NSAuditor AI is open core, runs offline, and ships with a typed plugin SDK. These docs cover the install, the architecture, the plugin model, the compliance evidence, and the air-gapped deployment guide that procurement asks about.
From zero to first scan in under two minutes — no signup, no credit card, no telemetry. Works on macOS, Linux, and Windows.
New customer? The linear path from your purchase email (license key + npm token) to your first signed audit report: install Node.js + the trio, activate your license, configure AWS/Azure/GCP credentials, run your first cloud audit, scope it with --aws-region (one region, a CSV list, or every enabled region), and drive it conversationally from Claude Desktop via MCP. Reflects EE 0.17.0.
Install in 30 seconds. Run your first scan, decode the output, point it at AWS / TLS / DNS / OT targets, export reports.
github · README →
How the engine, plugins, AI providers, and report writers fit together. Where data flows. What stays local. Why nothing leaves.
github · README →
All 42 plugins listed with what they probe, what they verify, false-positive notes, and the YAML manifest of controls each one satisfies. EE 0.4.0 adds 7 new AWS auditors: 1070 KMS, 1080 Lambda Security, 1090 Secrets Manager + SSM, 1100 CodePipeline + CodeBuild, 1110 IAM Effective Decrypt-Path, 1120 S3 Lifecycle + Replication, and 1130 AWS Backup Auditor (12-dimension air-gapped vault attestation — the A1.2 ransomware-defense substrate).
github · plugins/ →
How the offline NVD feed works, how safe verification probes turn version-string guesses into VERIFIED / POTENTIAL / FALSE_POSITIVE classifications.
github · README →
Run NSAuditor AI as an MCP server. Wire it into Claude Code, Cursor, or any MCP-aware client. 5 CE tools, 9 Pro tools, and a Skill package for agents.
github · README →
AICPA TSC 2017 mapping — 10 covered + 4 partial controls with multi-cloud evidence (AWS S3 + IAM, Azure RBAC + NSG + Storage, GCP IAM + Cloud Storage, on-prem network). C1.2 Disposal with S3 Object Lock COMPLIANCE-mode. Cover-page Scope Attestation, SHA-256 chain-of-custody, RFC 3161 timestamps, Ed25519 suppression signing, native Vanta push. Type I & Type II.
read the SOC 2 guide →
HIPAA §164.312 Technical Safeguards mapping — 7 covered + 3 partial + 45 explicit OOS (entire §164.308 Administrative + §164.310 Physical with named architectural-limit reasons). Per-control Required/Addressable discipline + HHS rule-text verbatim. §164.312(c)(1) ransomware-defense substrate via aws-backup-auditor Logically Air-Gapped Backup Vault cross-verification (HHS-OCR 2024 enforcement-relevant). Dual-framework one-scan workflow: --compliance soc2,hipaa. Zero BAA required — ePHI never leaves customer infrastructure.
NIST Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024) mapping at the auditor-canonical Subcategory level — 13 covered + 10 partial + 83 OOS across 106 of CSF 2.0's 107 Subcategories. Govern function OOS-by-design (GV.SC-04 partial as substrate exception). Respond function OOS-entirely (IR runbook execution). Implementation Tiers 1-4 OOS as organizational-maturity claims — cover-page disclaimer (markdown + HTML parity). Triple-framework one-scan workflow: --compliance soc2,hipaa,nist-csf produces three complete evidence packs. Air-gapped deployment for DFARS / CMMC / federal-contractor threat model.
PCI DSS v4.0.1 (PCI SSC, June 2024 errata; v3.2.1 retired March 31, 2024) mapping at the auditor-canonical sub-requirement level — 19 covered + 9 partial + 39 OOS across 67 of PCI DSS's ~250 sub-requirements (MVP-67). Req 12 Information Security Program OOS-by-design entirely (governance, policy, Targeted Risk Analysis Req 12.3.1 Defined-only, Customized Approach Documentation Req 12.3.2 Defined-only, TPSP Responsibility Matrix Req 12.8.5 Defined-only, IR program). Req 5 anti-malware + Req 9 physical OOS-entirely (endpoint EDR + facility-tier). Defined-vs-Customized Approach discipline per Appendix E — 15 Defined-only sub-requirements enforced at schema layer. CHD Scope operator-attested via CDE Data Flow Diagram per Req 1.2.4 + Req 12.5.1. CAO authorship per Appendix D populated on every customized-eligible entry (EE 0.11.1). Card-brand AOC enforcement view (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC).
