NSAuditor AI EE 0.3.7 + 0.3.8 — Paired Release Closes the v0.4.0 Runtime Assurance Stack: New 040 AWS CloudTrail Operational Integrity Auditor Moves SOC 2 CC7.2 + CC7.3 Partial→Covered

EE 0.3.7+0.3.8: new plugin 040 AWS CloudTrail Operational Integrity Auditor — CC7.2/CC7.3 covered, CIS §3.1-3.14 alarm coverage, SEC 17a-4 WORM evidence.

LAS VEGAS, NV — May 12, 2026 — Nsasoft US LLC, a network-security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.8, an institutional-grade hardening release for the v0.4.0 Runtime Assurance stack that 0.3.7 shipped 24 hours prior. The paired releases close the AWS CloudTrail / CloudWatch / Config Operational Integrity work end-to-end: CC7.2 (System Monitoring) and CC7.3 (Security Event Detection) transitioned from partial to covered, the AICPA Trust Services Criteria coverage matrix shifted 8/5/34 → 10/3/34, and the v2 metric-filter audit now reads the auditor-canonical logs:DescribeMetricFilters evidence stream against the CIS AWS Foundations Benchmark v1.5 §3.1–3.14 baseline.

The new EE plugin — 040 AWS CloudTrail Operational Integrity Auditor

This release introduces a sixth EE plugin alongside the existing five. The full EE plugin list as of 0.3.8:

  • 020 AWS S3 Security Auditor — S3 misconfiguration, public access blocks, Object Lock COMPLIANCE-mode validation, MFA Delete (C1.1, C1.2, CC7.1)
  • 021 GCP Security Audit — Firewall rules, IAM bindings, GCS bucket exposure (CC6.1, CC6.6, C1.1)
  • 022 Azure Security Audit — NSG rules, RBAC, Storage (CC6.1, CC6.6, C1.1)
  • 023 Zero Trust Assessment — Segmentation, encryption-in-transit, identity posture
  • 030 AWS IAM Deep Auditor — Shadow-admin paths (AssumeRole + PassRole), restrictive-Condition allowlist, OIDC heuristic, per-hop evidence trail (CC6.1)
  • 040 AWS CloudTrail Operational Integrity Auditor — NEW in 0.3.7 / hardened in 0.3.8. Trail health (multi-region default-ON, log-file validation, KMS-CMK, IsLogging), CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 via the v2 metric-filter audit, AWS Config recorder + Organizations ConfigurationAggregator detection with deterministic STS account-coverage cross-reference, and cross-account S3 trail-destination WORM verification (Object Lock + Versioning + MFADelete per trail bucket) for SEC Rule 17a-4 / FINRA 4511 retention evidence. Defensive caps + exponential-backoff throttle retry + 5-minute wall-clock budget for large-fleet (>1000 trails) enterprise customers. Closes CC7.2 + CC7.3.
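The trail-destination WORM check described for plugin 040 (and detailed under EE-RT.1.4 below), as an added example that is not NSAuditor AI EE code. It evaluates constructed objects shaped like the S3 GetObjectLockConfiguration and GetBucketVersioning responses, so it runs offline; the GOVERNANCE-mode and retention-baseline severities follow the release notes, while the HIGH/MEDIUM severities for the versioning and MFA Delete issues, the function names and the sample bucket names are this example's assumptions.

```javascript
// Added example (not NSAuditor AI EE code): per-trail-bucket WORM evidence check in the
// spirit of the 040 plugin's SEC 17a-4 / FINRA 4511 audit. Inputs are constructed objects
// shaped like the S3 GetObjectLockConfiguration and GetBucketVersioning responses; no AWS
// calls are made here.

const SEVERITY_RANK = { CRITICAL: 3, HIGH: 2, MEDIUM: 1 };
const DEFAULT_RETENTION_BASELINE_DAYS = 7 * 365; // SEC 17a-4 default; HIPAA 6y / PCI 1y are overrides

// Convert a DefaultRetention rule ({Days} or {Years}) into days; 0 when no rule exists.
function retentionDays(rule) {
  const r = rule && rule.DefaultRetention;
  if (!r) return 0;
  if (r.Days) return r.Days;
  if (r.Years) return r.Years * 365;
  return 0;
}

// Audit one trail-destination bucket. Returns a finding in the
// { resource, severity, issues[] } shape, or null when the bucket is clean.
function auditTrailBucket(bucket, state, baselineDays = DEFAULT_RETENTION_BASELINE_DAYS) {
  const issues = [];
  let severity = null;
  const raise = (sev, text) => {
    issues.push(text);
    if (!severity || SEVERITY_RANK[sev] > SEVERITY_RANK[severity]) severity = sev;
  };

  const cfg = state.objectLock && state.objectLock.ObjectLockConfiguration;
  if (!cfg || cfg.ObjectLockEnabled !== 'Enabled') {
    raise('CRITICAL', 'Object Lock not enabled: trail logs can be overwritten or deleted');
  } else {
    const mode = cfg.Rule && cfg.Rule.DefaultRetention && cfg.Rule.DefaultRetention.Mode;
    if (mode === 'GOVERNANCE') {
      raise('CRITICAL', 'Object Lock in GOVERNANCE mode: bypass-able via s3:BypassGovernanceRetention');
    }
    const days = retentionDays(cfg.Rule);
    if (days < baselineDays) {
      raise('MEDIUM', `Default retention ${days}d is below baseline ${baselineDays}d`);
    }
  }

  const v = state.versioning || {};
  // Severities for the versioning / MFA Delete issues are this example's assumption.
  if (v.Status !== 'Enabled') raise('HIGH', 'Bucket versioning not enabled');
  if (v.MFADelete !== 'Enabled') raise('MEDIUM', 'MFA Delete not enabled');

  return issues.length ? { resource: `arn:aws:s3:::${bucket}`, severity, issues } : null;
}

// Walk the trail list and audit each distinct destination bucket once.
function auditTrailBuckets(trails, bucketState, baselineDays) {
  const seen = new Set();
  const findings = [];
  for (const t of trails) {
    const b = t.S3BucketName;
    if (!b || seen.has(b)) continue;
    seen.add(b);
    const f = auditTrailBucket(b, bucketState[b] || {}, baselineDays);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample input (bucket names and trail names are made up).
const SAMPLE_TRAILS = [
  { Name: 'org-trail', S3BucketName: 'ct-logs-compliance' },
  { Name: 'app-trail', S3BucketName: 'ct-logs-governance' },
  { Name: 'app-trail-2', S3BucketName: 'ct-logs-governance' }, // same bucket, audited once
];
const SAMPLE_BUCKET_STATE = {
  'ct-logs-compliance': {
    objectLock: { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
      Rule: { DefaultRetention: { Mode: 'COMPLIANCE', Years: 7 } } } },
    versioning: { Status: 'Enabled', MFADelete: 'Enabled' },
  },
  'ct-logs-governance': {
    objectLock: { ObjectLockConfiguration: { ObjectLockEnabled: 'Enabled',
      Rule: { DefaultRetention: { Mode: 'GOVERNANCE', Days: 30 } } } },
    versioning: { Status: 'Enabled', MFADelete: 'Disabled' },
  },
};

console.log(JSON.stringify(auditTrailBuckets(SAMPLE_TRAILS, SAMPLE_BUCKET_STATE), null, 2));
```

With the sample input the COMPLIANCE-mode bucket produces no finding, while the GOVERNANCE-mode bucket produces a single CRITICAL finding carrying three issues (GOVERNANCE mode, 30-day retention below the 7-year baseline, MFA Delete off); the two trails that share that bucket yield one finding, not two.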

Why this paired release matters

The 0.3.x line had, through 0.3.6, delivered SOC 2 evidence-quality improvements within existing covered controls. EE 0.3.7 was the first matrix-shift release of the year: the new plugins/040_aws_cloudtrail_auditor.mjs audits CloudTrail trail health, CloudWatch alarm coverage against the CIS Foundations Benchmark §3.1–3.14 baseline, and AWS Config recorder state — closing CC7.2 and CC7.3 to covered. But 0.3.7 shipped with five explicitly-deferred institutional follow-ups plus residual IAM-telemetry polish — every gap disclosed in the release notes, but every gap still real.

EE 0.3.8 closes every one of those gaps in a single 12-commit institutional-hardening session. No coverage matrix shift; the evidence under each covered control is now substantially more thorough, more honest about partial-coverage cases, and better defended against adversarial input. For SOC 2 Type-II audit walkthroughs, this is the difference between “we audit CC7.2” and “we audit CC7.2 with the auditor-canonical evidence stream, across every AWS region in the partition, with honest disclosure when permission boundaries leave gaps, and with WORM verification on the trail-destination bucket itself.”

0.3.7 — The matrix shift (EE-RT.1)

The first v0.4.0 Runtime Assurance plugin 040_aws_cloudtrail_auditor.mjs emits eight detection classes in the canonical {resource, severity, issues[]} finding shape:

  1. Zero CloudTrail trails (CRITICAL, account-level) — issue text includes the AWS Organizations sub-account OrgTrail caveat with details.possibleOrgTrailMember: true
  2. Trail not multi-region (HIGH) — IsMultiRegionTrail=false misses out-of-region API calls
  3. Data events not enabled (MEDIUM) — handles both classic EventSelectors.DataResources and modern AdvancedEventSelectors.FieldSelectors[eventCategory=Data]
  4. Log file integrity not validated (HIGH) — LogFileValidationEnabled=false means CloudTrail cannot detect post-hoc log file tampering
  5. Trail logging stopped (HIGH) — IsLogging=false means trail configured but inactive
  6. Trail not KMS-CMK encrypted (MEDIUM) — customer-controlled key custody for institutional audit-trail confidentiality
  7. CloudWatch alarm coverage against CIS §3.1–3.14 — one finding per missing class. Severity per institutional audit-firm practice: cis-3.3 (Root account usage) = CRITICAL; cis-3.2 / 3.5 / 3.7 / 3.8 / 3.9 = HIGH; remaining 9 classes = MEDIUM
  8. AWS Config recorders — HIGH for zero/stopped recorders, MEDIUM for partial coverage
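Detection classes 1 through 6 above, worked as an added example that is not the 040 plugin's own code. It evaluates constructed objects shaped like the CloudTrail DescribeTrails, GetTrailStatus and GetEventSelectors responses (handling both the classic DataResources and the modern AdvancedEventSelectors form for class 3) and emits findings in the {resource, severity, issues[]} shape; the account-level resource string, the function names, the sample account id and the trail names are this example's assumptions.

```javascript
// Added example (not NSAuditor AI EE code): trail-health detection classes 1-6 over
// constructed objects shaped like the CloudTrail DescribeTrails, GetTrailStatus and
// GetEventSelectors responses. No AWS calls are made.

const SEV = { CRITICAL: 3, HIGH: 2, MEDIUM: 1 };

// True when either the classic EventSelectors.DataResources form or the modern
// AdvancedEventSelectors eventCategory=Data form enables data events.
function dataEventsEnabled(selectors) {
  const classic = (selectors.EventSelectors || []).some(
    (s) => Array.isArray(s.DataResources) && s.DataResources.length > 0);
  const advanced = (selectors.AdvancedEventSelectors || []).some((s) =>
    (s.FieldSelectors || []).some(
      (f) => f.Field === 'eventCategory' && (f.Equals || []).includes('Data')));
  return classic || advanced;
}

// Audit one trail. `trail` is a DescribeTrails entry, `status` a GetTrailStatus
// result, `selectors` a GetEventSelectors result. Returns null when the trail is clean.
function auditTrail(trail, status, selectors) {
  const issues = [];
  let severity = null;
  const raise = (sev, text) => {
    issues.push(text);
    if (!severity || SEV[sev] > SEV[severity]) severity = sev;
  };
  if (!trail.IsMultiRegionTrail) raise('HIGH', 'IsMultiRegionTrail=false: out-of-region API calls are not recorded');
  if (!dataEventsEnabled(selectors)) raise('MEDIUM', 'Data events not enabled (no DataResources / eventCategory=Data selector)');
  if (!trail.LogFileValidationEnabled) raise('HIGH', 'LogFileValidationEnabled=false: post-hoc log tampering is undetectable');
  if (!status.IsLogging) raise('HIGH', 'IsLogging=false: trail configured but inactive');
  if (!trail.KmsKeyId) raise('MEDIUM', 'Trail not KMS-CMK encrypted (no KmsKeyId)');
  return issues.length ? { resource: trail.TrailARN, severity, issues } : null;
}

// Account-level pass: zero trails is CRITICAL with the OrgTrail caveat (class 1);
// otherwise one finding per trail that has at least one issue.
function auditAccount(accountId, trails, statusByArn, selectorsByArn) {
  if (trails.length === 0) {
    return [{
      resource: `account:${accountId}`, // hypothetical account-level resource id
      severity: 'CRITICAL',
      issues: ['No CloudTrail trails in this account (may be covered by an AWS Organizations OrgTrail owned by the management account)'],
      details: { possibleOrgTrailMember: true },
    }];
  }
  return trails
    .map((t) => auditTrail(t, statusByArn[t.TrailARN] || {}, selectorsByArn[t.TrailARN] || {}))
    .filter(Boolean);
}

// Constructed sample input (account id and names are made up).
const ACCOUNT = '123456789012';
const GOOD_ARN = `arn:aws:cloudtrail:us-east-1:${ACCOUNT}:trail/org-trail`;
const BAD_ARN = `arn:aws:cloudtrail:us-east-1:${ACCOUNT}:trail/legacy-trail`;
const SAMPLE_TRAIL_LIST = [
  { Name: 'org-trail', TrailARN: GOOD_ARN, IsMultiRegionTrail: true,
    LogFileValidationEnabled: true, KmsKeyId: `arn:aws:kms:us-east-1:${ACCOUNT}:key/example-key-id` },
  { Name: 'legacy-trail', TrailARN: BAD_ARN, IsMultiRegionTrail: false,
    LogFileValidationEnabled: false },
];
const SAMPLE_STATUS = { [GOOD_ARN]: { IsLogging: true }, [BAD_ARN]: { IsLogging: false } };
const SAMPLE_SELECTORS = {
  [GOOD_ARN]: { AdvancedEventSelectors: [{ Name: 'S3 data events',
    FieldSelectors: [{ Field: 'eventCategory', Equals: ['Data'] },
                     { Field: 'resources.type', Equals: ['AWS::S3::Object'] }] }] },
  [BAD_ARN]: { EventSelectors: [{ ReadWriteType: 'All', IncludeManagementEvents: true, DataResources: [] }] },
};

console.log(JSON.stringify(auditAccount(ACCOUNT, SAMPLE_TRAIL_LIST, SAMPLE_STATUS, SAMPLE_SELECTORS), null, 2));
```

The well-configured trail produces no finding; the legacy trail produces one HIGH finding listing all five issues, and an empty trail list produces the account-level CRITICAL finding with details.possibleOrgTrailMember set.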

Threads CT.1 + CT.2 (plugin 030) added the restrictive-Condition allowlist (20 canonical scoping operators across AWS-native, SAML, and OIDC primitives) and the vacuous-Condition telemetry counter — closing the largest remaining false-positive class in the IAM shadow-admin trust evaluators. 27 reviewer folds across 3 same-session two-reviewer cycles; ~170 new tests.

0.3.8 — Institutional hardening (every deferred EE-RT.1.x follow-up)

  • EE-RT.1.1 — v2 metric-filter audit. Replaces the v1 alarm-name substring heuristic with the auditor-canonical logs:DescribeMetricFilters evidence stream. v2-covered semantics: “filter pattern matches CIS hint AND alarm correlates” — pure filter-pattern matches without alarm correlation surface as filterPresent: true, covered: false. v1 heuristic preserved as soft-degrade fallback with explicit v2FallbackReason transparency. Cross-account LogGroup AccessDenied emits a synthetic HIGH evidence-gap finding — closes the institutional false-negative class where a trail in App-Account ships to a Security-Account LogGroup. 10 reviewer folds + 30 new tests.
  • EE-RT.1.2 — Multi-region trail enumeration DEFAULT-ON. 36 canonical AWS regions (32 commercial-aws + 2 aws-cn + 2 aws-us-gov; region-list version stamp 2026-05). BOTH-reviewers-converged fold: credential errors split from opt-in errors and routed to a distinct bucket, so singleRegionTrailsInOtherRegionsUnaudited: true is kept when a multi-region scan was attempted-but-incomplete. BEHAVIOR CHANGE with explicit single-region opt-out preserved. 2 HIGH folds + 31 new tests.
  • EE-RT.1.3 + EE-RT.1.3.x — Config Aggregator detection + STS deterministic account-coverage check. AWS Organizations ConfigurationAggregator audit classifies by source type. The sts:GetCallerIdentity cross-reference converts the walkthrough-dependent MEDIUM into a deterministic PASS (current account IS in aggregator source list) or HIGH (NOT in list — real CC7.2 evidence gap). 3 reviewer folds for EE-RT.1.3 + 10 new tests for EE-RT.1.3.x.
  • EE-RT.1.4 — Cross-account S3 trail-destination audit (SEC 17a-4 / FINRA 4511 WORM evidence). The LAST major EE-RT.1.x deferred thread. Per-trail Object Lock + Versioning + MFADelete audit; configurable retention baseline (default 7y SEC 17a-4; HIPAA 6y / PCI 1y). Object Lock GOVERNANCE mode emits CRITICAL (bypass-able via s3:BypassGovernanceRetention); no Object Lock emits CRITICAL; retention below baseline emits MEDIUM. soc2.json mapping: trail-bucket patterns added to BOTH C1.2 (Disposal of Confidential Information) AND CC7.2 (Monitoring substrate integrity). 5 reviewer folds + 16 new tests.
  • EE-RT.1.5 — Defensive caps + rate-limit-aware throttle handling. Exponential-backoff retry on Throttling/ThrottlingException/RequestLimitExceeded/TooManyRequestsException. Per-region trail cap (default 100, deterministic sort by TrailARN lex BEFORE slice). Total-trail-audit cap (default 500). Wall-clock budget (THROTTLE_WALL_BUDGET_MS_DEFAULT = 5 min). 5 reviewer folds + 21 new tests.
  • Threads CT.3 + CT.4 + CT.5 — Plugin 030 IAM-telemetry polish. Configurable MAX_TELEMETRY_ENTRIES; distinct-dropped-key sentinel; OIDC :sub/:aud heuristic for Auth0 / Okta / Cognito User Pool / Keycloak / CircleCI. 28 new tests total.
  • EE-INFRA.1 — utils/file_lock.mjs busy-loop fix. Three previously-bare continue paths in acquireLock bypassed the timeout-check + retry-delay. npm test works again at 2577/2577 in ~130s (was effectively ∞).
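The v2-covered semantics from EE-RT.1.1 (and detection class 7 above), worked as an added example that is not the 040 plugin's own code: a class is covered only when a metric filter matches its CIS pattern and an alarm watches the metric that filter emits, a matching filter with no correlating alarm reports filterPresent: true, covered: false, and the v1 alarm-name heuristic is kept as a soft-degrade fallback that stamps v2FallbackReason. Inputs are constructed objects shaped like the logs:DescribeMetricFilters and cloudwatch:DescribeAlarms responses; the three-class hint table, the v1 substrings, the function names and the sample names are this example's assumptions (the filter patterns themselves are the CIS Foundations Benchmark patterns for §3.1 to §3.3).

```javascript
// Added example (not NSAuditor AI EE code): the v2 "filter pattern matches CIS hint AND
// alarm correlates" semantics over constructed objects shaped like the
// logs:DescribeMetricFilters and cloudwatch:DescribeAlarms responses. The hint table and
// v1 alarm-name substrings are this example's assumptions, not the plugin's.

const CIS_CLASSES = [
  { id: 'cis-3.1', title: 'Unauthorized API calls', severity: 'MEDIUM',
    hints: ['UnauthorizedOperation', 'AccessDenied'], v1Names: ['unauthorized'] },
  { id: 'cis-3.2', title: 'Console sign-in without MFA', severity: 'HIGH',
    hints: ['ConsoleLogin', 'MFAUsed'], v1Names: ['nomfa'] },
  { id: 'cis-3.3', title: 'Root account usage', severity: 'CRITICAL',
    hints: ['userIdentity.type', 'Root'], v1Names: ['root'] },
];

// A filter matches a class when every hint token appears in its filterPattern.
function filterMatches(filter, cls) {
  const p = filter.filterPattern || '';
  return cls.hints.every((h) => p.includes(h));
}

// An alarm correlates with a filter when it watches one of the filter's emitted metrics.
function alarmFor(filter, alarms) {
  const metrics = filter.metricTransformations || [];
  return alarms.find((a) => metrics.some(
    (m) => m.metricName === a.MetricName && m.metricNamespace === a.Namespace));
}

// v2 evaluation: one coverage record per CIS class.
function evaluateV2(metricFilters, alarms) {
  return CIS_CLASSES.map((cls) => {
    const matching = metricFilters.filter((f) => filterMatches(f, cls));
    const alarm = matching.map((f) => alarmFor(f, alarms)).find(Boolean);
    return { cis: cls.id, filterPresent: matching.length > 0, covered: Boolean(alarm),
             alarmName: alarm ? alarm.AlarmName : null };
  });
}

// v1 soft-degrade: alarm-name substring heuristic, used only when DescribeMetricFilters
// could not be read; every record carries v2FallbackReason so the report stays honest.
function evaluateV1(alarms, reason) {
  return CIS_CLASSES.map((cls) => {
    const alarm = alarms.find((a) =>
      cls.v1Names.some((n) => a.AlarmName.toLowerCase().includes(n)));
    return { cis: cls.id, filterPresent: null, covered: Boolean(alarm),
             alarmName: alarm ? alarm.AlarmName : null, v2FallbackReason: reason };
  });
}

// Findings in the { resource, severity, issues[] } shape: one per class not covered.
function alarmCoverageFindings(records, logGroupName) {
  return records.filter((r) => !r.covered).map((r) => {
    const cls = CIS_CLASSES.find((c) => c.id === r.cis);
    const why = r.filterPresent
      ? 'metric filter present but no alarm correlates with its metric'
      : 'no metric filter matches the CIS pattern';
    return { resource: `cloudwatch-logs:${logGroupName}`, severity: cls.severity,
             issues: [`${cls.id} ${cls.title}: ${why}`] };
  });
}

// Constructed sample input (log group, filter, metric and alarm names are made up).
const SAMPLE_FILTERS = [
  { filterName: 'root-usage', logGroupName: 'CloudTrail/DefaultLogGroup',
    filterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
    metricTransformations: [{ metricName: 'RootUsageCount', metricNamespace: 'CISBenchmark', metricValue: '1' }] },
  { filterName: 'no-mfa-console', logGroupName: 'CloudTrail/DefaultLogGroup',
    filterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    metricTransformations: [{ metricName: 'NoMfaConsoleCount', metricNamespace: 'CISBenchmark', metricValue: '1' }] },
];
const SAMPLE_ALARMS = [
  { AlarmName: 'cis-root-usage', MetricName: 'RootUsageCount', Namespace: 'CISBenchmark' },
  // Name suggests MFA coverage, but the alarm watches an unrelated metric.
  { AlarmName: 'legacy-nomfa-alarm', MetricName: 'SomethingElse', Namespace: 'Other' },
];

console.log(JSON.stringify(alarmCoverageFindings(evaluateV2(SAMPLE_FILTERS, SAMPLE_ALARMS),
                                                 'CloudTrail/DefaultLogGroup'), null, 2));
```

On the sample input v2 reports cis-3.3 as covered, cis-3.2 as filterPresent: true, covered: false (the only MFA-named alarm watches a different metric) and cis-3.1 as absent, so two findings are emitted (HIGH and MEDIUM). The v1 fallback would have credited cis-3.2 on the alarm name alone, which is precisely the false-positive class the v2 evidence stream removes.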

Combined 0.3.7 + 0.3.8 stats

57 reviewer folds across 12 same-session two-reviewer cycles (general code review + network-security-audit lens, run in parallel). ~325 new tests. 2577/2577 full npm test green. Matrix shifted 8/5/34 → 10/3/34 in 0.3.7; held in 0.3.8 (entirely evidence-INTEGRITY uplift). New optionalDependencies across the pair: @aws-sdk/client-cloudtrail, @aws-sdk/client-cloudwatch, @aws-sdk/client-config-service, @aws-sdk/client-cloudwatch-logs, @aws-sdk/client-sts.

peerDependencies floor bump

nsauditor-ai ^0.1.31 → ^0.1.38. Pre-0.1.37 CE versions silently bypassed MCP authentication + license verification when invoked via the published nsauditor-ai-mcp bin shim. EE 0.3.8 now formally refuses to install against vulnerable CE versions. Auditors evaluating SOC 2 evidence must verify the CE version recorded in evidence artifacts is ≥ 0.1.37.

Architecture & availability

EE 0.3.8 ships through npm as @nsasoft/nsauditor-ai-ee@0.3.8 (restricted access — Pro/Enterprise license required). The package layers on top of the open-source nsauditor-ai CE engine. EE 0.3.7 is explicitly deprecated on npm with a pointer to 0.3.8.

npm install -g nsauditor-ai@0.1.38 @nsasoft/nsauditor-ai-ee@0.3.8
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins 030,040 --compliance soc2 --out evidence.json

Press & analyst contact

Nsasoft US LLC
press@nsasoft.us · nsasoft.us

For SOC 2 audit-team trials with custom AWS scenarios, CIS Foundations Benchmark walkthroughs, or pre-Type-II readiness assessments, contact enterprise@nsasoft.us.