Your SOC 2, HIPAA Security Rule, NIST CSF 2.0, PCI DSS QSA, ISO/IEC 17021-1 certification body assessors, and CIS Controls v8 self-attestation (CSAT / CIS-CAT Pro) — plus the IG1 attestation your cyber-insurance underwriter wants — will all ask for proof your cloud enforces the controls you claim. One NSAuditor scan generates six signed, timestamped, framework-mapped evidence packs in parallel — across AWS, Azure, and GCP. No ePHI, no Cardholder Data, no cloud credentials, no scan data ever leaves your infrastructure. Zero BAA required. Air-gapped deployment for federal-contractor / DFARS / CMMC + payment-processing CDE-isolation + ISO 27001 ISMS-scope-controlled threat models.
An operator pointed Claude Desktop at their AWS account and the CloudTrail auditor came back oddly thin. CloudTrail trails live per-region, so the auditor sweeps ~32 regions — and a handful of unreachable regions, each hanging ~30s on connect, pushed the whole pass past the assistant's ~60-second tool-call limit, so it gave up and reported only one region. 0.16.7 makes that enumeration fail fast and keep going: a short per-region connect/request timeout plus a wider fan-out drops a dead region in ~2s instead of stalling for thirty, and one region's error no longer discards every other region's evidence. The CloudTrail audit went from 234 seconds (and incomplete) to ~13 seconds and fully multi-region — and the findings that were silently missing now reach the operator.
A region the auditor genuinely can't reach is now an explicit evidence gap, not a silent miss: the other regions' trails are preserved, and the unaudited region is surfaced both as a finding routed to the CloudTrail controls (the verdict fails closed over the gap) and in the structured scan-scope record. Confirmed in production via Claude Desktop — the CloudTrail and CloudWatch findings that were previously cut short (log-bucket Object Lock, MFA-Delete, non-multi-region trail, missing CIS root-usage / MFA / CMK / config-change alarms) now show up. No new plugin (count stays 28); all six coverage matrices UNCHANGED. This closes the 2026-05-31 CloudTrail arc — 0.16.5 fail-closed-on-abort → 0.16.6 soft-budget over the lower of both timeout knobs → 0.16.7 fast-fail multi-region. Paired CE 0.1.98 + agent-skill 0.1.66.
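The fan-out pattern the 0.16.7 note describes, as an added example (not NSAuditor's own code): a bounded-concurrency sweep with a short per-region deadline, where a region that never answers becomes an explicit evidence-gap finding plus a scan-scope entry, and the other regions' trails survive. The region list, latencies, trail names and the `describeTrailsInRegion` stand-in are constructed for the example; a real implementation would put an AWS SDK DescribeTrails call behind that function.

```javascript
// Added example, not NSAuditor code: bounded-concurrency multi-region fan-out with a short
// per-region deadline. An unreachable region becomes an explicit evidence gap and the other
// regions' trails survive. Region list, latencies and trail names below are constructed.

const REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1", "me-south-1"];

// Constructed stand-in for a per-region DescribeTrails call. me-south-1 never answers
// (a disabled or blocked region); eu-west-1 answers with AccessDenied.
function describeTrailsInRegion(region) {
  const fixtures = {
    "us-east-1": { trails: ["org-trail"], delayMs: 20 },
    "us-west-2": { trails: [], delayMs: 10 },
    "eu-west-1": { error: "AccessDenied", delayMs: 5 },
    "ap-southeast-1": { trails: ["regional-trail"], delayMs: 15 },
  };
  const f = fixtures[region];
  if (!f) return new Promise(() => {}); // never settles: simulates a hung connect
  return new Promise((resolve, reject) =>
    setTimeout(() => (f.error ? reject(new Error(f.error)) : resolve(f.trails)), f.delayMs));
}

// Race the call against a deadline so a dead region costs ~timeoutMs, not a full TCP connect
// timeout. The timer is cleared on settle so it cannot keep the process alive.
function withTimeout(promise, timeoutMs, label) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${timeoutMs}ms: ${label}`)), timeoutMs);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Run fn over items with at most `limit` in flight. Never rejects: each slot records
// {status, value|reason} like Promise.allSettled, so one failure cannot abort the sweep.
async function mapSettled(items, limit, fn) {
  const results = new Array(items.length);
  let next = 0;
  async function worker() {
    while (next < items.length) {
      const i = next++;
      try { results[i] = { status: "fulfilled", value: await fn(items[i]) }; }
      catch (reason) { results[i] = { status: "rejected", reason }; }
    }
  }
  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, worker));
  return results;
}

// Fail-closed merge: every rejected region becomes both a finding and a scan-scope entry;
// trails from the fulfilled regions are kept. A sweep that audited nothing is a FAIL, not an empty PASS.
function aggregateRegionResults(regions, settled) {
  const trails = [];
  const findings = [];
  const scope = { audited: [], unaudited: [] };
  regions.forEach((region, i) => {
    const r = settled[i];
    if (r.status === "fulfilled") {
      scope.audited.push(region);
      for (const name of r.value) trails.push({ region, name });
    } else {
      const reason = r.reason && r.reason.message ? r.reason.message : String(r.reason);
      scope.unaudited.push({ region, reason });
      findings.push({
        severity: "MEDIUM",
        title: `cloudtrail-region-unaudited: ${region}`,
        evidenceGap: true,
        detail: `region could not be enumerated (${reason}); the CloudTrail verdict fails closed over this gap`,
      });
    }
  });
  const verdict = scope.unaudited.length === 0 && scope.audited.length > 0 ? "PASS" : "FAIL";
  return { trails, findings, scope, verdict };
}

async function auditCloudTrailAllRegions({ regions = REGIONS, timeoutMs = 2000, concurrency = 8 } = {}) {
  const settled = await mapSettled(regions, concurrency, (region) =>
    withTimeout(describeTrailsInRegion(region), timeoutMs, region));
  return aggregateRegionResults(regions, settled);
}

// Stand-alone demo (CommonJS only): the whole sweep takes about timeoutMs, not minutes.
if (typeof require !== "undefined" && require.main === module) {
  auditCloudTrailAllRegions({ timeoutMs: 200 })
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => { console.error(e); process.exitCode = 1; });
}
```

The two properties worth copying are in `aggregateRegionResults`: a rejected region is never dropped from the record, and the verdict is computed from the gap, so a partially audited account cannot produce a clean pack by accident.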
Three tiers for every team size. All include the full Enterprise feature set — cloud scanning, compliance engine, Docker isolation, air-gapped deployment, and ZDE policy. Annual invoicing · net-30 · volume discounts available.
AWS security groups + IAM, GCP firewall rules + IAM bindings, Azure NSGs + RBAC. Uses your own credentials — nothing touches Nsasoft.
Map findings to NIST CSF, CIS Controls, HIPAA Security Rule, GDPR Art. 32, and PCI DSS. Gap reports with evidence references.
Each scan runs in an ephemeral container — isolated, parallel, destroyed after completion. Read-only filesystem with resource limits.
Evaluate segmentation boundaries, encryption-in-transit, identity posture, and lateral movement risk. Composite readiness score.
Docker images (amd64 + arm64), offline NVD feed bundles, and installation tarballs. Runs in fully isolated networks.
Data classification (public / internal / sensitive / secret), external call guard, policy-based redaction, and full audit logging.
PostgreSQL backend, unlimited scan history retention, query API for historical analysis, and compliance dashboards.
The foundational S3 bucket-security auditor. EE 0.15.2 reworked the effective-public-exposure model: missing or partial PublicAccessBlock now escalates to MEDIUM (a guardrail gap, not current exposure), and top severity is reserved for confirmed-public via bucket policy OR a new GetBucketAcl check that completes the ACL × policy × PAB join. A public AllUsers / AuthenticatedUsers grant is top-severity unless the PAB IgnorePublicAcls neutralizes it (then LOW). Closes a public-via-ACL false-negative class while fixing the false-positive class — live-revalidated against a real prod account (12 top-severity findings → 11 verified not-public + 1 genuinely-public policy). Maps to CC6.6 + C1.1.
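The ACL × policy × PAB join described above, as an added example (not NSAuditor's plugin code). Inputs mirror the shapes GetBucketAcl, GetBucketPolicyStatus and GetPublicAccessBlock return; every sample bucket is constructed. It goes one step beyond the page in one place, labelled in the code: a public bucket policy behind RestrictPublicBuckets=true is downgraded rather than hidden, because that flag confines such a policy to the bucket owner's account and AWS service principals.

```javascript
// Added example, not NSAuditor code: the ACL x bucket-policy x PublicAccessBlock join that
// decides a bucket's effective public exposure. Inputs mirror the GetBucketAcl,
// GetBucketPolicyStatus and GetPublicAccessBlock response shapes; all buckets below are constructed.

const PUBLIC_ACL_GRANTEES = new Set([
  "http://acs.amazonaws.com/groups/global/AllUsers",
  "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
]);

const PAB_FLAGS = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"];
const FULL_PAB = Object.fromEntries(PAB_FLAGS.map((k) => [k, true]));

// GetPublicAccessBlock throws NoSuchPublicAccessBlockConfiguration when none is set; the
// caller passes null and every flag is treated as false.
function normalizePab(pab) {
  const out = {};
  for (const k of PAB_FLAGS) out[k] = Boolean(pab && pab[k] === true);
  return out;
}

function aclIsPublic(acl) {
  const grants = (acl && acl.Grants) || [];
  return grants.some((g) => g.Grantee && g.Grantee.Type === "Group" && PUBLIC_ACL_GRANTEES.has(g.Grantee.URI));
}

function classifyBucketExposure({ name, acl, policyStatus, pab }) {
  const p = normalizePab(pab);
  const policyPublic = Boolean(policyStatus && policyStatus.PolicyStatus && policyStatus.PolicyStatus.IsPublic === true);
  const findings = [];

  if (policyPublic) {
    // Assumption beyond the page: RestrictPublicBuckets=true confines a public bucket policy to
    // the bucket owner's account and AWS service principals, so it downgrades rather than hides the finding.
    findings.push(p.RestrictPublicBuckets
      ? { severity: "LOW", check: "policy-public-restricted-by-pab", bucket: name }
      : { severity: "CRITICAL", check: "policy-public", bucket: name });
  }
  if (aclIsPublic(acl)) {
    findings.push(p.IgnorePublicAcls
      ? { severity: "LOW", check: "acl-public-ignored-by-pab", bucket: name }
      : { severity: "CRITICAL", check: "acl-public", bucket: name });
  }
  const missing = PAB_FLAGS.filter((k) => !p[k]);
  if (missing.length > 0) {
    // Guardrail gap, not current exposure: a future public ACL or policy would take effect.
    findings.push({ severity: "MEDIUM", check: "pab-incomplete", bucket: name, missing });
  }
  if (findings.length === 0) findings.push({ severity: "PASS", check: "not-public", bucket: name });
  return findings;
}

const RANK = { PASS: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };
function worstSeverity(findings) {
  return findings.reduce((w, f) => (RANK[f.severity] > RANK[w] ? f.severity : w), "PASS");
}

const ALL_USERS_READ = { Grantee: { Type: "Group", URI: "http://acs.amazonaws.com/groups/global/AllUsers" }, Permission: "READ" };

// Constructed sample buckets covering the three interesting outcomes.
const SAMPLE_BUCKETS = [
  { name: "acme-logs", acl: { Grants: [] }, policyStatus: { PolicyStatus: { IsPublic: false } }, pab: FULL_PAB },
  { name: "acme-www", acl: { Grants: [] }, policyStatus: { PolicyStatus: { IsPublic: true } }, pab: null },
  { name: "acme-legacy", acl: { Grants: [ALL_USERS_READ] }, policyStatus: { PolicyStatus: { IsPublic: false } },
    pab: { ...FULL_PAB, BlockPublicPolicy: false } },
];

// Per-bucket roll-up: worst finding wins.
function summarize(buckets = SAMPLE_BUCKETS) {
  return Object.fromEntries(buckets.map((b) => [b.name, worstSeverity(classifyBucketExposure(b))]));
}
```

Note the asymmetry the page calls out: a missing PAB is MEDIUM on its own, but the same bucket with a public ACL and no IgnorePublicAcls is CRITICAL, because the guardrail gap has already been exercised.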
Third leg of the cloud-storage audit triad, completing the multi-cloud picture alongside plugin 1020 (AWS S3) and plugin 1022 (Azure Storage). The first new EE plugin since EE 0.6.1 — six months of AWS-only depth followed by the first GCP parity expansion. Audits across 6 SOC 2 substrate-evidence dimensions: Bucket-level IAM public bindings (CC6.6 — allUsers = CRITICAL zero-trust bypass; allAuthenticatedUsers = HIGH Google-account-trust bypass; co-existence surfaces both findings with merged evidence), Uniform Bucket-Level Access (CC6.6 + C1.1 — enforces IAM as single source of truth, no legacy ACL surface; disabled = MEDIUM), Object Versioning (C1.1 + A1.2 — accidental object deletion reversibility; disabled = MEDIUM), Retention Policy / Bucket Lock (C1.1 + C1.2 — three-tier: missing = MEDIUM, unlocked = MEDIUM, locked = PASS; SEC 17a-4 / FINRA 4511 WORM alignment), CMEK via Cloud KMS (CC6.1 — four-tier key-custody ladder matching plugin 1140 RDS pattern; full-format 6-segment Cloud KMS resource-path regex gates PASS tier; malformed reference = LOW + evidenceGap per conservative_classifier_principle), and Bucket-level access logging (CC7.1 — missing = MEDIUM; separate destination bucket = PASS; self-logging = INFO + walkthroughRequired). _callGcsWithInstrumentation wraps GCS API calls with AccessDenied counter + throttle-retry + wall-budget (Thread H equivalent). ZDE — only GCS-public-namespace identifiers (bucket names, KMS paths) propagate to findings; operator labels never read. 20 new soc2.json titlePattern entries (5 CC6.6 + 3 CC6.1 + 2 CC7.1 + 5 C1.1 + 3 C1.2 + 2 A1.2). 101 new tests across 17 suites. Maps to CC6.1 + CC6.6 + CC7.1 + C1.1 + C1.2 + A1.2.
GCP counterpart to plugin 1030 AWS IAM Deep Auditor at the project boundary — audits the full GCP project IAM policy surface across 7 SOC 2 substrate-evidence dimensions (v2 scope). v1 dims (3): Project IAM public-member bindings (CC6.1 — allUsers CRITICAL / allAuthenticatedUsers HIGH); Sensitive-role inventory of 12 predefined roles (CC6.1 + CC6.6 MEDIUM); IAM Conditions classifier (CC6.1 — restrictive CEL = PASS; absent = MEDIUM; vacuous = LOW + evidenceGap). v2 dims (4, added in 0.7.1): Custom-role permission audit (CC6.1 — wildcard * sentinel = CRITICAL; 16-entry admin-equiv allowlist intersection = HIGH); Service-account key custody (CC6.1 + C1.1 — user-managed long-lived keys = HIGH; per-SA keysFetchError propagation for audit-principal partial-permission scenarios); Service-account impersonation graph BFS (CC6.1 — 4-hop cycle-safe traversal of 3 canonical impersonation roles; 2-hop = HIGH, 3+ hop = CRITICAL; project-scope fan-out bindings classified as CRITICAL _CAT_SA_IMPERSONATION_PROJECT_SCOPE — a real GCP privesc class missed by per-SA-only inventory); Org Policy constraint enumeration (CC6.6 + C1.1 — 4 sensitive constraints incl. iam.disableServiceAccountKeyCreation; explicit reset detection). NEW utils/gcp_auth.mjs shared helper for GOOGLE_IMPERSONATE_SERVICE_ACCOUNT credential chain (keyFile / ADC / ADC+impersonation). 33 soc2.json titlePattern entries total (11 v1 + 22 v2 across CC6.1 + CC6.6 + C1.1). +180 new tests this cycle (5715/5715). Maps to CC6.1 + CC6.6 + C1.1.
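The impersonation-graph traversal described above, as an added example (not NSAuditor's plugin code). Which three roles count as impersonation roles, the hop-to-severity mapping, and every binding and service account below are assumptions made for the example; the page names neither the roles nor its fixtures. The traversal is breadth-first with a visited set, so cycles terminate and each reachable service account is reported at its shortest hop distance, and project-level bindings are expanded to every service account and flagged as their own finding.

```javascript
// Added example, not NSAuditor code: build the service-account impersonation graph from IAM
// bindings and BFS it for multi-hop chains, cycle-safe and capped at four hops. The three roles
// treated as impersonation, the hop-to-severity mapping and every binding below are assumptions.

const IMPERSONATION_ROLES = new Set([
  "roles/iam.serviceAccountTokenCreator",
  "roles/iam.serviceAccountUser",
  "roles/iam.serviceAccountKeyAdmin",
]);
const MAX_HOPS = 4;

// Constructed inventory. `resource` is a service-account email (per-SA IAM policy) or the
// literal "project" (a project-level binding, which fans out to every SA in the project).
const SERVICE_ACCOUNTS = ["ci@p.iam.gserviceaccount.com", "deploy@p.iam.gserviceaccount.com", "admin@p.iam.gserviceaccount.com"];
const BINDINGS = [
  { resource: "ci@p.iam.gserviceaccount.com", role: "roles/iam.serviceAccountTokenCreator", members: ["user:dev@example.com"] },
  { resource: "deploy@p.iam.gserviceaccount.com", role: "roles/iam.serviceAccountUser", members: ["serviceAccount:ci@p.iam.gserviceaccount.com"] },
  { resource: "admin@p.iam.gserviceaccount.com", role: "roles/iam.serviceAccountTokenCreator", members: ["serviceAccount:deploy@p.iam.gserviceaccount.com"] },
  { resource: "ci@p.iam.gserviceaccount.com", role: "roles/iam.serviceAccountTokenCreator", members: ["serviceAccount:admin@p.iam.gserviceaccount.com"] }, // cycle back to ci
  { resource: "project", role: "roles/iam.serviceAccountTokenCreator", members: ["group:sre@example.com"] },
  { resource: "admin@p.iam.gserviceaccount.com", role: "roles/viewer", members: ["user:auditor@example.com"] }, // not an impersonation role
];

function buildImpersonationGraph(bindings, serviceAccounts) {
  const edges = new Map(); // member -> Set of service-account members it can act as
  const findings = [];
  const addEdge = (from, to) => { if (!edges.has(from)) edges.set(from, new Set()); edges.get(from).add(to); };
  for (const b of bindings) {
    if (!IMPERSONATION_ROLES.has(b.role)) continue;
    for (const member of b.members) {
      if (b.resource === "project") {
        // Project-scope grant: the member can mint tokens for every SA, including ones created later.
        findings.push({ severity: "CRITICAL", category: "sa-impersonation-project-scope", member, role: b.role });
        for (const sa of serviceAccounts) addEdge(member, "serviceAccount:" + sa);
      } else {
        addEdge(member, "serviceAccount:" + b.resource);
      }
    }
  }
  return { edges, findings };
}

// BFS from every non-SA principal. The visited set makes cycles terminate and yields the
// shortest hop count to each reachable SA, which is what the severity should reflect.
function findImpersonationChains(edges, maxHops = MAX_HOPS) {
  const chains = [];
  for (const start of edges.keys()) {
    if (start.startsWith("serviceAccount:")) continue;
    const visited = new Set([start]);
    const queue = [[start]];
    while (queue.length > 0) {
      const path = queue.shift();
      if (path.length - 1 >= maxHops) continue;
      for (const next of edges.get(path[path.length - 1]) || []) {
        if (visited.has(next)) continue;
        visited.add(next);
        const longer = [...path, next];
        chains.push(longer);
        queue.push(longer);
      }
    }
  }
  return chains;
}

// Assumed mapping: 1 hop is direct (INFO), 2 hops HIGH, 3 or more CRITICAL.
function classifyChain(path) {
  const hops = path.length - 1;
  return hops >= 3 ? "CRITICAL" : hops === 2 ? "HIGH" : "INFO";
}

const SEV_RANK = { INFO: 0, HIGH: 1, CRITICAL: 2 };

// Worst severity per starting principal, merging chain depth with project-scope findings.
function auditImpersonation(bindings = BINDINGS, serviceAccounts = SERVICE_ACCOUNTS) {
  const { edges, findings } = buildImpersonationGraph(bindings, serviceAccounts);
  const chains = findImpersonationChains(edges);
  const worst = {};
  const bump = (p, sev) => { if (!worst[p] || SEV_RANK[sev] > SEV_RANK[worst[p]]) worst[p] = sev; };
  for (const c of chains) bump(c[0], classifyChain(c));
  for (const f of findings) bump(f.member, f.severity);
  return { chains, findings, worst };
}
```

With the constructed bindings, user:dev reaches ci in one hop, deploy in two and admin in three, which is exactly the class a per-SA inventory reports as three unrelated MEDIUMs; the project-level TokenCreator binding for group:sre is CRITICAL on its own even though each of its chains is a single hop.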
Transitive shadow-admin path detection — including PassRole privesc and group-inherited cross-principal chains. Every finding carries a verifiable [via policy: ARN] evidence trail with partialProvenance / provenanceComplete completeness signals for SOC 2 Type-II auditors.
Audits CloudTrail trail health (multi-region default-ON across 36 canonical AWS regions, log-file validation, KMS-CMK, IsLogging), CloudWatch alarm coverage against the CIS AWS Foundations Benchmark monitoring controls (§3.1–3.14 in v1.2; renumbered §4.x from v1.4 onward, including v1.5) via the v2 metric-filter audit, AWS Config recorder + Organizations ConfigurationAggregator detection with deterministic STS account-coverage cross-reference, and cross-account S3 trail-destination WORM verification (Object Lock + Versioning + MFADelete per trail bucket) for SEC 17a-4 / FINRA 4511 retention evidence. Closes SOC 2 CC7.2 + CC7.3.
First entry-point evidence plugin for AWS Serverless-Framework deployments. Audits REST APIs (v1) + HTTP APIs (v2): per-method/route authorization classifier (NONE = CRITICAL, AWS_IAM / Cognito / JWT = PASS, JWT-with-wildcard-audience = INFO with IdP issuer/audience evidence, Lambda authorizer = INFO with manual-verification prompt), TLS policy with worst-policy tracking across mixed-config v2 domains (TLS_1_0 = HIGH), stage-level access logging, throttling (A1.2), and WAF association. SOC 2 mapping: CC6.1 + CC6.6 + CC6.7 + CC7.1 + A1.2.
The "audit-the-auditor" plugin — answers the question every Type-II auditor asks after the entry-point one: can the audit record itself be tampered with? Per-table PITR + deletion protection (worst-case CRITICAL "audit record itself not survivable" when both missing). KMS-CMK classifier with conservative LOW-unverifiable posture on :key/UUID ARN shapes (in 0.4.0 this becomes a deterministic PASS/MEDIUM when plugin 1070 is in the same scan — closes EE-RT.2.1.1). Resource-policy presence audit via the 2024 GetResourcePolicy API with soft-degrade. CloudTrail DynamoDB data-event coverage cross-reference (orthogonal composition with plugin 1040). Matrix shift: PI1.5 (Stored items) moves out-of-scope → partial. Mapping: CC6.6 + CC7.1 + C1.1 + PI1.5.
Validates cryptographic boundary integrity and key governance. Per-key rotation status (customer-managed CMKs flagged MEDIUM when rotation disabled; AWS-managed keys correctly identified as not-applicable). Wildcard-principal classifier across 5 severity tiers: CRITICAL unconditional kms:* takeover; HIGH for sensitive actions; INFO read-only-only; PASS no-wildcard. Coverage spans Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action coverage. Exports _describeKeyManager() helper consumed by plugin 1060. Maps to CC6.3 + C1.1. 77 new tests.
Runtime EOL detection (institutional-CRITICAL when Lambda returns EOL runtime like nodejs16.x / python3.7; case-normalized at boundary per aws_string_case_normalization), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: secret VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, dead-letter queue + reserved concurrency posture. Maps to CC6.1 / CC6.6 / CC7.1 / C1.1.
Secrets Manager ListSecrets + DescribeSecret (rotation enabled/disabled, last-rotated cadence, KMS-CMK vs AWS-managed key custody, tag-driven prod-tier classification). SSM Parameter Store DescribeParameters (String vs SecureString classification with secret-suggestive name detection, KmsKeyId presence on SecureStrings). ZDE-critical: scanner NEVER calls GetSecretValue / GetParameter — only Describe* / List* metadata APIs; verb-prefix denylist regex enforces this at SDK boundary. Maps to CC6.1 / CC6.6 / C1.1.
Pipeline source-stage encryption (KMS-CMK presence), CodeBuild privilegedMode detection (HIGH for non-Docker-image builds), buildspec inlined-vs-S3 (configuration drift surface), secrets passed via environment variables vs Secrets Manager reference, IAM role least-privilege via wildcard-Action detection, S3 artifact-store encryption. EE-RT.9.1 runtime-state audit: stale-execution detection — pipeline's latest execution older than configured cadence isn't actively defending the build path. Maps to CC6.1 / CC7.1 / CC8.1 / C1.1.
Cross-plugin reconciler: walks IAM policies for kms:Decrypt / kms:ReEncrypt* / kms:GenerateDataKey grants then cross-references against destination KMS key policies (plugin 1070) to compute the effective decrypt path. Closes the institutional NotAction-implicit-decrypt false-PASS class (Allow + NotAction:[...] + Resource:* over-grants decrypt implicitly). EE-RT.10.1 cross-plugin sister-fix in plugin 1030 case-normalizes Effect+Action discriminators. Maps to CC6.1 / CC6.6 / C1.1 / C1.2.
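The two statement-level questions behind the KMS wildcard-principal classifier (plugin 1070, above) and the NotAction implicit-decrypt class (plugin 1110, this entry), as one added example that is not NSAuditor's code: does an Allow statement grant a given action once Action/NotAction, globs and case-insensitivity are accounted for, and can anyone on the internet reach it given the Principal/NotPrincipal shape. The tiering thresholds and every policy below are constructed for the example.

```javascript
// Added example, not NSAuditor code: two questions asked of an IAM or KMS policy statement,
// "does it grant this action?" (Action vs NotAction, globs, case-insensitive) and "who can
// reach it?" (Principal/NotPrincipal wildcard shapes). All policies below are constructed.

function toArray(v) { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// IAM action names are case-insensitive; '*' and '?' are the only wildcard characters.
function actionMatches(pattern, action) {
  const escaped = pattern.toLowerCase().replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(action.toLowerCase());
}

function isAllow(stmt) { return String(stmt.Effect).toLowerCase() === "allow"; }

// An Allow with NotAction grants every action NOT listed, so a NotAction that omits kms:*
// implicitly grants kms:Decrypt. A statement with neither field grants nothing.
function statementAllows(stmt, action) {
  if (!isAllow(stmt)) return false;
  if (stmt.Action !== undefined) return toArray(stmt.Action).some((p) => actionMatches(p, action));
  if (stmt.NotAction !== undefined) return !toArray(stmt.NotAction).some((p) => actionMatches(p, action));
  return false;
}

// Wildcard principal shapes: "*", {"AWS":"*"}, {"AWS":["arn:...","*"]}. Key match is case-insensitive.
function principalIsWildcard(principal) {
  if (principal === "*") return true;
  if (principal && typeof principal === "object") {
    return Object.entries(principal).some(([k, v]) => k.toLowerCase() === "aws" && toArray(v).includes("*"));
  }
  return false;
}

// NotPrincipal + Allow means "everyone except", which is wildcard-equivalent.
function statementIsWorldReachable(stmt) {
  if (!isAllow(stmt)) return false;
  if (stmt.NotPrincipal !== undefined) return true;
  return principalIsWildcard(stmt.Principal);
}

const SENSITIVE_KMS_ACTIONS = ["kms:Decrypt", "kms:ReEncryptFrom", "kms:GenerateDataKey", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"];
const TIER_RANK = { PASS: 0, INFO: 1, HIGH: 2, CRITICAL: 3 };

// Key-policy tiering (assumed thresholds): CRITICAL = unconditional world-reachable kms:*;
// HIGH = world-reachable sensitive action; INFO = world-reachable but read-only; PASS = no wildcard.
function classifyKeyPolicy(policy) {
  let tier = "PASS";
  for (const s of toArray(policy.Statement)) {
    if (!statementIsWorldReachable(s)) continue;
    const conditional = Boolean(s.Condition && Object.keys(s.Condition).length > 0);
    let t = "INFO";
    if (!conditional && statementAllows(s, "kms:*")) t = "CRITICAL";
    else if (SENSITIVE_KMS_ACTIONS.some((a) => statementAllows(s, a))) t = "HIGH";
    if (TIER_RANK[t] > TIER_RANK[tier]) tier = t;
  }
  return tier;
}

const DECRYPT_ACTIONS = ["kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey"];

// Identity-policy side of the decrypt path: any Allow that reaches a decrypt verb over a KMS resource.
function identityPolicyGrantsDecrypt(policy) {
  return toArray(policy.Statement).some((s) =>
    DECRYPT_ACTIONS.some((a) => statementAllows(s, a)) &&
    toArray(s.Resource).some((r) => r === "*" || String(r).toLowerCase().startsWith("arn:aws:kms:")));
}

// Constructed policies.
const NOTACTION_POLICY = { Version: "2012-10-17", Statement: [{ Effect: "Allow", NotAction: ["iam:*", "organizations:*"], Resource: "*" }] };
const NARROW_POLICY = { Statement: [{ Effect: "allow", Action: ["s3:GetObject", "kms:DescribeKey"], Resource: "*" }] };
const OPEN_KEY_POLICY = { Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "kms:*", Resource: "*" }] };
const VIA_SERVICE_KEY_POLICY = { Statement: [{ Effect: "Allow", Principal: { aws: "*" }, Action: ["KMS:Decrypt"], Resource: "*",
  Condition: { StringEquals: { "kms:ViaService": "s3.us-east-1.amazonaws.com" } } }] };
const READONLY_KEY_POLICY = { Statement: [{ Effect: "Allow", Principal: "*", Action: ["kms:DescribeKey", "kms:List*"], Resource: "*" }] };
const NOTPRINCIPAL_KEY_POLICY = { Statement: [{ Effect: "Allow", NotPrincipal: { AWS: "arn:aws:iam::123456789012:role/kms-admin" }, Action: "kms:decrypt", Resource: "*" }] };
const OWNER_ONLY_KEY_POLICY = { Statement: [{ Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" }, Action: "kms:*", Resource: "*" }] };
```

`NOTACTION_POLICY` is the false-PASS class: a grep for `kms:Decrypt` finds nothing, yet `statementAllows` returns true because the NotAction list never mentions KMS. The same helper, applied to the destination key policy, is what turns "the identity can call Decrypt" into "the identity can decrypt this key".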
S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). EE-RT.4.1 adds cross-region destination-bucket reachability verification (closes silent-PASS class where replication source FAILED but emitted clean — destination IAM denial or missing bucket now surfaces explicitly). Maps to C1.1 / C1.2 / A1.2.
The largest single-plugin institutional-hardening arc in the EE codebase: ~7800 lines across 18 sessions / 25 commits / 545 plugin tests, with 19 R2-strict recurrence-class same-session closures catalogued in 4 institutional-memory artifacts. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. Headline capability: 12-dimension air-gapped vault attestation arc for LogicallyAirGappedBackupVault resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (KMS / EC2 / Config / Backup). 74 new soc2.json titlePatterns across CC6.3 + CC6.6 + CC7.1 + CC8.1 + C1.1 + C1.2 + A1.2. Substantially closes the previously-documented A1.2 "Backup/recovery posture itself" ransomware-defense gap (SEC Rule 17a-4 / FINRA 4511).
The single most-asked-about audit substrate after S3. EE 0.4.5 grew this plugin from 3 to 7 SOC 2 substrate-evidence dimensions. Multi-AZ deployment (A1.2 availability), storage encryption at rest with KMS-key custody classification (C1.1 confidentiality — four-tier severity ladder), parameter-group SSL enforcement (C1.1 transit encryption — detects both postgres rds.force_ssl and mysql require_secure_transport), backup retention period (A1.2 cadence — operator-tunable 1–35 days; default ≥7 institutional baseline), public accessibility (CC6.6 perimeter — cross-plugin sister to plugin 1170), IAM database authentication (CC6.1 password-less auth on mysql/postgres/mariadb/aurora-variants), and snapshot encryption via DescribeDBSnapshots with explicit IncludeShared=false + IncludePublic=false (C1.1 cross-cycle). Headline v2 capability: kms:DescribeKey cross-reference promotes UNVERIFIABLE :key/UUID ARN shapes to deterministic PASS (KeyManager=CUSTOMER) or MEDIUM (KeyManager=AWS) — closes the v1 fixture-design gap without compromising the conservative_classifier_principle (AccessDenied / NotFound / unknown KeyManager still leaves at LOW). 18 new soc2.json titlePattern entries across A1.2 + C1.1 + CC6.1 + CC6.6. 103 tests total (51 v1 + 52 v2). Maps to A1.2 + C1.1 + CC6.1 + CC6.6.
First multi-service plugin in the EE codebase — SQS + SNS bundled because they share the same auth surface, region scoping, and SOC 2 control coverage. Audits queues + topics across 5 SOC 2 substrate-evidence dimensions: SQS encryption at rest (C1.1 — four-tier severity ladder matching plugin 1140's structure with conservative LOW+evidenceGap on :key/UUID ARN form), SQS transit-encryption policy (CC6.6 — analyzes Policy for aws:SecureTransport=false Deny defense-in-depth), SNS topic encryption at rest (C1.1 — SNS has no managed-SSE equivalent so absent = HIGH), SNS topic-policy permissive-Principal classifier (CC6.6 — full institutional posture with NotAction-Allow + NotPrincipal-Allow + Resource-scope filtering; severity CRITICAL unconditional-wildcard → HIGH conditional-wildcard → PASS no-wildcard), and SQS dead-letter queue presence (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). 11 new soc2.json titlePattern entries. 95 new tests. First EE plugin to ship without a smoke-time SDK hotfix — institutionalized pre-implementation checklist now adds optionalDependencies entries preemptively. Maps to C1.1 + CC6.6 + A1.2 + CC7.1.
Audits VPC endpoint coverage for AWS-service traffic kept off the public internet. Enumerates interface endpoints (com.amazonaws.region.svc) and gateway endpoints (S3 + DynamoDB) across the audited regions. Endpoint-policy permissive-Principal classifier (wildcard "*" / {"AWS":"*"} / NotPrincipal-Allow shapes), private-DNS posture for interface endpoints (private resolution prevents accidental public-DNS fallback), and route-table attachment verification for gateway endpoints. Closes the silent class where data-plane traffic to AWS services is routed via the public internet despite a hardened SG perimeter. Maps to CC6.6.
Orthogonal evidence to plugin 1023 zero-trust-checker: 1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy via DescribeSecurityGroups. The pair gives Type-II auditors complete coverage of "is this port reachable, and is it supposed to be?" EE 0.4.6 v2 grew RESTRICTED_PORTS from 13 to 23 ports per CIS AWS Foundations Benchmark v3.0 — added Redshift (5439), Kubernetes API server (6443), etcd (2379-2380), Kibana (5601), InfluxDB (8086), Kafka (9092), Consul (8500), ZooKeeper (2181), HashiCorp Vault (8200). New opts.additionalRestrictedPorts operator-config (integer-validated 0-65535 + deduped) lets tenants extend the list with custom ports. Per-SG cardinality cap (_USER_GROUP_DISPLAY_CAP=10) with rollup trailer defends against finding-size DoS on 1000+ SG accounts. System-managed-SG name-prefix exclusion list (ElasticMapReduce-, eks-cluster-sg-, AWSServiceRole, awseb-) excludes AWS-service-controlled non-deletable SGs from orphan-detection. 6 audit dimensions: IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS (CC6.6, CRITICAL), IPv6 ::/0 sibling (CC6.6, CRITICAL), all-protocol (-1) ingress (CC6.6, CRITICAL with SG-scope suppression), public ingress to non-restricted ports (INFO + walkthroughRequired), egress 0.0.0.0/0 (INFO substrate), orphan SGs (CC6.2 governance). 10 new soc2.json titlePattern entries total (v1+v2). 110 tests total (54 v1 + 56 v2). Maps to CC6.2 + CC6.6.
First plugin in the 1170-1180 ID range. Closes the canonical cache-tier SOC 2 evidence gap — sister plugin to 1140 RDS for the database tier. Audits Redis clusters across 6 SOC 2 substrate-evidence dimensions: transit encryption (C1.1 — TransitEncryptionEnabled wraps RESP in TLS for client → cluster + primary → replica; historically settable only at creation, with an in-place migration available on Redis 7+ via TransitEncryptionMode), at-rest encryption with KMS key custody (C1.1 four-tier ladder: HIGH unencrypted → MEDIUM AWS-owned-default → MEDIUM alias/aws/elasticache → PASS customer-managed CMK + LOW+evidenceGap on :key/UUID ARN form per conservative_classifier_principle), Redis AUTH / IAM-auth user groups (CC6.1 + CC6.2 — UserGroupIds for Redis 7+ ACL replace long-lived AUTH passwords; cross-plugin sister with plugin 1170 SG-perimeter audit), Multi-AZ deployment (A1.2 availability), SnapshotRetentionLimit cadence (A1.2 — ≥7 days default, operator-tunable 1-35), and subnet placement (CC6.6 perimeter — INFO+walkthroughRequired on default subnet group per conservative-classifier discipline). Dual-API enumeration with inter-API dedup: DescribeReplicationGroups + DescribeCacheClusters covers both replication-group + standalone surfaces; CacheClusters with ReplicationGroupId set are skipped. _ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"])) — Memcached out-of-scope by design (ElastiCache Memcached has no AUTH / ACL substrate; its in-transit encryption option, available only on Memcached 1.6.12+, is not modelled here). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). 41 new tests. Third EE plugin to ship without a smoke-time SDK hotfix — preemptive @aws-sdk/client-elasticache (1150 + 1170 + 1180 all shipped without hotfix; now institutional discipline). Maps to C1.1 + CC6.1 + CC6.2 + CC6.6 + A1.2.
First plugin in the 1190-1199 ID range. Closes the canonical email-integrity SOC 2 evidence gap — AWS SES is the dominant transactional + marketing + bulk-email substrate for B2B SaaS workloads. Sister plugin to 1180 ElastiCache Redis (cache tier) + 1140 RDS (database tier) + 1170 SG Perimeter (network tier). Audits SES across 6 SOC 2 substrate-evidence dimensions: DKIM enablement + signing status (CC6.1 / Privacy — HIGH on SigningEnabled=false breaks SPF/DKIM/DMARC trust-chain; 5-enum classifier with PENDING/TEMPORARY_FAILURE/NOT_STARTED → INFO+walkthroughRequired, FAILED → MEDIUM DNS drift, unknown → LOW+evidenceGap per conservative_classifier_principle), custom MailFrom domain alignment (Privacy substrate — INFO+walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom; PASS on custom + Status=SUCCESS), configuration set TLS enforcement (C1.1 — REQUIRE=PASS (messages REJECTED if no STARTTLS), OPTIONAL=HIGH (silent SMTP-downgrade-attack window — network-layer adversary strips STARTTLS from EHLO, forcing cleartext delivery of message body + headers)), identity sending authorization policy permissive principals (CC6.6 — multi-class wildcard detector covers "*" + {AWS:"*"} + {Service:"*"} + {Federated:"*"} + {CanonicalUser:"*"} + array forms; distinct HIGH category ses-sending-auth-notprincipal-allow catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class per R-CRITICAL-1 fold; LOW+evidenceGap on malformed statements missing Effect field per R-HIGH-2 fold), dedicated IP pool sending posture (CC7.1 substrate, account-level), and suppression list state (CC7.1 deliverability substrate — INFO on count + reason distribution only). ZDE-CRITICAL invariant: NEVER reads suppressed-destination email addresses — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold. 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). 116 tests across 29 suites. 
11 same-session reviewer folds — ties the single-cycle record. Fourth EE plugin to ship without a smoke-time SDK hotfix (preemptive @aws-sdk/client-ses + @aws-sdk/client-sesv2 in optionalDependencies — plugins 1150, 1170, 1180, 1190 all shipped without hotfix). Maps to CC6.1 + CC6.6 + C1.1.
First EE plugin to audit AWS managed-threat-detection substrates. Produces the foundation-layer evidence SOC 2 auditors expect under CC7.1 (detection procedures) and CC7.2 (monitoring of system components for anomalies). A SOC 2 evidence pack without GuardDuty signal has no AWS-native anomaly-detection stream — credential-exfiltration attempts, cryptocurrency-mining indicators, malicious-IP communication, and reconnaissance patterns all go unobserved. A pack without Inspector2 signal has no managed CVE-detection coverage on the compute surface (EC2 AMIs, ECR images, Lambda functions). Plugin 1200 audits enablement state across 4 SOC 2 substrate-evidence dimensions: GuardDuty Detector enablement (CC7.1 — flags any audited region with no GuardDuty Detector configured; HIGH on absence), GuardDuty protection-feature coverage (CC7.1 — checks each Detector against the institutional baseline of S3 data events / EKS audit logs / EBS malware protection / RDS login events / Lambda network logs / runtime monitoring; MEDIUM on each missing baseline feature with explicit name in the finding details), Inspector2 enablement (CC7.2 — flags accounts where Inspector2 is not enabled, suspended, or disabled; HIGH on absence), and Inspector2 scan-target coverage (CC7.2 — confirms the institutional baseline resource types EC2 / ECR / Lambda are all enabled for scanning; HIGH on zero coverage, MEDIUM on partial with the disabled list in finding details). For each dimension, plugin 1200 distinguishes auditor-side IAM gaps (the auditor role lacks the GuardDuty or Inspector2 read permission) from genuine service-side absence, so remediation paths are unambiguous. Conservative classification — ambiguous AWS-SDK responses emit LOW+evidenceGap with a walkthrough prompt, never silent-PASS. Case-insensitive enum handling at the SDK boundary defends against case variation across SDK versions. 
Zero data exfiltration — findings carry only AWS-public-namespace identifiers (Detector IDs, region, status enums); operator-supplied tags / descriptions are never read. Soft-degrade — GuardDuty and Inspector2 SDKs load independently; failure of one does not block the other. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2). Maps to CC7.1 + CC7.2.
Multi-region EC2 + EBS instance-level coverage via DescribeRegions (single-region fallback emits an evidence-gap, never silent-PASS). IMDSv1 detection + IMDSv2 hop-limit > 1 with profile-aware severity (CC6.1), EBS volume unencrypted + account default-EBS-encryption disabled (C1.1 + CIS 3.11), public-IP exposure including IPv6 GUA + secondary-ENI / EIP (CC6.6), instance-store evidence-gap, and AMI inventory → cisImageInventory producer — the enablement substrate for CIS-Hardened-Image substrate-evidence credit across the CIS v8 mapping (Safeguards 4.1 / 4.2 / 4.6). Survived 3 review rounds across 5 adversarial skill lenses. Maps to CC6.1 + CC6.6 + C1.1.
First dedicated Azure auditor beyond the multi-purpose plugin 1022. Owns the Azure Storage Account encryption-at-rest + encryption-in-transit + authorization-mode surface across 7 dimensions: HTTPS-only transit (enableHttpsTrafficOnly), minimum TLS version, Shared Key authorization (allowSharedKeyAccess), infrastructure double encryption (requireInfrastructureEncryption), customer-managed-key reachability + rotation (encryption.keyVaultProperties — verifies key access, not just key reference), blob recoverability (soft-delete + versioning via blobServices.getServiceProperties), and per-container anonymous public access (account-toggle-aware via blobContainers.list). Deliberately non-overlapping with plugin 1022's network-exposure dims — mirrors the AWS 1020+1120 two-plugin S3 split. Maps to CC6.1 + CC6.7 + C1.1 + C1.2 + A1.2.
Azure NSG perimeter analysis at AWS-1170 parity. Evaluates each NSG's inbound rules in Azure priority order (first-match-wins; DenyAllInbound default) across 5 dims: all-protocol (*) public Allow, public-source to RESTRICTED_PORT (SSH/RDP/MSSQL/MySQL/Postgres/Redis/Memcached/MongoDB/Elasticsearch/CouchDB/SMB/WinRM/Oracle/Docker/Kubelet), ::/0 IPv6-wildcard to a restricted port (the dimension 1022's flat lint misses), public→non-restricted INFO substrate, and PASS substrate. Attachment-aware severity via nsg.subnets[] / networkInterfaces[] back-references — attached permissive = EFFECTIVE exposure; orphaned = LATENT. UDP transport lane with 27-port set (expanded by +10 in 0.15.2: RADIUS 1812/1813 + legacy 1645/1646, L2TP 1701, SIP 5060, mDNS 5353, RIP 520, XDMCP 177, chargen 19) for auth backplanes / VPN endpoints / amplification vectors. Effective priority + deny-override resolution; service-tag / ASG-source normalization. Maps to CC6.6.
Third dedicated Azure auditor (after 1220 storage + 1221 NSG). The Key Vault analog of how plugin 1221 deepens plugin 1022's flat NSG dim. Enumerates each vault's keys, role assignments, and diagnostic settings across 5 dimensions: key auto-rotation policy, key expiry (epoch-s/ms/Date/string coerced), diagnostic logging → Log Analytics via @azure/arm-monitor, privileged-access depth (RBAC roleAssignments admin/data-plane/scope-aware tiering + legacy accessPolicies export/wide-crypto breadth + custom-role resolution via roleDefinitions.getById so custom RBAC roles granting KV wildcards are no longer a silent PASS), and HSM-backing software-vs-HSM key.kty discrimination (FIPS 140-2 Level 2/3 hardening recommendation on RSA / EC software-backed keys). Deliberately orthogonal to plugin 1022's vault-property dims — no double-emission. Secret/cert expiry is a stated data-plane scope boundary. Maps to CC6.1 + CC6.3 + CC7.2 + C1.1.
Extended Model Context Protocol tools for AI assistants: start_assessment, compliance_check, export_report.
# @nsasoft/nsauditor-ai-ee is a private (restricted) package.
# Use the npm read-token delivered with your license email.
npm config set //registry.npmjs.org/:_authToken npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Or persist it in an .npmrc file (user-wide ~/.npmrc shown; a project-local .npmrc also works).
# Keep that file mode 0600 and out of version control.
echo "//registry.npmjs.org/:_authToken=npm_xxxx..." >> ~/.npmrc
npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
# CE 0.1.30+ verifies the JWT signature before persisting
# and stores the key in macOS Keychain (or ~/.nsauditor/.env mode 0600 on Linux/Windows).
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
✓ Enterprise license installed
  Stored at: macOS Keychain (service=nsauditor-ai)
  Org: you@example.com
  Seats: 5
  Expires: 2027-04-04T...
# CI/CD alternative: env var still works (highest priority in the multi-source loader)
export NSAUDITOR_LICENSE_KEY=enterprise_eyJ...
nsauditor-ai license --status
✓ Enterprise license active | Org: you@example.com | Seats: 5 | Expires: 2027-04-04
nsauditor-ai license --capabilities
✓ intelligenceEngine ✓ riskScoring ✓ complianceEngine ✓ cloudScanners ✓ zeroTrust ✓ dockerIsolation
# Dual-framework SOC 2 + HIPAA §164.312 audit in one scan — both evidence packs from the same findings (NEW in 0.9.0)
nsauditor-ai scan --host aws --plugins all \
  --compliance soc2,hipaa
Or run a single framework: --compliance soc2 or --compliance hipaa. For per-cloud and on-prem recipes, see the Cloud audit samples section below.

SOC 2 auditors don't accept "we configured it that way once" — they need contemporaneous, attested evidence that your AWS, Azure, and GCP environments actually enforce the controls you claim. Most teams gather this manually: screenshots, CSV exports, IAM JSON pasted into a shared drive. It takes weeks, and half the time the evidence is rejected on first submission.
scan_compliance_soc2.json + .html + .md, mapped directly to AICPA Trust Services Criteria controls. Hand it to your auditor.
A complete sample scan against a fictional Acme Corp AWS account + home-office router. See the transitive SG chain reachability finding, the multi-region GuardDuty audit, the dnsmasq CVE detection, and the signed evidence pack. No signup required.
CLOUD_PROVIDER=aws AWS_REGION=us-east-1 \
nsauditor-ai scan --host aws --plugins 1020,1030,1040,1050,1060,1070,1080,1090,1100,1110,1120,1130,1140,1150,1160,1170,1180,1190,1200 \
  --compliance soc2,hipaa --out tasks/aws-scan-out
# 1020 S3 · 1030 IAM Deep · 1040 CloudTrail · 1050 API Gateway · 1060 DynamoDB Audit Integrity ·
# 1070 KMS · 1080 Lambda · 1090 Secrets+SSM · 1100 CodePipeline+CodeBuild · 1110 IAM Decrypt-Path ·
# 1120 S3 Lifecycle+Replication · 1130 AWS Backup Auditor (12-dim air-gap attestation) ·
# 1140 AWS RDS Auditor (grown 7 → 10 dims in 0.4.8 — pgAudit + CWL exports + log retention; CC7.2/CC7.3 database audit-logging) ·
# 1150 AWS SQS/SNS Auditor (grown to v2 in 0.5.1 — 5 → 7 dims adding CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; R-CRITICAL empty-AlarmActions silent-PASS closure) ·
# 1170 AWS EC2 SG Perimeter Auditor (grown 13 → 23 ports in 0.4.6 — CIS AWS Foundations v3.0) ·
# 1180 AWS ElastiCache Redis Auditor (grown to v2 in 0.4.9 — kms:DescribeKey promotion + subnet route-table verifier with default-VPC main-RT-inheritance false-NEGATIVE closure; cross-plugin sister of 1170 SG perimeter) ·
# 1190 AWS SES Email Integrity Auditor (grown to v2 in 0.5.0 — DKIM CNAME DNS resolution + DMARC TXT parser with R-CRITICAL-1 pct=0 closure + R-HIGH-1 sp override + SES classic API parity; first network-layer cross-reference in the EE evidence baseline).
# Run just the headline plugin: --plugins 1130 (SEC 17a-4 / FINRA 4511 ransomware-defense substrate).
# Tune VPC-endpoint PAGE_CAP for large fleets: --plugin-opts '{"1130":{"vpcEndpointsPageCap":50}}'
# Prefer --env <file> (see the multi-account recipe below) so the client secret stays out of shell history.
CLOUD_PROVIDER=azure \
AZURE_TENANT_ID=<your-tenant-id> \
AZURE_CLIENT_ID=<sp-app-id> \
AZURE_CLIENT_SECRET=<sp-secret> \
AZURE_SUBSCRIPTION_ID=<subscription-id> \
nsauditor-ai scan --host azure --plugins 1022 \
  --compliance soc2,hipaa --out tasks/azure-scan-out
# Baseline (test subscription): findingCount=2, byStatus pass=6 fail=2
# Maps to: CC6.1 (RBAC Owner / Contributor / User Access Administrator at sub-scope),
# CC6.6 (NSG inbound from * / 0.0.0.0/0 / Internet),
# C1.1 (Storage defaultAction=Allow, allowBlobPublicAccess=true)
GCP_PROJECT_ID=my-project \
GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa.json \
nsauditor-ai scan --host gcp --plugins 1024 \
  --compliance soc2,hipaa --out tasks/gcp-scan-out
# Plugin 1024: 6 SOC 2 dimensions — IAM public bindings (CC6.6) · UBLA (CC6.6 + C1.1) ·
# Object Versioning (C1.1 + A1.2) · Retention Policy / Bucket Lock (C1.1 + C1.2) ·
# CMEK via Cloud KMS (CC6.1) · Bucket-level access logging (CC7.1).
# Full GCP discovery:
GCP_PROJECT_ID=my-project nsauditor-ai scan --host gcp --plugins all --compliance soc2,hipaa
GCP_PROJECT_ID=my-project \
GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa.json \
nsauditor-ai scan --host gcp --plugins 1025 \
  --compliance soc2,hipaa --out tasks/gcp-iam-scan-out
# Plugin 1025 v2: 7 SOC 2 dimensions — Public-member bindings (CC6.1 CRITICAL/HIGH) ·
# Sensitive-role inventory: 12 predefined roles incl. owner/editor/iam.securityAdmin/serviceAccount* (CC6.1+CC6.6 MEDIUM) ·
# IAM Conditions classifier on sensitive roles: restrictive CEL = PASS · absent = MEDIUM · vacuous = LOW+evidenceGap (CC6.1).
# Run all GCP plugins:
GCP_PROJECT_ID=my-project nsauditor-ai scan --host gcp --plugins 1024,1025 --compliance soc2,hipaa
# One per-account dotenv file each — credentials, region, CLOUD_PROVIDER live in the file:
nsauditor-ai scan --host aws --env ~/envs/dev.env --compliance soc2
nsauditor-ai scan --host aws --env ~/envs/prod.env --compliance soc2
# Or a named profile from the OS-default ~/.aws/credentials (no .env needed) — implies CLOUD_PROVIDER=aws:
nsauditor-ai scan --host aws --aws-profile prod --compliance soc2
# GCP / Azure per-account via --env (key-file path / service-principal vars live in the file):
nsauditor-ai scan --host gcp --env ~/envs/gcp-prod.env --compliance soc2,cis-v8
nsauditor-ai scan --host azure --env ~/envs/azure-prod.env --compliance soc2
# --env is a dotenv (KEY=value) file; for ~/.aws/credentials (multiple profiles) use --aws-profile.
# Missing --env file = hard error (fail-fast — never silently audit the wrong/empty account).
# On a sentinel host, --plugins all AUTO-SCOPES to that cloud's plugins (other clouds + non-cloud skipped + logged).
# Your license is resolved independently of --env — no key needed in the per-account file.
Pick the Enterprise tier that fits your team — Base, Growth, or Scale. All tiers include the full Enterprise feature set, with onboarding call included.