FAQ
General
What is NAT?
NAT (Neural Autonomous Tester) is an AI-powered API security testing platform. It automatically discovers vulnerabilities in REST and GraphQL APIs, covering the full OWASP API Security Top 10 plus additional injection, transport, and misconfiguration checks.
How is NAT different from other API security scanners?
Most traditional API scanners use static rule sets and signature-based detection. NAT uses a multi-agent AI approach that adapts its testing strategy based on what it discovers about your specific API. Key differences:
- Higher detection rate for authorization flaws — BOLA, BFLA, and mass assignment are notoriously hard for rule-based scanners; NAT's adaptive approach catches them significantly more often
- Fewer false positives — NAT only reports findings it can actively verify with evidence
- Contextual test generation — tests are generated based on your API's actual data types and schemas, not generic payloads
- Chained discoveries — a finding in one test informs subsequent tests, uncovering deeper vulnerabilities
Is NAT a DAST tool?
Yes — NAT is a Dynamic Application Security Testing (DAST) tool specifically designed for APIs. It tests running APIs by sending real HTTP requests, as opposed to SAST tools that analyze source code.
What types of APIs does NAT support?
- REST APIs — any HTTP-based REST API, with or without an OpenAPI/Swagger spec
- GraphQL APIs — schema-based or specless via introspection
- gRPC — coming soon (see Changelog)
Does NAT test for business logic vulnerabilities?
NAT detects many business logic issues — particularly authorization-related ones like BOLA and BFLA. For complex business logic vulnerabilities that require deep domain knowledge, NAT's findings point you in the right direction, but some manual verification may be needed.
Setup and Installation
How do I install NAT?
```bash
pip install nat-engine
```
See the Installation guide for detailed instructions including Docker and virtual environment setup.
What Python version does NAT require?
Python 3.9 or later. Python 3.11+ is recommended for best performance.
Do I need an account to use NAT?
You need a NAT API key for CLI usage (SaaS plan). You can run nat demo without an account to try the product.
For self-hosted deployments, no external account is required — the engine runs entirely on your own infrastructure.
Can I use NAT without an OpenAPI spec?
Yes — NAT includes a specless crawl mode that discovers endpoints by sending intelligent probe requests. However, providing an OpenAPI or Swagger spec is strongly recommended for complete coverage and faster scans.
Scanning
How long does a scan take?
Scan time depends on the number of endpoints and the API's response time:
| API size | Typical scan time |
|---|---|
| Small (< 20 endpoints) | 2–5 minutes |
| Medium (20–100 endpoints) | 5–20 minutes |
| Large (100–500 endpoints) | 20–90 minutes |
| Very large (500+ endpoints) | 1.5–4+ hours |
Using an OpenAPI spec (vs. crawl mode) reduces scan time by 30–50%.
Is it safe to run NAT against a production API?
We strongly recommend scanning staging or test environments, not production. NAT sends active exploit-style test requests that:
- Generate unusual traffic that may trigger alerts
- Could trigger rate limits or temporarily lock accounts
- May interact with real data in unintended ways
Always scan against a staging environment with isolated test data.
What does NAT need to authenticate against my API?
For REST APIs, NAT supports Bearer tokens, API key headers, Basic auth, and OAuth2 client credentials. Provide credentials for the user role(s) you want to test. For best coverage (especially BOLA testing), provide tokens for at least two different user accounts.
Can I exclude specific endpoints from scanning?
Yes — use --exclude <pattern>:
```bash
nat scan --url https://api.example.com \
  --exclude "/api/v1/payments/*" \
  --exclude "POST:/api/v1/emails/send"
```
What does "BOLA" mean?
BOLA stands for Broken Object Level Authorization — it's the #1 vulnerability in the OWASP API Security Top 10 (also called IDOR, Insecure Direct Object Reference, in older terminology). It occurs when a user can access another user's resources simply by changing an ID in a request (e.g., GET /api/users/123 → GET /api/users/124).
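The two-account test behind the BOLA question above, as an added example (this is illustrative code, not NAT's own): an in-memory stand-in for GET /orders/{id} in a vulnerable and a fixed form, plus a differential check that lists the objects each user owns and replays the detail request with every other user's token. The handlers, tokens and order records are constructed for the example; swapping the handler calls for real HTTP requests to a staging API turns it into a usable manual check.

```python
"""Differential BOLA (IDOR) check of the kind a scanner runs when given two user tokens.

Added example, not NAT's code. The in-memory handlers, TOKENS and ORDERS are constructed
stand-ins for a real service; replacing them with real HTTP calls (e.g. via requests)
turns this into a check you can run against a staging API.
"""
from dataclasses import dataclass

# Constructed sample data: two users, each owning one order object.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 17.50},
}


def list_orders(token):
    """GET /orders: correctly scoped to the caller (the listing is not the bug)."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    return 200, [oid for oid, o in ORDERS.items() if o["owner"] == user]


def vulnerable_get_order(token, order_id):
    """GET /orders/{id}: authenticates the caller but never checks ownership (BOLA)."""
    if token not in TOKENS:
        return 401, None
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def fixed_get_order(token, order_id):
    """Same endpoint with an object-level authorization check."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    # 404 rather than 403 so the existence of other users' objects is not leaked.
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


@dataclass
class Finding:
    endpoint: str
    object_id: int
    owner: str
    attacker: str
    evidence: str


def bola_check(get_handler, tokens, endpoint="/orders"):
    """Two-account differential test.

    1. As each user A, list the object IDs A legitimately owns.
    2. Replay GET {endpoint}/{id} for each of those IDs with every other user B's token.
    3. A 200 for B whose body matches A's view means B reached A's object by changing
       only the ID: report it, keeping both responses as evidence.
    """
    findings = []
    for tok_a, user_a in tokens.items():
        status, owned = list_orders(tok_a)
        if status != 200:
            continue
        for oid in owned:
            _, body_a = get_handler(tok_a, oid)
            for tok_b, user_b in tokens.items():
                if tok_b == tok_a:
                    continue
                status_b, body_b = get_handler(tok_b, oid)
                if status_b == 200 and body_b == body_a:
                    findings.append(Finding(
                        endpoint, oid, user_a, user_b,
                        f"{user_b} GET {endpoint}/{oid} -> {status_b} {body_b} (owner: {user_a})"))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_order), ("fixed", fixed_get_order)):
        hits = bola_check(handler, TOKENS)
        print(f"{name}: {len(hits)} BOLA finding(s)")
        for f in hits:
            print("  ", f.evidence)
```

Listing IDs as the owner first, then replaying as the other account, is what makes the second token pay off: without a second account the scanner can only guess IDs and cannot tell a legitimate 200 from a leaked one.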
Results and Reports
What severity levels does NAT use?
| Severity | Score | Meaning |
|---|---|---|
| Critical | 90–100 | Immediately exploitable, severe impact |
| High | 70–89 | Significant vulnerability, prioritize fixing |
| Medium | 40–69 | Exploitable under specific conditions |
| Low | 10–39 | Minor exposure or best practice issue |
| Info | 0–9 | Informational, no immediate action required |
What formats can I export reports in?
HTML, JSON, SARIF (for GitHub code scanning and other platforms that ingest SARIF), and Markdown.
What is SARIF?
SARIF (Static Analysis Results Interchange Format) is a standardized JSON format for security tool output. NAT can export findings as SARIF 2.1.0, which can be uploaded to GitHub code scanning, SonarQube, and other platforms that accept SARIF, so API findings appear alongside results from your other scanners.
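How findings scored with the severity bands in the table above map onto a SARIF 2.1.0 log that GitHub code scanning will accept. This is an added example, not NAT's own exporter: the finding dict layout, the rule ids and the use of the OpenAPI spec file as the SARIF artifact location are assumptions for illustration (API findings have no source file, but GitHub requires a physical location, so the spec stands in for one).

```python
"""Build a SARIF 2.1.0 log from API-scanner findings, using 0-100 severity bands.

Added example, not NAT's own exporter. The finding dict layout, the rule ids and the
use of the OpenAPI spec file as the SARIF artifact are assumptions for illustration;
the field names come from the SARIF 2.1.0 specification and GitHub's upload rules.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"


def sarif_level(score):
    """Map a 0-100 severity score onto SARIF's result levels.

    SARIF only has error/warning/note/none, so Critical and High both become "error";
    the finer-grained score survives in the rule's security-severity property.
    """
    if score >= 70:   # Critical (90-100) and High (70-89)
        return "error"
    if score >= 40:   # Medium (40-69)
        return "warning"
    if score >= 10:   # Low (10-39)
        return "note"
    return "none"     # Info (0-9)


def build_sarif(findings, tool_name="nat", tool_version="0.0.0", spec_uri="openapi.yaml"):
    """Return a SARIF 2.1.0 log (as a dict) with one result per finding.

    Rules are de-duplicated by id; the first finding seen for a rule sets its metadata.
    Each result points at the OpenAPI spec (GitHub needs a physicalLocation) and names
    the endpoint as a logical location so the method and path are visible in the UI.
    """
    rules, results = {}, []
    for f in findings:
        rule_id = f["rule_id"]
        if rule_id not in rules:
            rules[rule_id] = {
                "id": rule_id,
                "shortDescription": {"text": f["title"]},
                "properties": {
                    # GitHub reads this CVSS-like 0-10 value to rank alerts.
                    "security-severity": str(round(f["score"] / 10, 1)),
                },
            }
        endpoint = f"{f['method']} {f['path']}"
        results.append({
            "ruleId": rule_id,
            "level": sarif_level(f["score"]),
            "message": {"text": f"{endpoint}: {f['title']}"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": spec_uri},
                    "region": {"startLine": 1},
                },
                "logicalLocations": [{"fullyQualifiedName": endpoint}],
            }],
            # Stable fingerprint so re-uploads update an alert instead of duplicating it.
            "partialFingerprints": {"endpoint/v1": f"{rule_id}:{endpoint}"},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings, **kwargs):
    """Serialised form ready to write to disk or upload."""
    return json.dumps(build_sarif(findings, **kwargs), indent=2)


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule_id": "API1-BOLA", "title": "Broken Object Level Authorization",
     "method": "GET", "path": "/api/users/{id}", "score": 95},
    {"rule_id": "API1-BOLA", "title": "Broken Object Level Authorization",
     "method": "GET", "path": "/api/orders/{id}", "score": 88},
    {"rule_id": "CORS-WILDCARD", "title": "Permissive CORS policy",
     "method": "GET", "path": "/api/public/status", "score": 25},
]

if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS, tool_version="1.2.3"))
```

The partialFingerprints entry matters more than it looks: GitHub de-duplicates alerts by fingerprint, so without a stable one every scan re-opens the same findings as new alerts.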
How do I suppress a false positive?
```bash
nat findings dismiss --id FINDING_ID \
  --reason false_positive \
  --note "CORS is intentional for this public endpoint"
```
Dismissed findings are retained with your justification for audit trail purposes.
Security and Privacy
Does NAT send my API traffic or findings to the cloud?
- SaaS plan: Scan configurations and findings are stored in NAT's cloud infrastructure
- Self-hosted plan: All scan traffic and findings stay on your own infrastructure — nothing leaves your network
Can NAT damage my API or data?
NAT's tests are designed to be safe for staging environments:
- Tests are not designed to destroy data, but DELETE requests are sent to verify authorization on those endpoints, so a DELETE that the API wrongly allows will remove the object it targets; exclude DELETE endpoints (for example --exclude "DELETE:/api/v1/users/*", using the same METHOD:/path pattern as other exclusions) if the staging data set must survive the scan
- Tests don't exfiltrate data (findings include the minimum data needed to demonstrate the vulnerability)
- Tests use generated/synthetic data for injection payloads, not live data
That said, always test against a staging environment with isolated data — not production.
Is the scan traffic encrypted?
All communication between NAT and your API uses HTTPS. NAT respects your API's TLS configuration and reports TLS weaknesses as findings.
Self-Hosting
How do I self-host NAT?
```bash
pip install nat-engine
nat server start --port 8080
```
See the Self-Hosted Setup guide for a complete production deployment walkthrough.
What are the server requirements for self-hosting?
| Requirement | Minimum | Recommended |
|---|---|---|
| Python | 3.9 | 3.11 |
| RAM | 2 GB | 4 GB |
| Disk | 5 GB | 20 GB |
| OS | Linux, macOS | Linux (Ubuntu 20.04+) |
Can I run NAT in a Docker container?
Yes — docker pull natengine/nat:latest. See Docker Deployment for details.
Pricing and Licensing
What plans are available?
| Plan | Use case |
|---|---|
| Free | Individual developers, open source |
| Pro | Startups and growing teams |
| Enterprise | Large organizations, compliance, SSO |
| Self-Hosted | Air-gapped, regulated, privacy-sensitive |
See nat-testing.io for current pricing.
What is NAT's license?
NAT is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0) for open source use. Commercial licenses are available for organizations that need to use NAT in proprietary software or prefer not to be bound by the AGPL's copyleft requirements.
See the Licensing page for details.
Have a question not answered here? Contact us