Azure Storage Deepening: NSAuditor AI EE 0.13.3 Adds Blob Recoverability + Per-Container Public Access Detection to Plugin 1220

Las Vegas, NV — May 26, 2026 — Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.13.3, a focused deepening cycle on the Azure Storage Account Data-Protection Auditor that landed three days ago in EE 0.13.2. The release closes the two coverage-boundary items the 0.13.2 adversarial false-negative review explicitly flagged as scope-deferred — now testable end-to-end against newly provisioned Azure fixtures.

Plugin count remains at 26 Enterprise Edition plugins. This is a deepening of an existing plugin — number 1220 — not a new plugin. All six supported compliance coverage matrices remain unchanged at their current values across SOC 2, HIPAA Security Rule §164.312, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Critical Security Controls v8. The release is pure substrate-depth uplift on already-covered controls.

The cycle ships as the 35th consecutive trio-publish in the institutionalized release cadence — restricted Enterprise Edition 0.13.3 alongside public Community Edition 0.1.78 and public agent-skill 0.1.45.

The gaps the 0.13.2 review surfaced

When EE 0.13.2 shipped the first dedicated Azure auditor three days ago, the team published the result of the adversarial review explicitly: results-trustworthy-with-caveats. The plugin read the account-level data-protection surface accurately, but two real exposure classes lived on secondary resource paths the scanner never walked. EE 0.13.3 walks them.

The first gap: an Azure Storage Account fully hardened on the original five dimensions can still be one deletion command away from permanent data loss if blob soft-delete and versioning are off. The second gap: a blob container marked publicAccess=Blob or publicAccess=Container is anonymous-internet-readable when the account-level allowBlobPublicAccess toggle is also true — and the existing multi-purpose Azure scanner catches only the account-level toggle, never the specific public container.

Dimension 6 — Blob recoverability

Plugin 1220 now reads the secondary blobServices.getServiceProperties path on every audited Storage Account. Blob soft-delete is checked via deleteRetentionPolicy: disabled is a MEDIUM finding (no recovery window for deleted blobs); enabled passes the substrate. Blob versioning is checked via isVersioningEnabled: disabled is a LOW finding (no prior-version recovery on overwrite or delete); enabled passes the substrate. A denied or failed read degrades to a LOW evidence-gap, never a silent recoverability PASS.

Findings route to SOC 2 A1.2 (Availability — Recovery Procedures), HIPAA §164.312(c)(1) Integrity, NIST CSF 2.0 PR.DS-11, ISO/IEC 27001:2022 A.8.13 Backup, and CIS Controls v8 11.1.

Dimension 7 — Per-container anonymous public access

Plugin 1220 now enumerates blob containers and reasons about the account toggle. A public container combined with allowBlobPublicAccess=true is a HIGH finding labelled “EFFECTIVE exposure” — the Azure analog of a public S3 bucket. A public container while the account toggle is false is a MEDIUM latent finding — Azure overrides to private today, but the exposure becomes effective the instant the toggle is enabled. All containers private passes the substrate; a denied enumeration degrades to evidence-gap.

Findings route to SOC 2 C1.1, HIPAA §164.312(a)(1), NIST CSF 2.0 PR.DS-01, PCI DSS v4.0.1 7.2.1, ISO/IEC 27001:2022 A.8.3, and CIS Controls v8 3.3.

Live-validated against purpose-built fixtures

Two Azure fixtures were provisioned for this arc and made both new dimensions live-testable. A deliberately misconfigured account containing a public blob container emitted the expected HIGH finding on Dim 7 — anonymous public access AND account-level toggle true. The Dim 6 read flagged the accounts lacking blob soft-delete and versioning. The COMPLIANT fixtures were then tuned — soft-delete and versioning enabled — so they stay all-green under the deepened plugin.

Adversarial review — SHIP

The deepened plugin was re-reviewed through the platform’s audit-cloud-plugin-false-negatives lens against the 14-class taxonomy and shipped clean. Both new dimensions walk their class-C secondary resource paths, apply class-D Azure field defaults (absent soft-delete / versioning = disabled; absent container publicAccess = private), degrade to class-G evidence-gap on denied reads, apply class-B enum case-normalization, and use class-H for await pagination to exhaustion.
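
The Dimension 6 and Dimension 7 decision rules described above, including the absent-field defaults and case-normalization, sketched as an added example (not NSAuditor AI's own code). The object shapes, function names and sample account are constructed for illustration, and treating an unset account toggle as true is an assumption.

```javascript
// Added illustration, not NSAuditor AI source. Inputs are constructed stand-ins
// for Azure responses; null models a denied or failed read.
const finding = (dim, severity, title) => ({ dim, severity, title });

// Dimension 6: absent soft-delete / versioning fields count as disabled.
function auditRecoverability(props) {
  if (props == null) return [finding(6, 'LOW', 'evidence-gap: blob service properties unreadable')];
  const out = [];
  if (props.deleteRetentionPolicy?.enabled !== true) out.push(finding(6, 'MEDIUM', 'blob soft-delete disabled'));
  if (props.isVersioningEnabled !== true) out.push(finding(6, 'LOW', 'blob versioning disabled'));
  return out;
}

// Dimension 7: each container's publicAccess weighed against the account toggle.
function auditContainers(allowBlobPublicAccess, containers) {
  // The page gives no severity for this gap, so it is left null here.
  if (containers == null) return [finding(7, null, 'evidence-gap: container enumeration denied')];
  // Assumption: a toggle that is not explicitly false is treated as true.
  const toggleOn = allowBlobPublicAccess !== false;
  const out = [];
  for (const c of containers) {
    // Absent publicAccess means private; enum values compared case-insensitively.
    const level = String(c.publicAccess ?? 'None').toLowerCase();
    if (level !== 'blob' && level !== 'container') continue;
    out.push(toggleOn
      ? finding(7, 'HIGH', `EFFECTIVE exposure: ${c.name} (${level})`)
      : finding(7, 'MEDIUM', `latent exposure: ${c.name} (${level})`));
  }
  return out;
}

// Constructed sample account: soft-delete on, versioning absent, one public container.
const sample = {
  allowBlobPublicAccess: true,
  blobService: { deleteRetentionPolicy: { enabled: true, days: 7 } },
  containers: [{ name: 'logs' }, { name: 'assets', publicAccess: 'BLOB' }],
};

function auditAccount(acct) {
  return [...auditRecoverability(acct.blobService),
          ...auditContainers(acct.allowBlobPublicAccess, acct.containers)];
}

console.log(auditAccount(sample));
```
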

Three scope-deferred items are explicit, not missed: deeper recoverability signals (containerDeleteRetentionPolicy, point-in-time-restore, change feed), SAS-token scope and stored-access-policy container exposure beyond publicAccess, and a pinned-or-disabled-key fixture to live-exercise the CMK degrade tiers.

Regression and availability

The Enterprise Edition test suite runs 6,454 tests and passes all of them — a +9 net increase against the EE 0.13.2 baseline of 6,445, with 24 tests in the plugin-1220 suite. Additive only, no breaking changes.

The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.2, Community Edition 0.1.77, and agent-skill 0.1.44 are deprecated on this publish with paired-pointer messages.

Install (Enterprise Edition; restricted npm token required):

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices live at nsauditor.com/ai/docs; a synthetic-fixture sample scan demonstrating the new Dim-6 and Dim-7 findings is at nsauditor.com/ai/docs/sample-scan. Trial requests and enterprise inquiries: enterprise@nsasoft.us.

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us.
