Test Planning — nat ai plan
Quick use:

```shell
nat ai plan --spec openapi.yaml --output plan.json
```

What it does
nat ai plan sends your OpenAPI spec (or a crawled endpoint list) to the AI and gets back a prioritized test plan — a ranked list of endpoints and test scenarios ordered by the risk they pose to your application.
You can use this plan to:
- Focus your scan on the highest-risk endpoints first
- Share a structured testing roadmap with your team
- Feed the plan directly into `nat scan --plan` for targeted execution
How priority ranking works
Each endpoint is scored using three factors:
| Factor | What it measures |
|---|---|
| Severity | Known vulnerability classes for this endpoint type (e.g. BOLA risk on GET /{id}) |
| Business impact | Data sensitivity based on schema (PII, financial data, admin operations) |
| Attack surface | Path parameters, query parameters, auth requirements, write operations |
The final priority score is severity × business_impact × attack_surface, normalized to a 0–100 scale.
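To make the three-factor model concrete, here is an added example (not nat's own scoring code) that applies the severity × business_impact × attack_surface formula to a small constructed OpenAPI fragment. The factor weights, the sensitive-term list, and the choice to scale scores so the top endpoint is 100 are all assumptions made for illustration.

```python
import json

# Constructed OpenAPI fragment (not from the page): three operations that
# exercise the three factors differently.
SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {
            "parameters": [{"name": "id", "in": "path"}],
            "security": [{"bearer": []}]}},
        "/api/v1/payments": {"post": {
            "security": [{"bearer": []}],
            "requestBody": {"content": {"application/json": {"schema": {
                "properties": {"card_number": {}, "amount": {}}}}}}}},
        "/api/v1/products": {"get": {
            "parameters": [{"name": "q", "in": "query"}]}},
    }
}

WRITE_METHODS = {"post", "put", "patch", "delete"}
# Path/schema words treated as sensitive (PII, financial, admin); assumed list.
SENSITIVE = ("user", "email", "password", "card", "payment", "account", "admin", "token")

def severity(method, path, op):
    """1-5: vulnerability classes implied by the endpoint shape (assumed weights)."""
    s = 1
    if method == "get" and "{" in path:   # object-reference read -> BOLA/IDOR class
        s += 3
    if method in WRITE_METHODS:           # injection / business-logic class
        s += 2
    return min(s, 5)

def business_impact(path, op):
    """1-5: one point per distinct sensitive term found in the path or schema text."""
    text = (path + json.dumps(op)).lower()
    return min(1 + sum(1 for w in SENSITIVE if w in text), 5)

def attack_surface(method, op):
    """1-5: inputs and reachability (path/query params, write op, no auth requirement)."""
    params = op.get("parameters", [])
    a = 1 + sum(1 for p in params if p.get("in") in ("path", "query"))
    a += 1 if method in WRITE_METHODS else 0
    a += 1 if not op.get("security") else 0   # reachable without credentials
    return min(a, 5)

def score_spec(spec):
    """Rank operations by severity x impact x surface, scaled so the top item scores 100."""
    rows = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            f = (severity(method, path, op), business_impact(path, op), attack_surface(method, op))
            rows.append({"method": method.upper(), "path": path, "raw": f[0] * f[1] * f[2],
                         "factors": {"severity": f[0], "business_impact": f[1], "attack_surface": f[2]}})
    top = max(r["raw"] for r in rows)
    for r in rows:
        r["priority"] = round(100 * r.pop("raw") / top)
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    print(json.dumps({"endpoints": score_spec(SPEC)}, indent=2))
```

The `factors` field is kept in each row so a reviewer can see why an endpoint ranked where it did, which is the same role the `rationale` string plays in a real plan.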
Command options
| Flag | Description | Default |
|---|---|---|
| `--spec` | Path or URL to OpenAPI/Swagger spec | — |
| `--target` | API base URL (used if no spec is provided) | — |
| `--output` | Output file path | stdout |
| `--format` | Output format: `json`, `markdown`, `yaml` | `markdown` |
| `--focus` | Limit scope: `security`, `functional`, `both` | `both` |
Example output (with `--format json`)

```json
{
  "plan_id": "plan_20240115_001",
  "generated_at": "2024-01-15T10:30:00Z",
  "endpoints": [
    {
      "priority": 95,
      "method": "GET",
      "path": "/api/v1/users/{id}",
      "scenarios": ["BOLA", "IDOR", "Auth bypass"],
      "rationale": "Parameterized user endpoint — high BOLA risk due to sequential IDs and broad data exposure"
    },
    {
      "priority": 88,
      "method": "POST",
      "path": "/api/v1/payments",
      "scenarios": ["Input validation", "Injection", "Business logic"],
      "rationale": "Financial operation with complex input schema — injection and business logic bypass risk"
    },
    {
      "priority": 62,
      "method": "GET",
      "path": "/api/v1/products",
      "scenarios": ["Rate limiting", "Data exposure"],
      "rationale": "Public listing endpoint — low auth risk but potential for scraping and PII leakage"
    }
  ]
}
```

Integrating with CI/CD
Generate a plan in your pipeline, then run a targeted scan against it:

```yaml
# .github/workflows/nat.yaml
- name: Generate AI test plan
  run: nat ai plan --spec openapi.yaml --output plan.json --format json
- name: Run targeted scan
  run: nat scan --plan plan.json --base-url ${{ secrets.API_BASE_URL }}
```

Cache the plan file between runs and use `--diff last` on `nat ai explain` to focus attention on newly introduced risk rather than re-reading the same findings every sprint.