npm - nsauditor-ai-agent-skill - Versions diffs - 0.1.10 - Mend

nsauditor-ai-agent-skill 0.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/LICENSE +21 -0
package/README.md +123 -0
package/SKILL.md +401 -0
package/examples/agent-interactions.md +248 -0
package/package.json +57 -0
package/references/plugins.md +205 -0
package/references/schemas.md +366 -0
package/references/workflows.md +301 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2024-present Nsasoft US LLC
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,123 @@
+# NSAuditor AI Agent Skill
+**Give any AI coding agent instant fluency with NSAuditor AI.**
+[![npm](https://img.shields.io/npm/v/nsauditor-ai-agent-skill.svg)](https://www.npmjs.com/package/nsauditor-ai-agent-skill)
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+An installable knowledge package that teaches AI coding agents how to use NSAuditor AI's MCP tools, understand its data schemas, and orchestrate multi-step security audit workflows — without requiring manual context every conversation.
+Works with **Claude Code**, **Claude Desktop**, **Cursor**, **Windsurf**, **VS Code Copilot**, and any MCP-aware agent.
+## What's Inside
+```
+nsauditor-ai-agent-skill/
+├── SKILL.md                          # Main entrypoint — triggers, tools, schemas, constraints
+├── references/
+│   ├── workflows.md                  # Multi-step workflow recipes (full audit, CI/CD, CTEM)
+│   ├── schemas.md                    # Complete data structures (scan results, CVEs, findings)
+│   └── plugins.md                    # Full plugin catalog (30+ scanners with ports & protocols)
+├── examples/
+│   └── agent-interactions.md         # Example agent reasoning chains (9 scenarios)
+├── package.json
+├── README.md
+└── LICENSE
+```
+## Quick Start
+### Claude Code
+```bash
+# Option 1: Install globally and copy
+npm install -g nsauditor-ai-agent-skill
+cp -r $(npm root -g)/nsauditor-ai-agent-skill ~/.claude/skills/nsauditor-ai
+# Option 2: Copy into your project
+cp -r nsauditor-ai-agent-skill .claude/skills/nsauditor-ai
+```
+Claude Code auto-discovers skills in `.claude/skills/`.
+### Claude Desktop
+Upload `SKILL.md` as project knowledge in your Claude Desktop project settings.
+### Cursor
+Copy the skill directory into `.cursor/skills/` or add `SKILL.md` content to your project rules.
+### Windsurf
+Copy to your project's context directory, or paste `SKILL.md` into project rules.
+### VS Code Copilot
+Add `SKILL.md` to `.github/copilot-instructions.md` or your workspace's Copilot context.
+### Generic / Custom Agents
+```bash
+npm install nsauditor-ai-agent-skill
+# Copy into wherever your agent loads skills/context from
+cp -r node_modules/nsauditor-ai-agent-skill /path/to/agent/skills/nsauditor-ai
+```
+## What the Agent Learns
+When an AI agent loads this skill, it gains:
+| Capability | Description |
+|------------|-------------|
+| **Tool signatures** | Exact MCP tool names, parameters, return types, and usage guidance |
+| **Workflow patterns** | Multi-step chains: scan → CVE lookup → remediation report |
+| **Schema knowledge** | Complete data structures for parsing and presenting results |
+| **CPE construction** | How to map detected services to NVD vulnerability lookups |
+| **Plugin awareness** | 30+ scanner plugins with protocols, ports, and capabilities |
+| **Security rules** | ZDE, SSRF protection, redaction, scan authorization requirements |
+| **Error handling** | License gates, SSRF blocks, timeout resolution, CPE format errors |
+| **Decision routing** | When to use scan_host vs probe_service vs CLI vs get_vulnerabilities |
+## Prerequisites
+This package provides **knowledge about** NSAuditor AI. To actually **run** scans:
+1. **Install NSAuditor AI:** `npm install -g nsauditor-ai`
+2. **Start MCP server:** `nsauditor-ai-mcp` (or configure in your agent's MCP settings)
