Config Advisor — nat ai configure
Quick use:
nat ai configure
What it does
nat ai configure reads your existing .natrc file (or creates one if you don't have it yet) and starts an interactive session where the AI:
- Identifies missing required settings for your use case
- Suggests security hardening options you haven't enabled
- Recommends performance tuning based on your scan history
- Explains what each setting does and why it matters
You answer questions, NAT updates your config in real time, and you end up with a .natrc that's optimized for your environment.
Example interactive session
$ nat ai configure
🧠 NAT Config Advisor — analyzing .natrc...
Found .natrc at ~/.natrc
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ Issues found (3)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. No authentication configured
Your scans run without auth, which means any authenticated endpoints
will not be tested. Do you have an API token? [y/N]: y
→ What type? (bearer/apikey/oauth2): bearer
→ Token or env var name: NAT_API_TOKEN
✅ Added: auth.type = bearer, auth.token = ${NAT_API_TOKEN}
2. Concurrency is set to 1 (very slow)
With concurrency=1, a 200-endpoint scan takes ~40 minutes.
Increase to 10 for standard APIs, 5 for rate-limited APIs.
→ Set concurrency to [10]: 10
✅ Updated: scan.concurrency = 10
3. No export destination configured
Findings are only written to local HTML. Add a GitHub Issues or
Jira exporter to track findings automatically.
→ Add an exporter? [y/N]: N
→ Skipped. Run `nat ai configure --focus exporters` later.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Config updated. 2 issues resolved, 1 skipped.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Run `nat doctor` to validate the updated config.
What the advisor checks
| Category | What it looks for |
|---|---|
| Authentication | Missing auth config, insecure credential storage |
| Performance | Low concurrency, excessive timeouts, disabled parallel scanning |
| Coverage | Missing spec, no crawl depth set, no auth bypass tests |
| Security hygiene | API keys in plain text, missing rate limit settings |
| Exporters | No export destination, missing deduplication config |
| AI settings | Provider not configured, missing API key, low quota plan |
Run nat ai configure --focus security to focus the session on security-specific settings only, skipping performance and exporter recommendations.
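The authentication and security-hygiene checks in the table can be approximated offline. The sketch below is an added example, not NAT's own code. It assumes settings written as flat `key = value` lines using the dotted names the session prints (`auth.type`, `auth.token`, `scan.concurrency`); the real .natrc syntax is not shown on this page, and the function names are hypothetical.

```python
import os
import re

ENV_REF = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
SECRET_KEY = re.compile(r"(token|secret|password|api_?key)$", re.IGNORECASE)

def parse_settings(text):
    """Parse 'dotted.key = value' lines (assumed format) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text, env=None):
    """Return (key, finding) pairs; secret values are never echoed."""
    env = os.environ if env is None else env
    settings = parse_settings(text)
    findings = []
    if "auth.type" not in settings:
        findings.append(("auth.type", "no authentication configured"))
    for key, value in settings.items():
        if not SECRET_KEY.search(key):
            continue
        ref = ENV_REF.match(value)
        if ref is None:
            # Literal value in the file instead of a ${VAR} reference.
            findings.append((key, "credential stored in plain text"))
        elif ref.group(1) not in env:
            findings.append((key, "env var %s is not set" % ref.group(1)))
    if settings.get("scan.concurrency") == "1":
        findings.append(("scan.concurrency", "concurrency is 1"))
    return findings

# Constructed samples, not real configs or real credentials.
WEAK = """
auth.type = bearer
auth.token = constructed-sample-token-value
scan.concurrency = 1
"""
HARDENED = """
auth.type = bearer
auth.token = ${NAT_API_TOKEN}
scan.concurrency = 10
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample, env={"NAT_API_TOKEN": "x"}))
```

The third finding type covers a case the session does not show: a `${NAT_API_TOKEN}` reference is only as good as the environment it runs in, so an unset variable is reported separately from a plain-text credential.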