Welcome to NAT
NAT (Neuro Agent Testing) is an AI-powered testing platform for API security and functional testing. It autonomously discovers vulnerabilities in your REST and GraphQL APIs, runs browser-based functional tests, catches visual regressions, scans for accessibility violations, and measures Core Web Vitals — all powered by intelligent agents that adapt to your application's behavior in real time.
New: AI Assistant (nat ai plan, nat ai explain, dashboard chat), compliance badges & reports, nat init zero-config onboarding, live scan progress (--watch), scan comparison (--diff), PR comments, SARIF auto-upload, and more.
What is NAT?
NAT combines multi-agent AI with deep API and browser understanding to deliver testing that is:
- Autonomous — NAT runs scans end-to-end without manual configuration for each endpoint
- Intelligent — Adaptive agents prioritize high-risk endpoints and re-test based on new findings
- Comprehensive — Covers OWASP API Top 10, auth flaws, injection attacks, business logic issues, and more
- Functional — Visual regression, accessibility scanning, and Core Web Vitals testing with browser-based agents
- Integrable — Works inside CI/CD pipelines and on-demand via the SaaS dashboard or REST API
Two onboarding paths
☁️ Path 1 — SaaS API (recommended for new users)
No installation required. Sign up, get an API key, and make HTTP requests.
Sign up for free
Go to app.nat-testing.io/signup — no credit card required.
Get your API key
Open Dashboard → Settings → API Keys and generate a key (nat_pk_...).
Start your first scan
```
curl -X POST https://api.nat-testing.io/api/v1/scan \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://api.example.com"}'
```
→ Full step-by-step guide with Python/JS/curl snippets: API Quickstart
💻 Path 2 — CLI / Self-Hosted
Install the CLI, authenticate, and run scans from your terminal or inside CI/CD.
Install
```
pip install nat-engine
```
Initialize
```
nat init # Auto-detects framework, generates .natrc
```
Authenticate
```
nat auth --key <your-api-key>
```
Scan
```
nat scan --url https://api.example.com --watch
```
→ Full step-by-step guide: CLI Quickstart
Want to explore NAT without connecting a real API? Run nat demo after installation for a fully sandboxed walkthrough against a built-in example API.
What's New
| Version | Highlights |
|---|---|
| v1.6 | 🧠 AI Assistant — nat ai plan, nat ai explain, dashboard chat, proactive insights |
| v1.5.2 | 📋 Compliance badges, BGSTM audit trail, framework compliance reports |
| v1.5.1 | 💻 SARIF auto-upload, PR comments, quality gates, nat init zero-config |
| v1.5 | 🔍 nat scan --watch, nat scan --diff, nat status, nat badge |
Key capabilities
| Capability | Description |
|---|---|
| AI Assistant | Ask NAT anything — test planning, scan interpretation, config advice, compliance reports. CLI (nat ai), dashboard chat, and API. |
| Compliance & Badges | OWASP, PCI-DSS, HIPAA, SOC 2 compliance reports with embeddable status badges. BGSTM audit trail export. |
| Zero-Config Onboarding | nat init detects your framework and OpenAPI spec, generates .natrc automatically. --ci flag for CI-optimized config. |
| Live Scan Progress | nat scan --watch shows real-time progress with inline findings. nat scan --diff compares against previous scans. |
| PR Comments & SARIF | Automatic PR comments with scan summaries and SARIF upload to GitHub Code Scanning via nat-action. |
| Dashboard | Cloud-hosted UI for launching scans, viewing results, and managing API keys |
| REST API Testing | Full OWASP API Top 10 coverage with intelligent fuzzing |
| GraphQL Testing | Schema introspection, query injection, auth bypass detection |
| Functional Testing | Browser-based test execution with DOM snapshots, screenshots, and interaction traces |
| Visual Regression | Pixel-diff analysis against stored baselines with configurable thresholds |
| Accessibility Scanning | WCAG 2.1 compliance checks — missing alt text, form labels, heading order, and more |
| Performance Testing | Core Web Vitals measurement — LCP, FCP, TTI, CLS, TBT with Google threshold grading |
| Worker Pools | Parallel distributed test execution — launch N workers, dispatch jobs via queue, scale horizontally with nat worker launch |
| Multi-Protocol | gRPC, WebSocket, and Kafka support in addition to REST and GraphQL — see gRPC Scanning Guide |
| Confidence Calibration | Per-finding confidence scores with calibration tuning to reduce false positives |
| RBAC & Multi-Tenant | Role-based access control, SSO (OIDC/SAML), and multi-tenant isolation for enterprise deployments |
| Integrations | Import from 7 source formats (OpenAPI, Postman, GraphQL, HAR, Gherkin, cURL, BGSTM) and export findings to 11 trackers (Jira, Linear, GitHub, GitLab, Azure DevOps, Shortcut, PagerDuty, ServiceNow, Webhook, Sentry, Bugzilla) |
| CI/CD Integration | Native GitHub Actions support, zero-config pipeline mode, Allure/CTRF export, PR annotations, and quality gates |
| Demo Mode | Safe, risk-free exploration of all features against a built-in target API |
| Self-Hosted | Deploy on your own infrastructure — no data leaves your network |
How it works
NAT follows the BGSTM 6-phase framework — from AI-driven planning through compliance reporting:
- Plan — AI analyzes your OpenAPI spec and prioritizes endpoints by risk (nat ai plan)
- Generate — Autonomous agents create intelligent test cases covering OWASP, auth, injection, and business logic (nat ai generate-tests)
- Prepare — Configure authentication, environment variables, and execution parameters
- Execute — Run tests with live progress, parallel workers, and adaptive retry (nat scan --watch)
- Analyze — AI interprets findings with severity ratings, confidence scores, and fix guidance (nat ai explain)
- Report — Generate compliance reports, SARIF output, PR comments, and embeddable badges
Need help? See Troubleshooting, the FAQ, or learn about Functional Testing.