NSAuditor AI EE 0.6.1 Adds NEW Plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor — Foundation-Layer SOC 2 Evidence for CC7.1 + CC7.2 (Plugin Count 21 → 22)
EE 0.6.1 — NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor (plugin count 21 → 22). Foundation-layer SOC 2 evidence for CC7.1 detection procedures + CC7.2 monitoring of system components. Standalone Pro trial program retired.
What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.6.1 — adding NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor. Plugin count grows 21 → 22. The release is a paired trio across EE + CE 0.1.55 + agent-skill 0.1.22. The catalog across CE and EE is now 49 plugins (27 CE + 22 EE).
Why this matters for SOC 2 readiness
AWS GuardDuty and AWS Inspector2 are the AWS-native managed services for threat detection and vulnerability detection respectively. A SOC 2 evidence pack without GuardDuty signal has no AWS-native anomaly-detection stream — credential-exfiltration attempts, cryptocurrency-mining indicators, malicious-IP communication, and reconnaissance patterns all go unobserved. A pack without Inspector2 signal has no managed CVE-detection coverage on the compute surface (EC2 AMIs, ECR images, Lambda functions), making patching-cadence assertions difficult to evidence.
What plugin 1200 audits
| Dimension | Control | Highest severity | Closure |
|---|---|---|---|
| 1. GuardDuty Detector enablement | CC7.1 | HIGH | Audited region with no GuardDuty Detector configured — managed threat-detection absent |
| 2. GuardDuty protection-feature coverage | CC7.1 | MEDIUM | Missing baseline features (S3 data events, EKS audit logs, EBS malware protection, RDS login events, Lambda network logs, runtime monitoring) |
| 3. Inspector2 enablement | CC7.2 | HIGH | Account where Inspector2 is not enabled, suspended, or disabled — CVE coverage absent |
| 4. Inspector2 scan-target coverage | CC7.2 | HIGH / MEDIUM | Zero coverage = HIGH; partial coverage = MEDIUM with explicit disabled-resource-types list |
Unambiguous remediation
For each dimension, plugin 1200 distinguishes auditor-side IAM gaps (the auditor role lacks the GuardDuty or Inspector2 read permission) from genuine service-side absence — so remediation paths are unambiguous. Either grant the read permission, or enable the service.
Compliance mapping
Seven new entries in data/compliance/soc2.json route plugin 1200 findings to CC7.1 (four entries) and CC7.2 (three entries). Title-pattern regexes are anchored to the exact strings the plugin emits, so the compliance mapping is deterministic end to end.
Design discipline
- Conservative classification — Ambiguous AWS-SDK responses emit LOW + evidenceGap with a walkthrough prompt, never silent-PASS.
- Case-insensitive enum handling — Status fields normalized at the SDK boundary so case variation across SDK versions cannot mask a finding.
- Zero data exfiltration — Findings carry only AWS-public-namespace identifiers (Detector IDs, region, status enums). Operator-supplied tags, descriptions, and other free-text surfaces are never read.
- Soft-degrade — GuardDuty and Inspector2 SDKs load independently; failure of one does not block the other.
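
The Inspector2 rows of the table and the classification rules above, sketched as an added JavaScript example (not NSAuditor's plugin code). The function name, the input shape and every field name other than `evidenceGap` are assumptions, as is reporting the IAM-gap case as LOW.

```javascript
// Added illustration, not NSAuditor's plugin code. The input is a simplified,
// hypothetical summary of an Inspector2 status lookup, not an AWS SDK response.
const TARGETS = ["ec2", "ecr", "lambda"]; // compute surface named on this page
const INACTIVE = new Set(["DISABLED", "SUSPENDED"]);

// Normalize at the boundary so "enabled", "Enabled" and " ENABLED " compare equal.
const norm = (v) => (typeof v === "string" ? v.trim().toUpperCase() : null);

// LOW + evidenceGap: the audit could not prove either outcome, so it never passes.
const gap = (cause, remediation) =>
  ({ severity: "LOW", evidenceGap: true, cause, remediation });

function classifyInspector2(result) {
  // Auditor-side IAM gap: the read call was refused, which says nothing about
  // the service. Reporting it as LOW is an assumption of this sketch.
  if (result.error && /AccessDenied/i.test(String(result.error.name))) {
    return gap("auditor-iam", "grant the auditor role the Inspector2 read permission");
  }
  const account = norm(result.accountStatus);
  if (INACTIVE.has(account)) {
    return { severity: "HIGH", evidenceGap: false, cause: "service-absent",
             remediation: "enable Inspector2" };
  }
  if (account !== "ENABLED") {
    return gap("ambiguous", "confirm the Inspector2 account status by hand");
  }
  const resources = result.resourceStatus || {};
  const states = TARGETS.map((t) => [t, norm(resources[t])]);
  if (states.some(([, s]) => s !== "ENABLED" && !INACTIVE.has(s))) {
    return gap("ambiguous", "confirm per-resource scan status by hand");
  }
  const disabled = states.filter(([, s]) => INACTIVE.has(s)).map(([t]) => t);
  if (disabled.length === 0) {
    return { severity: "PASS", evidenceGap: false, cause: "covered", disabled };
  }
  // Zero coverage is HIGH; partial coverage is MEDIUM and lists what is off.
  const severity = disabled.length === TARGETS.length ? "HIGH" : "MEDIUM";
  return { severity, evidenceGap: false, cause: "coverage", disabled,
           remediation: "enable scanning for: " + disabled.join(", ") };
}

// Constructed sample inputs (not real account data).
const SAMPLES = [
  { error: { name: "AccessDeniedException" } },
  { accountStatus: "suspended" },
  { accountStatus: "Enabled", resourceStatus: { ec2: "ENABLED", ecr: "disabled", lambda: "Disabled" } },
  { accountStatus: "ENABLED", resourceStatus: { ec2: "enabled", ecr: "ENABLED" } },
];
for (const s of SAMPLES) console.log(JSON.stringify(classifyInspector2(s)));
```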
Coverage matrix unchanged at 10/4/33
Plugin 1200 deepens evidence-acquisition on controls already classified as covered (via the CloudTrail, AWS Backup, and SQS/SNS plugins). NSAuditor publishes coverage-matrix shifts only when net-new controls become covered, not when evidence depth grows on existing ones — an institutional honesty discipline auditors can rely on across releases.
Also in this release: standalone Pro trial program retired
The 14-day Pro trial program (/ai/trial/) has been retired. The Community Edition (free, MIT) already provides enough hands-on functionality for evaluation: install CE, run scans, see the platform in action, then upgrade to Pro when CVE matching / verification probes / risk scoring become a fit. The /ai/trial/ URL now redirects to /ai/pricing/.
How to run plugin 1200
```bash
# Just plugin 1200
nsauditor-ai scan --host aws --plugins 1200 --compliance soc2 --out evidence.json

# Bundled with the rest of the EE AWS catalog
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json
```
Who’s affected
AWS architects building SOC 2 evidence packs that must include detection-procedure coverage; SOC 2 readiness teams covering CC7.1 + CC7.2; SRE / DevSecOps teams running multi-account AWS organizations; auditors validating that GuardDuty and Inspector2 are actually enabled (not just licensed); AI-coding-agent users.
Customer install (live now)
```bash
npm install -g nsauditor-ai@0.1.55 @nsasoft/nsauditor-ai-ee@0.6.1
npm install nsauditor-ai-agent-skill@0.1.22  # AI-coding-agent users
```