+3. **Add MCP to your agent:**
+   ```bash
+   # Claude Code
+   claude mcp add nsauditor-ai -- npx nsauditor-ai-mcp
+   # Claude Desktop (claude_desktop_config.json)
+   {
+     "mcpServers": {
+       "nsauditor-ai": {
+         "command": "npx",
+         "args": ["-y", "nsauditor-ai-mcp"],
+         "env": { "NSA_ALLOW_ALL_HOSTS": "1" }
+       }
+     }
+   }
+   ```
+## Editions
+| Edition | Price | Highlights |
+|---------|-------|-----------|
+| **Community** | Free / MIT | 27 plugins, basic AI, SARIF, CTEM, scan history |
+| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, Pro plugins |
+| **Enterprise** | $2k+/yr | + Cloud scanners, Zero Trust, compliance, air-gapped |
+→ [Pricing](https://www.nsauditor.com/ai/pricing) · [Free trial](https://www.nsauditor.com/ai/trial)
+## Related
+- **[nsauditor-ai](https://github.com/nsasoft/nsauditor-ai)** — The scanner (Community Edition, MIT)
+- **[@nsasoft/nsauditor-ai-ee](https://www.nsauditor.com/ai/pricing)** — Pro/Enterprise features
+- **[NSAuditor AI Docs](https://www.nsauditor.com/ai/)** — Full documentation
+## License
+MIT — © 2024-present Nsasoft US LLC

package/SKILL.md ADDED Viewed

@@ -0,0 +1,401 @@
+---
+name: nsauditor-ai
+description: >
+  Use this skill whenever the user wants to perform network security scanning, auditing,
+  vulnerability assessment, or host reconnaissance using NSAuditor AI. Triggers include:
+  any mention of 'scan', 'audit', 'vulnerability', 'CVE', 'network security', 'port scan',
+  'service detection', 'OS fingerprinting', 'security assessment', 'penetration test',
+  'probe', 'MITRE ATT&CK', 'CPE', 'NVD', 'TLS audit', 'cipher check', 'banner grab',
+  'SNMP', 'NetBIOS', 'SMB', 'DNS security', 'DKIM', 'SPF', 'DMARC', 'DNSSEC',
+  'certificate audit', 'SARIF', 'CTEM', 'continuous monitoring', 'host discovery',
+  'mDNS', 'UPnP', 'SSDP', 'ARP scan', 'subnet scan', or references to NSAuditor,
+  nsauditor-ai, or the nsauditor MCP server. Also triggers when the user asks to check
+  if a host is up, enumerate services, detect TLS versions, find open ports, look up
+  CVEs for a software version, audit DNS records, check certificate expiry, or perform
+  continuous security monitoring. Use this skill even if the user doesn't explicitly say
+  "NSAuditor" — if they want network security scanning and the nsauditor-ai MCP tools
+  are available, this is the skill to use. Do NOT use for general coding tasks, web
+  development, or non-security topics.
+---
+# NSAuditor AI — Agent Skill
+> **Version:** 0.1.10 · **Source:** [github.com/nsasoft/nsauditor-ai](https://github.com/nsasoft/nsauditor-ai) · **npm:** `nsauditor-ai` · **License:** MIT (CE)
+NSAuditor AI is a modular, AI-assisted network security audit platform with 27+ scanner
+plugins, CVE matching, MITRE ATT&CK mapping, and Zero Data Exfiltration by design. This
+skill teaches you how to operate it via MCP tools and CLI.
+---
+## MCP Tools Reference
+NSAuditor AI exposes tools via Model Context Protocol (stdio transport). Available tools
+depend on the license tier (Community / Pro / Enterprise).
+### Community Edition Tools (always available)
+#### `scan_host`
+Run a full plugin scan against a target host. Executes ALL enabled plugins in priority
+order (discovery → service probes → OS detection → result fusion).
+| Parameter | Type | Required | Default | Description |
+|-----------|------|----------|---------|-------------|
+| `host` | string | ✅ | — | Target hostname or IP address |
+| `timeout` | number | ❌ | 30000 | Per-plugin timeout in ms |
+**Returns:** `{ summary, host, services[], findings[] }` — see `references/schemas.md`
+**Example:**
+```json
+{ "host": "192.168.1.1", "timeout": 10000 }
+```
+**Important:**
+- For RFC 1918 / private IPs, the MCP server must have `NSA_ALLOW_ALL_HOSTS=1` set.
