Support
Help with NSAuditor AI Pro & Enterprise
NSAuditor AI is now our entire product line — the open-core scanner plus Pro and Enterprise. (The classic Windows desktop tools are retired.) However you run it, here is how to reach us and help yourself, fast.
✉️
Email support
The fastest way to reach a human. Tell us your tier and what you are seeing — we reply under 24 hours.
support@nsauditor.com →
📘
Documentation
Install guides, the Getting Started walkthrough, framework references, and a real sample scan.
Browse the docs →
❓
FAQ
The questions security teams actually ask before buying — pricing, Zero Data Exfiltration, API keys, air-gapped use.
Read the FAQ →
By plan
What support you get
Support scales with your plan. Existing Pro and Enterprise customers: email support@nsauditor.com from your account email and we will route you to the right channel.
CommunityFree · MIT
Self-serve documentation, the Getting Started guide, and GitHub issues / discussions for the open-source Community Edition.
Pro$39/mo
Email support at support@nsauditor.com — replies under 24 hours — covering CVE matching, verification, and report generation.
Enterprise · Base$2k/yr
Email support plus an onboarding call, across the full Enterprise feature set and cloud scanners.
Enterprise · Growth$5k/yr
Dedicated Slack / email channel with priority response (SLA per contract) and custom compliance-mapping help.
Enterprise · Scale$10k+/yr
A dedicated support engineer and a custom SLA — 4-hour critical, 24-hour standard — plus custom plugin development.
Not a customer yet? See Enterprise plans or compare Pricing.
Command line
Quick command reference
Run nsauditor-ai help any time for the full reference. The commands you will use most:
# scan a network host or CIDR
nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
# full AWS audit, all 7 compliance frameworks
CLOUD_PROVIDER=aws AWS_PROFILE=default nsauditor-ai scan --host aws --plugins all --compliance all
# install / check your Pro or Enterprise license
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
nsauditor-ai license --status
nsauditor-ai license --capabilities
# set up the MCP auth key for Claude Desktop (run once per machine)
nsauditor-ai mcp install-key
Full command reference — nsauditor-ai help
nsauditor-ai — Modular AI-assisted network security audit platform
Usage:
nsauditor-ai [scan] --host <ip|cidr|hostname> [options]
nsauditor-ai [scan] --host-file <path> [options]
nsauditor-ai license <subcommand>
nsauditor-ai security <subcommand>
nsauditor-ai validate
nsauditor-ai version (or --version / -v)
nsauditor-ai help (or --help / -h)
Scan options:
--host, --ip, --target <h> Target host, IP, or CIDR
--host-file <path> File with one host per line
--env <path> Load a dotenv (KEY=value) file for this scan (per-account
credentials). Override-on; missing file = hard error.
--aws-profile <name> Use a named profile from the OS-default ~/.aws/credentials.
Implies CLOUD_PROVIDER=aws; overrides explicit AWS_* keys.
--aws-region <r> AWS region scope: one (us-east-1), CSV (us-east-1,eu-west-1),
or 'all' (every account-enabled region). Default: AWS_REGION
if set, else a single region with an incomplete-coverage notice.
--plugins <list|all> Plugins to run (e.g. 001,003,020 or "all"; default: all)
--ports <range> Override port list (e.g. 22,80,443 or 1-1000)
--out <dir> Output directory for scan artifacts
--parallel <n> Parallel host concurrency (default 1)
--fail-on <severity> Exit non-zero if any finding ≥ severity
--output-format <fmt> Additional report format: sarif | csv | md
--insecure-https Skip TLS validation on probed HTTPS targets
--watch CTEM continuous mode
--interval <minutes> Watch interval (default 60)
--webhook-url <url> Send delta alerts (must be public; private/loopback blocked)
--alert-severity <sev> Min severity to alert on (default: high)
--compliance <framework> Map findings to controls. 'all' = all 7 frameworks, or a CSV
of soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr (aliases
nist/pci/iso/cis). Unknown tokens fail fast. Enterprise only.
