NSAuditor AI EE 0.3.7 + 0.3.8 — Paired Release: New 040 AWS CloudTrail Operational Integrity Auditor Closes SOC 2 CC7.2 + CC7.3, Adds SEC 17a-4 / FINRA 4511 Trail-Bucket WORM Verification

LAS VEGAS, NV — May 12, 2026 — Nsasoft US LLC, a network-security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.8, an institutional-grade hardening release for the v0.4.0 Runtime Assurance stack that 0.3.7 shipped 24 hours prior. The paired releases close the AWS CloudTrail / CloudWatch / Config Operational Integrity work end-to-end: CC7.2 (System Monitoring) and CC7.3 (Security Event Detection) transitioned from partial to covered, the AICPA Trust Services Criteria coverage matrix shifted 8/5/34 → 10/3/34, and the v2 metric-filter audit now reads the auditor-canonical logs:DescribeMetricFilters evidence stream against the CIS AWS Foundations Benchmark v1.5 §3.1–3.14 baseline.

The new EE plugin — 040 AWS CloudTrail Operational Integrity Auditor

This release introduces a sixth EE plugin alongside the existing five. The full EE plugin list as of 0.3.8:

  • 020 AWS S3 Security Auditor — S3 misconfiguration, public access blocks, Object Lock COMPLIANCE-mode validation, MFA Delete (C1.1, C1.2, CC7.1)
  • 021 GCP Security Audit — Firewall rules, IAM bindings, GCS bucket exposure (CC6.1, CC6.6, C1.1)
  • 022 Azure Security Audit — NSG rules, RBAC, Storage (CC6.1, CC6.6, C1.1)
  • 023 Zero Trust Assessment — Segmentation, encryption-in-transit, identity posture
  • 030 AWS IAM Deep Auditor — Shadow-admin paths (AssumeRole + PassRole), restrictive-Condition allowlist, OIDC heuristic, per-hop evidence trail (CC6.1)
  • 040 AWS CloudTrail Operational Integrity Auditor (NEW in 0.3.7 / hardened in 0.3.8). Trail health (multi-region default-ON across 36 canonical AWS regions, log-file validation, KMS-CMK, IsLogging), CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 via the v2 metric-filter audit, AWS Config recorder + Organizations ConfigurationAggregator detection with deterministic STS account-coverage cross-reference, and cross-account S3 trail-destination WORM verification (Object Lock + Versioning + MFADelete per trail bucket) for SEC Rule 17a-4 / FINRA 4511 retention evidence. Defensive caps + exponential-backoff throttle retry + 5-minute wall-clock budget for large-fleet (>1000 trails) enterprise customers. Closes CC7.2 + CC7.3.

Why this paired release matters

The 0.3.x line had, through 0.3.6, delivered SOC 2 evidence-quality improvements within existing covered controls. EE 0.3.7 was the first matrix-shift release of the year. EE 0.3.8 then closes every deferred EE-RT.1.x follow-up in a 12-commit institutional-hardening session: v2 metric-filter audit; multi-region trail enumeration default-ON; AWS Organizations ConfigurationAggregator detection paired with deterministic STS account-coverage cross-reference; cross-account S3 trail-destination WORM verification for SEC 17a-4 / FINRA 4511; defensive caps + throttle handling; OIDC custom-IdP heuristic; npm test infrastructure unblock.

0.3.8 highlights

  • EE-RT.1.1 — v2 metric-filter audit. Replaces the v1 alarm-name substring heuristic with the auditor-canonical logs:DescribeMetricFilters evidence stream. v2-covered semantics: “filter pattern matches CIS hint AND alarm correlates.” Cross-account LogGroup AccessDenied emits a synthetic HIGH evidence-gap finding.
  • EE-RT.1.2 — Multi-region trail enumeration DEFAULT-ON. 36 canonical AWS regions (32 commercial-aws + 2 aws-cn + 2 aws-us-gov; region-list version stamp 2026-05). BEHAVIOR CHANGE with explicit single-region opt-out preserved.
  • EE-RT.1.3 + 1.3.x — Config Aggregator detection + STS deterministic check. Converts the walkthrough-dependent MEDIUM into a deterministic PASS or HIGH via current-account-in-aggregator-source-list cross-reference.
  • EE-RT.1.4 — Cross-account S3 trail-destination audit (SEC 17a-4 / FINRA 4511 WORM evidence). Per-trail Object Lock + Versioning + MFADelete; configurable retention baseline (default 7y SEC 17a-4).
  • EE-RT.1.5 — Defensive caps + rate-limit-aware throttle handling. Exponential-backoff retry, per-region trail cap with deterministic TrailARN-lex sort, total-trail-audit cap, wall-clock budget.
  • Threads CT.3 + CT.4 + CT.5 — Plugin 030 IAM-telemetry polish. Configurable MAX_TELEMETRY_ENTRIES; distinct-dropped-key sentinel; OIDC :sub/:aud heuristic for Auth0/Okta/Cognito User Pool/Keycloak/CircleCI.
  • EE-INFRA.1 — utils/file_lock.mjs busy-loop fix. npm test works again at 2577/2577.

Combined 0.3.7 + 0.3.8 stats

57 reviewer folds across 12 same-session two-reviewer cycles. ~325 new tests. 2577/2577 full npm test green. Matrix shifted 8/5/34 → 10/3/34.

peerDependencies floor bump

nsauditor-ai ^0.1.31 → ^0.1.38. Pre-0.1.37 CE versions silently bypassed MCP authentication + license verification when invoked via the published nsauditor-ai-mcp bin shim. EE 0.3.8 now formally refuses to install against vulnerable CE versions.

Availability

npm install -g nsauditor-ai@0.1.38 @nsasoft/nsauditor-ai-ee@0.3.8
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins 030,040 --compliance soc2 --out evidence.json

Press & analyst contact

Nsasoft US LLC — press@nsasoft.us · nsasoft.us