+- The server blocks loopback (127.x, ::1), link-local (169.254.x, fe80:), and cloud
+  metadata endpoints (169.254.169.254) — this is SSRF protection, not a bug.
+- Plugins with unmet requirements auto-skip (e.g., SSH scanner skips if port 22 is closed).
+---
+#### `list_plugins`
+List all available scanner plugins with metadata.
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| *(none)* | — | — | — |
+**Returns:** Array of `{ id, name, description, priority, protocols[], ports[], requirements }`
+**When to use:** Before a scan to understand available plugins, or to help the user select
+specific plugins for a targeted probe.
+---
+#### `probe_service` *(Pro license required)*
+Run a single plugin against a specific host:port for deep-dive investigation.
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `host` | string | ✅ | Target hostname or IP |
+| `pluginName` | string | ✅ | Plugin name or numeric ID (e.g. `"ssh_scanner"` or `"002"`) |
+| `port` | number | ✅ | Target port number |
+**Returns:** Raw plugin output with full evidence for that specific service.
+**Common plugin IDs:**
+| ID | Name | Best For |
+|----|------|----------|
+| 002 | SSH Scanner | Banner, version, weak algorithms/ciphers |
+| 004 | FTP Banner | FTP daemon identification, anonymous login |
+| 006 | HTTP Probe | Server headers, tokens, vendor hints |
+| 007 | SNMP Scanner | Device info via sysDescr, hardware/firmware |
+| 009 | DNS Scanner | DNS server version (CHAOS query) |
+| 010 | Webapp Detector | Technology stack fingerprinting (Wappalyzer) |
+| 011 | TLS Scanner | TLS versions, cipher suites, deprecation |
+| 014 | NetBIOS Scanner | SMB/NetBIOS enumeration, null sessions |
+| 040 | TLS Cert & Cipher Auditor | Certificate chain, expiry, weak ciphers *(Pro)* |
+| 050 | TRIBE v2 Probe | Debug leaks, stack traces, CORS misconfig *(Pro)* |
+| 060 | DNS Security Auditor | SPF/DKIM/DMARC, DNSSEC, zone transfer *(Pro)* |
+---
+#### `get_vulnerabilities` *(Pro license required)*
+Look up known CVEs for a CPE string via the NVD 2.0 API.
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `cpe` | string | ✅ | CPE 2.3 format (see CPE guide below) |
+| `maxResults` | number | ❌ | Max CVE results to return |
+**Returns:** `{ cpe, totalResults, vulnerabilities[] }` — each CVE includes ID, description,
+CVSS v3.1 score, severity, vector string, publication date.
+**CPE Construction Guide:**
+Format: `cpe:2.3:a:<vendor>:<product>:<version>:*:*:*:*:*:*:*`
+| Detected Program | Detected Version | CPE String |
+|------------------|------------------|------------|
+| OpenSSH | 8.9p1 | `cpe:2.3:a:openbsd:openssh:8.9p1:*:*:*:*:*:*:*` |
+| Apache httpd | 2.4.54 | `cpe:2.3:a:apache:http_server:2.4.54:*:*:*:*:*:*:*` |
+| nginx | 1.24.0 | `cpe:2.3:a:f5:nginx:1.24.0:*:*:*:*:*:*:*` |
+| OpenSSL | 3.0.8 | `cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*` |
+| ISC BIND | 9.18.12 | `cpe:2.3:a:isc:bind:9.18.12:*:*:*:*:*:*:*` |
+| vsftpd | 3.0.5 | `cpe:2.3:a:beasts:vsftpd:3.0.5:*:*:*:*:*:*:*` |
+| Samba | 4.17.5 | `cpe:2.3:a:samba:samba:4.17.5:*:*:*:*:*:*:*` |
+| Log4j | 2.14.1 | `cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*` |
+| MySQL | 8.0.32 | `cpe:2.3:a:oracle:mysql:8.0.32:*:*:*:*:*:*:*` |
+| PostgreSQL | 15.2 | `cpe:2.3:a:postgresql:postgresql:15.2:*:*:*:*:*:*:*` |
+**Tip:** If vendor is ambiguous, search NVD with just the product name first.
