NSAuditor AI EE 0.16.7 — CloudTrail Audits That Finish Fast and Fail Closed

A security tool that runs out of time and reports the little it managed to see is quietly telling you “all clear” about everything it never reached. That is the failure mode NSAuditor AI EE 0.16.7 closes — on the most evidence-heavy auditor in the suite.

It started with a real bug report

An operator pointed Claude Desktop at their AWS account, asked it to “audit my AWS account,” and the CloudTrail auditor came back oddly thin. Not wrong, exactly — just far less than the account actually contained.

The reason was buried in how CloudTrail works. CloudTrail trails are a per-region resource, so to judge an account’s logging posture the auditor has to sweep across roughly 32 regions. On this account a handful of those regions were disabled or otherwise unreachable — and each one had no connect timeout, so it hung for about thirty seconds on connection retries before giving up. Multiply that across several dead regions and the whole pass blew past the assistant’s ~60-second tool-call budget. Faced with the deadline, the scan fell back to reporting only what a single region could see.

There was a second, quieter problem. A single errored region didn’t just slow things down — its error threw away every other region’s evidence too. On any real-world account, where some region almost always errors, multi-region enumeration effectively never completed. The scan looked finished, but it was silently single-region.

The fix: fail fast, and keep going

EE 0.16.7 makes the enumeration fail fast instead of stalling. Each region’s client now carries a short connect and request timeout and a low retry count, and the cross-region fan-out runs wider. A disabled or unreachable region now drops out in about two seconds instead of stalling for thirty. And one region’s error no longer aborts the whole pass: the successful regions’ trails are preserved and the failed region is recorded and skipped.

The result, measured against the same account: the CloudTrail audit went from 234 seconds and incomplete to about 13 seconds and fully multi-region — no single-region fallback.

An unreachable region is an evidence gap, not a silent miss

The principle that matters most here is what happens to a region the auditor genuinely cannot reach. In 0.16.7 it is treated as an explicit evidence gap, not a quiet omission. The unaudited region is surfaced two ways: as a finding routed to the CloudTrail controls — so the verdict fails closed over the gap rather than passing on incomplete evidence — and in the structured scan-scope record, so an auditor can see exactly which regions were and weren’t covered. No region silently vanishes from the report.
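The two mechanisms above, a per-region timeout that lets a dead region drop out quickly and a fan-out that keeps every successful region's trails while recording each failed region as an explicit gap, can be sketched as an added example. This is not NSAuditor's code: the region table, the simulated describeTrails() call, the AbortController-based timeout (standing in for SDK client timeouts and retry settings) and the control id are all assumptions.

```javascript
// Added example, not NSAuditor's code: fail-fast, fail-closed fan-out over
// CloudTrail regions. Region table, describeTrails() and control id are constructed.
const REGION_TIMEOUT_MS = 2000; // per-region budget, mirroring the ~2 s drop-out

// Constructed per-region behaviour: trails returned, a hang, or an API error.
const SIMULATED_REGIONS = {
  'us-east-1': { trails: [{ Name: 'org-trail', IsMultiRegionTrail: true }] },
  'eu-west-1': { trails: [] },
  'ap-south-1': { hang: true },           // disabled region: never answers
  'sa-east-1': { error: 'AccessDenied' }, // region errors immediately
};
// Stand-in for a DescribeTrails call that honours an AbortSignal.
function describeTrails(region, signal) {
  const r = SIMULATED_REGIONS[region];
  return new Promise((resolve, reject) => {
    if (r.hang) return signal.addEventListener('abort', () => reject(new Error('connect timeout')));
    if (r.error) return reject(new Error(r.error));
    resolve(r.trails);
  });
}
// Bound one region's call to a budget so a dead region cannot stall the whole pass.
async function withTimeout(call, ms) {
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), ms);
  try { return await call(ac.signal); } finally { clearTimeout(timer); }
}

// Query every region concurrently; keep each successful region's trails and
// record each failed region as an explicit scope gap that fails closed.
async function enumerateTrails(regions, timeoutMs = REGION_TIMEOUT_MS) {
  const settled = await Promise.allSettled(
    regions.map((region) => withTimeout((sig) => describeTrails(region, sig), timeoutMs)),
  );
  const trails = [];
  const scope = { audited: [], unaudited: [] };
  settled.forEach((res, i) => {
    const region = regions[i];
    if (res.status === 'fulfilled') {
      scope.audited.push(region);
      trails.push(...res.value.map((t) => ({ region, ...t })));
    } else {
      scope.unaudited.push({ region, reason: res.reason.message });
    }
  });
  // Each unaudited region is itself a finding, so the verdict cannot pass on partial evidence.
  const findings = scope.unaudited.map(({ region, reason }) => ({
    control: 'cloudtrail.all-regions-covered', status: 'FAIL',
    message: `${region} not audited (${reason}); coverage incomplete`,
  }));
  return { trails, scope, findings };
}
```

With the constructed table, the hanging and erroring regions both land in scope.unaudited with their own FAIL finding, while us-east-1 and eu-west-1 still contribute their evidence.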

Verified the way operators actually run it

The fix was re-confirmed against the published build and then, after a configuration restart, live in Claude Desktop. The CloudTrail and CloudWatch findings that were previously cut short now show up — log-bucket Object Lock and MFA-Delete, a non-multi-region trail, and the missing CIS alarms for root-account usage, console sign-in without MFA, CMK changes, and configuration changes.

Availability

NSAuditor AI EE 0.16.7 is live on npm (@nsasoft/nsauditor-ai-ee@latest, Enterprise, licensed), paired with Community Edition (nsauditor-ai@latest) and the agent skill nsauditor-ai-agent-skill@0.1.66. The release adds no new plugin — the suite stays at 28 plugins across AWS, Azure, and GCP — and all six compliance coverage matrices (SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Controls v8) are unchanged. Everything runs locally, with zero data exfiltration. Full details are on the NSAuditor AI Enterprise page.