiers include the full Enterprise feature set, with onboarding call included.