NSAuditor AI EE 0.4.0 — 7 New AWS Auditor Plugins (1070-1130); Headline AWS Backup Auditor (1130) Ships 12-Dimension Air-Gapped Vault Attestation Closing the SOC 2 A1.2 Ransomware-Defense Gap

NSAuditor AI EE 0.4.0 — 7 new AWS auditor plugins + AWS Backup Auditor air-gapped vault attestation

LAS VEGAS, NV — May 13, 2026 — Nsasoft US LLC today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.4.0, the largest enterprise-coverage release since the SOC 2 compliance engine itself shipped in EE 0.3.0. Seven new AWS auditor plugins (1070–1130) land in a single staging window, anchored by the 18-session EE-RT.12 AWS Backup Auditor institutional-hardening arc, whose 12-dimension air-gapped vault attestation substantially closes the documented A1.2 “Backup/recovery posture itself” ransomware-defense gap. EE 0.4.0 pairs with Community Edition v0.1.40 on npm.

EE plugin footprint grows 8 → 15

  • 1070 AWS KMS Auditor — Wildcard-principal classifier across 5 severity tiers; per-key rotation; NotPrincipal/NotAction Allow detection; case-insensitive AWS/action matching; glob-action coverage. Exports _describeKeyManager() consumed by plugin 1060. Maps to CC6.3 + C1.1.
  • 1080 AWS Lambda Security Auditor — Runtime EOL detection (institutional-CRITICAL; case-normalized at SDK boundary), public function-URL exposure, resource-policy permissive principals, env-var secret-suggestive name detection (ZDE-safe: names + presence only — VALUES never inspected). Maps to CC6.1/CC6.6/CC7.1/C1.1.
  • 1090 AWS Secrets Manager + SSM Parameter Store Auditor — Rotation cadence + KMS-CMK custody; String vs SecureString classification. ZDE-critical: scanner NEVER calls GetSecretValue/GetParameter — verb-prefix denylist regex enforces metadata-only at SDK boundary. Maps to CC6.1/CC6.6/C1.1.
  • 1100 AWS CodePipeline + CodeBuild Operational Integrity — Source-stage encryption, privilegedMode detection, buildspec drift, IAM wildcard-Action detection, S3 artifact-store encryption, stale-execution detection (EE-RT.9.1). Maps to CC6.1/CC7.1/CC8.1/C1.1.
  • 1110 IAM Effective Decrypt-Path Auditor — Cross-plugin reconciler computes effective decrypt path against destination KMS key policies. Closes NotAction-implicit-decrypt false-PASS class. EE-RT.10.1 case-normalizes Effect+Action discriminators at IAM-graph BFS boundary. Maps to CC6.1/CC6.6/C1.1/C1.2.
  • 1120 AWS S3 Lifecycle + Cross-Region Replication Auditor — Lifecycle policy enumeration + cross-region replication topology + destination-bucket reachability (EE-RT.4.1 closes silent-PASS class). Maps to C1.1/C1.2/A1.2.
  • 1130 AWS Backup Auditor (headline) — The largest single-plugin institutional-hardening arc in the EE codebase: ~7800 lines across 18 sessions / 25 commits / 545 plugin tests, with 19 R2-strict recurrence-class same-session closures.

The headline — 12-dimension air-gapped vault attestation

Plugin 1130 audits the AWS Backup substrate end-to-end. The headline capability is the 12-dimension air-gapped vault attestation arc for LogicallyAirGappedBackupVault resources — AWS’s cryptographically isolated WORM vault primitive, the canonical institutional ransomware-defense control. Six primary cryptographic-isolation mechanisms are verified:

  1. Vault TYPE air-gappedVaultType = LogicallyAirGappedBackupVault literal-pin
  2. ARN account-segment-separation — vault ARN account segment ≠ source-account caller credentials
  3. Destination KMS key-policy clean — no source-account principals; NotPrincipal/NotAction Allow conservatively treated as universal-allow
  4. Destination KMS Grants clean — no source-account GranteePrincipal with decrypt-class Operations (Grants bypass key-policy entirely)
  5. MRK-replica topology clean — no MRK replica in source account; primary not in source account; primary key region matches vault region
  6. Source-account VPC-endpoint policy clean — DescribeVpcEndpoints filtered to KMS service endpoints; no source-account-Principal or wildcard-Principal decrypt grants

Plus 6 additional substrate dimensions (PITR / retention / encryption / RestoreTesting cadence / Legal Holds / vault Access Policy). 74 new soc2.json titlePatterns mapped across CC6.3 + CC6.6 + CC7.1 + CC8.1 + C1.1 + C1.2 (25) + A1.2 (14).

Institutional-hardening process artifact

The EE-RT.12.7–24 arc surfaced 4 new institutional-memory artifacts now applied preemptively across the entire EE codebase: aws_string_case_normalization (19× preemptive applications), emit_literal_set_drift, tsc_pi1_sub_criteria, conservative_classifier_principle (emit INFO+evidenceGap, not vacuous PASS, when ARN-shape disambiguation needs a follow-up API call).
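As an added illustration (not NSAuditor's own code), the JavaScript below sketches how attestation dimension 3 ("destination KMS key-policy clean") and the conservative_classifier_principle combine: NotPrincipal/NotAction Allow statements are treated as universal-allow, source-account principals fail, and a principal whose ARN shape carries no account segment yields INFO plus an evidence gap rather than a vacuous PASS. The function names, the finding shape and the sample key policy (accounts 111111111111 and 222222222222, a deleted-principal unique ID) are constructed assumptions.

```javascript
// Account segment of an AWS principal: '*' for wildcard, a 12-digit id, or null when the
// shape carries no account (e.g. the unique ID AWS leaves behind after a principal is deleted).
function principalAccount(principal) {
  if (principal === '*') return '*';
  if (/^\d{12}$/.test(principal)) return principal;
  const m = /^arn:aws[^:]*:(?:iam|sts)::(\d{12}):/.exec(principal);
  return m ? m[1] : null;
}
// Only the AWS principal list (or a bare "*") takes part in the account test;
// Service principals carry no account and are out of scope for this dimension.
function awsPrincipals(stmt) {
  const p = stmt.Principal;
  if (p === '*') return ['*'];
  if (!p || p.AWS === undefined) return [];
  return Array.isArray(p.AWS) ? p.AWS : [p.AWS];
}
function classifyDestinationKeyPolicy(policyDoc, sourceAccountId) {
  const findings = [];
  for (const stmt of [].concat(policyDoc.Statement || [])) {
    // Effect is case-normalized at the boundary so "allow" is not silently skipped.
    if (String(stmt.Effect).toLowerCase() !== 'allow') continue;
    // Negated matchers on an Allow cannot be bounded statically: treat as universal-allow.
    if (stmt.NotPrincipal !== undefined || stmt.NotAction !== undefined) {
      findings.push({ severity: 'CRITICAL', sid: stmt.Sid, reason: 'NotPrincipal/NotAction Allow treated as universal-allow' });
      continue;
    }
    for (const principal of awsPrincipals(stmt)) {
      const account = principalAccount(principal);
      if (account === '*') {
        findings.push({ severity: 'CRITICAL', sid: stmt.Sid, reason: `wildcard principal ${principal}` });
      } else if (account === sourceAccountId) {
        findings.push({ severity: 'CRITICAL', sid: stmt.Sid, reason: `source-account principal ${principal}` });
      } else if (account === null) {
        // Conservative classifier: an evidence gap needing a follow-up lookup, never a vacuous PASS.
        findings.push({ severity: 'INFO', evidenceGap: true, sid: stmt.Sid, reason: `account not derivable from ${principal}` });
      }
    }
  }
  const status = findings.some(f => f.severity === 'CRITICAL') ? 'FAIL'
    : findings.some(f => f.evidenceGap) ? 'INFO' : 'PASS';
  return { status, findings };
}
// Constructed sample: 222222222222 is the source account; the vault and its key live in 111111111111.
const SAMPLE_KEY_POLICY = { Statement: [
  { Sid: 'VaultAdmin', Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111111111111:root' }, Action: 'kms:*', Resource: '*' },
  { Sid: 'SourceLeak', Effect: 'allow', Principal: { AWS: ['arn:aws:iam::222222222222:role/BackupOperator'] }, Action: 'kms:Decrypt', Resource: '*' },
  { Sid: 'Negated', Effect: 'Allow', NotPrincipal: { AWS: 'arn:aws:iam::111111111111:root' }, Action: 'kms:Decrypt', Resource: '*' },
  { Sid: 'Orphan', Effect: 'Allow', Principal: { AWS: 'AROAEXAMPLEDELETEDROLE' }, Action: 'kms:DescribeKey', Resource: '*' },
] };
```

Running `classifyDestinationKeyPolicy(SAMPLE_KEY_POLICY, '222222222222')` returns FAIL with two CRITICAL findings (SourceLeak, Negated) and one INFO evidence gap (Orphan); the VaultAdmin statement alone classifies as PASS.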

Coverage matrix

No matrix shift since 0.3.9 — stays 10 covered / 4 partial / 33 OOS. Institutional honesty: adding plugins that audit the same substrate dimensions more thoroughly is evidence-quality uplift, not coverage expansion. Matrix-shift opportunity reserved for EE-RT.7 Lambda Runtime Assurance (PI1.1–PI1.4) in EE 0.5 / Q3 Y1.

Validation evidence

545 plugin tests for 1130 + ~400 across 1070–1120 + 74 drift-detector pins. Full regression: 3792/3792 green at ~132s wall. ~200 reviewer folds. 0 CRITICAL ship-blockers after fold.

Availability

npm install -g nsauditor-ai@0.1.40 @nsasoft/nsauditor-ai-ee@0.4.0
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json

# Or the headline AWS Backup Auditor in isolation:
nsauditor-ai scan --host aws --plugins 1130 --compliance soc2 --out evidence.json

Resources

Nsasoft US LLC — press@nsasoft.us · nsasoft.us