Everything you need to deploy with confidence.

NSAuditor AI is open core, runs offline, and ships with a typed plugin SDK. These docs cover the install, the architecture, the plugin model, the compliance evidence, and the air-gapped deployment guide that procurement asks about.

$ npm install -g nsauditor-ai

Quick start

From zero to first scan in under two minutes — no signup, no credit card, no telemetry. Works on macOS, Linux, and Windows.

$ npm install -g nsauditor-ai
added 47 packages in 6s
$ nsauditor-ai scan --host 192.168.1.0/24 --plugins all
✓ 42 plugins loaded
✓ Scanning 254 hosts (parallel: 10)…
✓ 23 CVEs matched — 6 verified, 17 potential — scan complete · 0 data left your network
Ready

Quick start

Install in 30 seconds. Run your first scan, decode the output, point it at AWS / TLS / DNS / OT targets, export reports.

github · README →
Ready

Architecture

How the engine, plugins, AI providers, and report writers fit together. Where data flows. What stays local. Why nothing leaves.

github · README →
Ready

Plugin reference

All 42 plugins listed with what they probe, what they verify, false-positive notes, and the YAML manifest of controls each one satisfies. EE 0.4.0 adds 7 new AWS auditors: 1070 KMS, 1080 Lambda Security, 1090 Secrets Manager + SSM, 1100 CodePipeline + CodeBuild, 1110 IAM Effective Decrypt-Path, 1120 S3 Lifecycle + Replication, and 1130 AWS Backup Auditor (12-dimension air-gapped vault attestation — the A1.2 ransomware-defense substrate).

github · plugins/ →
Pro

CVE matching & verification

How the offline NVD feed works, and how safe verification probes turn version-string guesses into VERIFIED / POTENTIAL / FALSE_POSITIVE classifications.

github · README →
Ready

MCP server & agent skill

Run NSAuditor AI as an MCP server. Wire it into Claude Code, Cursor, or any MCP-aware client. 5 CE tools, 9 Pro tools, and a Skill package for agents.

github · README →
Enterprise

SOC 2 compliance — multi-cloud

AICPA TSC 2017 mapping — 10 covered + 4 partial controls with multi-cloud evidence (AWS S3 + IAM, Azure RBAC + NSG + Storage, GCP IAM + Cloud Storage, on-prem network). C1.2 Disposal with S3 Object Lock COMPLIANCE-mode. Cover-page Scope Attestation, SHA-256 chain-of-custody, RFC 3161 timestamps, Ed25519 suppression signing, native Vanta push. Type I & Type II.

read the SOC 2 guide →
Enterprise · 0.9.0

HIPAA Security Rule §164.312 — Technical Safeguards

HIPAA §164.312 Technical Safeguards mapping — 7 covered + 3 partial + 45 explicit OOS (entire §164.308 Administrative + §164.310 Physical with named architectural-limit reasons). Per-control Required/Addressable discipline + HHS rule-text verbatim. §164.312(c)(1) ransomware-defense substrate via aws-backup-auditor Logically Air-Gapped Backup Vault cross-verification (HHS-OCR 2024 enforcement-relevant). Dual-framework one-scan workflow: --compliance soc2,hipaa. Zero BAA required — ePHI never leaves customer infrastructure.

read the HIPAA guide →
Enterprise · 0.10.0

NIST CSF 2.0 Core — Subcategory-level mapping

NIST Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024) mapping at the auditor-canonical Subcategory level — 13 covered + 10 partial + 83 OOS across 106 of CSF 2.0's 107 Subcategories. Govern function OOS-by-design (GV.SC-04 partial as substrate exception). Respond function OOS-entirely (IR runbook execution). Implementation Tiers 1-4 OOS as organizational-maturity claims — cover-page disclaimer (markdown + HTML parity). Triple-framework one-scan workflow: --compliance soc2,hipaa,nist-csf produces three complete evidence packs. Air-gapped deployment for DFARS / CMMC / federal-contractor threat model.

read the NIST CSF 2.0 guide →
Enterprise · 0.11.0

PCI DSS v4.0.1 — sub-requirement-level mapping

PCI DSS v4.0.1 (PCI SSC, June 2024 errata; v3.2.1 retired March 31, 2024) mapping at the auditor-canonical sub-requirement level — 20 covered + 8 partial + 39 OOS across 67 of PCI DSS's ~250 sub-requirements (MVP-67). Req 12 Information Security Program OOS-by-design entirely (governance, policy, Targeted Risk Analysis Req 12.3.1 Defined-only, Customized Approach Documentation Req 12.3.2 Defined-only, TPSP Responsibility Matrix Req 12.8.5 Defined-only, IR program). Req 5 anti-malware + Req 9 physical OOS-entirely (endpoint EDR + facility-tier). Defined-vs-Customized Approach discipline per Appendix E — 15 Defined-only sub-requirements enforced at schema layer. CHD Scope operator-attested via CDE Data Flow Diagram per Req 1.2.4 + Req 12.5.1. CAO authorship per Appendix D populated on every customized-eligible entry (EE 0.11.1). Card-brand AOC enforcement view (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC).

