NSAuditor AI EE 0.14.0 Brings Azure NSG Perimeter Analysis to AWS-1170 Parity: NEW Plugin 1221 Adds Five Dimensions, Attachment-Aware Severity, and Effective Priority Resolution

EE 0.14.0 ships plugin 1221 azure-nsg-perimeter-auditor — the Azure analog of AWS 1170. Five dimensions, attachment-aware severity, effective priority + deny-override resolution.


Las Vegas, NV — May 26, 2026 — Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.14.0, a minor-version release that brings Azure Network Security Group (NSG) perimeter analysis to parity with the long-standing AWS Security Group auditor. The cycle ships a single new plugin — 1221 azure-nsg-perimeter-auditor — taking total Enterprise Edition plugin count from 26 to 27 (cloud-audit subset 25 → 26).

It is the 36th consecutive trio-publish in the institutionalized release cadence — restricted Enterprise Edition 0.14.0 alongside public Community Edition 0.1.79 and public agent-skill 0.1.46.

All six supported compliance coverage matrices remain unchanged — SOC 2 (AICPA TSC 2017) at 10/4/33, HIPAA Security Rule §164.312 at 7/3/45, NIST CSF 2.0 at 13/10/83, PCI DSS v4.0.1 at 20/8/39, ISO/IEC 27001:2022 at 17/14/62, and CIS Critical Security Controls v8 at 17/22/114. The 0.14.0 release is positioned as substrate-depth uplift on already-covered perimeter controls.

The Azure perimeter evidence gap this cycle closes

Before EE 0.14.0, Azure NSG evidence was generated by the multi-purpose 1022 scanner. Its NSG dimension is a flat per-rule lint: for any inbound Allow rule whose source is *, 0.0.0.0/0, or Internet, it emits one CRITICAL — with no port tiering, no IPv6 coverage, no priority/deny-override resolution, and no attachment-awareness.

That left a real false-negative surface. An NSG exposing SSH over ::/0 (the IPv6 internet wildcard), or via the 0.0.0.0/1 + 128.0.0.0/1 split-range trick (which covers the entire IPv4 internet without literally being 0.0.0.0/0), or where a higher-priority Deny rule actually neutralizes a permissive Allow — all of these slipped through or were mis-reported under the flat lint. EE 0.14.0 ships a dedicated, deeper auditor for exactly this surface.

NEW plugin 1221 — five dimensions in Azure priority order

Plugin 1221 evaluates each NSG’s inbound rules in Azure priority order (first-match-wins, with the DenyAllInbound default at priority 65500) across five dimensions per restricted management/data-tier port:

  1. All-protocol (*) public Allow — every TCP/UDP port reachable from the public internet, the worst-possible perimeter posture.
  2. Public-source to a RESTRICTED_PORT — public source (* / 0.0.0.0/0 / Internet) reaching SSH, RDP, MSSQL, MySQL, Postgres, Redis, Memcached, MongoDB, Elasticsearch, CouchDB, SMB, WinRM, Oracle, Docker, or Kubelet.
  3. ::/0 IPv6-wildcard to a restricted port — the dimension 1022’s flat lint misses. Operators lock IPv4 and forget IPv6 routinely; this dimension catches it.
  4. Public-to-non-restricted port — INFO substrate (likely an intentional public web tier; recorded for the auditor evidence pack, not raised as a finding).
  5. PASS substrate — no public restricted exposure after effective resolution.

Attachment-aware severity — the EFFECTIVE vs LATENT distinction

The defining design choice of this cycle is attachment-aware severity. Plugin 1221 reads the back-references Azure populates on the NSG list call — nsg.subnets[] and networkInterfaces[] — and uses them to tier severity:

  • An attached permissive NSG is an EFFECTIVE exposure → CRITICAL. The exposure is reachable from the public internet right now.
  • An orphaned permissive NSG is LATENT → MEDIUM. The misconfiguration exists and will become effective the instant the NSG is attached to a subnet or NIC — but it is not reachable today. This is the NSG analog of plugin 1220’s storage latent-toggle pattern (where allowBlobPublicAccess=false + public container = MEDIUM latent).

Auditors evaluating Type-II evidence packs get a clear signal-versus-noise separation: EFFECTIVE findings are the work-list, LATENT findings are the cleanup list.

Effective resolution — what the 1022 flat lint missed

Plugin 1221 implements effective priority and deny-override resolution. If a permissive Allow at priority 200 is preceded by a more-specific Deny at priority 100, the Deny wins — and 1221 does not raise a false-positive finding on the unreachable Allow. Conversely, if no Deny intervenes, the Allow stands. The plugin walks the rules in priority order until a first-match wins, matching how Azure actually evaluates traffic.

Additional resolution dimensions: port-range expansion (the catalog supports start-end, comma-separated, and wildcards), 0.0.0.0/1 + 128.0.0.0/1 split-range coverage (mask ≤ 1 = public), and service-tag/Application Security Group source normalization (VirtualNetwork, AzureLoadBalancer, and any named ASG are not public sources; the catalog stops short of treating them as ground-truth allowlists, which would be operator-policy-dependent).
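The three sections above (the five dimensions, attachment-aware severity, and effective priority/deny-override resolution) describe a single evaluation procedure. The following is an added illustration written for this page, not plugin 1221's code or any Nsasoft API: it walks an NSG's inbound rules in priority order with first-match-wins, subtracts Deny sources from the still-reachable public universe so a higher-priority Deny neutralizes a later Allow, normalizes sources (`*`, `Internet`, `0.0.0.0/0`, `::/0` and the `0.0.0.0/1` + `128.0.0.0/1` halves are public because their prefix is at most 1 bit; service tags such as `VirtualNetwork` and `AzureLoadBalancer` are not), expands port ranges, and tiers severity by whether the NSG is attached. Assumptions: the restricted-port catalog is a subset of what the release lists and is modelled as TCP-only; NSGs are plain dicts shaped like Azure's rule properties (`sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`, `access`, `priority`, `protocol`) with the back-references `subnets`/`networkInterfaces` deciding attachment; all rules passed in are inbound; and the sample NSGs are constructed, not the page's fixtures.

```python
"""Azure NSG inbound perimeter evaluator: priority-ordered first-match with deny-override,
public-source normalization, port expansion, attachment-aware severity. Added example."""
import ipaddress

RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "Postgres",
                    6379: "Redis", 27017: "MongoDB", 445: "SMB", 5985: "WinRM", 10250: "Kubelet"}
_ALL = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]  # both families

def source_networks(src):
    """'*'/'Internet' cover both families; a CIDR covers itself; service tags
    (VirtualNetwork, AzureLoadBalancer, ...) and ASG names cover nothing public."""
    src = src.strip()
    if src == "*" or src.lower() == "internet":
        return list(_ALL)
    try:
        return [ipaddress.ip_network(src, strict=False)]
    except ValueError:
        return []

def is_public_source(src):
    """Public = prefix of at most 1 bit: 0.0.0.0/0, ::/0, each split-range half; a /8 is not."""
    return any(n.prefixlen <= 1 for n in source_networks(src))

def expand_ports(spec):
    """'*', '22', '20-25' or '22,3389,5000-5010' -> set of port numbers."""
    ports = set()
    for part in str(spec).replace(" ", "").split(","):
        if part == "*":
            return set(range(65536))
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _fields(rule, plural, singular):  # Azure uses either property form; merge both
    return list(rule.get(plural) or []) + ([rule[singular]] if rule.get(singular) else [])

def _subtract(open_nets, deny):
    """Remove `deny` from the still-open networks (CIDRs either nest or are disjoint)."""
    out = []
    for net in open_nets:
        if net.version != deny.version or not net.overlaps(deny):
            out.append(net)
        elif not net.subnet_of(deny):
            out.extend(net.address_exclude(deny))
    return out

def public_allow_rule(nsg, port):
    """First Allow in priority order that lets public traffic reach `port`, or
    None if earlier Denies (or the implicit DenyAllInbound at 65500) close it."""
    open_nets = list(_ALL)
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):  # inbound rules only
        if rule.get("protocol", "*") not in ("*", "Tcp") or not any(  # catalog modelled as TCP
                port in expand_ports(p) for p in _fields(rule, "destinationPortRanges", "destinationPortRange")):
            continue
        for src in _fields(rule, "sourceAddressPrefixes", "sourceAddressPrefix"):
            if rule["access"] == "Deny":
                for net in source_networks(src):
                    open_nets = _subtract(open_nets, net)
            elif is_public_source(src) and any(n.version == o.version and n.overlaps(o)
                                               for n in source_networks(src) for o in open_nets):
                return rule
    return None

def audit_nsg(nsg):
    """PASS, or EFFECTIVE (attached -> CRITICAL) / LATENT (orphaned -> MEDIUM)."""
    attached = bool(nsg.get("subnets") or nsg.get("networkInterfaces"))
    findings = []
    for port, service in sorted(RESTRICTED_PORTS.items()):
        rule = public_allow_rule(nsg, port)
        if rule is None:
            continue
        pub = [n for s in _fields(rule, "sourceAddressPrefixes", "sourceAddressPrefix")
               for n in source_networks(s) if n.prefixlen <= 1]
        if rule.get("protocol", "*") == "*" and "*" in _fields(rule, "destinationPortRanges", "destinationPortRange"):
            dim = "all-protocol-public"      # dimension 1
        elif all(n.version == 6 for n in pub):
            dim = "ipv6-wildcard"            # dimension 3
        else:
            dim = "public-restricted-port"   # dimension 2
        findings.append({"port": port, "service": service, "rule": rule["name"], "dimension": dim,
                         "severity": "CRITICAL" if attached else "MEDIUM"})
    return {"nsg": nsg["name"], "findings": findings,
            "status": "PASS" if not findings else ("EFFECTIVE" if attached else "LATENT")}

def _rule(name, priority, access, src, ports, protocol="Tcp"):  # builds a rule in Azure's shape
    key = "sourceAddressPrefixes" if isinstance(src, list) else "sourceAddressPrefix"
    return {"name": name, "priority": priority, "access": access, "protocol": protocol,
            key: src, "destinationPortRange": ports}

# Constructed sample NSGs (not the page's fixtures): orphaned NSG whose RDP Allow is
# neutralized by a higher-priority Deny, and an attached any/any NSG.
SAMPLE_NSGS = [
    {"name": "nsg-orphan", "subnets": [], "networkInterfaces": [], "securityRules": [
        _rule("deny-rdp", 90, "Deny", "*", "3389"),
        _rule("ssh-v6", 100, "Allow", "::/0", "22"),
        _rule("db-split", 110, "Allow", ["0.0.0.0/1", "128.0.0.0/1"], "5432,6379"),
        _rule("rdp-open", 120, "Allow", "*", "3389")]},
    {"name": "nsg-attached", "subnets": [{"id": "/subnets/placeholder"}],
     "securityRules": [_rule("any-any", 100, "Allow", "*", "*", protocol="*")]},
]
```

Calling audit_nsg on the first sample yields status LATENT with MEDIUM findings on 22 (ipv6-wildcard), 5432 and 6379 (split-range public source) and nothing on 3389, because the Deny at priority 90 empties the public universe for that port before the Allow at 120 is reached; the second sample yields EFFECTIVE with a CRITICAL all-protocol-public finding per catalog port. The open-universe bookkeeping is reset per port, so a Deny scoped to one port never shadows another, and a Deny from a non-public source such as VirtualNetwork subtracts nothing from the public internet.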

Deliberately non-overlapping with plugin 1022

Plugin 1221 is deliberately non-overlapping-by-depth with 1022’s coarse NSG dim — no double-emission of a verdict on the same NSG. This mirrors the AWS 1023-observed / 1170-declared two-plugin precedent (where 1023 reports the observed flow rules and 1170 issues the declared CC6.6 finding).

Six-framework routing — all matrices unchanged

Plugin 1221’s findings route across every supported framework at AWS-1170 parity: SOC 2 CC6.6, HIPAA §164.312(a)(1), NIST CSF 2.0 PR.IR-01 + ID.AM-03, PCI DSS v4.0.1 1.2.1 / 1.3.1 / 1.4.1 / 6.4.1 / 11.4.1, ISO/IEC 27001:2022 A.8.20 / A.8.22 / A.8.9, and CIS Controls v8 4.4 / 12.2 / 4.2. 185 insertions across the six framework JSONs, zero deletions; all 160 anchor-drift, inheritance, and citation-discipline tests green.

Adversarial review and regression

Plugin 1221 was built and reviewed through the audit-cloud-plugin-false-negatives lens (skill #14): SHIP-WITH-FOLDS (0 CRITICAL / 0 HIGH / 0 MEDIUM / 2 LOW folded same-session). The catalog’s NSG blind-spots are all covered — three internet-spellings, priority/deny-override, Application-Security-Group as source, ::/0, wide-range-includes-restricted-port. Both LOWs folded in the same session: 0.0.0.0/1 split-range source-publicness, and per-NSG error isolation (one malformed NSG → per-resource evidence-gap, never aborting the enumeration).

The Enterprise Edition test suite runs 6,481 tests and passes all of them — a +27 net increase against the EE 0.13.3 baseline of 6,454.

Live cloud validation

The published 0.14.0 CLI was smoke-tested against a live Azure hexa-framework resource group and the AWS regression account on the same day:

  • Plugin 1221 fixture oracle 3/3: a deliberately-exposed NSG fixture emitted MEDIUM latent findings on ports 22, 5432, and 6379; two secure NSG fixtures passed CC6.6.
  • Findings route to CC6.6 (9× in the SOC 2 evidence pack).
  • Coexists with plugin 1022 (which routes to CC6.1 for the multi-purpose Azure dims) — no double-emission of a verdict on the same NSG.
  • All six coverage matrices unchanged on both clouds.
  • Azure finding count 299 → 302 (+3 = the new 1221 findings on the exposed fixture). AWS held at 243 — the new plugin is Azure-only, confirming the addition is additive-only and does not affect AWS evidence.

Customer impact and availability

NSAuditor AI EE 0.14.0 is recommended for every existing customer auditing Azure workloads. The hexa-framework one-scan workflow — --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — produces six separate auditor-ready evidence packs from a single scan. The release is available immediately through npm under restricted-access distribution; no license re-installation is required for existing customers. EE 0.13.3, Community Edition 0.1.78, and agent-skill 0.1.45 are deprecated on this publish with paired-pointer messages.

Install (Enterprise Edition; restricted npm token required):

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

The full Enterprise feature reference is at nsauditor.com/ai/enterprise; framework matrices live at nsauditor.com/ai/docs; a synthetic-fixture sample scan demonstrating the plugin-1221 finding shape is published at nsauditor.com/ai/docs/sample-scan. Trial requests and enterprise inquiries: enterprise@nsasoft.us.

About Nsasoft US LLC

Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. Customer credentials and scan data never leave the host — all AI inference and CVE matching run against customer-controlled keys or fully offline NVD feeds. Press: info@nsasoft.us.
