Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition v0.14.1 — a patch cycle on the EE 0.14.0 Azure NSG Perimeter Auditor that closes a class of false negatives most cloud scanners still ship with. The community edition (0.1.80) and agent skill (0.1.47) shipped alongside it — the thirty-seventh consecutive trio-publish across all three packages, all LIVE on npm latest as of 2026-05-27.
Why this matters for mobile-network-adjacent infrastructure
Telco and edge-mobile workloads on Azure tend to lean heavily on UDP — SNMP for inventory, NTP for time, IPsec for tunnels, sometimes IPMI for out-of-band on lab racks. A perimeter auditor that audits only TCP misses the lane the operator actually exposes. EE 0.14.0 introduced plugin 1221 (the Azure analog of AWS 1170) with port-tiering, IPv6, attachment-awareness, and priority/deny-override resolution — but it tiered only TCP ports. The Move T-2 adversarial pass caught the gap.
The new UDP lane
EE 0.14.1 adds a dedicated UDP transport lane to plugin 1221. A new 17-port RESTRICTED_UDP_PORTS set is evaluated in parallel with the existing TCP lane:
- DNS 53, TFTP 69, NTP 123, SSDP 1900, Memcached 11211 — classic amplification ports.
- SNMP 161 / 162, NetBIOS 137 / 138, LDAP-CLDAP 389 — management-plane discovery and CLDAP reflection.
- rpcbind 111, IPMI 623, MSSQL-Monitor 1434 — high-blast-radius management-tier services that simply should not be reachable from the public internet.
- IKE 500, IPsec-NAT-T 4500, OpenVPN 1194 — VPN-endpoint fingerprinting and brute-force surface.
- Syslog 514 — log injection on internet-exposed loggers.
Two new dimensions, attachment-aware
Plugin 1221 now emits:
- Dim 2u — UDP inbound from a public source (*, 0.0.0.0/0, or the Internet service tag) to a restricted UDP service.
- Dim 3u — the same from ::/0 (the IPv6 wildcard — operators lock IPv4 and forget IPv6).
Severity is attachment-aware. An NSG attached to a subnet or NIC with the offending rule yields a CRITICAL effective finding. An orphaned NSG with the same rule yields a MEDIUM latent finding — the finding becomes effective the moment the operator attaches it.
Resolution is per-transport. A higher-priority UDP Deny (lower priority number, in Azure terms) correctly suppresses a lower-priority UDP Allow on the same port. A TCP Deny does not suppress a UDP Allow on the same port, because the two ride independent transport lanes; in Azure only a rule with protocol * matches both transports, and such a rule is evaluated in both lanes. The TCP and UDP sets are deliberately kept separate rather than merged into one protocol-agnostic set: a port that is restricted over UDP is not necessarily restricted over TCP, and treating the two as one is itself a false-negative class.
Dim-4 made protocol-aware
The pre-0.14.1 Dim-4 (“intentional public web tier” INFO bucket) was protocol-blind. A public UDP/161 rule was silently filed as INFO. A 160-170 UDP range that already produced a restricted CRITICAL on port 161 also produced a contradictory web-tier INFO line for the same range. 0.14.1 makes Dim-4 protocol-aware so neither happens. The bucket still records non-restricted public TCP for evidence-pack completeness; it no longer launders restricted UDP as benign.
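To make the UDP lane, the per-transport deny override, the attachment-aware severity and the protocol-aware Dim-4 concrete, here is an added example; it is not code from NSAuditor or Nsasoft, and it models the behaviour the post describes rather than the plugin's implementation. It assumes the Azure securityRules field names as az network nsg show returns them, an illustrative restricted TCP set (the post does not list one), a constructed sample NSG, and the simplification that a Deny only suppresses an Allow when its source spans the same public class. Function names and the finding format are this example's own.

```python
"""Per-transport NSG perimeter evaluation modelled on the post (added example,
not NSAuditor's own code).  Rule fields follow the Azure NSG securityRules
schema; dimension labels are the post's; function names, the illustrative TCP
set and the sample NSG are this example's own assumptions."""

# The 17 UDP ports the post lists.
RESTRICTED_UDP_PORTS = frozenset({53, 69, 123, 1900, 11211, 161, 162, 137, 138,
                                  389, 111, 623, 1434, 500, 4500, 1194, 514})
# Assumed for illustration only: the post does not enumerate the TCP lane's set.
RESTRICTED_TCP_PORTS = frozenset({22, 23, 445, 1433, 3306, 3389, 5432, 6379})
LANES = {"udp": RESTRICTED_UDP_PORTS, "tcp": RESTRICTED_TCP_PORTS}
# Public sources as the post defines them: Dim 2u for '*', '0.0.0.0/0' and the
# Internet service tag, Dim 3u for the IPv6 wildcard '::/0'.
PUBLIC_SOURCE_DIM = {"*": "2u", "0.0.0.0/0": "2u", "internet": "2u", "::/0": "3u"}


def _source(rule):
    return (rule.get("sourceAddressPrefix") or "").lower()


def _in_lane(rule, lane):
    """An Azure rule with protocol '*' matches every transport, so it sits in both lanes."""
    proto = rule["protocol"].lower()
    return proto == "*" or proto == lane


def _port_specs(rule):
    return rule.get("destinationPortRanges") or [rule["destinationPortRange"]]


def _port_ranges(rule):
    """Parse '161', '160-170' or '*' into inclusive (lo, hi) pairs without expanding them."""
    ranges = []
    for spec in _port_specs(rule):
        if spec == "*":
            ranges.append((0, 65535))
        elif "-" in spec:
            lo, hi = spec.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(spec), int(spec)))
    return ranges


def _restricted_hits(rule, restricted):
    return {p for lo, hi in _port_ranges(rule) for p in restricted if lo <= p <= hi}


def _deny_covers(deny, allow):
    """Simplification: a Deny suppresses an Allow only when its source spans the
    same public class ('*' spans both); a narrower Deny (e.g. 10.0.0.0/8) leaves
    every other public source able to reach the port, so it must not suppress."""
    return (_source(deny) == "*"
            or PUBLIC_SOURCE_DIM.get(_source(deny)) == PUBLIC_SOURCE_DIM.get(_source(allow)))


def evaluate_nsg(rules, attached):
    """Return perimeter findings for one NSG.  Severity is CRITICAL (effective)
    when the NSG is attached to a subnet or NIC, MEDIUM (latent) when orphaned."""
    severity = "CRITICAL" if attached else "MEDIUM"
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])  # lowest number wins in Azure
    findings, seen = [], set()
    for lane, restricted in LANES.items():
        lane_rules = [r for r in inbound if _in_lane(r, lane)]
        for i, rule in enumerate(lane_rules):
            dim = PUBLIC_SOURCE_DIM.get(_source(rule))
            if rule["access"].lower() != "allow" or dim is None:
                continue
            exposed = _restricted_hits(rule, restricted)
            # Deny override is per lane: only higher-priority Denies riding the
            # same transport count, so a TCP Deny never suppresses a UDP Allow.
            for deny in lane_rules[:i]:
                if deny["access"].lower() == "deny" and _deny_covers(deny, rule):
                    exposed -= _restricted_hits(deny, restricted)
            for port in sorted(exposed):
                if (dim, lane, port) not in seen:
                    seen.add((dim, lane, port))
                    findings.append({"dim": dim, "lane": lane, "port": port,
                                     "severity": severity, "rule": rule["name"]})
            # Dim 4 is protocol-aware: only public TCP that allows at least one
            # non-restricted port is recorded as web-tier evidence (INFO); a
            # restricted UDP rule never lands here, whatever its range.
            total = sum(hi - lo + 1 for lo, hi in _port_ranges(rule))
            if lane == "tcp" and total > len(_restricted_hits(rule, restricted)):
                findings.append({"dim": "4", "lane": "tcp", "port": ",".join(_port_specs(rule)),
                                 "severity": "INFO", "rule": rule["name"]})
    return findings


# Constructed sample NSG in the shape 'az network nsg show' returns (not a real tenant).
SAMPLE_RULES = [
    {"name": "deny-tcp-snmp", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "161"},
    {"name": "deny-udp-memcached", "priority": 120, "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "11211"},
    {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "160-170"},
    {"name": "deny-ntp-corp", "priority": 250, "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "123"},
    {"name": "allow-ntp-v6", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "::/0", "destinationPortRange": "123"},
    {"name": "allow-https", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-dns-any-proto", "priority": 500, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "53"},
    {"name": "allow-memcached", "priority": 600, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "11211"},
]

if __name__ == "__main__":
    for f in evaluate_nsg(SAMPLE_RULES, attached=True):
        print(f"Dim {f['dim']:<2} {f['severity']:<8} {f['lane']}/{f['port']:<8} via {f['rule']}")
```

For the attached case this yields six findings: Dim 2u on UDP 161 and 162 out of the 160-170 range (the TCP Deny on 161 does not help, and no web-tier INFO accompanies the UDP range), Dim 3u on NTP from ::/0 (the narrower corporate Deny does not cover the public source), Dim 2u on UDP 53 from the protocol-* rule, and two Dim-4 INFO lines for public TCP 443 and TCP 53. Memcached is absent because the higher-priority UDP Deny from * covers it. With attached=False the four restricted findings drop to MEDIUM while the INFO lines are unchanged.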
Six-framework routing — substrate-depth uplift, no coverage drift
The two per-port 1221 titlePatterns were generalized from permits TCP inbound … to permits (?:TCP|UDP) inbound … across all six framework JSONs. The change preserves the SOC 2 inheritance contract and routes UDP findings to the same controls as the existing TCP exposures — SOC 2 CC6.6, HIPAA §164.312(a)(1), NIST CSF PR.IR-01 + ID.AM-03, PCI DSS 1.2.1/1.3.1/1.4.1/6.4.1/11.4.1, ISO 27001 A.8.20/A.8.22/A.8.9, CIS v8 4.4/12.2/4.2.
Plugin count is UNCHANGED at 27 (cloud-audit 26). All six coverage matrices are UNCHANGED: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114. The fix is substrate-depth uplift, not new control surface — the perimeter control was always there, and now its evidence is complete.
Validation
Test-first and reviewed through the dedicated false-negatives lens, with three folds applied same-session (adding the three highest-blast-radius missing ports, fixing the Dim-4 range contradiction, removing a stale comment). 14 new tests; EE full regression 6495/6495 green. The post-publish Azure hexa-framework smoke confirmed the all-protocol NSG now emits the 17-port UDP line live from the published artifact — and that existing NSG verdicts remained unchanged.
Install
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
Hexa-framework one-scan workflow: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence is generated inside your infrastructure.
Documentation: nsauditor.com/ai/enterprise.