Cloud scanning (AWS / GCP / Azure), compliance mapping, Docker scan isolation, and air-gapped deployment. Built for teams that need audit-ready security — with zero data leaving your infrastructure.
Three tiers for every team size. All include the full Enterprise feature set — cloud scanning, compliance engine, Docker isolation, air-gapped deployment, and ZDE policy. Annual invoicing · net-30 · volume discounts available.
AWS security groups + IAM, GCP firewall rules + IAM bindings, Azure NSGs + RBAC. Uses your own credentials — nothing touches Nsasoft.
Map findings to NIST CSF, CIS Controls, HIPAA Security Rule, GDPR Art. 32, and PCI DSS. Gap reports with evidence references.
Each scan runs in an ephemeral container — isolated, parallel, destroyed after completion. Read-only filesystem with resource limits.
Evaluate segmentation boundaries, encryption-in-transit, identity posture, and lateral movement risk. Composite readiness score.
Docker images (amd64 + arm64), offline NVD feed bundles, and installation tarballs. Runs in fully isolated networks.
Data classification (public / internal / sensitive / secret), external call guard, policy-based redaction, and full audit logging.
PostgreSQL backend, unlimited scan history retention, query API for historical analysis, and compliance dashboards.
Transitive shadow-admin path detection — including PassRole privesc and group-inherited cross-principal chains. Every finding carries a verifiable [via policy: ARN] evidence trail with partialProvenance / provenanceComplete completeness signals for SOC 2 Type-II auditors.
Audits CloudTrail trail health (multi-region default-ON across 36 canonical AWS regions, log-file validation, KMS-CMK, IsLogging), CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 via the v2 metric-filter audit, AWS Config recorder + Organizations ConfigurationAggregator detection with deterministic STS account-coverage cross-reference, and cross-account S3 trail-destination WORM verification (Object Lock + Versioning + MFADelete per trail bucket) for SEC 17a-4 / FINRA 4511 retention evidence. Closes SOC 2 CC7.2 + CC7.3.
First entry-point evidence plugin for AWS Serverless-Framework deployments. Audits REST APIs (v1) + HTTP APIs (v2): per-method/route authorization classifier (NONE = CRITICAL, AWS_IAM / Cognito / JWT = PASS, JWT-with-wildcard-audience = INFO with IdP issuer/audience evidence, Lambda authorizer = INFO with manual-verification prompt), TLS policy with worst-policy tracking across mixed-config v2 domains (TLS_1_0 = HIGH), stage-level access logging, throttling (A1.2), and WAF association. SOC 2 mapping: CC6.1 + CC6.6 + CC6.7 + CC7.1 + A1.2.
The "audit-the-auditor" plugin — answers the question every Type-II auditor asks after the entry-point one: can the audit record itself be tampered with? Per-table PITR + deletion protection (worst-case CRITICAL "audit record itself not survivable" when both missing). KMS-CMK classifier with conservative LOW-unverifiable posture on :key/UUID ARN shapes (in 0.4.0 this becomes a deterministic PASS/MEDIUM when plugin 1070 is in the same scan — closes EE-RT.2.1.1). Resource-policy presence audit via the 2024 GetResourcePolicy API with soft-degrade. CloudTrail DynamoDB data-event coverage cross-reference (orthogonal composition with plugin 1040). Matrix shift: PI1.5 (Stored items) moves out-of-scope → partial. Mapping: CC6.6 + CC7.1 + C1.1 + PI1.5.
Validates cryptographic boundary integrity and key governance. Per-key rotation status (customer-managed CMKs flagged MEDIUM when rotation disabled; AWS-managed keys correctly identified as not-applicable). Wildcard-principal classifier across 5 severity tiers: CRITICAL unconditional kms:* takeover; HIGH for sensitive actions; INFO read-only-only; PASS no-wildcard. Coverage spans Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action coverage. Exports _describeKeyManager() helper consumed by plugin 1060. Maps to CC6.3 + C1.1. 77 new tests.
Runtime EOL detection (institutional-CRITICAL when Lambda returns EOL runtime like nodejs16.x / python3.7; case-normalized at boundary per aws_string_case_normalization), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: secret VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, dead-letter queue + reserved concurrency posture. Maps to CC6.1 / CC6.6 / CC7.1 / C1.1.
Secrets Manager ListSecrets + DescribeSecret (rotation enabled/disabled, last-rotated cadence, KMS-CMK vs AWS-managed key custody, tag-driven prod-tier classification). SSM Parameter Store DescribeParameters (String vs SecureString classification with secret-suggestive name detection, KmsKeyId presence on SecureStrings). ZDE-critical: scanner NEVER calls GetSecretValue / GetParameter — only Describe* / List* metadata APIs; verb-prefix denylist regex enforces this at SDK boundary. Maps to CC6.1 / CC6.6 / C1.1.
Pipeline source-stage encryption (KMS-CMK presence), CodeBuild privilegedMode detection (HIGH for non-Docker-image builds), buildspec inlined-vs-S3 (configuration drift surface), secrets passed via environment variables vs Secrets Manager reference, IAM role least-privilege via wildcard-Action detection, S3 artifact-store encryption. EE-RT.9.1 runtime-state audit: stale-execution detection — pipeline's latest execution older than configured cadence isn't actively defending the build path. Maps to CC6.1 / CC7.1 / CC8.1 / C1.1.
Cross-plugin reconciler: walks IAM policies for kms:Decrypt / kms:ReEncrypt* / kms:GenerateDataKey grants then cross-references against destination KMS key policies (plugin 1070) to compute the effective decrypt path. Closes the institutional NotAction-implicit-decrypt false-PASS class (Allow + NotAction:[...] + Resource:* over-grants decrypt implicitly). EE-RT.10.1 cross-plugin sister-fix in plugin 1030 case-normalizes Effect+Action discriminators. Maps to CC6.1 / CC6.6 / C1.1 / C1.2.
S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). EE-RT.4.1 adds cross-region destination-bucket reachability verification (closes silent-PASS class where replication source FAILED but emitted clean — destination IAM denial or missing bucket now surfaces explicitly). Maps to C1.1 / C1.2 / A1.2.
The largest single-plugin institutional-hardening arc in the EE codebase: ~7800 lines across 18 sessions / 25 commits / 545 plugin tests, with 19 R2-strict recurrence-class same-session closures catalogued in 4 institutional-memory artifacts. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. Headline capability: 12-dimension air-gapped vault attestation arc for LogicallyAirGappedBackupVault resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (KMS / EC2 / Config / Backup). 74 new soc2.json titlePatterns across CC6.3 + CC6.6 + CC7.1 + CC8.1 + C1.1 + C1.2 + A1.2. Substantially closes the previously-documented A1.2 "Backup/recovery posture itself" ransomware-defense gap (SEC Rule 17a-4 / FINRA 4511).
The single most-asked-about audit substrate after S3. EE 0.4.5 grew this plugin from 3 to 7 SOC 2 substrate-evidence dimensions. Multi-AZ deployment (A1.2 availability), storage encryption at rest with KMS-key custody classification (C1.1 confidentiality — four-tier severity ladder), parameter-group SSL enforcement (C1.1 transit encryption — detects both postgres rds.force_ssl and mysql require_secure_transport), backup retention period (A1.2 cadence — operator-tunable 1–35 days; default ≥7 institutional baseline), public accessibility (CC6.6 perimeter — cross-plugin sister to plugin 1170), IAM database authentication (CC6.1 password-less auth on mysql/postgres/mariadb/aurora-variants), and snapshot encryption via DescribeDBSnapshots with explicit IncludeShared=false + IncludePublic=false (C1.1 cross-cycle). Headline v2 capability: kms:DescribeKey cross-reference promotes UNVERIFIABLE :key/UUID ARN shapes to deterministic PASS (KeyManager=CUSTOMER) or MEDIUM (KeyManager=AWS) — closes the v1 fixture-design gap without compromising the conservative_classifier_principle (AccessDenied / NotFound / unknown KeyManager still leaves at LOW). 18 new soc2.json titlePattern entries across A1.2 + C1.1 + CC6.1 + CC6.6. 103 tests total (51 v1 + 52 v2). Maps to A1.2 + C1.1 + CC6.1 + CC6.6.
First multi-service plugin in the EE codebase — SQS + SNS bundled because they share the same auth surface, region scoping, and SOC 2 control coverage. Audits queues + topics across 5 SOC 2 substrate-evidence dimensions: SQS encryption at rest (C1.1 — four-tier severity ladder matching plugin 1140's structure with conservative LOW+evidenceGap on :key/UUID ARN form), SQS transit-encryption policy (CC6.6 — analyzes Policy for aws:SecureTransport=false Deny defense-in-depth), SNS topic encryption at rest (C1.1 — SNS has no managed-SSE equivalent so absent = HIGH), SNS topic-policy permissive-Principal classifier (CC6.6 — full institutional posture with NotAction-Allow + NotPrincipal-Allow + Resource-scope filtering; severity CRITICAL unconditional-wildcard → HIGH conditional-wildcard → PASS no-wildcard), and SQS dead-letter queue presence (A1.2 availability + CC7.1 anomaly-detection, dual-mapped — missing DLQ is the canonical silent-message-loss class for event-driven architectures). 11 new soc2.json titlePattern entries. 95 new tests. First EE plugin to ship without a smoke-time SDK hotfix — institutionalized pre-implementation checklist now adds optionalDependencies entries preemptively. Maps to C1.1 + CC6.6 + A1.2 + CC7.1.
Orthogonal evidence to plugin 1023 zero-trust-checker: 1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy via DescribeSecurityGroups. The pair gives Type-II auditors complete coverage of "is this port reachable, and is it supposed to be?" EE 0.4.6 v2 grew RESTRICTED_PORTS from 13 to 23 ports per CIS AWS Foundations Benchmark v3.0 — added Redshift (5439), Kubernetes API server (6443), etcd (2379-2380), Kibana (5601), InfluxDB (8086), Kafka (9092), Consul (8500), ZooKeeper (2181), HashiCorp Vault (8200). New opts.additionalRestrictedPorts operator-config (integer-validated 0-65535 + deduped) lets tenants extend the list with custom ports. Per-SG cardinality cap (_USER_GROUP_DISPLAY_CAP=10) with rollup trailer defends against finding-size DoS on 1000+ SG accounts. System-managed-SG name-prefix exclusion list (ElasticMapReduce-, eks-cluster-sg-, AWSServiceRole, awseb-) excludes AWS-service-controlled non-deletable SGs from orphan-detection. 6 audit dimensions: IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS (CC6.6, CRITICAL), IPv6 ::/0 sibling (CC6.6, CRITICAL), all-protocol (-1) ingress (CC6.6, CRITICAL with SG-scope suppression), public ingress to non-restricted ports (INFO + walkthroughRequired), egress 0.0.0.0/0 (INFO substrate), orphan SGs (CC6.2 governance). 10 new soc2.json titlePattern entries total (v1+v2). 110 tests total (54 v1 + 56 v2). Maps to CC6.2 + CC6.6.
First plugin in the 1190-1199 ID range. Closes the canonical email-integrity SOC 2 evidence gap — AWS SES is the dominant transactional + marketing + bulk-email substrate for B2B SaaS workloads. Sister plugin to 1180 ElastiCache Redis (cache tier) + 1140 RDS (database tier) + 1170 SG Perimeter (network tier). Audits SES across 6 SOC 2 substrate-evidence dimensions: DKIM enablement + signing status (CC6.1 / Privacy — HIGH on SigningEnabled=false breaks SPF/DKIM/DMARC trust-chain; 5-enum classifier with PENDING/TEMPORARY_FAILURE/NOT_STARTED → INFO+walkthroughRequired, FAILED → MEDIUM DNS drift, unknown → LOW+evidenceGap per conservative_classifier_principle), custom MailFrom domain alignment (Privacy substrate — INFO+walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom; PASS on custom + Status=SUCCESS), configuration set TLS enforcement (C1.1 — REQUIRE=PASS (messages REJECTED if no STARTTLS), OPTIONAL=HIGH (silent SMTP-downgrade-attack window — network-layer adversary strips STARTTLS from EHLO, forcing cleartext delivery of message body + headers)), identity sending authorization policy permissive principals (CC6.6 — multi-class wildcard detector covers "*" + {AWS:"*"} + {Service:"*"} + {Federated:"*"} + {CanonicalUser:"*"} + array forms; distinct HIGH category ses-sending-auth-notprincipal-allow catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class per R-CRITICAL-1 fold; LOW+evidenceGap on malformed statements missing Effect field per R-HIGH-2 fold), dedicated IP pool sending posture (CC7.1 substrate, account-level), and suppression list state (CC7.1 deliverability substrate — INFO on count + reason distribution only). ZDE-CRITICAL invariant: NEVER reads suppressed-destination email addresses — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 fold. 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). 116 tests across 29 suites. 
11 same-session reviewer folds — ties the single-cycle record. Fourth EE plugin to ship without a smoke-time SDK hotfix (preemptive @aws-sdk/client-ses + @aws-sdk/client-sesv2 in optionalDependencies — plugins 1150, 1170, 1180, 1190 all shipped without hotfix). Maps to CC6.1 + CC6.6 + C1.1.
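The permissive-principal classifier that the KMS, SNS and SES auditors above describe, as an added example written for this page rather than nsauditor-ai's own code: it takes a resource policy as a JSON string or object and returns the worst finding on the SNS/SES ladder (CRITICAL unconditional wildcard, HIGH conditional wildcard, PASS no wildcard), covering the NotPrincipal+Allow and missing-Effect cases. The category names, the `statementIndex` field and the sample SNS topic policy are constructed for the example.

```javascript
// Added example (not nsauditor-ai code): permissive-principal classifier for a
// resource policy (SNS topic, SES identity, KMS key) as described above:
// CRITICAL unconditional wildcard > HIGH conditional wildcard > PASS no wildcard.

const PRINCIPAL_KEYS = new Set(["aws", "service", "federated", "canonicaluser"]);
const RANK = { PASS: 0, LOW: 1, HIGH: 2, CRITICAL: 3 };

// True for "*", {AWS:"*"}, {Service:"*"}, {Federated:"*"}, {CanonicalUser:"*"}
// and array forms such as {AWS:["arn:...","*"]}; keys match case-insensitively.
function principalIsWildcard(principal) {
  if (principal === "*") return true;
  if (!principal || typeof principal !== "object") return false;
  return Object.entries(principal).some(([key, value]) =>
    PRINCIPAL_KEYS.has(key.toLowerCase()) &&
    (value === "*" || (Array.isArray(value) && value.includes("*"))));
}

// Policy as JSON string or object; Statement may be a single object or an array.
function statementsOf(policy) {
  const doc = typeof policy === "string" ? JSON.parse(policy) : policy;
  const s = doc.Statement === undefined ? [] : doc.Statement;
  return Array.isArray(s) ? s : [s];
}

function classifyStatement(st) {
  if (st.Effect === undefined) {
    // A malformed statement cannot be proven harmless: record the gap at LOW.
    return { severity: "LOW", category: "malformed-statement-missing-effect", evidenceGap: true };
  }
  if (String(st.Effect).toLowerCase() !== "allow") return null; // Deny never widens access
  if (st.NotPrincipal !== undefined) {
    // Allow + NotPrincipal grants to everyone except the listed principals:
    // wildcard-equivalent whatever NotPrincipal names.
    return { severity: "HIGH", category: "notprincipal-allow", evidenceGap: false };
  }
  if (!principalIsWildcard(st.Principal)) return null;
  const conditional = st.Condition && Object.keys(st.Condition).length > 0;
  return conditional
    ? { severity: "HIGH", category: "conditional-wildcard-principal", evidenceGap: false }
    : { severity: "CRITICAL", category: "unconditional-wildcard-principal", evidenceGap: false };
}

// Worst finding across all statements, with the index of the offending one.
function classifyPolicyPrincipals(policy) {
  let worst = { severity: "PASS", category: "no-wildcard-principal", evidenceGap: false, statementIndex: -1 };
  statementsOf(policy).forEach((st, i) => {
    const f = classifyStatement(st);
    if (f && RANK[f.severity] > RANK[worst.severity]) worst = { ...f, statementIndex: i };
  });
  return worst;
}

// Constructed SNS topic policy: one scoped publisher, one unconditional wildcard subscriber.
const SAMPLE_TOPIC_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:role/order-service" },
      Action: "sns:Publish", Resource: "arn:aws:sns:us-east-1:123456789012:orders" },
    { Effect: "Allow", Principal: "*", Action: "sns:Subscribe",
      Resource: "arn:aws:sns:us-east-1:123456789012:orders" },
  ],
});
console.log(classifyPolicyPrincipals(SAMPLE_TOPIC_POLICY)); // severity CRITICAL, statementIndex 1
```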
First plugin in the 1170-1180 ID range. Closes the canonical cache-tier SOC 2 evidence gap — sister plugin to 1140 RDS for the database tier. Audits Redis clusters across 6 SOC 2 substrate-evidence dimensions: transit encryption (C1.1 — TransitEncryptionEnabled wraps RESP in TLS for client → cluster + primary → replica; cannot be toggled in place), at-rest encryption with KMS key custody (C1.1 four-tier ladder: HIGH unencrypted → MEDIUM AWS-owned-default → MEDIUM alias/aws/elasticache → PASS customer-managed CMK + LOW+evidenceGap on :key/UUID ARN form per conservative_classifier_principle), Redis AUTH / IAM-auth user groups (CC6.1 + CC6.2 — UserGroupIds for Redis 7+ ACL replace long-lived AUTH passwords; cross-plugin sister with plugin 1170 SG-perimeter audit), Multi-AZ deployment (A1.2 availability), SnapshotRetentionLimit cadence (A1.2 — ≥7 days default, operator-tunable 1-35), and subnet placement (CC6.6 perimeter — INFO+walkthroughRequired on default subnet group per conservative-classifier discipline). Dual-API enumeration with inter-API dedup: DescribeReplicationGroups + DescribeCacheClusters covers both replication-group + standalone surfaces; CacheClusters with ReplicationGroupId set are skipped. _ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"])) — Memcached out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). 41 new tests. Third EE plugin to ship without a smoke-time SDK hotfix — preemptive @aws-sdk/client-elasticache (1150 + 1170 + 1180 all shipped without hotfix; now institutional discipline). Maps to C1.1 + CC6.1 + CC6.2 + CC6.6 + A1.2.
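The key-custody ladder that the RDS and ElastiCache descriptions above share, as an added example that is not the product's own code: the ARN-shape classification (HIGH unencrypted, MEDIUM AWS-owned default, MEDIUM alias/aws/*, PASS customer alias, LOW + evidenceGap on :key/UUID) followed by the v2 kms:DescribeKey promotion, falling back to LOW whenever the call is denied, the key is not found or KeyManager is unknown. The tier names, the injected describeKey stub and the sample cluster inventory are constructed assumptions.

```javascript
// Added example (not nsauditor-ai code): the four-tier KMS key-custody ladder
// described for the RDS and ElastiCache auditors, plus the v2 kms:DescribeKey
// promotion of ":key/UUID" shapes. describeKey is injected so this runs offline;
// a real auditor would wrap @aws-sdk/client-kms DescribeKey and return KeyMetadata.

const AWS_MANAGED_ALIAS = /(^|[:/])alias\/aws\//; // e.g. alias/aws/elasticache
const ANY_ALIAS = /(^|:)alias\//;                 // any alias, AWS-managed or customer

function finding(severity, tier, extra = {}) {
  return { severity, tier, evidenceGap: false, ...extra };
}

// resource: { atRestEncryptionEnabled: boolean, kmsKeyId?: string }
function classifyKeyCustody(resource, describeKey) {
  if (!resource.atRestEncryptionEnabled) return finding("HIGH", "unencrypted");
  const keyId = resource.kmsKeyId;
  if (!keyId) return finding("MEDIUM", "aws-owned-default-key");
  if (AWS_MANAGED_ALIAS.test(keyId)) return finding("MEDIUM", "aws-managed-alias");
  if (ANY_ALIAS.test(keyId)) return finding("PASS", "customer-managed-alias");
  // ":key/UUID" (or a bare UUID) says nothing about who manages the key. The
  // conservative default is LOW + evidenceGap; only a successful DescribeKey with
  // a known KeyManager promotes it to a deterministic PASS or MEDIUM.
  const unverifiable = (reason) =>
    finding("LOW", "unverifiable-key-id", { evidenceGap: true, reason });
  if (typeof describeKey !== "function") return unverifiable("no-cross-reference");
  let meta;
  try {
    meta = describeKey(keyId);
  } catch (err) { // AccessDenied, NotFound, throttling: never guess, stay LOW
    return unverifiable((err && err.name) || "unknown-error");
  }
  const manager = meta && meta.KeyManager;
  if (manager === "CUSTOMER") return finding("PASS", "customer-managed-cmk");
  if (manager === "AWS") return finding("MEDIUM", "aws-managed-cmk");
  return unverifiable("unknown-KeyManager");
}

// Constructed stand-in for kms:DescribeKey over a two-key account.
const CONSTRUCTED_KEYS = {
  "11111111-1111-4111-8111-111111111111": { KeyManager: "CUSTOMER" },
  "22222222-2222-4222-8222-222222222222": { KeyManager: "AWS" },
};
function stubDescribeKey(keyId) {
  const uuid = keyId.split("key/").pop();
  const fail = (name) => { const e = new Error(name); e.name = name; throw e; };
  if (uuid.startsWith("3333")) fail("AccessDeniedException"); // caller lacks kms:DescribeKey
  if (!CONSTRUCTED_KEYS[uuid]) fail("NotFoundException");
  return CONSTRUCTED_KEYS[uuid];
}

// Constructed cache-cluster inventory that exercises every rung of the ladder.
const ARN_PREFIX = "arn:aws:kms:us-east-1:123456789012:";
const SAMPLE_CLUSTERS = [
  { id: "legacy-redis", atRestEncryptionEnabled: false },
  { id: "default-key", atRestEncryptionEnabled: true },
  { id: "aws-alias", atRestEncryptionEnabled: true, kmsKeyId: ARN_PREFIX + "alias/aws/elasticache" },
  { id: "team-alias", atRestEncryptionEnabled: true, kmsKeyId: "alias/payments-cache" },
  { id: "cmk-uuid", atRestEncryptionEnabled: true, kmsKeyId: ARN_PREFIX + "key/11111111-1111-4111-8111-111111111111" },
  { id: "aws-uuid", atRestEncryptionEnabled: true, kmsKeyId: ARN_PREFIX + "key/22222222-2222-4222-8222-222222222222" },
  { id: "denied-uuid", atRestEncryptionEnabled: true, kmsKeyId: ARN_PREFIX + "key/33333333-3333-4333-8333-333333333333" },
];
function auditKeyCustody(clusters, describeKey) {
  return clusters.map((c) => ({ id: c.id, ...classifyKeyCustody(c, describeKey) }));
}
for (const f of auditKeyCustody(SAMPLE_CLUSTERS, stubDescribeKey)) console.log(f);
```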
Extended Model Context Protocol tools for AI assistants: start_assessment, compliance_check, export_report.
# @nsasoft/nsauditor-ai-ee is a private (restricted) package.
# Use the npm read-token delivered with your license email.
npm config set //registry.npmjs.org/:_authToken npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Or, project-scoped, in the project's own .npmrc file (keep that file out of version control)
echo "//registry.npmjs.org/:_authToken=npm_xxxx..." >> .npmrc
npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
# CE 0.1.30+ verifies the JWT signature before persisting
# and stores the key in macOS Keychain (or ~/.nsauditor/.env mode 0600 on Linux/Windows).
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
✓ Enterprise license installed
  Stored at: macOS Keychain (service=nsauditor-ai)
  Org: you@example.com
  Seats: 5
  Expires: 2027-04-04T...
# CI/CD alternative: env var still works (highest priority in the multi-source loader)
export NSAUDITOR_LICENSE_KEY=enterprise_eyJ...
nsauditor-ai license --status
✓ Enterprise license active | Org: you@example.com | Seats: 5 | Expires: 2027-04-04
nsauditor-ai license --capabilities
✓ intelligenceEngine
✓ riskScoring
✓ complianceEngine
✓ cloudScanners
✓ zeroTrust
✓ dockerIsolation
# SOC 2 compliance scan with auditor-grade evidence artifacts (on-prem network)
nsauditor-ai scan --host 10.0.0.0/24 --plugins all \
  --compliance soc2
The same Enterprise binary scans AWS, Azure, and GCP via cloud-native plugins and writes findings into the unified soc2.json evidence ledger: 10 covered + 4 partial AICPA TSC controls across 20 Enterprise plugins.

EE 0.4.9 (May 16, 2026) is the seventh ship cycle in the 0.4.x stream. It extends plugin 1180 ElastiCache Redis Auditor to v2 with two headline capabilities: kms:DescribeKey cross-reference promotion (closes the UNVERIFIABLE :key/UUID ARN shape, mirroring the plugin 1140 v2 pattern) and a subnet route-table verifier (ec2:DescribeRouteTables --filter association.subnet-id per cache subnet; IGW-route detection; cross-plugin sister of the plugin 1170 SG perimeter audit, so layer-3 + layer-4 cache-tier coverage is now complete). Headline reviewer fold: closure of the default-VPC main-RT-inheritance false negative. Before the fold, cache subnets with no explicit route-table association emitted INFO even though the default-VPC main route table typically carries 0.0.0.0/0 → igw-*; v2 emits LOW + evidenceGap, demonstrably firing in production smoke. Fifth consecutive trio-publish across EE + CE 0.1.48 + agent-skill 0.1.15.

EE 0.4.8 grew plugin 1140 AWS RDS Auditor from 7 to 10 dimensions, adding database audit-logging coverage (pgAudit + CloudWatch Logs exports + retention) and closing the canonical database-activity-logs SOC 2 evidence gap (CC7.2 + CC7.3).
EE 0.4.7 (May 16 evening) added the new plugin 1190 AWS SES Email Integrity Auditor.
EE 0.4.6 added plugin 1180 ElastiCache Redis v1 and grew plugin 1170 v2 RESTRICTED_PORTS from 13 to 23 ports.
EE 0.4.5 added plugin 1170 EC2 SG Perimeter v1 and grew plugin 1140 RDS Auditor to 7 dimensions (headline: kms:DescribeKey cross-reference).
EE 0.4.4 added plugin 1150 AWS SQS/SNS Auditor.
EE 0.4.3 added plugin 1140 AWS RDS Auditor.
EE 0.4.0 shipped 7 new AWS auditors anchored by the 18-session, 545-test plugin 1130 AWS Backup Auditor with its 12-dimension air-gapped vault attestation arc, substantially closing the documented A1.2 ransomware-defense gap.
CLOUD_PROVIDER=aws AWS_REGION=us-east-1 \
nsauditor-ai scan --host aws --plugins 1020,1030,1040,1050,1060,1070,1080,1090,1100,1110,1120,1130,1140,1150,1170,1180,1190 \
  --compliance soc2 --out tasks/aws-scan-out
# 1020 S3 · 1030 IAM Deep · 1040 CloudTrail · 1050 API Gateway · 1060 DynamoDB Audit Integrity ·
# 1070 KMS · 1080 Lambda · 1090 Secrets+SSM · 1100 CodePipeline+CodeBuild · 1110 IAM Decrypt-Path ·
# 1120 S3 Lifecycle+Replication · 1130 AWS Backup Auditor (12-dim air-gap attestation) ·
# 1140 AWS RDS Auditor (grown 7 → 10 dims in 0.4.8 — pgAudit + CWL exports + log retention; CC7.2/CC7.3 database audit-logging) ·
# 1150 AWS SQS/SNS Auditor (multi-service; 5 substrate dimensions) ·
# 1170 AWS EC2 SG Perimeter Auditor (grown 13 → 23 ports in 0.4.6 — CIS AWS Foundations v3.0) ·
# 1180 AWS ElastiCache Redis Auditor (grown to v2 in 0.4.9 — kms:DescribeKey promotion + subnet route-table verifier with default-VPC main-RT-inheritance false-NEGATIVE closure; cross-plugin sister of 1170 SG perimeter) ·
# 1190 AWS SES Email Integrity Auditor (new in 0.4.7 — DKIM + TLS + NotPrincipal+Allow + ZDE suppression list; 6 dimensions).
# Run just the headline plugin: --plugins 1130 (SEC 17a-4 / FINRA 4511 ransomware-defense substrate).
# Tune VPC-endpoint PAGE_CAP for large fleets: --plugin-opts '{"1130":{"vpcEndpointsPageCap":50}}'
CLOUD_PROVIDER=azure \
AZURE_TENANT_ID=<your-tenant-id> \
AZURE_CLIENT_ID=<sp-app-id> \
AZURE_CLIENT_SECRET=<sp-secret> \
AZURE_SUBSCRIPTION_ID=<subscription-id> \
nsauditor-ai scan --host azure --plugins 022 \
  --compliance soc2 --out tasks/azure-scan-out
# Baseline (test subscription): findingCount=2, byStatus pass=6 fail=2
# Maps to: CC6.1 (RBAC Owner / Contributor / User Access Administrator at sub-scope),
#          CC6.6 (NSG inbound from * / 0.0.0.0/0 / Internet),
#          C1.1 (Storage defaultAction=Allow, allowBlobPublicAccess=true)
CLOUD_PROVIDER=gcp GCP_PROJECT_ID=my-project \
nsauditor-ai scan --host gcp --plugins 021 --out tasks/gcp-scan-out
Pick the Enterprise tier that fits your team — Base, Growth, or Scale. All tiers include the full Enterprise feature set, with onboarding call included.