How to Read Risk Reports
NAT produces detailed security reports after every scan. This guide explains how to interpret every part of the report.
Report sections
Executive summary
The executive summary appears at the top of every HTML report and shows:
- Total findings — count by severity (Critical, High, Medium, Low, Info)
- Risk score — an aggregate 0–100 score representing the overall security posture of the scanned API
- Scan metadata — target URL, scan duration, endpoint count, request count
- Coverage — percentage of spec-defined endpoints that were successfully tested
Findings list
Findings are listed in descending severity order. Each row shows:
| Column | Description |
|---|---|
| Severity | Color-coded badge: Critical (red), High (orange), Medium (yellow), Low (blue), Info (grey) |
| Endpoint | HTTP method and path (e.g., GET /api/v1/users/{id}) |
| Finding type | Short name (e.g., "Broken Object Level Authorization") |
| Risk score | 0–100 numeric score |
| OWASP | OWASP API Top 10 category |
| CWE | Common Weakness Enumeration identifier |
Finding detail page
Click any finding to see the full detail view:
Description
Plain-English explanation of what was found, why it's a vulnerability, and the potential impact if exploited.
Evidence
The exact HTTP request NAT sent and the response that confirmed the finding:
Request:

```http
GET /api/v1/users/42/orders HTTP/1.1
Authorization: Bearer <user-b-token>
```

Response (200 OK):

```json
{
  "orders": [
    { "id": "ord_001", "total": 1250.00, "items": [...] }
  ]
}
```

This is the proof that the vulnerability is real and exploitable — not a theoretical concern.
Risk breakdown
The risk score is broken down into components:
| Component | Weight | Description |
|---|---|---|
| Exploitability | High | How easy is the vulnerability to exploit? |
| Impact | High | What can an attacker do if they exploit it? |
| Data sensitivity | High | Does the vulnerable endpoint handle sensitive data? |
| Auth requirement | Medium | Does exploitation require authentication? |
| Network exposure | Medium | Is the endpoint public-facing? |
Remediation
Specific, actionable fix guidance including:
- Root cause explanation
- Recommended code-level fix (with examples for common frameworks)
- Links to OWASP guidance and relevant CVEs
Severity levels
| Severity | Score range | Recommended action |
|---|---|---|
| Critical | 90–100 | Fix immediately — block deployment |
| High | 70–89 | Fix before next release — priority ticket |
| Medium | 40–69 | Fix within current sprint |
| Low | 10–39 | Schedule in backlog |
| Informational | 0–9 | Review and track; no immediate action required |
Aggregate risk score
The overall API risk score (0–100) is calculated from the weighted sum of all finding scores, adjusted for finding count and distribution.
| Score | Meaning |
|---|---|
| 0–20 | Low risk — minor improvements needed |
| 21–40 | Moderate risk — some issues to address |
| 41–60 | Elevated risk — multiple significant issues |
| 61–80 | High risk — urgent remediation required |
| 81–100 | Critical risk — do not deploy to production |
Comparing scans
Use the dashboard to compare two scan results side-by-side:
- Open the Scans page
- Select two scans and click Compare
- See what's New (introduced since last scan), Fixed (no longer present), and Persisting (still present)
This is especially useful after a remediation sprint to confirm fixes were effective.
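The severity and aggregate-score tables above, together with the New / Fixed / Persisting comparison, can be reproduced on exported JSON findings. The following is an added example, not NAT's own code: the band tables are copied from this page, while the finding fields (`method`, `path`, `type`, `score`), the comparison key and the sample findings are assumptions constructed for illustration.

```python
# Severity bands from the "Severity levels" table: (low, high, label).
SEVERITY_BANDS = [(90, 100, "Critical"), (70, 89, "High"), (40, 69, "Medium"),
                  (10, 39, "Low"), (0, 9, "Informational")]

# Aggregate risk bands from the "Aggregate risk score" table.
AGGREGATE_BANDS = [(0, 20, "Low risk"), (21, 40, "Moderate risk"), (41, 60, "Elevated risk"),
                   (61, 80, "High risk"), (81, 100, "Critical risk")]


def band_label(score, bands):
    """Map a 0-100 score onto the band that contains it (rounded to a whole number first)."""
    score = int(round(score))
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise AssertionError("bands do not cover 0-100")


def severity(score):
    return band_label(score, SEVERITY_BANDS)


def aggregate_meaning(score):
    return band_label(score, AGGREGATE_BANDS)


def count_by_severity(findings):
    """Executive-summary style counts, keyed by severity label."""
    counts = {label: 0 for _, _, label in SEVERITY_BANDS}
    for f in findings:
        counts[severity(f["score"])] += 1
    return counts


def finding_key(f):
    # Assumed identity: same method, path and finding type means the same finding
    # across two scans. NAT's real comparison key is not documented on this page.
    return (f["method"], f["path"], f["type"])


def compare_scans(previous, current):
    """Split findings into New / Fixed / Persisting, as the dashboard's Compare view does."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    return {"new": [curr[k] for k in curr.keys() - prev.keys()],
            "fixed": [prev[k] for k in prev.keys() - curr.keys()],
            "persisting": [curr[k] for k in curr.keys() & prev.keys()]}


# Constructed sample findings for two consecutive scans (not real NAT output).
PREVIOUS = [{"method": "GET", "path": "/api/v1/users/{id}/orders", "type": "Broken Object Level Authorization", "score": 92},
            {"method": "POST", "path": "/api/v1/login", "type": "Missing rate limiting", "score": 55}]
CURRENT = [{"method": "GET", "path": "/api/v1/users/{id}/orders", "type": "Broken Object Level Authorization", "score": 92},
           {"method": "GET", "path": "/api/v1/export", "type": "Excessive data exposure", "score": 74}]
```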
Exporting reports
| Format | Use case |
|---|---|
| HTML | Share with stakeholders, archive, review in browser |
| JSON | Programmatic processing, import into ticketing systems |
| SARIF | Upload to GitHub Code Scanning, SonarQube, or other SAST tools |
| Markdown | Embed in pull request comments or wikis |
```bash
# Export all formats at once
nat report --format html --output ./report.html
nat report --format json --output ./report.json
nat report --format sarif --output ./report.sarif
```

Next steps
- Customize Security Checks — tune what NAT tests
- Run a Security Audit — full audit walkthrough
- Security Scanning — understand the scoring methodology