read the PCI DSS guide →
ISO/IEC 27001:2022 (ISO + IEC, October 2022; 2013 edition retired October 31, 2025) mapping at the auditor-canonical per-Annex-A-code level — 17 covered + 14 partial + 62 OOS across 93 Annex A controls (the complete Annex A universe across 4 themes: A.5 Organizational 37 + A.6 People 8 + A.7 Physical 14 + A.8 Technological 34). Statement of Applicability per Clause 6.1.3.d discipline — every control carries a soaApplicability field; the engine produces substrate for INCLUDED controls; SoA inclusion/exclusion is operator-side. ISMS Management-System Clauses 4-10 OOS-by-design with 7 Major Nonconformity classes — absence of internal audit per Clause 9.2 or management review per Clause 9.3 = auto-fail Stage 2 (the most-frequent first-time certification failure mode). 11 NEW 2022 controls explicitly enumerated (3 COVERED + 2 PARTIAL + 6 OOS): A.5.7 Threat intelligence · A.5.23 Cloud services · A.5.30 ICT readiness for BC · A.7.4 Physical security monitoring · A.8.9 Configuration management · A.8.10 Information deletion · A.8.11 Data masking · A.8.12 DLP · A.8.16 Monitoring activities · A.8.23 Web filtering · A.8.28 Secure coding. 5-attribute taxonomy NEW in 2022: controlType / informationSecurityProperties / cybersecurityConcepts (5 categories, NOT 6 as in NIST CSF 2.0) / operationalCapabilities / securityDomains. 2013-to-2022 transition discipline enforced at schema layer (35 unchanged + 23 renamed + 57 merged-into-24 + 11 NEW = 93). Penta-framework one-scan workflow: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001 produces five complete evidence packs. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for SoA + internal audit + management review workflow.
CIS Controls v8 (Center for Internet Security, May 2021; v8.1 errata June 2024) mapping at the per-Safeguard level — 17 covered + 22 partial + 114 OOS across 153 Safeguards / 18 Controls (engine substrate IG1 23-of-56 / IG2-cumulative 37-of-130 / IG3-cumulative 39-of-153). NEW EE 0.13.1: CIS-Hardened-Image detection now LIVE across AWS + Azure + GCP (plugin 1210 aws-ec2-instance-auditor + Azure/GCP image-inventory producers; the renderer flips the credit from eligible → observed when a Hardened-Image is detected) + Safeguard 9.5 Implement DMARC OOS→partial. EE 0.13.2 added the NEW dedicated Azure Storage Account data-protection auditor (plugin 1220) and EE 0.13.3 deepened it with blob recoverability (→ CIS 11.1) + per-container public-access (→ CIS 3.3) dims; EE 0.14.0 added the NEW dedicated Azure NSG perimeter auditor (plugin 1221 — 27 plugins total; the Azure analog of AWS 1170, routing to CIS 4.4/12.2/4.2; matrix unchanged). Implementation Group cumulative discipline — IG1=56 (the cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative=130, IG3 cumulative=153; smallest-IG-membership tagging (NEVER report IG2 as 74-of-74 in isolation; the IG1 base must be intact before any IG2/IG3 claim). No-certification-body attestation discipline — CIS has no formal certification body; engine output is INPUT to CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope OR CIS-SecureSuite peer review, NEVER "CIS certified." Cloud Companion Guide v8 shared-responsibility-model boundary per Safeguard + CIS-Hardened-Image substrate-evidence credit (Safeguards 4.1/4.2/4.6). 5 Security Functions (NOT 6 — no Govern) + 6 Asset Types + MS-ISAC/EI-ISAC/H-ISAC sector baselines + v7.1-to-v8 cross-reference. 
