NSAuditor AI EE 0.13.2: First Dedicated Azure Auditor Lands With Plugin 1220 — Storage Hardening Across Five Encryption and Authorization Dimensions

Las Vegas, NV — May 26, 2026 — Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.13.2 — a cycle the team designates internally as Move C-2: the first dedicated Azure auditor since the original multi-purpose Azure scanner shipped, and the closest the product has come to evidence parity between Azure and the longstanding deep AWS auditor stack.

The cycle ships a single new plugin — 1220 azure-storage-hardening-auditor — taking total Enterprise Edition plugin count from 25 to 26 (cloud-audit subset 24 → 25). It is the 34th consecutive trio-publish in Nsasoft’s institutionalized release cadence, where restricted-access Enterprise Edition publishes alongside the public nsauditor-ai Community Edition (now 0.1.77) and the public nsauditor-ai-agent-skill package (now 0.1.44).

All six supported compliance coverage matrices stay unchanged — SOC 2 (AICPA TSC 2017) at 10 covered / 4 partial / 33 out-of-scope; HIPAA Security Rule §164.312 at 7/3/45; NIST CSF 2.0 at 13/10/83; PCI DSS v4.0.1 at 20/8/39; ISO/IEC 27001:2022 at 17/14/62; and CIS Critical Security Controls v8 at 17/22/114. The 0.13.2 release is positioned as substrate-depth uplift on already-covered transit, authentication, and at-rest controls.

The Azure evidence gap this cycle closes

Before this release, Azure storage evidence was generated by a single multi-purpose scanner (plugin 1022) whose storage dimension read only two of the six data-protection signals that matter on an Azure Storage Account — leaving plaintext-HTTP-allowed, TLS 1.0, Shared-Key authorization, and missing infrastructure encryption to a manual auditor walkthrough. By contrast, AWS S3 has been audited from two angles for several cycles (plugin 1020 + plugin 1120 lifecycle/replication). EE 0.13.2 mirrors that two-plugin pattern on Azure with a deliberately non-overlapping plugin: 1220 owns encryption and authorization; 1022 retains the network-exposure dimensions.

Five dimensions audited by Plugin 1220

  • HTTPS-only transit via enableHttpsTrafficOnly — HIGH severity on plaintext HTTP. Routes to SOC 2 CC6.7, HIPAA §164.312(e)(1), NIST CSF 2.0 PR.DS-02, PCI DSS 4.2.1, ISO 27001 A.8.24, and CIS Controls v8 3.10.
  • Minimum TLS version — anything below TLS 1.2 is treated as downgrade-attackable.
  • Shared Key authorization via allowSharedKeyAccess — a long-lived shared secret that bypasses Azure AD identity and per-principal audit. Absent fields are treated as ENABLED per Azure’s documented default — never a silent PASS.
  • Infrastructure (double) encryption via requireInfrastructureEncryption, routing to Confidentiality C1.1 and equivalents.
  • Customer-managed-key reachability and rotation via encryption.keyVaultProperties. A CMK reference is credited only when the key is currently resolvable and auto-rotating; disabled, revoked, soft-deleted, or version-pinned CMKs degrade rather than silently passing.

The customer-managed-key fold

The defining design choice of this cycle is the customer-managed-key reachability and rotation fold. Plugin 1220 shipped through Nsasoft’s audit-cloud-plugin-false-negatives adversarial review lens — a red-team perspective on the misconfigurations a cloud scanner can silently pass over. The independent review surfaced a HIGH-severity false-clean class: the original PASS path trusted keySource alone, which would credit a CMK reference even when the underlying key was disabled, revoked, soft-deleted, or version-pinned. The shipped version of the plugin folds that finding — the PASS now verifies key reachability and rotation rather than treating a CMK pointer as custody.

The philosophical framing the team is publishing alongside the release: encryption is a key-access question, not a key-existence question. A CMK pointer is not custody; the key must be reachable and rotating.

Two additional folds shipped the same session. Blob recoverability (soft-delete, versioning, point-in-time-restore) is surfaced as an explicit stated scope gap rather than an implied clean. Single-subscription scope appears in the evidence pack as a row, so other subscriptions are never an implied clean.

False-negative discipline across the 14-class taxonomy

Every PASS path was pressure-tested against Nsasoft’s 14-class false-negative taxonomy: Azure field-default discipline; enum case-normalization; an indeterminate field becomes an evidence-gap finding with a verification prompt; an AccessDenied response becomes an evidence-gap finding rather than a fabricated clean; for-await pagination runs to exhaustion; and an explicit single-subscription scope evidence row makes the boundary visible to the auditor.
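As an added illustration (not plugin 1220's own code), the five dimensions listed above and the field-default, case-normalization and evidence-gap rules from this section, applied to one Storage Account's ARM properties. Assumptions: field names are the page's (minimumTlsVersion is the ARM property for the TLS dimension), key_state is a hypothetical Key Vault lookup hook standing in for a real key-state check, and LEAKY is a constructed fixture.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    dimension: str
    status: str    # PASS, FAIL or EVIDENCE_GAP (a gap is never a fabricated clean)
    severity: str  # HIGH, MEDIUM, LOW or INFO
    detail: str

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
# Constructed "leaky" fixture (not a real account), shaped like the smoke test above.
LEAKY = {"enableHttpsTrafficOnly": False, "minimumTlsVersion": "tls1_0",
         "encryption": {"keySource": "Microsoft.Storage"}}

def pf(dim, ok, sev, good, bad):  # PASS carries INFO; FAIL carries the dimension's severity
    return Finding(dim, "PASS" if ok else "FAIL", "INFO" if ok else sev, good if ok else bad)

def audit_cmk(enc, key_state):
    """Dimension 5: a CMK pointer is credited only if the key resolves and rotates.
    key_state is an assumed Key Vault lookup hook: kv_props -> {"enabled", "deleted"} or None."""
    if enc.get("keySource") != "Microsoft.Keyvault":
        return Finding("cmk", "FAIL", "LOW", "Microsoft-managed key")
    kv = enc.get("keyVaultProperties") or {}
    if kv.get("keyVersion"):  # explicit version pin disables automatic rotation
        return Finding("cmk", "FAIL", "LOW", "CMK version-pinned; not rotating")
    state = key_state(kv) if key_state else None  # None: lookup denied or unavailable
    if state is None:
        return Finding("cmk", "EVIDENCE_GAP", "LOW", "CMK referenced; key state unverified")
    if not state.get("enabled") or state.get("deleted"):
        return Finding("cmk", "FAIL", "LOW", "CMK disabled, revoked or soft-deleted")
    return Finding("cmk", "PASS", "INFO", "CMK reachable and auto-rotating")

def audit_storage_account(props, key_state=None):
    out = []
    https = props.get("enableHttpsTrafficOnly")  # absent field: evidence gap, never PASS
    out.append(Finding("https-only", "EVIDENCE_GAP", "HIGH", "field missing; verify") if https is None
               else pf("https-only", bool(https), "HIGH", "HTTPS enforced", "plaintext HTTP allowed"))
    tls = str(props.get("minimumTlsVersion", "")).upper()  # enum case-normalized before comparison
    out.append(Finding("min-tls", "EVIDENCE_GAP", "MEDIUM", f"unrecognized {tls!r}") if tls not in TLS_RANK
               else pf("min-tls", TLS_RANK[tls] >= TLS_RANK["TLS1_2"], "MEDIUM",
                       f"{tls} enforced", f"{tls} is downgrade-attackable"))
    # Azure's documented default is Shared Key ENABLED, so an absent field is a FAIL.
    shared = bool(props.get("allowSharedKeyAccess", True))
    out.append(pf("shared-key", not shared, "MEDIUM", "Azure AD only", "Shared Key authorization enabled"))
    enc = props.get("encryption") or {}
    infra = bool(enc.get("requireInfrastructureEncryption", False))  # default off
    out.append(pf("infra-encryption", infra, "LOW", "double encryption on", "no infrastructure encryption"))
    out.append(audit_cmk(enc, key_state))
    return out
```

Running `audit_storage_account(LEAKY)` reproduces the leaky-fixture shape from the smoke test (HIGH, MEDIUM, MEDIUM, LOW, LOW), while a compliant account with a CMK still degrades to an evidence gap until the key state is actually verified.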

Regression and live cloud smoke

The Enterprise Edition test suite runs 6,445 tests across 1,056 suites and passes 6,445 of them — a +15 net increase against the EE 0.13.1 baseline of 6,430, and the 80th consecutive session preserving the 100% green streak.

Live Azure smoke testing on the team’s hexa-framework test resource group confirmed plugin 1220 fires on all three storage fixtures with the fixture tag-oracle matching field-for-field. A deliberately leaky configuration produced a HIGH plaintext-HTTP finding plus MEDIUM TLS 1.0 plus MEDIUM Shared-Key plus LOW no-infrastructure-encryption plus LOW Microsoft-managed-key. The compliant fixture passed the substrate (HTTPS, TLS 1.2, Azure AD only, infrastructure-encryption on) while still surfacing a stricter-than-oracle key-custody LOW — the design choice that custody is an access question, not an existence question. The baseline fixture produced MEDIUM Shared-Key plus LOW no-infrastructure-encryption.

An AWS regression smoke run on the same release confirmed every existing matrix and every existing plugin behaves identically — the 1220 addition is additive-only.

Cross-framework routing — all matrices unchanged

Plugin 1220’s findings route across every supported framework, all to already-covered controls: SOC 2 picks up at CC6.7 / CC6.1 / C1.1; HIPAA at §164.312(e)(1) / (d) / (a)(2)(iv); NIST CSF 2.0 at PR.DS-02 / PR.AA-03 / PR.DS-01; PCI DSS v4.0.1 at 4.2.1 / 8.3.1 / 3.5.1; ISO/IEC 27001:2022 at A.8.24 / A.8.5; and CIS Controls v8 at 3.10 / 5.4 / 3.11. Every framework anchor-drift test in the suite is green.

Customer impact and availability

NSAuditor AI EE 0.13.2 is recommended for every existing customer auditing Azure workloads. The hexa-framework one-scan workflow — --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — produces six separate auditor-ready evidence packs from a single scan. The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.1, Community Edition 0.1.76, and agent-skill 0.1.43 are deprecated on this publish with paired-pointer messages.

Install (Enterprise Edition; restricted npm token required):

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

For trial requests, enterprise pricing, and pre-audit readiness reviews against Azure storage workloads, contact enterprise@nsasoft.us. The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices and the comparison tables live at nsauditor.com/ai/docs; a synthetic-fixture sample scan demonstrating the new plugin-1220 finding shape is published at nsauditor.com/ai/docs/sample-scan.

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us. Enterprise sales: enterprise@nsasoft.us.