+---
+### Pro/Enterprise Tools (license gated)
+These tools return a license upgrade prompt on CE installations:
+| Tool | Tier | Purpose |
+|------|------|---------|
+| `risk_summary` | Pro | Prioritized risk overview with severity breakdown |
+| `scan_compare` | Pro | Diff two scan results with risk-weighted delta analysis |
+| `save_finding` | Pro | Persist a validated finding to the finding queue |
+| `start_assessment` | Enterprise | Multi-host orchestrated security assessment |
+| `prioritize_risks` | Enterprise | Cross-host risk prioritization and ranking |
+| `compliance_check` | Enterprise | NIST/HIPAA/GDPR/PCI-DSS gap analysis |
+| `export_report` | Enterprise | Formatted compliance/risk report (PDF, HTML) |
+---
+## Five-Phase Pipeline Architecture
+NSAuditor AI follows an institutional five-phase pipeline:
+```
+Phase 1: DISCOVERY (CE)        License → Plugin loading → PluginManager.run() → Concluder
+                                Output: Fused scan with summary, OS, services[], evidence[]
+                                        ↓
+Phase 2: BASIC ANALYSIS (CE)   Redaction → MITRE mapping → AI analysis (any provider)
+                                Output: Admin raw JSON/HTML + AI reports + scan history
+                                        ↓
+                                   [ License Gate: Pro required ]
+                                        ↓
+Phase 3: INTELLIGENCE (Pro)    CPE generation → NVD CVE lookup → Parallel verification agents:
+                                  • Auth Agent (weak auth, default credentials)
+                                  • Crypto Agent (TLS, ciphers, certificates)
+                                  • Config Agent (misconfigs, debug exposure, CORS)
+                                  • Service Agent (CVE-specific targeted probes)
+                                Output: Structured finding queue
+                                        ↓
+Phase 4: VERIFICATION (Pro)    For each finding: run SAFE non-destructive verification probe
+                                Classify: VERIFIED | POTENTIAL | FALSE_POSITIVE
+                                Output: Verified finding queue with evidence
+                                        ↓
+Phase 5: SCORING (Pro/Ent)     Risk scoring → Pro AI prompts → Compliance mapping
+                                Output: Risk report + compliance report + PDF
+```
+---
+## Plugin Reference (27+ Scanners)
+See `references/plugins.md` for the complete catalog. Summary:
+**Core (17):** Ping, SSH, Port Scanner, FTP, Host Up, HTTP Probe, SNMP, Result Concluder,
+DNS, Webapp Detector, TLS, OpenSearch, OS Detector, NetBIOS/SMB, SUN RPC, WS-Discovery,
+TCP SYN (Nmap wrapper)
+**Discovery (6):** ARP, mDNS/Bonjour, UPnP/SSDP, DNS-SD, LLMNR, DB Scanner
+**Pro (3):** TLS Certificate & Cipher Auditor, TRIBE v2 Probe, DNS Security Auditor
+**Enterprise (4):** AWS Cloud, GCP Cloud, Azure Cloud, Zero Trust Checker
+Execution order: Discovery (100–150) → Service probes (200–400) → OS Detector (99000) →
+Result Concluder (100000). Plugins with unmet requirements auto-skip.
+---
+## Workflow Recipes
+See `references/workflows.md` for detailed multi-step patterns:
+1. **Full Security Audit** — list_plugins → scan_host → get_vulnerabilities per service
+2. **Targeted Service Investigation** — probe_service(pluginId) → get_vulnerabilities
+3. **Subnet Discovery** — CLI: `nsauditor-ai scan --host <CIDR> --parallel 10`
+4. **CI/CD Pipeline** — SARIF output with `--fail-on` severity gating
+5. **Continuous Monitoring (CTEM)** — `--watch --interval <min> --webhook-url <url>`
+6. **AI-Powered Report** — Scan with AI provider (OpenAI/Claude/Ollama) + redaction
+### Decision Tree: Which Tool to Use
+```
+User wants to...