read the PCI DSS guide →
Enterprise · 0.12.0

ISO/IEC 27001:2022 — per-Annex-A-code mapping

ISO/IEC 27001:2022 (ISO + IEC, October 2022; 2013 edition retired October 31, 2025) mapping at the auditor-canonical per-Annex-A-code level — 17 covered + 14 partial + 62 OOS across 93 Annex A controls (the complete Annex A universe across 4 themes: A.5 Organizational 37 + A.6 People 8 + A.7 Physical 14 + A.8 Technological 34). Statement of Applicability per Clause 6.1.3.d discipline — every control carries soaApplicability field; engine produces substrate for INCLUDED controls; SoA inclusion/exclusion is operator-side. ISMS Management-System Clauses 4-10 OOS-by-design with 7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2 (the most-frequent first-time certification failure mode). 11 NEW 2022 controls explicitly enumerated (3 COVERED + 2 PARTIAL + 6 OOS): A.5.7 Threat intelligence · A.5.23 Cloud services · A.5.30 ICT readiness for BC · A.7.4 Physical security monitoring · A.8.9 Configuration management · A.8.10 Information deletion · A.8.11 Data masking · A.8.12 DLP · A.8.16 Monitoring activities · A.8.23 Web filtering · A.8.28 Secure coding. 5-attribute taxonomy NEW in 2022 (controlType / informationSecurityProperties / cybersecurityConcepts — 5 categories, NOT 6 like NIST CSF 2.0 / operationalCapabilities / securityDomains). 2013-to-2022 transition discipline enforced at schema layer (35 unchanged + 23 renamed + 57 merged-into-24 + 11 NEW = 93). Penta-framework one-scan workflow: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001 produces five complete evidence packs. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA + internal audit + management review workflow.

read the ISO/IEC 27001:2022 guide →
Enterprise · 0.13.1 · Hardened-Image LIVE

CIS Critical Security Controls v8 — per-Safeguard mapping

CIS Controls v8 (Center for Internet Security, May 2021; v8.1 errata June 2024) mapping at the per-Safeguard level — 17 covered + 22 partial + 114 OOS across 153 Safeguards / 18 Controls (engine substrate IG1 23-of-56 / IG2-cumulative 37-of-130 / IG3-cumulative 39-of-153). NEW EE 0.13.1: CIS-Hardened-Image detection now LIVE across AWS + Azure + GCP (plugin 1210 aws-ec2-instance-auditor + Azure/GCP image-inventory producers; the renderer flips the credit from eligible → observed when a Hardened-Image is detected) + Safeguard 9.5 Implement DMARC OOS→partial. EE 0.13.2 added the NEW dedicated Azure Storage Account data-protection auditor (plugin 1220) and EE 0.13.3 deepened it with blob recoverability (→ CIS 11.1) + per-container public-access (→ CIS 3.3) dims; EE 0.14.0 added the NEW dedicated Azure NSG perimeter auditor (plugin 1221 — 27 plugins total; the Azure analog of AWS 1170, routing to CIS 4.4/12.2/4.2; matrix unchanged). Implementation Group cumulative discipline — IG1=56 (the cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative=130, IG3 cumulative=153; smallest-IG-membership tagging (NEVER report IG2 as 74-of-74 in isolation; the IG1 base must be intact before any IG2/IG3 claim). No-certification-body attestation discipline — CIS has no formal certification body; engine output is INPUT to CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope OR CIS-SecureSuite peer review, NEVER "CIS certified." Cloud Companion Guide v8 shared-responsibility-model boundary per Safeguard + CIS-Hardened-Image substrate-evidence credit (Safeguards 4.1/4.2/4.6). 5 Security Functions (NOT 6 — no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. Hexa-framework one-scan workflow: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six complete evidence packs. Pair with CIS-aware GRC (Drata CIS / Vanta CIS / AuditBoard CIS) or CIS-CAT Pro for the self-attestation workflow.

read the CIS Controls v8 guide →
Demo

Sample scan output — what auditors see

Walk-through of EE 0.11.0 quad-framework scan against a fictional Acme Corp AWS account 111122223333. One scan, 11 AWS EE plugins, 76 findings routed across SOC 2 AICPA TSC 2017 + HIPAA Security Rule §164.312 + NIST CSF 2.0 + PCI DSS v4.0.1 (MVP-67). 28 evidence artifacts per scan with RFC 3161 trusted timestamps + SHA-256 chain-of-custody. Includes PCI DSS deep-dive showing 4 load-bearing schema enrichments + 15 Defined-only Appendix-E sub-requirements + CDE-scope operator-attestation disclaimer. All data synthetic — no real infrastructure disclosed.

view the sample scan →
Enterprise

Air-gapped deployment

Docker images, offline tarballs, signed JWT licensing validated locally. No phone-home, no outbound calls, no exceptions. tcpdump-verifiable.

github · README →
Ready

Plugin SDK

Write your own plugin in TypeScript. Typed signature, scaffolder, local test harness. Same SDK we use to ship the 32 built-in plugins.

github · sdk/ →
GitHub

Changelog & releases

Version history, breaking changes, security advisories. Subscribe to the RSS feed of releases or watch the repo on GitHub.

github · releases →
For engineers

Get scanning in 5 minutes

Install via npm, run your first scan, browse the plugin source, write a custom plugin. Source-of-truth lives on GitHub.

For security teams

Replace SaaS scanners

Verified vulnerabilities reduce false-positive triage. CVE matching uses an offline NVD feed. Reports export as PDF, JSON, SARIF, or branded HTML.

For procurement & compliance

Buy with confidence

MSA, DPA, net-30 invoicing. Air-gapped deployment for OT, federal-contractor (DFARS / CMMC), payment-processing CDE-isolation, ISO 27001 ISMS-scope-controlled, and regulated environments. Penta-framework auditor-grade evidence — SOC 2 + HIPAA §164.312 + NIST CSF 2.0 Core + PCI DSS v4.0.1 + ISO/IEC 27001:2022 — with RFC 3161 timestamps and native Vanta push. Zero BAA required (ZDE). CIS Controls v8 on roadmap.


Ready to deploy?

Try it free with the MIT-licensed Community Edition. Upgrade to Pro for CVE matching and verified vulnerabilities, or to Enterprise for cloud plugins and compliance frameworks.