NSAuditor AI is open core, runs offline, and ships with a typed plugin SDK. These docs cover the install, the architecture, the plugin model, the compliance evidence, and the air-gapped deployment guide that procurement asks about.
From zero to first scan in under two minutes — no signup, no credit card, no telemetry. Works on macOS, Linux, and Windows.
Install in 30 seconds. Run your first scan, decode the output, point it at AWS / TLS / DNS / OT targets, export reports.
github · README →

How the engine, plugins, AI providers, and report writers fit together. Where data flows. What stays local. Why nothing leaves.
github · README →

All 31 plugins listed with what they probe, what they verify, false-positive notes, and the YAML manifest of controls each one satisfies.
github · plugins/ →

How the offline NVD feed works, and how safe verification probes turn version-string guesses into VERIFIED / POTENTIAL / FALSE_POSITIVE classifications.
github · README →

Run NSAuditor AI as an MCP server. Wire it into Claude Code, Cursor, or any MCP-aware client. 5 CE tools, 9 Pro tools, and a Skill package for agents.
github · README →

AICPA TSC 2017 mapping — 7 covered + 5 partial controls. Cover-page Scope Attestation, SHA-256 chain-of-custody, RFC 3161 timestamps, suppression workflow with Ed25519 signing, native Vanta push. Type I & Type II.
read the SOC 2 guide →

Docker images, offline tarballs, signed JWT licensing validated locally. No phone-home, no outbound calls, no exceptions. tcpdump-verifiable.
github · README →

Write your own plugin in TypeScript. Typed signature, scaffolder, local test harness. Same SDK we use to ship the 31 built-in plugins.
github · sdk/ →

Version history, breaking changes, security advisories. Subscribe to the RSS feed of releases or watch the repo on GitHub.
github · releases →

Install via npm, run your first scan, browse the plugin source, write a custom plugin. The source of truth lives on GitHub.
→ github.com/nsasoft/nsauditor-ai

Verified vulnerabilities reduce false-positive triage. CVE matching uses an offline NVD feed. Reports export as PDF, JSON, SARIF, or branded HTML.
→ NSAuditor AI Pro

MSA, DPA, net-30 invoicing. Air-gapped deployment for OT and regulated environments. SOC 2 (AICPA TSC) auditor-grade evidence with RFC 3161 timestamps and native Vanta push. NIST / HIPAA / PCI / ISO 27001 on roadmap.
→ Read the SOC 2 guide

Try it free with the MIT-licensed Community Edition. Upgrade to Pro for CVE matching and verified vulnerabilities, or to Enterprise for cloud plugins and compliance frameworks.