Support

Help with NSAuditor AI Pro & Enterprise

NSAuditor AI is now our entire product line — the open-core scanner plus Pro and Enterprise. (The classic Windows desktop tools are retired.) However you run it, here is how to reach us and help yourself, fast.

Email support

The fastest way to reach a human. Tell us your tier and what you are seeing — we reply under 24 hours.

support@nsauditor.com →

Documentation

Install guides, the Getting Started walkthrough, framework references, and a real sample scan.

Browse the docs →

FAQ

The questions security teams actually ask before buying — pricing, Zero Data Exfiltration, API keys, air-gapped use.

Read the FAQ →

Community Edition

Using the free, MIT-licensed Community Edition? Open an issue or discussion on GitHub.

github.com/nsasoft/nsauditor-ai →
By plan

What support you get

Support scales with your plan. Existing Pro and Enterprise customers: email support@nsauditor.com from your account email and we will route you to the right channel.

CommunityFree · MIT
Self-serve documentation, the Getting Started guide, and GitHub issues / discussions for the open-source Community Edition.
Pro$39/mo
Email support at support@nsauditor.com — replies under 24 hours — covering CVE matching, verification, and report generation.
Enterprise · Base$2k/yr
Email support plus an onboarding call, across the full Enterprise feature set and cloud scanners.
Enterprise · Growth$5k/yr
Dedicated Slack / email channel with priority response (SLA per contract) and custom compliance-mapping help.
Enterprise · Scale$10k+/yr
A dedicated support engineer and a custom SLA — 4-hour critical, 24-hour standard — plus custom plugin development.

Not a customer yet? See Enterprise plans or compare Pricing.

Command line

Quick command reference

Run nsauditor-ai help any time for the full reference. The commands you will use most:

# scan a network host or CIDR nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2 # full AWS audit, all 7 compliance frameworks CLOUD_PROVIDER=aws AWS_PROFILE=default nsauditor-ai scan --host aws --plugins all --compliance all # install / check your Pro or Enterprise license nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs... nsauditor-ai license --status nsauditor-ai license --capabilities # set up the MCP auth key for Claude Desktop (run once per machine) nsauditor-ai mcp install-key
Full command reference — nsauditor-ai help
nsauditor-ai — Modular AI-assisted network security audit platform

Usage:
  nsauditor-ai [scan] --host <ip|cidr|hostname> [options]
  nsauditor-ai [scan] --host-file <path> [options]
  nsauditor-ai license <subcommand>
  nsauditor-ai security <subcommand>
  nsauditor-ai validate
  nsauditor-ai version          (or --version / -v)
  nsauditor-ai help             (or --help / -h)

Scan options:
  --host, --ip, --target <h>   Target host, IP, or CIDR
  --host-file <path>           File with one host per line
  --env <path>                 Load a dotenv (KEY=value) file for this scan (per-account
                               credentials). Override-on; missing file = hard error.
  --aws-profile <name>         Use a named profile from the OS-default ~/.aws/credentials.
                               Implies CLOUD_PROVIDER=aws; overrides explicit AWS_* keys.
  --aws-region <r>             AWS region scope: one (us-east-1), CSV (us-east-1,eu-west-1),
                               or 'all' (every account-enabled region). Default: AWS_REGION
                               if set, else a single region with an incomplete-coverage notice.
  --plugins <list|all>         Plugins to run (e.g. 001,003,020 or "all"; default: all)
  --ports <range>              Override port list (e.g. 22,80,443 or 1-1000)
  --out <dir>                  Output directory for scan artifacts
  --parallel <n>               Parallel host concurrency (default 1)
  --fail-on <severity>         Exit non-zero if any finding ≥ severity
  --output-format <fmt>        Additional report format: sarif | csv | md
  --insecure-https             Skip TLS validation on probed HTTPS targets
  --watch                      CTEM continuous mode
  --interval <minutes>         Watch interval (default 60)
  --webhook-url <url>          Send delta alerts (must be public; private/loopback blocked)
  --alert-severity <sev>       Min severity to alert on (default: high)
  --compliance <framework>     Map findings to controls. 'all' = all 7 frameworks, or a CSV
                               of soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr (aliases
                               nist/pci/iso/cis). Unknown tokens fail fast. Enterprise only.
  --compliance-scope <path>    JSON file describing the assessment scope

