LAS VEGAS, NV — May 8, 2026 — Nsasoft US LLC, a network security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.2 alongside the open-core Community Edition (CE) v0.1.30. Both prior versions (0.3.1 / 0.1.29) are explicitly deprecated on npm.
The “false-clean” SOC 2 reporting bug is fixed
Live since EE v0.3.0 (April 2026), AWS scans run with --compliance soc2 produced gap reports labelled “0 findings analyzed · 7 / 7 controls passing” — even when the underlying scan emitted real S3 / IAM violations. Cloud-plugin findings live in pm.run().results[] but the compliance engine only read from the network-side finding queue. The engine never saw plugin output.
A CISO reading a clean-looking report would have no idea the underlying buckets were missing public-access blocks, lacked Object Lock, or were KMS-keyless. A silent green-light is more dangerous than a missing report.
EE 0.3.2 introduces harvestCloudFindings() + CLOUD_PLUGIN_SOURCE_MAP in the engine; CE 0.1.30 forwards the per-plugin results array through enrichScan(). On every customer’s first scan after upgrade, the report now reflects reality.
New covered control: C1.2 — Disposal of Confidential Information
Coverage matrix moves from 7 covered → 8 covered. The new C1.2 control evidences the institutional WORM and tamper-resistance primitives auditors expect for confidential workloads:
- Object Lock not configured — S3 Object Lock is the institutional WORM control. Without it, retention windows can’t be cryptographically enforced.
- Object Lock GOVERNANCE mode (use COMPLIANCE for WORM) — COMPLIANCE is immutable; GOVERNANCE allows any principal with s3:BypassGovernanceRetention to delete. SEC Rule 17a-4 and FINRA 4511 require COMPLIANCE.
- MFA Delete not enabled — Versioning alone is not tamper-resistant; an insider with bucket-write IAM can permanently delete a version. MFA Delete requires a second factor at delete-version time.
Other shipped findings under EE 0.3.2
- Server-side encryption uses AES256 (not KMS-CMK) → C1.1. KMS customer-managed keys give the customer rotation, audit, and crypto-shredding control AES256 does not.
- Access logging not enabled — audit trail gap → CC7.1. S3 server-access logs are the canonical AWS evidence stream for object-level access detection.
- Partial public access block — missing: … → C1.1. A partial PAB still leaves at least one bypass route.
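To make the "false-clean" failure mode above concrete, here is an added example (not NSAuditor code) of a minimal compliance evaluator in the buggy and fixed shapes: the buggy path reads only the network-side queue, the fixed path harvests cloud-plugin findings through a source map. The function names echo the release notes, but the map contents, finding IDs, scan structure and sample bucket are all constructed for illustration.

```javascript
// Added example (not NSAuditor code). Finding IDs, control mapping and the
// scan shape are constructed; only the function names follow the release notes.

// Maps cloud-plugin finding IDs to the SOC 2 control they evidence.
const CLOUD_PLUGIN_SOURCE_MAP = {
  's3.object_lock_missing': 'C1.2',
  's3.object_lock_governance': 'C1.2',
  's3.mfa_delete_disabled': 'C1.2',
  's3.sse_not_kms': 'C1.1',
  's3.access_logging_disabled': 'CC7.1',
  's3.partial_public_access_block': 'C1.1',
};

// The eight covered controls from the coverage matrix.
const COVERED_CONTROLS = ['CC6.1', 'CC6.2', 'CC6.6', 'CC6.7', 'CC6.8', 'CC7.1', 'C1.1', 'C1.2'];

// Collects findings that cloud plugins left in their per-plugin results array,
// tagging each with its control so the engine treats them like network findings.
function harvestCloudFindings(pluginResults) {
  const out = [];
  for (const result of pluginResults) {
    for (const f of result.findings || []) {
      const control = CLOUD_PLUGIN_SOURCE_MAP[f.id];
      if (control) out.push({ ...f, control, source: result.plugin });
    }
  }
  return out;
}

function buildReport(findings) {
  const failing = new Set(findings.map((f) => f.control));
  return {
    analyzed: findings.length,
    passing: COVERED_CONTROLS.filter((c) => !failing.has(c)),
    failing: [...failing].sort(),
  };
}

// Buggy path: plugin output never reaches the engine, so the report is green.
function evaluateSoc2Buggy(scan) { return buildReport(scan.networkFindings); }

// Fixed path: merge network findings with harvested plugin findings.
function evaluateSoc2(scan) {
  return buildReport([...scan.networkFindings, ...harvestCloudFindings(scan.pluginResults)]);
}

// Constructed scan: no network findings, but the S3 plugin reported three violations.
const SAMPLE_SCAN = {
  networkFindings: [],
  pluginResults: [{ plugin: 'aws-s3', findings: [
    { id: 's3.object_lock_governance', resource: 'arn:aws:s3:::example-ledger' },
    { id: 's3.mfa_delete_disabled', resource: 'arn:aws:s3:::example-ledger' },
    { id: 's3.access_logging_disabled', resource: 'arn:aws:s3:::example-ledger' },
  ] }],
};
```

Running both paths on SAMPLE_SCAN shows the difference: the buggy report reads "0 findings analyzed, 8 / 8 passing", the fixed one fails C1.2 and CC7.1 on the same scan.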
Customer onboarding: three lines, no shell-rc edits
CE 0.1.30 introduces nsauditor-ai license install <KEY> — verifies the JWT signature before persisting and stores the key in the platform-appropriate location (macOS Keychain, or ~/.nsauditor/.env mode 0600 on Linux/Windows). The day-1 install flow:
```shell
npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
nsauditor-ai license install enterprise_eyJ...
nsauditor-ai license --status
```
A multi-source license loader resolves keys from env var → platform Keychain → ~/.nsauditor/.env, in priority order. CI/CD env-var override still wins.
Coverage Matrix — AICPA TSC 2017
| Status | Count | Trust Services Criteria |
|---|---|---|
| ✅ Covered | 8 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1, C1.2 (new) |
| 🟡 Partial | 5 | CC6.3, CC7.2, CC7.3, CC8.1, A1.2 |
| ⚪ Out of scope | 34 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.*, P1.0–P8.0, CC6.4, CC6.5 |
Resources
- SOC 2 coverage matrix: nsauditor.com/ai/docs/soc2/
- CE on npm: npmjs.com/package/nsauditor-ai
- EE on npm: npmjs.com/package/@nsasoft/nsauditor-ai-ee
- Product home: nsauditor.com/ai
About Nsasoft US LLC
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching happen against customer-controlled API keys or fully offline NVD feeds.
Press contact: info@nsasoft.us · License & enterprise sales: enterprise@nsasoft.us