Your First Scan
This guide walks you through running a complete scan with NAT — from pointing it at your API to reading the results.
If you haven't installed NAT yet, start with the Installation guide.
Before you begin
You'll need:
- NAT installed (`pip install nat-engine`)
- The base URL of the API you want to test
- (Optional) An OpenAPI/Swagger spec for faster endpoint discovery
Only scan APIs you own or have explicit written permission to test. Unauthorized scanning may violate computer misuse laws.
Step-by-step walkthrough
Confirm NAT is installed
```bash
nat --version
```
Run a basic scan
The simplest scan just needs a target URL:
```bash
nat scan --url https://api.example.com
```
NAT will:
- Send probe requests to map the API surface
- Detect authentication mechanisms
- Prioritize endpoints by risk
- Execute tests and report findings in real time
Improve coverage with an OpenAPI spec
If you have an OpenAPI 3.x or Swagger 2.x specification, provide it to get immediate full endpoint coverage:
```bash
nat scan --url https://api.example.com --spec ./openapi.yaml
```
Scan with authentication
Most APIs require authentication. NAT supports several auth modes:
```bash
nat scan --url https://api.example.com \
  --auth-type bearer \
  --token "eyJhbGciOiJSUzI1NiJ9..."
```
See Authentication Configuration for all supported auth methods.
Read live output
While scanning, NAT streams findings to your terminal:
```
[NAT] Discovered 42 endpoints across 8 resource groups
[NAT] Starting security analysis...
[HIGH] POST /api/v1/users — SQL Injection in 'email' parameter
[MED] GET /api/v1/orders/{id} — Broken Object Level Authorization
[LOW] GET /api/v1/products — Missing rate limiting
[NAT] Scan complete. 3 findings in 00:02:14
```
View the full report
Open the HTML report in your browser:
```bash
nat report --open
```
Or export to JSON for programmatic processing:
```bash
nat report --format json --output ./scan-results.json
```
Understanding scan results
Severity levels
| Level | Description | Example |
|---|---|---|
| Critical | Immediate exploitable risk | Remote code execution, full auth bypass |
| High | Significant security flaw requiring urgent fix | SQL injection, BOLA, broken auth |
| Medium | Exploitable under specific conditions | Rate limit bypass, IDOR |
| Low | Best practice or minor exposure | Verbose error messages, missing headers |
| Info | Informational finding | Endpoint enumeration result, tech stack detection |
Finding details
Each finding includes:
- Endpoint — exact path and HTTP method
- Finding type — OWASP category and CWE identifier
- Evidence — the exact request and response that triggered the finding
- Risk score — 0–100 numeric score
- Remediation — actionable fix guidance
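As an added example (not NAT's own code and not part of this guide), the script below shows one way to consume the JSON export from a CI job: it ranks findings using the severity levels above and fails the build when anything at or above a chosen level, or above a risk score, is present. The JSON key names and the sample export are assumptions constructed for the example; check them against the actual export before relying on the gate.

```python
import json

# Severity ranking as listed in the guide's "Severity levels" table.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample export. Field names mirror the "Finding details" list
# (endpoint, finding type, evidence, risk score, remediation); the exact JSON
# keys NAT writes are an assumption, not taken from the product.
SAMPLE_EXPORT = json.dumps({"findings": [
    {"severity": "High", "method": "POST", "path": "/api/v1/users",
     "type": "SQL Injection", "cwe": "CWE-89", "risk_score": 88},
    {"severity": "Medium", "method": "GET", "path": "/api/v1/orders/{id}",
     "type": "Broken Object Level Authorization", "cwe": "CWE-639", "risk_score": 61},
    {"severity": "Low", "method": "GET", "path": "/api/v1/products",
     "type": "Missing rate limiting", "cwe": "CWE-770", "risk_score": 22},
]})


def load_findings(raw):
    """Parse the export and normalise severity labels to lowercase keys."""
    findings = []
    for f in json.loads(raw).get("findings", []):
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:  # fail closed on labels we don't understand
            raise ValueError(f"unknown severity {sev!r} on {f.get('path')}")
        findings.append({**f, "severity": sev})
    return findings


def blocking_findings(findings, min_severity="high", min_risk_score=None):
    """Findings at/above the severity threshold (or risk score), highest risk first."""
    threshold = SEVERITY_RANK[min_severity]
    hits = [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= threshold
            or (min_risk_score is not None and f.get("risk_score", 0) >= min_risk_score)]
    return sorted(hits, key=lambda f: f.get("risk_score", 0), reverse=True)


def gate(raw, min_severity="high", min_risk_score=None):
    """Return the CI exit code: 1 if anything blocks the build, else 0."""
    hits = blocking_findings(load_findings(raw), min_severity, min_risk_score)
    for f in hits:
        print(f"[{f['severity'].upper()}] {f['method']} {f['path']} "
              f"risk={f['risk_score']} {f['type']} ({f['cwe']})")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_EXPORT))  # exits 1: the High finding blocks
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of the file written by `nat report --format json`.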
Scan options reference
| Flag | Description | Default |
|---|---|---|
| `--url` | Target API base URL | Required |
| `--spec` | Path or URL to OpenAPI/Swagger spec | Auto-discover |
| `--auth-type` | Auth method (bearer, header, oauth2, none) | none |
| `--depth` | Crawl depth for endpoint discovery | 3 |
| `--timeout` | Per-request timeout in seconds | 30 |
| `--concurrency` | Parallel request count | 5 |
| `--output` | Report output path | ./nat-report.html |
| `--format` | Report format (html, json, sarif) | html |
See the CLI Reference for the full flag list.
Next steps
- CLI Reference — every command and flag
- Authentication Configuration — configure complex auth flows
- Reading Risk Reports — understand report output in depth
- CI/CD Integration — run scans automatically on every PR