NSAuditor AI Pro v0.2 — What’s New

NSAuditor AI Pro v0.2 ships five parallel AI agents, a three-state verification engine, MITRE ATT&CK-mapped risk scoring, and full backport detection. Here’s everything that changed.

NSAuditor AI Pro v0.2 is out. This release moves the product from a single-threaded scanner to a fully parallel multi-agent architecture — a fundamental change in how findings are generated, verified, and scored. Here’s a full breakdown of what’s new.


Five Parallel AI Agents

The biggest change in v0.2 is the agent layer. Where previous versions ran analysis sequentially, Pro v0.2 deploys five specialized agents simultaneously using Promise.allSettled — meaning all five run in parallel and failures in one agent never block the others.

Each agent owns a distinct attack surface:

  • Auth Agent — tests authentication weaknesses: default credentials on SSH and Telnet, anonymous FTP access, SNMP community string probes. Maps to MITRE ATT&CK T1021.004, T1190, T1078.001.
  • Crypto Agent — performs live TLS handshakes to detect TLS 1.0/1.1 still negotiable, CBC-mode cipher suites, weak Diffie-Hellman parameters, and export-grade crypto. Maps to T1557.
  • Config Agent — scans for exposed admin interfaces (phpMyAdmin, Adminer, Grafana), sensitive files (/.env, /config.json, /debug/), and directory listing enabled on web roots. Maps to T1046, T1592.
  • Service Agent — performs service fingerprinting and version analysis with full backport awareness. Maps to T1190.
  • Exposure Agent — identifies lateral movement paths by correlating co-exposed services. SMB + RDP open on the same host = a lateral movement chain, not two separate findings. Maps to T1021.001, T1021.002.
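
The failure isolation described above, as an added example (not NSAuditor's own code). The five agents are hypothetical stubs, and `runAgents`, the finding fields and the `192.0.2.10` target are illustrative names.

```javascript
// Hypothetical agent stubs standing in for the five agents; one of them fails.
const agents = {
  auth:     async (host) => [{ agent: 'auth', host, title: 'Anonymous FTP access' }],
  crypto:   async () => { throw new Error('TLS handshake timed out'); },
  config:   async (host) => [{ agent: 'config', host, title: '/.env exposed' }],
  service:  async () => [],
  exposure: async (host) => [{ agent: 'exposure', host, title: 'SMB + RDP co-exposed' }],
};

// Start every agent at once and wait until all of them have settled.
// Unlike Promise.all, Promise.allSettled never rejects, so one failing
// agent cannot discard the findings of the other four.
async function runAgents(agentMap, host) {
  const names = Object.keys(agentMap);
  const settled = await Promise.allSettled(
    // The async wrapper also turns a synchronous throw into a rejection.
    names.map(async (name) => agentMap[name](host))
  );
  const findings = [];
  const failures = [];
  settled.forEach((result, i) => {
    if (result.status === 'fulfilled') {
      findings.push(...result.value);
    } else {
      // Keep the failure so the report can show which surface was not assessed.
      failures.push({ agent: names[i], reason: String(result.reason?.message ?? result.reason) });
    }
  });
  return { findings, failures };
}

runAgents(agents, '192.0.2.10').then(({ findings, failures }) => {
  console.log(findings.length, 'findings;', failures.length, 'agent(s) failed');
});
```

A failed agent means that surface was not assessed, so the `failures` list lets a report say so instead of implying a clean result.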

Verification Engine

Every finding generated by the five agents is routed through the verification engine before it reaches the report. The engine assigns one of three verdicts:

  • VERIFIED — the probe confirmed the vulnerability is real and exploitable
  • POTENTIAL — the finding is plausible but could not be confirmed with a safe probe
  • FALSE_POSITIVE — the finding was ruled out by additional context (e.g. backport detection)

Only VERIFIED findings contribute to the final risk score. POTENTIAL findings are surfaced separately for human review. FALSE_POSITIVEs are excluded from the report entirely, along with an explanation of why they were dismissed.

This is the mechanism that eliminates false alarm fatigue — the core problem with traditional scanners that report every CVE matching a version string regardless of whether the vulnerability is actually present.


Backport Detection

One of the most impactful additions in v0.2. Linux distributions — Ubuntu, Debian, RHEL, CentOS, and others — routinely backport security patches without bumping the version number. A server running OpenSSH 8.2p1 on Ubuntu may have had the patch for CVE-2023-38408 applied months ago, but the version string still reads 8.2p1.

Every scanner that matches on version strings will flag this as a critical finding. NSAuditor AI Pro v0.2 reads the actual distro-level patch metadata — dpkg changelogs on Debian/Ubuntu, RPM annotations on RHEL/CentOS — to determine whether the patch is present. If it is, the finding is marked FALSE_POSITIVE before it ever appears in the report.
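
One way to turn changelog evidence into a verdict, as an added example (not NSAuditor's own code). It assumes the changelog text comes from the installed package; `parseChangelog`, `checkBackport`, the finding fields and the sample changelog are constructed for illustration.

```javascript
// Constructed sample in Debian changelog format; the package revision,
// maintainer and dates are made up.
const SAMPLE_CHANGELOG = `openssh (1:8.2p1-4ubuntu0.99) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - debian/patches/CVE-2023-38408-1.patch: constructed entry
    - CVE-2023-38408

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Jan 2024 00:00:00 +0000

openssh (1:8.2p1-4) unstable; urgency=medium

  * Routine packaging update (constructed entry).

 -- Example Maintainer <maintainer@example.com>  Sun, 01 Mar 2020 00:00:00 +0000
`;

// Entry header: "package (version) distribution; urgency=..."
const ENTRY_HEADER = /^(\S+) \(([^)]+)\) [^;]+;/;
const CVE_ID = /CVE-\d{4}-\d{4,}/g;

// Split the changelog into entries and collect the CVE ids each one mentions.
function parseChangelog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const header = ENTRY_HEADER.exec(line);
    if (header) {
      entries.push({ pkg: header[1], version: header[2], cves: new Set() });
    } else if (entries.length > 0) {
      for (const id of line.match(CVE_ID) || []) entries[entries.length - 1].cves.add(id);
    }
  }
  return entries;
}

// Downgrade a version-string match when the package changelog lists the CVE.
function checkBackport(finding, changelogText) {
  const entry = parseChangelog(changelogText)
    .find((e) => e.pkg === finding.pkg && e.cves.has(finding.cve));
  if (entry) {
    return { ...finding, verdict: 'FALSE_POSITIVE',
      reason: `${finding.cve} listed in changelog entry ${finding.pkg} ${entry.version}` };
  }
  // No patch evidence: the version match alone confirms nothing either way.
  return { ...finding, verdict: 'POTENTIAL', reason: 'no changelog entry for this CVE' };
}
```

Matching a CVE id in changelog text is a heuristic: an entry can also mention a CVE to say the package was not affected, so the stored `reason` should be reviewable.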


MITRE ATT&CK-Mapped Risk Scoring

v0.2 introduces a new risk scoring formula that goes beyond raw CVSS:

Risk Score = (CVSS ÷ 10) × verification weight + MITRE ATT&CK uplift

Verification weight reflects confidence: VERIFIED findings carry full weight, POTENTIAL findings are discounted. MITRE ATT&CK uplift adds additional risk score for findings mapped to active adversary techniques — a VERIFIED finding mapped to T1190 (Exploit Public-Facing Application) scores higher than the same CVSS finding without ATT&CK context.

The result is a prioritized, actionable report — not a flat list of CVEs sorted by severity.
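
The formula and the verdict rules applied to a small set of findings, as an added example (not NSAuditor's own code). The page gives no numeric values, so the weights and the uplift below are assumptions, as are the function names and the constructed findings.

```javascript
// Assumed values: the page states the formula but not the numbers.
const VERIFICATION_WEIGHT = { VERIFIED: 1.0, POTENTIAL: 0.5 };
const ATTACK_UPLIFT = 0.2; // assumed flat uplift for any ATT&CK-mapped finding

// Risk Score = (CVSS ÷ 10) × verification weight + MITRE ATT&CK uplift
function riskScore(finding) {
  const weight = VERIFICATION_WEIGHT[finding.verdict];
  if (weight === undefined) throw new Error(`no weight for verdict ${finding.verdict}`);
  if (!(finding.cvss >= 0 && finding.cvss <= 10)) throw new Error('CVSS must be 0-10');
  const mapped = Array.isArray(finding.techniques) && finding.techniques.length > 0;
  return (finding.cvss / 10) * weight + (mapped ? ATTACK_UPLIFT : 0);
}

// VERIFIED findings form the scored list, POTENTIAL findings go to a
// separate review list, and FALSE_POSITIVE findings are left out of both.
function buildReport(findings) {
  const kept = findings
    .filter((f) => f.verdict !== 'FALSE_POSITIVE')
    .map((f) => ({ ...f, score: riskScore(f) }));
  const byScoreDesc = (a, b) => b.score - a.score;
  return {
    scored: kept.filter((f) => f.verdict === 'VERIFIED').sort(byScoreDesc),
    review: kept.filter((f) => f.verdict === 'POTENTIAL').sort(byScoreDesc),
  };
}

// Constructed findings: same CVSS with and without ATT&CK context, plus
// a higher-CVSS finding that was never confirmed and one that was ruled out.
const SAMPLE_FINDINGS = [
  { id: 'A', cvss: 7.5, verdict: 'VERIFIED', techniques: [] },
  { id: 'B', cvss: 7.5, verdict: 'VERIFIED', techniques: ['T1190'] },
  { id: 'C', cvss: 9.8, verdict: 'POTENTIAL', techniques: ['T1190'] },
  { id: 'D', cvss: 9.8, verdict: 'FALSE_POSITIVE', techniques: ['T1190'] },
];

const report = buildReport(SAMPLE_FINDINGS);
console.log(report.scored.map((f) => `${f.id}=${f.score.toFixed(2)}`).join(', '));
```

With these assumed values the VERIFIED 7.5 finding mapped to T1190 ranks above both the unmapped 7.5 finding and the unconfirmed 9.8 finding.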


CVE Correlation and Offline NVD Feed

Pro v0.2 ships with an offline NVD (National Vulnerability Database) feed for CVE matching. Scans do not require internet access for CVE lookup — the feed is bundled and updated on release. CPE identifiers are generated automatically from service fingerprints, and matched CVEs are enriched with CVSS v3 scores and ATT&CK mappings where available.


Zero Data Exfiltration

No change here — but worth restating. All scans in Pro v0.2 run entirely on your infrastructure. No scan data, discovered services, CVE matches, credentials tested, or network topology information leaves your machine. The ZDE (Zero Data Exfiltration) architecture is enforced at the design level, not the policy level.


Installation

npm install -g @nsasoft/nsauditor-ai-ee
export NSAUDITOR_LICENSE_KEY=pro_eyJ...
nsauditor-ai scan --target 192.168.1.0/24

Pro and Enterprise licenses are available at nsauditor.com/ai/pricing. Free trial (follow-based) at nsauditor.com/ai/trial. The Community Edition remains MIT-licensed on npm: npm install -g nsauditor-ai.