--compliance-scope <path> JSON file describing the assessment scope
License subcommands:
nsauditor-ai license install <KEY> Verify and persist a license key (Keychain
on macOS, ~/.nsauditor/.env on Linux/Windows
with mode 0600). Rejects invalid/expired keys.
nsauditor-ai license --status Show active tier, org, seats, expiry
nsauditor-ai license --capabilities List active capabilities for current tier
nsauditor-ai license --plugins List discovered plugins grouped by source
(CE / EE / custom) with active-or-required-tier
MCP server-auth subcommands (EE-SEC.1):
nsauditor-ai mcp install-key Generate a new MCP auth key, persist (Keychain
on macOS, ~/.nsauditor/.env elsewhere), print
Claude Desktop config snippet. Run ONCE per
machine; without this the MCP server refuses
to start (anti-spoofing for Pro/Enterprise tools).
nsauditor-ai mcp install-key <KEY> Persist a caller-supplied key (e.g., enterprise-
managed secret). Validates shape before storing.
nsauditor-ai mcp print-key --confirm Reveal the stored key (use with care)
nsauditor-ai mcp rotate-key Replace the stored key with a fresh one
nsauditor-ai mcp status Show storage source without revealing the key
nsauditor-ai mcp tier Print actual MCP server tier (ground truth — bypasses
Claude AI synthesis when "list_plugins" reports
unexpected CE despite verified Pro/Enterprise license)
Security subcommands (macOS Keychain):
nsauditor-ai security set <KEY> Store a secret (read from stdin)
nsauditor-ai security delete <KEY> Remove a secret
nsauditor-ai security list List stored secrets (masked)
nsauditor-ai security get <KEY> Echo a secret (avoid in shared shells)
Environment:
NSAUDITOR_LICENSE_KEY Pro/Enterprise license JWT (env var; takes precedence)
NSA_MCP_AUTH_KEY MCP server auth key — read by mcp_server at startup;
client supplies via Claude Desktop config env block
NSA_MCP_AUTH_DISABLE=1 Skip MCP auth check (CI/dev escape hatch — emits warn)
NSA_ALLOW_ALL_HOSTS=1 Permit RFC1918 / loopback (local-network auditing)
CLOUD_PROVIDER=aws|gcp|azure Required for cloud scanner plugins (020/021/022/023/030)
AI_PROVIDER=openai|claude|ollama AI provider for report generation
COMPLIANCE_TSA_URL RFC 3161 timestamp authority for SOC 2 attestation
Cloud-scan hosts:
--host aws[,gcp,azure] One or more cloud sentinel literals, comma-separated
(case-insensitive): use 'aws' for one cloud, or
'aws,gcp,azure' to audit all three in one run (each cloud
is scanned in turn). Do NOT write aws|gcp|azure with pipe
characters — your shell treats | as a pipe. Sentinels are
not DNS-resolved; they route the scan to the matching
cloud-scanner plugins via the provider's control-plane
API, and imply CLOUD_PROVIDER=<host> when unset. With
--plugins all the scan AUTO-SCOPES to only that cloud's
plugins (plugins not applicable to this host are skipped +
logged — other-cloud plugins run on their OWN --host pass,
non-cloud plugins need a network host) — so --plugins all
is safe here.
Note: the composite zero-trust checker (1023) has no
single cloud and is therefore skipped under this
auto-scope; to run it, select it explicitly
(--plugins 023,...) or scan a network host/CIDR.
Examples:
nsauditor-ai scan --host 10.0.0.1 --plugins all
CLOUD_PROVIDER=aws AWS_PROFILE=default \
nsauditor-ai scan --host aws --plugins all --compliance all # full AWS audit, all 7 frameworks
nsauditor-ai scan --host aws,gcp,azure --plugins all --compliance all # all 3 clouds in one run
nsauditor-ai scan --host 10.0.0.0/24 --plugins all --compliance soc2
nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs...
nsauditor-ai license --status
New here? Start with the Getting Started guide, then walk through a real sample scan.
Still stuck?
Email support@nsauditor.com — include your tier, OS, and the command or finding involved. Enterprise customers, mention your org so we can take it to your dedicated channel.
Email support →