Supported Compliance Frameworks
NAT maps scan findings to 4 major security frameworks. Each framework section below shows exactly which requirements NAT covers, which checks are automated, and where manual review is still needed.
OWASP API Security Top 10 (2023)
What it covers: The 10 most critical API security risks, published by OWASP and updated in 2023.
| Category | Name | NAT check | Auto-detected |
|---|---|---|---|
| API1:2023 | Broken Object Level Authorization | BOLA detection via sequential/guessable ID enumeration | ✅ Yes |
| API2:2023 | Broken Authentication | Token expiry, refresh rotation, brute-force protection | ✅ Yes |
| API3:2023 | Broken Object Property Level Authorization | Mass assignment and over-exposure of object properties | ✅ Yes |
| API4:2023 | Unrestricted Resource Consumption | Rate limiting and quota enforcement checks | ✅ Yes |
| API5:2023 | Broken Function Level Authorization | Privilege escalation via endpoint enumeration | ✅ Yes |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | Business logic abuse (e.g., coupon stacking, account takeover flows) | ✅ Yes |
| API7:2023 | Server-Side Request Forgery | SSRF payload injection on URL parameters | ✅ Yes |
| API8:2023 | Security Misconfiguration | TLS, CORS, verbose errors, default credentials | ⚠️ Partial |
| API9:2023 | Improper Inventory Management | Shadow endpoint discovery via fuzzing and spec diffing | ✅ Yes |
| API10:2023 | Unsafe Consumption of APIs | Third-party API trust and input validation | ✅ Yes |
Coverage: 9/10 categories fully automated. API8 (Security Misconfiguration) is partial — NAT checks TLS and CORS automatically but server-level configuration (e.g., firewall rules, OS hardening) requires manual review.
PCI-DSS v4.0
What it covers: The Payment Card Industry Data Security Standard — security requirements for any system that stores, processes, or transmits cardholder data.
NAT covers API-layer security requirements. Network and physical security requirements are out of scope.
| Requirement | Description | NAT check |
|---|---|---|
| 6.2 | Bespoke and custom software are developed securely | Injection, auth, and data exposure checks on all endpoints |
| 6.3 | Security vulnerabilities are identified and addressed | Automated vulnerability scanning with severity classification |
| 6.5 | Changes to all system components are managed securely | Spec diffing to detect unintended API surface changes |
| 11.3 | External and internal vulnerabilities are regularly identified and addressed | Scheduled scan support with CI/CD integration |
| 11.4 | External and internal penetration testing is regularly performed | BGSTM methodology provides structured penetration test evidence |
HIPAA Security Rule
What it covers: The Health Insurance Portability and Accountability Act — technical safeguards for protecting electronic protected health information (ePHI).
NAT validates API-level controls. Administrative and physical safeguards require separate assessment.
| Safeguard | Section | NAT check |
|---|---|---|
| Access Controls | §164.312(a) | Authentication bypass detection, BOLA/BFLA checks, privilege escalation testing |
| Audit Controls | §164.312(b) | Validates that audit log endpoints exist and return appropriate data |
| Integrity Controls | §164.312(c) | Input validation, injection prevention, data tampering checks |
| Transmission Security | §164.312(e) | TLS enforcement, unencrypted data transmission detection |
SOC 2 Type II
What it covers: Service Organization Control 2 — a trust services framework requiring ongoing evidence of security controls over a defined period.
NAT provides evidence for Security and Availability trust principles. Processing Integrity, Confidentiality, and Privacy require additional assessment.
| Criteria | Name | NAT check |
|---|---|---|
| CC6 | Logical and Physical Access Controls | Authentication, authorization, and access control testing |
| CC7 | System Operations | Monitoring coverage, anomaly detection, incident evidence via scan logs |
| CC8 | Change Management | API surface change detection via spec diffing between scans |
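The spec diffing referenced above for API9, PCI-DSS 6.5 and SOC 2 CC8, as an added illustration rather than NAT's own code: the two OpenAPI fragments are constructed sample input, and flagging newly added operations that carry no security requirement is an assumption about what such a surface-change check should report.

```python
# Added example (not NAT's code): diff two OpenAPI documents taken between scans and
# report API-surface changes (added/removed operations, new operations open to anyone).
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

# Constructed sample specs, not real scan output.
BASELINE_SPEC = {
    "security": [{"bearerAuth": []}],           # document-level default: bearer token required
    "paths": {
        "/users/{id}": {"get": {}, "put": {}},
        "/orders": {"get": {}},
    },
}
CURRENT_SPEC = {
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {"get": {}},                    # PUT removed
        "/orders": {"get": {}, "post": {}},            # POST added, inherits the global auth requirement
        "/internal/debug": {"get": {"security": []}},  # new endpoint with auth explicitly disabled
    },
}

def operations(spec: dict) -> dict[tuple[str, str], dict]:
    """Flatten an OpenAPI document into {(METHOD, path): operation object}."""
    ops = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:      # skip 'parameters', 'summary', etc.
                ops[(method.upper(), path)] = op or {}
    return ops

def is_unauthenticated(spec: dict, op: dict) -> bool:
    """True when the effective security list is empty. In OpenAPI 3 an operation-level
    'security' key (even an empty list) overrides the document-level default."""
    return len(op.get("security", spec.get("security", []))) == 0

def diff_specs(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Return added, removed and newly unauthenticated operations as 'METHOD path' strings."""
    old, new = operations(baseline), operations(current)
    new_keys = new.keys() - old.keys()
    added = sorted(f"{m} {p}" for (m, p) in new_keys)
    removed = sorted(f"{m} {p}" for (m, p) in old.keys() - new.keys())
    # The finding worth raising: new attack surface that requires no credentials at all.
    open_new = sorted(f"{m} {p}" for (m, p) in new_keys if is_unauthenticated(current, new[(m, p)]))
    return {"added": added, "removed": removed, "added_unauthenticated": open_new}

if __name__ == "__main__":
    for kind, items in diff_specs(BASELINE_SPEC, CURRENT_SPEC).items():
        print(f"{kind}: {items}")
```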
In a hurry? See Quick Scans