+├── Scan a host comprehensively         → scan_host
+├── Check a specific service/port       → probe_service (Pro)
+├── Look up CVEs for software version   → get_vulnerabilities (Pro)
+├── See available plugins               → list_plugins
+├── Audit TLS certificates              → probe_service with plugin 040 (Pro)
+├── Check DNS security (SPF/DKIM/DMARC) → probe_service with plugin 060 (Pro)
+├── Detect debug leaks / CORS issues    → probe_service with plugin 050 (Pro)
+├── Scan a subnet                       → CLI with --parallel (not MCP)
+├── Set up continuous monitoring         → CLI with --watch (not MCP)
+├── Compare two scans                   → scan_compare (Pro)
+└── Generate compliance report          → compliance_check + export_report (Enterprise)
+```
+---
+## Data Schemas
+See `references/schemas.md` for complete structures:
+- **Scan Result** — `{ summary, host{os,mac,vendor,names}, services[], findings[] }`
+- **ServiceRecord** — `{ port, protocol, service, program, version, status, banner, evidence[] }`
+- **Finding** — `{ id, category, severity, title, evidence, remediation, cwe, mitre_attack[] }`
+- **CVE Response** — `{ cpe, totalResults, vulnerabilities[]{cve_id, cvss, severity} }`
+- **Plugin Interface** — `{ id, name, priority, run(), conclude(), requirements }`
+- **SARIF Output** — 2.1.0 format for CI/CD consumers
+---
+## Security Constraints
+**CRITICAL — Always observe these constraints:**
+1. **Zero Data Exfiltration (ZDE):** NSAuditor AI NEVER sends scan data externally unless
+   the user explicitly opts in to AI analysis with their own API keys. Nsasoft infrastructure
+   never sees scan data. Never suggest workflows that violate this boundary.
+2. **SSRF Protection:** The MCP server blocks loopback (127.x, ::1), link-local (169.254.x,
+   fe80:), and cloud metadata endpoints. Set `NSA_ALLOW_ALL_HOSTS=1` **only** for legitimate
+   local network auditing. DNS rebinding is also blocked via pre-resolution.
+3. **AI Redaction:** When AI analysis is enabled, the redaction pipeline scrubs:
+   - Private IPv4 addresses → `[REDACTED]`
+   - MAC addresses → `[MAC]`
+   - Serial numbers → `[REDACTED_HIDDEN]`
+   - Email addresses → `[REDACTED_EMAIL]`
+   - Bearer tokens → `[REDACTED_BEARER]`
+   - AWS keys → `[REDACTED_AWS_KEY]`
+   - Configurable via `CONFIDENTIAL_KEYWORDS` env var
+4. **Scan Authorization:** ALWAYS confirm the user has authorization to scan the target.
+   Never scan hosts without explicit user instruction. Unauthorized scanning is illegal.
+5. **Non-Destructive:** All verification probes are safe read-only queries. NSAuditor AI
+   never exploits vulnerabilities or modifies target systems.
+---
+## Configuration
+### Environment Variables
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `NSA_ALLOW_ALL_HOSTS` | unset | Set to `1` to scan RFC 1918 private ranges |
+| `PLUGIN_TIMEOUT_MS` | 30000 | Global per-plugin timeout |
+| `AI_ENABLED` | false | Enable AI analysis |
+| `AI_PROVIDER` | openai | `openai` · `claude` · `ollama` |
+| `OPENAI_API_KEY` | — | OpenAI API key (or `keychain:OPENAI_API_KEY`) |
+| `ANTHROPIC_API_KEY` | — | Claude/Anthropic API key |
+| `OPENAI_MODEL` | gpt-4o-mini | OpenAI model name |
+| `ANTHROPIC_MODEL` | claude-sonnet-4-20250514 | Anthropic model name |
+| `OPENAI_REDACT` | true | Redact PII before AI submission |
+| `CONFIDENTIAL_KEYWORDS` | serial,password,token,secret | Comma-separated keys to scrub |
+| `NSAUDITOR_LICENSE_KEY` | — | Pro/Enterprise JWT license key |
+| `SCAN_OUT_PATH` | out/ | Output directory for scan results |
+| `SMB_NULL_SESSION` | false | Allow SMB null session probe |
+| `ENABLE_SYN_SCAN` | false | Enable Nmap TCP SYN scanning (requires root) |
+### Plugin-Specific Timeouts
+| Variable | Default | Plugin |
+|----------|---------|--------|
+| `TLS_SCANNER_TIMEOUT_MS` | 8000 | TLS Scanner |
+| `HTTP_PROBE_TIMEOUT_MS` | 6000 | HTTP Probe |
+| `WEBAPP_DETECTOR_TIMEOUT_MS` | 6000 | Webapp Detector |
+| `DNS_TIMEOUT_MS` | 800 | DNS Scanner |
+| `OPENSEARCH_SCANNER_TIMEOUT_MS` | 6000 | OpenSearch Scanner |
+---
+## Installation & Setup
+```bash
+# Install globally
+npm install -g nsauditor-ai
+# Start MCP server (stdio transport)
+nsauditor-ai-mcp
+# Or via npx (no global install)
+npx nsauditor-ai-mcp
+```
+### Agent Integration
+**Claude Code:**
+```bash
+claude mcp add nsauditor-ai -- npx nsauditor-ai-mcp
+```
+**Claude Desktop** (`claude_desktop_config.json`):
+```json
+{
+  "mcpServers": {
+    "nsauditor-ai": {
+      "command": "npx",
+      "args": ["-y", "nsauditor-ai-mcp"],
+      "env": {
+        "NSA_ALLOW_ALL_HOSTS": "1",
+        "PLUGIN_TIMEOUT_MS": "5000"
+      }
+    }
+  }
+}
+```
+**Cursor / Windsurf / VS Code:**
+Add to your MCP configuration with the same command/args pattern.