License subcommands:
  nsauditor-ai license install <KEY>    Verify and persist a license key (Keychain
                                        on macOS, ~/.nsauditor/.env on Linux/Windows
                                        with mode 0600). Rejects invalid/expired keys.
  nsauditor-ai license --status         Show active tier, org, seats, expiry
  nsauditor-ai license --capabilities   List active capabilities for current tier
  nsauditor-ai license --plugins        List discovered plugins grouped by source
                                        (CE / EE / custom) with active-or-required-tier

MCP server-auth subcommands (EE-SEC.1):
  nsauditor-ai mcp install-key          Generate a new MCP auth key, persist (Keychain
                                        on macOS, ~/.nsauditor/.env elsewhere), print
                                        Claude Desktop config snippet. Run ONCE per
                                        machine; without this the MCP server refuses
                                        to start (anti-spoofing for Pro/Enterprise tools).
  nsauditor-ai mcp install-key <KEY>    Persist a caller-supplied key (e.g., enterprise-
                                        managed secret). Validates shape before storing.
  nsauditor-ai mcp print-key --confirm  Reveal the stored key (use with care)
  nsauditor-ai mcp rotate-key           Replace the stored key with a fresh one
  nsauditor-ai mcp status               Show storage source without revealing the key
  nsauditor-ai mcp tier                 Print actual MCP server tier (ground truth — bypasses
                                        Claude AI synthesis when "list_plugins" reports
                                        unexpected CE despite verified Pro/Enterprise license)

Security subcommands (macOS Keychain):
  nsauditor-ai security set <KEY>       Store a secret (read from stdin)
  nsauditor-ai security delete <KEY>    Remove a secret
  nsauditor-ai security list            List stored secrets (masked)
  nsauditor-ai security get <KEY>       Echo a secret (avoid in shared shells)

Environment:
  NSAUDITOR_LICENSE_KEY          Pro/Enterprise license JWT (env var; takes precedence)
  NSA_MCP_AUTH_KEY               MCP server auth key — read by mcp_server at startup;
                                 client supplies via Claude Desktop config env block
  NSA_MCP_AUTH_DISABLE=1         Skip MCP auth check (CI/dev escape hatch — emits warn)
  NSA_ALLOW_ALL_HOSTS=1          Permit RFC1918 / loopback (local-network auditing)
  CLOUD_PROVIDER=aws|gcp|azure   Required for cloud scanner plugins (020/021/022/023/030)
  AI_PROVIDER=openai|claude|ollama   AI provider for report generation
  COMPLIANCE_TSA_URL             RFC 3161 timestamp authority for SOC 2 attestation

Cloud-scan hosts:
  --host aws[,gcp,azure]         One or more cloud sentinel literals, comma-separated
                                 (case-insensitive): use 'aws' for one cloud, or
                                 'aws,gcp,azure' to audit all three in one run (each cloud
                                 is scanned in turn). Do NOT write aws|gcp|azure with pipe
                                 characters — your shell treats | as a pipe. Sentinels are
                                 not DNS-resolved; they route the scan to the matching
                                 cloud-scanner plugins via the provider's control-plane
                                 API, and imply CLOUD_PROVIDER=<host> when unset. With
                                 --plugins all the scan AUTO-SCOPES to only that cloud's
                                 plugins (plugins not applicable to this host are skipped +
                                 logged — other-cloud plugins run on their OWN --host pass,
                                 non-cloud plugins need a network host) — so --plugins all
                                 is safe here.
                                 Note: the composite zero-trust checker (1023) has no
                                 single cloud and is therefore skipped under this
                                 auto-scope; to run it, select it explicitly
                                 (--plugins 023,...) or scan a network host/CIDR.

Examples:
  nsauditor-ai scan --host 10.0.0.1 --plugins all
  CLOUD_PROVIDER=aws AWS_PROFILE=default \
    nsauditor-ai scan --host aws --plugins all --compliance all   # full AWS audit, all 7 frameworks
  nsauditor-ai scan --host aws,gcp,azure --plugins all --compliance all   # all 3 clouds in one run
  nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
  nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
  nsauditor-ai license --status

New here? Start with the Getting Started guide, then walk through a real sample scan.

Still stuck?

Email support@nsauditor.com — include your tier, OS, and the command or finding involved. Enterprise customers, mention your org so we can take it to your dedicated channel.

Email support →