Las Vegas, NV — May 26, 2026 — Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.14.0, a minor-version cycle the team designates internally as Move C-2.2: bringing Azure Network Security Group (NSG) perimeter analysis to parity with the long-standing AWS Security Group auditor. The cycle ships one new plugin — 1221 azure-nsg-perimeter-auditor — and takes the total Enterprise Edition plugin count from 26 to 27 (cloud-audit subset 25 → 26).
This is the 36th consecutive trio-publish in Nsasoft’s institutionalized release cadence: restricted Enterprise Edition 0.14.0 alongside public Community Edition 0.1.79 and public agent-skill 0.1.46.
All six supported compliance coverage matrices remain unchanged across SOC 2, HIPAA Security Rule §164.312, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Critical Security Controls v8. The 0.14.0 release is substrate-depth uplift on already-covered perimeter controls.
The evidence gap the cycle closes
Before EE 0.14.0, Azure NSG evidence ran through the multi-purpose 1022 scanner. The NSG dimension of 1022 is a flat per-rule lint: any inbound Allow rule with source *, 0.0.0.0/0, or Internet emits one CRITICAL. There is no port tiering, no IPv6 coverage, no priority/deny-override resolution, no attachment-awareness.
That left a real false-negative surface. An NSG exposing SSH over ::/0 (the IPv6 internet wildcard), or via the 0.0.0.0/1 + 128.0.0.0/1 split-range trick (which covers the entire IPv4 internet without literally being 0.0.0.0/0), or where a higher-priority Deny rule actually neutralizes a permissive Allow — all of these slipped through or were mis-reported. EE 0.14.0 ships a dedicated, deeper auditor for exactly this surface.
Five dimensions in Azure priority order
Plugin 1221 evaluates each NSG’s inbound rules in Azure priority order (first-match-wins; DenyAllInbound default at priority 65500) across five dimensions per restricted management/data-tier port:
- All-protocol (*) public Allow — every TCP/UDP port reachable from the internet, the worst-possible perimeter posture.
- Public-source to a RESTRICTED_PORT — public source reaching SSH, RDP, MSSQL, MySQL, Postgres, Redis, Memcached, MongoDB, Elasticsearch, CouchDB, SMB, WinRM, Oracle, Docker, or Kubelet.
- ::/0 IPv6-wildcard to a restricted port — the dimension 1022’s flat lint misses; operators routinely lock IPv4 and forget IPv6.
- Public-to-non-restricted port — INFO substrate, likely an intentional public web tier, recorded for the auditor evidence pack but not raised as a finding.
- PASS substrate — no public restricted exposure after effective resolution.
Attachment-aware severity — EFFECTIVE vs LATENT
The defining design choice of the cycle is attachment-aware severity. Plugin 1221 reads the back-references Azure populates on the NSG list call — nsg.subnets[] and networkInterfaces[] — and uses them to tier severity. An attached permissive NSG is an EFFECTIVE exposure → CRITICAL (reachable from the public internet right now). An orphaned permissive NSG is LATENT → MEDIUM (the misconfiguration exists and becomes effective the instant the NSG is attached). This is the NSG analog of plugin 1220’s storage latent-toggle pattern.
Auditors evaluating Type-II evidence packs get a clean signal-versus-noise separation: EFFECTIVE findings are the work-list, LATENT findings are the cleanup list.
Effective resolution — what the flat lint missed
Plugin 1221 implements effective priority and deny-override resolution. If a permissive Allow at priority 200 is preceded by a more-specific Deny at priority 100, the Deny wins and 1221 does not raise a false-positive finding on the unreachable Allow. The plugin walks rules in priority order until a first-match wins — exactly how Azure evaluates traffic.
Additional resolution dimensions: port-range expansion (the catalog supports start-end, comma-separated, and wildcards), 0.0.0.0/1 + 128.0.0.0/1 split-range coverage (mask ≤ 1 = public), and service-tag/Application Security Group source normalization (VirtualNetwork, AzureLoadBalancer, and named ASGs are not public sources).
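As an added illustration (not NSAuditor’s own code), the Python below models the resolution just described: inbound rules walked in priority order with the first match deciding each port, prefix length ≤ 1 treated as public, service tags and ASG names treated as non-public, and attached versus orphaned NSGs tiered CRITICAL versus MEDIUM. The rule shape, port set and any sample rules are constructed for the example.

```python
import ipaddress
from collections import namedtuple
# Inbound NSG rule: source is a CIDR, "*", "Internet", a service tag or an ASG name;
# ports is "22", "1000-2000", "80,443" or "*"; access is "Allow" or "Deny".
Rule = namedtuple("Rule", "priority access protocol source ports")
# Management/data-tier ports the release lists: SSH, RDP, MSSQL, MySQL, Postgres, Redis,
# Memcached, MongoDB, Elasticsearch, CouchDB, SMB, WinRM, Oracle, Docker, Kubelet.
RESTRICTED_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 11211, 27017, 9200, 5984, 445, 5985, 1521, 2375, 10250}

def public_families(source):
    """IP families ('v4'/'v6') in which this source covers the whole public internet."""
    if source in ("*", "Internet"):
        return {"v4", "v6"}
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return set()  # VirtualNetwork, AzureLoadBalancer, named ASG: not a public source
    # prefix <= 1 catches 0.0.0.0/0, ::/0 and each half of the 0.0.0.0/1 + 128.0.0.0/1 trick
    return {"v%d" % net.version} if net.prefixlen <= 1 else set()

def expand_ports(spec):
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo == "*":
            return set(range(65536))
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_restricted_ports(rules):
    """First-match-wins walk in priority order; unmatched ports fall to DenyAllInbound (65500)."""
    exposed = set()
    for fam in ("v4", "v6"):
        for port in RESTRICTED_PORTS:
            for r in sorted(rules, key=lambda r: r.priority):
                if r.protocol not in ("Tcp", "*") or port not in expand_ports(r.ports):
                    continue
                if fam not in public_families(r.source):
                    continue  # rule does not decide public traffic in this family
                if r.access == "Allow":
                    exposed.add((fam, port))
                break  # first matching rule, Allow or Deny, decides this port
    return exposed

def audit_nsg(rules, attached):
    """Attachment-aware tiering: attached = EFFECTIVE/CRITICAL, orphaned = LATENT/MEDIUM."""
    hits = exposed_restricted_ports(rules)
    if not hits:
        return "PASS", hits
    return ("CRITICAL" if attached else "MEDIUM"), hits
```

A Deny from a private CIDR does not decide public traffic, so it is skipped rather than treated as an override; only a Deny whose source is itself public neutralizes a later Allow.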
Deliberately non-overlapping with plugin 1022
Plugin 1221 is non-overlapping-by-depth with 1022’s coarse NSG dimension — no double-emission of a verdict on the same NSG. This mirrors the AWS 1023-observed / 1170-declared two-plugin precedent.
Six-framework routing — all matrices unchanged
Findings route across every supported framework at AWS-1170 parity: SOC 2 CC6.6, HIPAA §164.312(a)(1), NIST CSF 2.0 PR.IR-01 + ID.AM-03, PCI DSS v4.0.1 1.2.1 / 1.3.1 / 1.4.1 / 6.4.1 / 11.4.1, ISO/IEC 27001:2022 A.8.20 / A.8.22 / A.8.9, and CIS Controls v8 4.4 / 12.2 / 4.2. 185 insertions across the six framework JSONs, zero deletions, all 160 anchor-drift and inheritance and citation-discipline tests green.
Adversarial review, regression, and live smoke
Plugin 1221 was built and reviewed through the audit-cloud-plugin-false-negatives lens: SHIP-WITH-FOLDS (0 CRITICAL / 0 HIGH / 0 MEDIUM / 2 LOW). Both LOWs (0.0.0.0/1 split-range source-publicness and per-NSG error isolation) were folded in the same session. The catalog’s NSG blind-spots are all covered: three internet-spellings, priority/deny-override, ASG-as-source, ::/0, and wide-range-includes-restricted-port.
The Enterprise Edition test suite runs 6,481 tests and passes all of them — a +27 net increase against the EE 0.13.3 baseline of 6,454. Live Azure + AWS hexa-framework smoke (against the published 0.14.0 CLI) confirmed plugin 1221 fixture oracle 3/3, all matrices unchanged on both clouds, Azure finding count 299→302 (+3 from 1221), AWS held at 243 (the new plugin is Azure-only — additive only).
Availability
NSAuditor AI EE 0.14.0 is recommended for every existing customer auditing Azure workloads. The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.3, Community Edition 0.1.78, and agent-skill 0.1.45 are deprecated on this publish with paired-pointer messages.
Install (Enterprise Edition; restricted npm token required):
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices live at nsauditor.com/ai/docs; a synthetic-fixture sample scan is at nsauditor.com/ai/docs/sample-scan. Trial requests and enterprise inquiries: enterprise@nsasoft.us.
About Nsasoft US LLC
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us.