NSAuditor AI EE 0.3.1 Ships Auditor-Grade SOC 2 Pre-Audit Reporter — Bridges the Gap Between GRC Platforms and Vulnerability Scanners
NSAuditor AI EE 0.3.1 ships the full SOC 2 hardening track — 7 covered AICPA TSC controls, RFC 3161 timestamps, Ed25519 signing, native Vanta push.
LAS VEGAS, NV — May 7, 2026 — Nsasoft US LLC, a network security and AI-assisted audit software company, today announced the release of NSAuditor AI Enterprise Edition (EE) v0.3.1 alongside the Community Edition (CE) v0.1.29 hotfix line. EE 0.3.x — comprising the 0.3.0 major SOC 2 milestone and the 0.3.1 release-quality hardening update — establishes NSAuditor AI as the first open-core network auditor with a built-in, auditor-grade SOC 2 pre-audit reporter that maps scanner findings directly to AICPA Trust Services Criteria controls and pushes evidence into GRC platforms over native APIs.
The market gap NSAuditor AI EE closes
The SOC 2 readiness market today is split into two camps that don’t talk to each other:
- GRC platforms (Vanta, Drata, Secureframe) automate the workflow of evidence collection, policy management, and auditor handoff — but lack native vulnerability scanning. They depend on operators to import findings from elsewhere.
- Legacy vulnerability scanners (Tenable, Qualys, Rapid7) produce voluminous CVE reports — but don’t map findings to TSC controls, don’t sign evidence, and don’t speak GRC-platform APIs.
NSAuditor AI EE 0.3.x is the bridge. Deep network and cloud scanning + auditor-mapped findings + signed evidence artifacts + native push to GRC platforms — in a single, scriptable CLI workflow.
“This is the pre-audit report you give your auditor so they don’t bill you for finding what you already knew.”
Coverage Matrix — AICPA Trust Services Criteria 2017
| Status | Count | Trust Services Criteria |
|---|---|---|
| ✅ Covered | 7 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, C1.1 |
| 🟡 Partial | 5 | CC6.3, CC7.2, CC7.3, CC8.1, A1.2 |
| ⚪ Out of scope | 34 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.*, P1.0–P8.0, CC6.4, CC6.5 |
The seven covered controls span logical access (CC6.1), authentication (CC6.2), network segmentation (CC6.6), data-in-transit protection (CC6.7), unauthorized-software detection (CC6.8), configuration & vulnerability detection (CC7.1), and confidential-information identification (C1.1). The 34 out-of-scope controls — governance, organizational ethics, processing integrity, privacy — are explicitly flagged in the gap report so auditors immediately see the engine’s known boundaries.
What ships in EE 0.3.0 — the full SOC 2 hardening track
EE 0.3.0 was the largest release in the product’s history. Seven institutional-grade evidence-integrity primitives now ship by default:
- Cover-page Scope Attestation on every artifact — framework version, scan window, scope IDs, scanner version, TSA policy lineage.
- SHA-256 chain-of-custody — each artifact paired with a `.sha256` sidecar; a chain-of-custody envelope binds the bundle.
- RFC 3161 trusted timestamping — optional `COMPLIANCE_TSA_URL` enables TSA signing of every evidence artifact, with TSA cert chain validation, policy-OID negotiation per RFC 3161 §2.4.1, and X.660 first-arc constraint enforcement. Real FreeTSA fixtures shipped; `openssl ts -verify` integration tested.
- Ed25519 cryptographic suppression signing — canonical JSON (RFC 5198 NFC normalization), payload-version-2 framing, 64-KiB DoS cap, NFC-key collision detection, and explicit unsupported-type rejection (BigInt/Symbol/Function/NaN/Map/Set/TypedArray).
- Identity verification engine — suppression approvers verified against a corp identity registry (employee ID, public key, validity window, revocation status) with O(1) lookup, 10k-member perf headroom, and auditor-graded health bands.
- WORM evidence storage — S3 Object Lock COMPLIANCE-mode push with SHA-256 manifest, configurable resource redaction (`off`/`hash`/`remove`), and SEC 17a-4 / FINRA 4511 retention semantics.
- GRC platform connector — native push to Vanta over a `/v1/integrations/whoami` pre-flight + REST API, with retry/backoff, idempotent scan IDs, 1 MiB response cap, 180 s total-duration cap, and foreign-token format detection across 18 known non-GRC token prefixes (GitHub, Slack, AWS, Stripe, GCP, npm). Drata and Secureframe on roadmap.
Type II readiness — recurring scan attestation + SLA / MTTR tracking
SOC 2 Type II requires evidence across a 6–12 month observation window, not a point-in-time snapshot. EE 0.3.0 ships recurring-scan attestation with cadence gap detection and scope-drift detection (CC8.1 evidence), a SLA & MTTR engine with per-severity SLA targets and finding-lifecycle tracking with transient-closure exclusion, and per-approver renewal cadence with rolling-quarter trend metric and governance bands.
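The SLA and MTTR logic described above hinges on one detail: a closure that the next scan immediately reverses must not count as a resolution, or MTTR collapses to near zero. The block below is an added example written for this page, not NSAuditor AI code, showing that computation over a constructed finding-lifecycle event stream: per-severity SLA targets, transient closures folded back into the original open period, and per-severity MTTR and breach counts. The event shape, the SLA targets, the two-day transient window and the sample events are all assumptions made for the example.

```javascript
// Added example, not NSAuditor AI code: per-severity SLA and MTTR over a finding
// lifecycle with transient closures excluded. The event shape, SLA targets,
// transient window and sample events below are assumptions made for this example.
const SLA_DAYS = { critical: 7, high: 30, medium: 90, low: 180 }; // assumed per-severity targets
const TRANSIENT_WINDOW_DAYS = 2;  // a closure reversed within this window never counts as resolved
const DAY_MS = 24 * 60 * 60 * 1000;
const ms = iso => Date.parse(iso);

// Constructed finding-lifecycle events (id, severity, type 'opened'|'closed', ISO date).
const SAMPLE_EVENTS = [
  { id: 'F1', severity: 'critical', type: 'opened', at: '2026-01-01' },
  { id: 'F1', severity: 'critical', type: 'closed', at: '2026-01-04' },
  { id: 'F2', severity: 'high',     type: 'opened', at: '2026-01-01' },
  { id: 'F2', severity: 'high',     type: 'closed', at: '2026-01-10' }, // scanner lost sight of it ...
  { id: 'F2', severity: 'high',     type: 'opened', at: '2026-01-11' }, // ... and saw it again next day
  { id: 'F2', severity: 'high',     type: 'closed', at: '2026-02-05' },
  { id: 'F3', severity: 'high',     type: 'opened', at: '2026-01-20' },
  { id: 'F4', severity: 'medium',   type: 'opened', at: '2026-01-05' },
  { id: 'F4', severity: 'medium',   type: 'closed', at: '2026-01-06' },
  { id: 'F4', severity: 'medium',   type: 'opened', at: '2026-01-20' }, // 14 days later: a fresh occurrence
];

// Fold events into one lifecycle per finding id. A reopen inside the transient
// window cancels the closure and keeps the original open date; a reopen outside
// it restarts the clock (a design choice for this example).
function lifecycles(events) {
  const byId = new Map();
  const ordered = [...events].sort((a, b) => ms(a.at) - ms(b.at));
  for (const e of ordered) {
    let f = byId.get(e.id);
    if (!f) {
      f = { id: e.id, severity: e.severity, openedAt: null, closedAt: null, transientClosures: 0 };
      byId.set(e.id, f);
    }
    if (e.type === 'opened') {
      if (f.closedAt !== null && ms(e.at) - ms(f.closedAt) <= TRANSIENT_WINDOW_DAYS * DAY_MS) {
        f.closedAt = null;        // transient closure: keep the original openedAt
        f.transientClosures++;
      } else if (f.openedAt === null || f.closedAt !== null) {
        f.openedAt = e.at;        // first sighting, or a genuine new occurrence
        f.closedAt = null;
      }
    } else if (e.type === 'closed' && f.openedAt !== null && f.closedAt === null) {
      f.closedAt = e.at;
    }
  }
  return byId;
}

// Per-severity rollup: resolved count, open count, SLA breaches and MTTR in days.
function slaReport(events, nowIso) {
  const report = {};
  for (const f of lifecycles(events).values()) {
    if (f.openedAt === null) continue; // a 'closed' with no 'opened' carries no lifecycle
    const s = report[f.severity] || (report[f.severity] =
      { resolved: 0, open: 0, breached: 0, totalResolvedDays: 0, mttrDays: null });
    const end = f.closedAt !== null ? ms(f.closedAt) : ms(nowIso);
    const ageDays = (end - ms(f.openedAt)) / DAY_MS;
    if (f.closedAt !== null) { s.resolved++; s.totalResolvedDays += ageDays; } else { s.open++; }
    if (ageDays > SLA_DAYS[f.severity]) s.breached++; // still-open findings count against SLA too
  }
  for (const s of Object.values(report)) {
    s.mttrDays = s.resolved ? Math.round((s.totalResolvedDays / s.resolved) * 10) / 10 : null;
  }
  return report;
}

console.log(JSON.stringify(slaReport(SAMPLE_EVENTS, '2026-02-10'), null, 2));
```

With the sample stream, F2's one-day gap is folded away so its resolution is counted as 35 days and breaches the 30-day high-severity target, while the naive reading (closed after 9 days) would have shown it as compliant. That difference is exactly what an auditor reviewing a Type II observation window will probe.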
What’s fixed in EE 0.3.1
A customer install-and-test cycle against published 0.3.0 surfaced a small set of integration bugs that prevented Enterprise features from working end-to-end on a clean install. 0.3.1 fixes all of them and is the recommended upgrade. 0.3.0 is deprecated on npm.
- EE `package.json` `exports` map now publishes `./package.json`, allowing CE’s plugin discovery to succeed. Without this, no EE plugin loaded regardless of license tier.
- AWS S3 (plugin 020) and AWS IAM (plugin 030) auditors now use default-import + module-scope destructure for `@aws-sdk/client-s3` and `@aws-sdk/client-iam`. The static named-import pattern was rejected by Node 20+ as the AWS SDK v3 ships CJS, breaking plugin module load at discovery time.
- AWS plugin `preflight()` accepts ambient/profile/SSO/instance-role credentials — `~/.aws/credentials`, `AWS_PROFILE`, `AWS_SSO_SESSION`, `AWS_WEB_IDENTITY_TOKEN_FILE`, ECS task roles, and EC2 IMDS.
- Published tarball now includes the `data/` directory — `data/compliance/soc2.json` (14.8 KB) and `data/compliance/sla.json`. Previously the SOC 2 framework definition was excluded from the npm package and the engine fell back to a degraded path.
What’s new in CE 0.1.28 + 0.1.29
The Community Edition received four companion fixes plus a UX improvement:
- CE 0.1.28 wires `--compliance <framework>` and `--compliance-scope <path>` end-to-end. The flags were documented in the EE README but the CLI had zero references — making the entire SOC 2 surface unreachable.
- CE 0.1.29 adds first-class `--help` support. Bare `nsauditor-ai --help` prints a complete usage block (subcommands, scan options, env vars, worked examples) and exits 0, with no license key required. Previously it fell through to scan defaults and crashed.
- 0.1.27 and 0.1.28 deprecated on npm.
Validation
```shell
npm install -g nsauditor-ai@0.1.29 @nsasoft/nsauditor-ai-ee@0.3.1
nsauditor-ai license --status
# ✓ Enterprise license active

# SOC 2 compliance scan
nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
# Artifacts: scan_compliance_soc2.{json,md,html} + .sha256
#            scan_attestation_soc2.json + .sha256
#            scan_chain_of_custody_soc2.json + .sha256
# Schema: nsauditor.compliance-report/v1
# Framework: soc2 2017
# Controls: 46 total — 7 pass, 5 partial, 34 out_of_scope
```
Resources
- Product home: nsauditor.com/ai
- SOC 2 coverage page: nsauditor.com/ai/docs/soc2/
- CE on npm: npmjs.com/package/nsauditor-ai
- EE on npm: npmjs.com/package/@nsasoft/nsauditor-ai-ee
- CE source: github.com/nsasoft/nsauditor-ai
About Nsasoft US LLC
Nsasoft US LLC is a Las Vegas-based network security software company specializing in privacy-first, AI-assisted security tooling. The company develops open-core security scanners, infrastructure auditing tools, and SOC 2 readiness products for enterprise and developer audiences. Customer credentials and scan data never leave the host — all AI inference and CVE matching happen against customer-controlled API keys or fully offline NVD feeds.
Press contact: info@nsasoft.us · License & enterprise sales: enterprise@nsasoft.us