Hepta-framework one-scan workflow: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr produces seven complete evidence packs (the seventh being the GDPR Article 32 security-of-processing infrastructure substrate). Pair with CIS-aware GRC (Drata CIS / Vanta CIS / AuditBoard CIS) or CIS-CAT Pro for the self-attestation workflow.
GDPR Article 32 infrastructure substrate — security of processing. 4 covered + 5 partial + 2 OOS across 11 sub-measure units. Art. 32 substrate only, NOT GDPR compliance; Art. 83(4) lower fine tier.
read the GDPR Article 32 guide →
The 6-page brochure customers and resellers ask for: what NSAuditor AI Enterprise does, how one scan produces seven framework-mapped evidence packs (SOC 2 · HIPAA · NIST CSF 2.0 · PCI DSS v4.0.1 · ISO/IEC 27001:2022 · CIS v8 · GDPR Article 32 substrate), the full Enterprise capability set (cloud scanners, Docker isolation, air-gapped deployment, ZDE policy engine, CTEM), current coverage counts, edition comparison with tier pricing, and the Reseller Partner Program. Letter format, ~110 KB — built to forward to procurement, security review, and partners.
download the brochure (PDF) →
A practical, vendor-neutral walkthrough of the complete audit lifecycle from the team that has built network security auditors since 2004: what a network security audit is, the role of a network auditor, the 10-step audit checklist (scope & inventory → discovery → configuration review → verified vulnerabilities → IAM → DNS/email → cloud accounts → logging/backups → compliance mapping → remediation & re-audit), manual vs. automated auditing, audit frequency, and best practices — including read-only audit credentials and keeping evidence on your own infrastructure. Embeds the 6-minute "Network Security Audits" explainer video.
read the audit guide →
Walk-through of EE 0.11.0 quad-framework scan against a fictional Acme Corp AWS account 111122223333. One scan, 11 AWS EE plugins, 76 findings routed across SOC 2 AICPA TSC 2017 + HIPAA Security Rule §164.312 + NIST CSF 2.0 + PCI DSS v4.0.1 (MVP-67). 28 evidence artifacts per scan with RFC 3161 trusted timestamps + SHA-256 chain-of-custody. Includes PCI DSS deep-dive showing 4 load-bearing schema enrichments + 15 Defined-only Appendix-E sub-requirements + CDE-scope operator-attestation disclaimer. All data synthetic — no real infrastructure disclosed.
view the sample scan →
Docker images, offline tarballs, signed JWT licensing validated locally. No phone-home, no outbound calls, no exceptions. tcpdump-verifiable.
github · README →
Write your own plugin in TypeScript. Typed signature, scaffolder, local test harness. Same SDK we use to ship the 32 built-in plugins.
github · sdk/ →
Version history, breaking changes, security advisories. Subscribe to the RSS feed of releases or watch the repo on GitHub.
github · releases →
Install via npm, run your first scan, browse the plugin source, write a custom plugin. Source-of-truth lives on GitHub.
→ github.com/nsasoft/nsauditor-ai
Verified vulnerabilities reduce false-positive triage. CVE matching uses an offline NVD feed. Reports export as PDF, JSON, SARIF, or branded HTML.
→ NSAuditor AI Pro
MSA, DPA, net-30 invoicing. Air-gapped deployment for OT, federal-contractor (DFARS / CMMC), payment-processing CDE-isolation, ISO 27001 ISMS-scope-controlled, and regulated environments. Hepta-framework auditor-grade evidence — SOC 2 + HIPAA §164.312 + NIST CSF 2.0 Core + PCI DSS v4.0.1 + ISO/IEC 27001:2022 + CIS Controls v8 + GDPR Article 32 security-of-processing substrate — with RFC 3161 timestamps and native Vanta push. Zero BAA required (ZDE).
→ SOC 2 guide · HIPAA guide · NIST CSF 2.0 guide · PCI DSS guide · ISO 27001 guide · CIS v8 guide · GDPR Art. 32 guide →
Try it free with the MIT-licensed Community Edition. Upgrade to Pro for CVE matching and verified vulnerabilities, or to Enterprise for cloud plugins and compliance frameworks.