LAS VEGAS, NV — May 12, 2026 — Nsasoft US LLC today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.9, the first SOC 2 Processing Integrity evidence release in the v0.4.0 Runtime Assurance track. EE 0.3.9 is the first matrix-shift release since 0.3.7 — PI1.5 (Stored Items) moves out-of-scope to partial via the new aws-dynamodb-auditor plugin (1060). Coverage matrix shifts 10/3/34 → 10/4/33.
The new EE plugins
1060 AWS DynamoDB Audit Integrity (the “audit-the-auditor” plugin)
Answers the Type-II auditor’s second walkthrough question: can the audit record itself be tampered with, lost, or bypassed?
- Per-table PITR + deletion protection — worst-case CRITICAL “audit record itself not survivable” when both missing.
- KMS-CMK classifier with conservative LOW-unverifiable posture on :key/UUID ARN shapes — defers to kms:DescribeKey cross-reference rather than false-clean PASS.
- Resource-policy presence audit via the 2024 GetResourcePolicy API with soft-degrade.
- CloudTrail DynamoDB data-event coverage cross-reference — orthogonal plugin composition with plugin 1040. HIGH when no trail logs AWS::DynamoDB::Table data events while tables exist.
SOC 2 mapping: CC6.6 + CC7.1 + C1.1 + PI1.5 (the partial transition). 9 reviewer folds + 57 new tests.
1050 AWS API Gateway Assurance (first Serverless entry-point evidence)
- Per-method/route authorization classifier — NONE = CRITICAL, AWS_IAM / Cognito / JWT = PASS, JWT-with-wildcard-audience = INFO with IdP issuer/audience evidence, Lambda authorizer = INFO with manual-verification prompt.
- TLS policy with worst-policy tracking across mixed-config v2 domains (TLS_1_0 = HIGH).
- Stage-level access logging, throttling, WAF association.
SOC 2 mapping: CC6.1 + CC6.6 + CC6.7 + CC7.1 + A1.2. 11 reviewer folds + 86 new tests.
Institutional disclosure — plugin-ID range realignment
A plugin-ID collision between CE and EE was discovered during pre-publish review: CE plugin 040 (TLS Cert Auditor) ID-shadowed EE plugin 040 (CloudTrail Operational Integrity). Customers running --plugins 040 on EE 0.3.7 or 0.3.8 received CE TLS evidence (not EE CloudTrail evidence). --plugins all was unaffected.
All 8 EE plugins moved to a disjoint 1000+ namespace in 0.3.9: 020→1020 (S3), 021→1021 (GCP), 022→1022 (Azure), 023→1023 (Zero Trust), 030→1030 (IAM), 040→1040 (CloudTrail), plus NEW 1050 (API Gateway) and 1060 (DynamoDB). CE retains 001–099. Type-II auditors evaluating EE evidence from prior 0.3.7 + 0.3.8 scans should re-scan with 0.3.9 + --plugins 1040.
Coverage matrix
- ✅ Covered (10): CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, CC7.2, CC7.3, C1.1, C1.2
- 🟡 Partial (4): CC6.3, CC8.1, A1.2, PI1.5 (NEW)
- ⚪ Out of scope (33): CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.1–PI1.4, P1.0–P8.0, CC6.4, CC6.5
PI1.5 partial-coverage scope: substrate-only — full PASS requires EE-RT.7 Lambda Runtime Assurance application-tier evidence (planned v0.4.1+).
Validation
4 same-session two-reviewer cycles. 20 reviewer folds total. 143 new tests + golden-fixture updates. 2720/2720 full regression green at ~131s wall. 0 CRITICAL ship-blockers after fold. ZDE maintained.
Availability
npm install -g nsauditor-ai@0.1.38 @nsasoft/nsauditor-ai-ee@0.3.9
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins 1020,1030,1040,1050,1060 --compliance soc2 --out evidence.json
Resources
- npm package: @nsasoft/nsauditor-ai-ee@0.3.9 (restricted; requires Pro/Enterprise license)
- CE pairing: nsauditor-ai@0.1.38 (public; MIT)
- SOC 2 coverage table: nsauditor.com/ai/docs/soc2/
- Pricing & licensing: nsauditor.com/ai/pricing · nsauditor.com/ai/enterprise
Press & analyst contact
Nsasoft US LLC — press@nsasoft.us · nsasoft.us