+---
+## Editions & Licensing
+| Edition | Price | Key Features |
+|---------|-------|-------------|
+| **Community** | Free / MIT | 27 plugins, basic AI, CTEM, SARIF, scan history |
+| **Pro** | $49/mo | + CVE matching, verification probes, risk scoring, Pro plugins (040/050/060) |
+| **Enterprise** | $2k+/yr | + Cloud scanners, Zero Trust, compliance, air-gapped deployment |
+→ [Pricing](https://www.nsauditor.com/ai/pricing) · [Free trial](https://www.nsauditor.com/ai/trial)
+---
+## Error Handling
+| Error | Cause | Resolution |
+|-------|-------|-----------|
+| SSRF block | Target is loopback/metadata/private | Set `NSA_ALLOW_ALL_HOSTS=1` for local scanning |
+| License gate (`🔒`) | Pro/Enterprise tool on CE | Upgrade license or use CE alternative |
+| Plugin timeout | Network unreachable / slow target | Increase `timeout` param or `PLUGIN_TIMEOUT_MS` |
+| No DNS banner | Provider blocks CHAOS/TXT queries | Expected; not all DNS servers expose version |
+| CPE format error | Malformed CPE string | Use `cpe:2.3:a:vendor:product:version:*:*:*:*:*:*:*` |
+| No services found | Host down or heavily firewalled | Try `NSA_VERBOSE=true` to debug; check connectivity |
+| AI analysis failed | Bad API key or provider down | Check `AI_PROVIDER` and API key env vars |
+---
+## MITRE ATT&CK Mapping
+Findings are auto-tagged with MITRE techniques:
+| Finding Type | Technique | ID |
+|-------------|-----------|-----|
+| SSH vulnerability | Remote Services: SSH | T1021.004 |
+| SMB vulnerability | Remote Services: SMB | T1021.002 |
+| FTP anonymous login | Valid Accounts | T1078 |
+| DNS zone transfer | Gather Victim Network Info | T1590.002 |
+| SNMP default community | Network Sniffing | T1040 |
+| TLS weakness | Adversary-in-the-Middle | T1557 |
+| Debug/stack trace exposure | Gather Victim Host Info | T1592 |
+| Weak authentication | Brute Force | T1110 |
+---
+## Output Formats
+| File | Format | Purpose |
+|------|--------|---------|
+| `scan_conclusion_raw.json` | JSON | Full unredacted scan data (admin) |
+| `scan_conclusion_raw.html` | HTML | Admin dashboard with filters |
+| `scan_response_ai_payload.json` | JSON | Redacted payload sent to AI |
+| `scan_response_ai.html` | HTML | Styled report with CVE links, severity badges |
+| `scan_response_ai.txt` | Markdown | AI vulnerability assessment (text) |
+| SARIF | JSON | CI/CD integration (GitHub Advanced Security, Azure DevOps) |
+| CSV | CSV | Tabular export of findings |
+| JSONL | JSONL | Scan history for CTEM delta analysis |