Sample scan output — what auditors actually see

A real walk-through of NSAuditor AI Enterprise Edition 0.6.7 running against a fictional cloud account and a home-office router. Two scans, three plugin highlights, one auditor-grade evidence pack. No real data was used.

EE 0.6.7 · live on npm · 22 enterprise plugins · SOC 2 (AICPA TSC 2017) · demo data only
⚠ All hosts, account IDs, ARNs, and findings on this page are synthetic. AWS account 123456789012 is the AWS-canonical example account. IPs use the 192.0.2.0/24 RFC 5737 documentation range. Org name Acme Corp Inc is fictional. No customer data is disclosed.

AWS SOC 2 scan — plugin 1170 v3.1 + plugin 1200 v6.1 highlighted

Acme Corp's security engineer points NSAuditor at their AWS production account to get a Type I-friendly pre-audit gap report. The scan enumerates opted-in regions, walks SG ingress graphs from public-CIDR roots, and probes EventBridge target liveness with an eventual-consistency defense. Results map to AICPA TSC 2017 controls and ship signed, with RFC 3161 trusted timestamps affixed.

acme-secops@laptop — nsauditor-ai scan
# Acme audit engineer runs the full enterprise catalog against AWS
$ export AWS_PROFILE=acme-prod-audit
$ nsauditor-ai license --status
✓ Enterprise license active
  Org: audit@acmecorp.example
  Seats: 5 · Expires: 2027-05-07

$ nsauditor-ai scan --host aws --compliance soc2 --out ./acme-audit-evidence
[plugin] AWS EC2 SG Perimeter Auditor (1170 v3.1) ......... 9 findings  
[plugin] AWS Inspector / GuardDuty Auditor (1200 v6.1) ... 51 findings 
[plugin] AWS S3 Security Auditor (1020) .................. 3 findings  
[plugin] AWS IAM Deep Auditor (1010) ..................... 4 findings  
[plugin] AWS KMS Auditor (1070) .......................... 2 findings  
  ...17 more plugins, 22 total, all ran clean

✓ Scan complete · 132 findings across 22 plugins · 17 AWS regions
✓ SOC 2 evidence written to ./acme-audit-evidence/scan_compliance_soc2.{json,html,md}
✓ Chain-of-custody signed · SHA-256 sidecars · RFC 3161 timestamp affixed

Plugin 1170 v3.1 — Security Group transitive chain reachability

The headline feature in EE 0.6.7. Pre-v3 the plugin audited each SG in isolation — an SG with no direct public-CIDR ingress passed even if it was transitively reachable from the internet through a chain of UserIdGroupPairs references. Operators routinely miss these paths: each intermediary SG looks "private" in isolation. v3 closes this false-CLEAN class with a deterministic BFS. v3.1 (this release) dedupes graph edges by (source, target), so multi-port references emit one chain per distinct exposure path instead of one chain per port.

FROM THE ACME SCAN

A publicly-facing ALB security group (sg-alb-acme-edge) was found to transitively reach the Acme production database SG (sg-db-acme-prod) through a 3-hop chain via the API tier. Each intermediary SG was clean in isolation; the chain was invisible to single-SG audit logic.

Before the v3.1 dedup fold the plugin would have reported 3 chains here (one per port on the API tier's ALB-source rule); the fold collapses them to 1 chain carrying the port array [tcp:443-443, tcp:8080-8080, tcp:8443-8443], which is the accurate path count.

CRITICAL  3-hop  sg-alb-acme-edge (public-ALB) → sg-api-acme-tier (api) [tcp:443-443, tcp:8080-8080, tcp:8443-8443] → sg-app-acme-tier (app) [tcp:8080-8080] → sg-db-acme-prod (db) [tcp:5432-5432]
HIGH      2-hop  sg-alb-acme-edge (public-ALB) → sg-cache-acme-redis (elasticache) [tcp:6379-6379]
HIGH      2-hop  sg-alb-acme-edge (public-ALB) → sg-mq-acme-rabbit (message-queue) [tcp:5671-5672]
Critical · CC6.6 · plugin 1170 v3.1

Security Group sg-db-acme-prod is transitively reachable from a publicly-exposed Security Group via 1 chain (shortest = 3 hops)

Each chain traces a path from a public-CIDR ingress through UserIdGroupPairs SG references to this SG. Ports are listed per hop but are NOT intersected across hops; the operator walkthrough confirms that the per-hop port sets actually line up into a usable path. Sample chain: sg-alb-acme-edge(public-ALB) → sg-api-acme-tier(api) [tcp:443-443, tcp:8080-8080, tcp:8443-8443] → sg-app-acme-tier(app) [tcp:8080-8080] → sg-db-acme-prod(db) [tcp:5432-5432].

category: sg-transitively-public-critical chainCount: 1 shortestChainLength: 3 walkthroughRequired: true
High · CC6.6 · plugin 1170 v3.1

Security Group sg-cache-acme-redis is transitively reachable from a publicly-exposed Security Group via 1 chain (shortest = 2 hops)

Direct exposure path from the public-ALB SG to the ElastiCache Redis SG on port 6379. ALB→Redis paths are common after a "let everything inside the VPC talk" mis-configuration; the chain is invisible to per-SG audits.

category: sg-transitively-public-high chainCount: 1 shortestChainLength: 2
High · CC6.6 · plugin 1170 v3.1

Security Group sg-mq-acme-rabbit is transitively reachable from a publicly-exposed Security Group via 1 chain (shortest = 2 hops)

RabbitMQ AMQP+AMQPS ports reachable through ALB chain. Compromised public web tier could publish directly into the internal message bus.

category: sg-transitively-public-high chainCount: 1 shortestChainLength: 2
Info · plugin 1170 v3.1

SG→SG transitive reachability walk: 3 cross-VPC edges skipped (out of scope for v3.1)

Cross-VPC peering and Transit Gateway connectivity surface as a separate audit dimension (plugin 1160 VPC Endpoints / PrivateLink Auditor + future VPC peering inventory). 3 cross-VPC UserIdGroupPair references were observed and skipped from the BFS walk; operator walkthrough should verify these paths separately if cross-VPC connectivity is in scope.
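The walk described above, as an added example that is not NSAuditor's own code: a Python sketch that builds the SG graph from DescribeSecurityGroups-shaped records, collapses multi-port UserIdGroupPairs references into one (source, target) edge carrying a port array, walks simple paths from every public-CIDR root with a deterministic BFS, and skips cross-VPC references the way the Info finding describes. The SG inventory is constructed to model the Acme chain; the public-CIDR policy, the critical-group set and the hop convention (one hop per SG-to-SG edge, so the direct ALB to Redis path counts as one) are assumptions of the example.

```python
"""Transitive SG reachability over UserIdGroupPairs (added illustration,
not NSAuditor's plugin). Records mimic ec2:DescribeSecurityGroups output."""
import ipaddress
from collections import deque

# Assumed policy: ingress from any CIDR outside these ranges counts as public.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_public_cidr(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.network_address in p
                   and net.broadcast_address in p for p in NON_PUBLIC)

def port_key(perm):
    proto = perm.get("IpProtocol", "-1")
    return "all" if proto == "-1" else f"{proto}:{perm['FromPort']}-{perm['ToPort']}"

def build_graph(groups):
    """Return (public_roots, edges, cross_vpc_skipped). edges[src][dst] is a
    sorted port list: references are deduped by (src, dst), so three
    single-port rules from the same source become one edge (the v3.1 fold)."""
    by_id = {g["GroupId"]: g for g in groups}
    roots, edges, skipped = set(), {}, 0
    for g in groups:
        dst = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(is_public_cidr(c) for c in cidrs):
                roots.add(dst)
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                # Peered/cross-VPC references carry a foreign VpcId: out of scope here.
                if src not in by_id or pair.get("VpcId", g["VpcId"]) != g["VpcId"]:
                    skipped += 1
                    continue
                edges.setdefault(src, {}).setdefault(dst, set()).add(port_key(perm))
    return roots, {s: {d: sorted(p) for d, p in t.items()} for s, t in edges.items()}, skipped

def find_chains(roots, edges, max_hops=6):
    """Deterministic BFS over simple paths from every public root; shortest
    chains are found first. A hop is one SG-to-SG edge."""
    chains, queue = {}, deque([[r] for r in sorted(roots)])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(edges.get(path[-1], {})):
            if nxt in path:                      # simple paths only, no cycles
                continue
            new = path + [nxt]
            if nxt not in roots:                 # roots are directly public already
                chains.setdefault(nxt, []).append(
                    [(a, b, edges[a][b]) for a, b in zip(new, new[1:])])
            queue.append(new)
    return chains

def fmt_chain(hops, names):
    out = f"{hops[0][0]}({names.get(hops[0][0], '')})"
    for _, dst, ports in hops:
        out += f" -> {dst}({names.get(dst, '')}) [{', '.join(ports)}]"
    return out

def report(groups, critical=frozenset()):
    """One finding per transitively reachable SG. Severity is an assumed rule:
    CRITICAL for SGs the caller names as crown jewels, otherwise HIGH."""
    names = {g["GroupId"]: g.get("GroupName", "") for g in groups}
    roots, edges, skipped = build_graph(groups)
    findings = {}
    for sg, paths in find_chains(roots, edges).items():
        findings[sg] = {"severity": "CRITICAL" if sg in critical else "HIGH",
                        "chainCount": len(paths),
                        "shortestChainLength": min(len(p) for p in paths),
                        "sampleChain": fmt_chain(paths[0], names),  # BFS: first is shortest
                        "walkthroughRequired": True}                 # ports listed, not intersected
    return findings, skipped

def rule(port, src, vpc=None):
    """Constructed-inventory helper: one tcp ingress rule sourced from an SG."""
    pair = {"GroupId": src} if vpc is None else {"GroupId": src, "VpcId": vpc}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [],
            "UserIdGroupPairs": [pair]}

# Constructed inventory modelling the Acme chain on this page (synthetic data).
SAMPLE_SGS = [
    {"GroupId": "sg-alb-acme-edge", "GroupName": "public-ALB", "VpcId": "vpc-acme-prod",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-api-acme-tier", "GroupName": "api", "VpcId": "vpc-acme-prod",
     "IpPermissions": [rule(p, "sg-alb-acme-edge") for p in (443, 8080, 8443)]},
    {"GroupId": "sg-app-acme-tier", "GroupName": "app", "VpcId": "vpc-acme-prod",
     "IpPermissions": [rule(8080, "sg-api-acme-tier")]},
    {"GroupId": "sg-db-acme-prod", "GroupName": "db", "VpcId": "vpc-acme-prod",
     "IpPermissions": [rule(5432, "sg-app-acme-tier"),
                       rule(5432, "sg-peer-other", vpc="vpc-other")]},  # cross-VPC, skipped
    {"GroupId": "sg-cache-acme-redis", "GroupName": "elasticache", "VpcId": "vpc-acme-prod",
     "IpPermissions": [rule(6379, "sg-alb-acme-edge")]},
]

if __name__ == "__main__":
    findings, skipped = report(SAMPLE_SGS, critical={"sg-db-acme-prod"})
    for sg, f in sorted(findings.items()):
        print(f"{f['severity']:8} {sg}: {f['chainCount']} chain(s), shortest {f['shortestChainLength']} hop(s)")
        print("    ", f["sampleChain"])
    print("cross-VPC edges skipped:", skipped)
```

The port lists are deliberately reported per hop and never intersected: every hop is a fresh connection initiated by the intermediary tier, so an API instance reached on 443 can still open 8080 to the app tier. Intersecting ports across hops would understate exposure; the walkthrough instead asks whether each listed hop is really in use.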

Plugin 1200 v6.1 — multi-region GuardDuty + Inspector2 enablement

Auditors need detection-substrate evidence per CC7.1. Plugin 1200 enumerates opted-in AWS regions and checks GuardDuty Detector enablement, protection-feature coverage, Inspector2 activation, and scan-target coverage. v6.1 (this release) brings the CloudWatch Logs probe to retry-on-empty parity: a freshly-created log group now gets one retry before the target is classified DEAD, matching the eventual-consistency defense already used by the IAM / Lambda / SNS / SQS branches.

Region          | GuardDuty             | Inspector2              | Alerting destination    | Verdict
us-east-1       | ENABLED, 4/6 features | ENABLED, EC2+ECR+Lambda | EventBridge → SNS       | PASS
us-west-2       | ENABLED, 5/6 features | ENABLED, EC2+ECR        | SecurityHub aggregation | LOW
eu-west-1       | SUSPENDED             | DISABLED                | -                       | HIGH
eu-central-1    | DISABLED              | DISABLED                | -                       | HIGH
ap-southeast-2  | ENABLED, 6/6 features | ENABLED, all targets    | EventBridge → SNS       | PASS
us-gov-east-1   | ENABLED, 4/6 features | ENABLED, EC2+ECR        | EventBridge → Lambda    | PASS
…and 11 more    | various               | various                 | various                 | mixed
High · CC7.1 · plugin 1200 v6.1

GuardDuty Detector is DISABLED in region eu-central-1

Zero AWS-native threat-detection in this region. Compromised workloads here would emit no GuardDuty findings to your SIEM. Type II auditors will request evidence of equivalent coverage (CloudTrail-based detection rules, third-party EDR) or treat this region as out-of-scope.

category: gd-not-enabled region: eu-central-1
High · CC7.2 · plugin 1200 v6.1

Inspector2 is SUSPENDED in region eu-west-1 — silent CVE-detection blindness

Inspector2 status SUSPENDED still appears in BatchGetAccountStatus but emits zero CVE findings against this region's EC2 / ECR / Lambda fleet. This is operator-blindness: the substrate looks present in metadata but is not actually scanning.

category: inspector2-suspended-silent-blind region: eu-west-1
Medium · CC7.1 · plugin 1200 v6.1

GuardDuty in us-west-2: alerting via SecurityHub only — no proactive paging path verified

SecurityHub aggregates findings but does not guarantee that an EventBridge rule routes them to a pager. This finding accompanies the region's LOW verdict in the table: the auditor walkthrough must confirm that an EventBridge rule matching source aws.securityhub exists downstream of SecurityHub and has a non-empty targets list.

category: alerting-destination-sh-only region: us-west-2
Low · CC7.1 · plugin 1200 v6.1

EventBridge rule acme-gd-routing targets a CloudWatch log group that probed empty on first attempt — retried once → LIVE

New in plugin 1200 v6.1: the CloudWatch Logs dead-target probe now passes a retry-on-result predicate to _retryOnNotFound. The first DescribeLogGroups call returned logGroups: [] (eventual-consistency lag on a freshly-created /aws/lambda/acme-billing-api log group). The probe retried once after 750 ms, confirmed an exact-name match, and classified the target LIVE. Logged as an informational substrate detail for evidence completeness; before v6.1 this target would have been classified DEAD.

category: dead-target-probe-recovered retryFired: true logGroupName: /aws/lambda/acme-billing-api
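The alerting-path walkthrough the Medium finding asks for, and the retry-on-empty probe the Low finding describes, as one added example that is not NSAuditor's _retryOnNotFound: it checks that an EventBridge rule matches the expected event source, that its Targets list is non-empty, and that a CloudWatch Logs target resolves by exact name, retrying once when DescribeLogGroups comes back empty. The AWS clients are stubs over constructed data so the block runs offline; the two-attempt budget, the delay, and the rule and target shapes are assumptions of the example.

```python
"""Alerting-path verification with an eventual-consistency retry (added
illustration, not NSAuditor's probe). AWS clients are stubbed below."""
import json
import time

def rule_matches_source(rule, source):
    """EventPattern is a JSON string; match on its event-source list."""
    return source in json.loads(rule.get("EventPattern") or "{}").get("source", [])

def retry_on_empty(call, is_empty, attempts=2, delay=0.0):
    """Call `call()`; while `is_empty(result)` retry up to `attempts` total.
    A freshly-created resource can read back empty for a moment."""
    result = call()
    for _ in range(attempts - 1):
        if not is_empty(result):
            break
        time.sleep(delay)
        result = call()
    return result

def probe_log_group(logs, name, delay=0.0):
    """DescribeLogGroups filters by prefix, so an exact-name match is required
    before calling the target LIVE. Returns (verdict, retried)."""
    calls = []
    def once():
        calls.append(logs.describe_log_groups(logGroupNamePrefix=name))
        return calls[-1]
    result = retry_on_empty(once, lambda r: not r.get("logGroups"), delay=delay)
    live = any(g["logGroupName"] == name for g in result.get("logGroups", []))
    return ("LIVE" if live else "DEAD"), len(calls) > 1

def probe_target(target, clients, delay=0.0):
    arn = target["Arn"]
    if ":log-group:" in arn:
        name = arn.split(":log-group:", 1)[1].rstrip(":*")
        return probe_log_group(clients["logs"], name, delay)
    return "UNVERIFIED", False      # other target types: left to the operator walkthrough

def verify_alerting(rules, source, clients, delay=0.0):
    """Return (verdict, details). PASS only if a rule for `source` exists, has a
    non-empty Targets list and every probed target is LIVE (UNVERIFIED fails closed)."""
    matching = [r for r in rules if rule_matches_source(r, source)]
    if not matching:
        return "FAIL", [f"no EventBridge rule with source {source}"]
    details, ok = [], True
    for r in matching:
        if not r.get("Targets"):
            details.append(f"{r['Name']}: empty targets list")
            ok = False
            continue
        for t in r["Targets"]:
            verdict, retried = probe_target(t, clients, delay)
            details.append(f"{r['Name']} -> {t['Arn']}: {verdict} (retried={retried})")
            ok = ok and verdict == "LIVE"
    return ("PASS" if ok else "FAIL"), details

class FakeLogs:
    """Stub CloudWatch Logs client: the first `empty_first` calls return an
    empty page, modelling eventual-consistency lag on a new log group."""
    def __init__(self, groups, empty_first=0):
        self.groups, self.empty_first = groups, empty_first
    def describe_log_groups(self, logGroupNamePrefix):
        if self.empty_first > 0:
            self.empty_first -= 1
            return {"logGroups": []}
        return {"logGroups": [{"logGroupName": g} for g in self.groups
                              if g.startswith(logGroupNamePrefix)]}

LOG_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/acme-billing-api:*"
# Constructed rules: one wired GuardDuty rule, one Security Hub rule with no targets.
SAMPLE_RULES = [
    {"Name": "acme-gd-routing", "EventPattern": json.dumps({"source": ["aws.guardduty"]}),
     "Targets": [{"Id": "cwl", "Arn": LOG_ARN}]},
    {"Name": "acme-sh-routing", "EventPattern": json.dumps({"source": ["aws.securityhub"]}),
     "Targets": []},
]

if __name__ == "__main__":
    clients = {"logs": FakeLogs(["/aws/lambda/acme-billing-api"], empty_first=1)}
    for src in ("aws.guardduty", "aws.securityhub"):
        print(src, *verify_alerting(SAMPLE_RULES, src, clients, delay=0.75))
```

The exact-name check matters as much as the retry: a prefix-only hit such as /aws/lambda/acme-billing-api-old is a non-empty page, so no retry fires, and the target is still DEAD. A live run would replace FakeLogs with a boto3 logs client; the verification logic does not change.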

Network scan — home-office router — 41 plugins, AI-conclusion synthesized

Different mode, same engine. The same EE CLI scans an arbitrary IP host on the local network. Acme's IT lead points the scanner at a home-office router (192.0.2.1) for a CVE sweep + service inventory. The OUI database identifies the device vendor from the ARP MAC, every relevant service plugin probes its port, and the AI conclusion synthesizes a prioritized remediation plan.

acme-it@laptop — nsauditor-ai scan local
$ NSA_ALLOW_ALL_HOSTS=1 nsauditor-ai scan --host 192.0.2.1 --out ./acme-router-scan
# NSA_ALLOW_ALL_HOSTS=1 explicitly authorizes scanning of non-public targets (RFC 1918
# private ranges, loopback). The default policy blocks them so a scan cannot be pointed
# at internal hosts by accident (SSRF-style). In this demo, 192.0.2.1 (RFC 5737
# documentation range) stands in for the router's real RFC 1918 address.

[discovery]   Ping Checker .................... host UP, TTL=65
[discovery]   ARP Scanner ..................... vendor: ACME-NETWORKS (OUI 00:1F:7A)
[discovery]   Port Scanner .................... 53/udp 443/tcp open
[service]     DNS Security Auditor ............ 7 actionable / 0 critical / 3 high / 2 medium / 2 low
[service]     TLS Scanner ..................... TLS 1.2, server banner unknown
[service]     OpenSearch Scanner .............. probed 5601, 9200 — filtered/closed
[service]     mDNS / DNS-SD / NetBIOS / SMB ... no advertised services
[osfp]        OS Detector ..................... TTL=65 → Custom/Proprietary (embedded firmware)
[ai]          AI Concluder .................... synthesized markdown + html report

✓ Scan complete · 41 plugins · 1 host · 7 actionable findings
✓ Report: ./acme-router-scan/scan_response_ai.html (network-ops view)
✓ Report: ./acme-router-scan/scan_conclusion_raw.json (machine-readable)
High · DNS Security Auditor

DNS service banner identifies dnsmasq-2.78 — outdated; multiple CVEs apply

Banner grabbed via a version.bind TXT query in the CHAOS class. Confirmed-affected: CVE-2020-25681 (heap-based buffer overflow, CVSS 8.1), CVE-2020-25682 (buffer overflow in DNS name extraction), CVE-2020-25687 (heap overflow in DNSSEC record sorting), CVE-2017-15107 (DNSSEC NSEC wildcard handling, DoS), CVE-2022-0934 (DHCPv6 use-after-free), CVE-2023-28450 (oversized default EDNS0 UDP payload), CVE-2023-50387 (KeyTrap DNSSEC validator CPU exhaustion). Compromise of the network appliance through its DNS service would affect DHCP and DNS resolution for every connected device.

service: dns/53/udp banner: dnsmasq-2.78 cveCount: 7
Medium · TLS Scanner

HTTPS administrative interface on 192.0.2.1:443 — TLS 1.2 only, no server identification

TLS 1.2 negotiated with strong cipher suite, but the underlying web server emits no identifying banner. If this hosts the device management interface, version visibility is required for vulnerability tracking. Recommend network-level access control around the management interface.

service: https/443/tcp tls-version: TLS 1.2 server-banner: <empty>
Low · ARP Scanner

Network appliance vendor identified as ACME-NETWORKS via OUI (MAC 00:1F:7A:**:**:**)

OUI lookup matched against the 39,227-entry IEEE database. Vendor and likely device class (router appliance; TTL=65 suggests an embedded OS) are recorded for asset inventory. Not a vulnerability in itself; the evidence is captured for the host inventory section of the SOC 2 report.
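How the banner behind the DNS finding above is obtained and turned into a CVE list, as an added example that is not the DNS Security Auditor's code: it builds a version.bind TXT query in the CHAOS class, parses the TXT answer (including compressed names), extracts the dnsmasq version and compares it against the release in which each listed CVE was fixed. The response bytes are constructed inline so the block runs offline; the fixed-in table is the example's own reading of the dnsmasq changelog and should be verified against upstream before use.

```python
"""version.bind banner grab and fixed-version comparison (added illustration,
not the DNS Security Auditor's code). Wire format per RFC 1035."""
import os
import re
import socket
import struct

QTYPE_TXT, QCLASS_CH = 16, 3

def build_version_bind_query(txid=0x1234):
    """Standard query, RD bit set, one CHAOS-class TXT question for version.bind."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in b"version.bind".split(b".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def parse_name(buf, off):
    """Parse a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_txt_answer(resp, txid):
    """Return TXT strings from CHAOS-class answers, after checking that the
    reply carries our transaction ID and the QR bit."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = parse_name(resp, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = parse_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (QTYPE_TXT, QCLASS_CH):
            i = 0
            while i < len(rdata):                    # TXT rdata is <len><chars> runs
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts

def parse_version(banner):
    m = re.search(r"dnsmasq-(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

# Example's own reading of the dnsmasq CHANGELOG (first release with the fix);
# assumed data, verify upstream before relying on it.
FIXED_IN = {
    "CVE-2017-15107": (2, 79),
    "CVE-2020-25681": (2, 83), "CVE-2020-25682": (2, 83), "CVE-2020-25687": (2, 83),
    "CVE-2022-0934": (2, 87),
    "CVE-2023-28450": (2, 90), "CVE-2023-50387": (2, 90),
}

def applicable_cves(version):
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def query_version_bind(host, timeout=2.0):
    """Live UDP probe (not exercised offline); random TXID, checked on reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(txid), (host, 53))
        return parse_txt_answer(s.recv(512), txid)

def constructed_response(query, text=b"dnsmasq-2.78"):
    """Constructed reply to `query` with one CHAOS TXT answer (offline stand-in)."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = bytes([len(text)]) + text
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer

if __name__ == "__main__":
    q = build_version_bind_query()
    banner = parse_txt_answer(constructed_response(q), 0x1234)[0]
    print(banner, "->", applicable_cves(parse_version(banner)))
```

Two caveats a practitioner should carry over: many deployments answer version.bind with a custom string or refuse the CHAOS class, so an empty result is not evidence of a patched server; and a banner reports the version, not the build, so distribution packages with backported fixes need the vendor's advisory rather than this table.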

AI conclusion (excerpt — auto-synthesized by the Concluder plugin)

scan_response_ai.txt
## Executive Summary

OS (from scan): Custom/Proprietary (TTL=65)

This host presents a moderate security posture with limited internet exposure. Only two
services are confirmed open to external access: DNS (port 53/UDP) and HTTPS (port 443/TCP).
The DNS service runs a significantly outdated version of dnsmasq (2.78) with multiple known
vulnerabilities, representing the primary security concern.

## Prioritized Remediation Plan

1. Update dnsmasq immediately (Priority: Critical, Timeline: 24 hours)
   - Action: Update dnsmasq to version 2.90 or later via vendor firmware update
   - Rationale: Addresses all seven CVEs listed in the DNS finding (CVE-2023-28450 and CVE-2023-50387 were fixed in 2.90), several of which have public exploits

2. Identify and secure HTTPS service (Priority: High, Timeline: 7 days)
   - Action: Determine web server software/version behind port 443; enforce network-level ACL

3. Establish firmware management process (Priority: Low, Timeline: 60 days)
   - Action: Create inventory and update schedule for network appliances

What's in the box — EE 0.6.7 today

Coverage is measured against AICPA Trust Services Criteria 2017. Plugin count is what auditors actually care about — the plugins are the evidence-acquisition surface, not just a feature count. Numbers below are current as of EE 0.6.7 / 2026-05-19.

22 · Enterprise-tier plugins for AWS + Azure + cross-cloud + on-prem evidence acquisition.
10 / 4 / 33 · SOC 2 TSC controls fully covered / partially covered / out of scope for static substrate scanning. The coverage matrix is institutionally honest: depth grows release over release without inflating the count.
5,314 · Tests in the EE regression suite, 100% green for 59 consecutive ship cycles. The pre-publish gate is contractual, not aspirational.
17 · AWS regions enumerated per scan via ec2:DescribeRegions with opt-in status respected; GovCloud + ISO partition support for FedRAMP / StateRAMP / IL5+ auditors (each partition is enumerated with its own credentials, since DescribeRegions only returns the caller's partition).
18 · Consecutive trio-publish cycles (EE + CE + agent-skill), institutionalized release discipline since v0.4.5.
RFC 3161 · Trusted timestamps + Ed25519 evidence signing + SHA-256 chain-of-custody sidecars. SEC Rule 17a-4 / FINRA 4511 retention-evidence compatible.

Evidence pipeline

Every scan that emits compliance findings also emits an auditor-grade evidence pack. This is what makes the difference between "we ran a scan" and "here is the contemporaneous artifact chain proving we ran the scan and it has not been altered since."

Why this release matters

EE 0.6.7 is a patch-level cleanup cycle that closes the two reviewer-deferred items from 0.6.6. Small change-set; big trust signal. Both folds eliminate classes of false-CLEAN findings (where the scanner emits PASS on a substrate that is actually exposed or not functioning), the worst possible outcome for SOC 2 evidence.