FAQ

General

What is NAT?

NAT (Neural Autonomous Tester) is an AI-powered API security testing platform. It automatically discovers vulnerabilities in REST and GraphQL APIs, covering the full OWASP API Security Top 10 plus additional injection, transport, and misconfiguration checks.

How is NAT different from other API security scanners?

Most traditional API scanners use static rule sets and signature-based detection. NAT uses a multi-agent AI approach that adapts its testing strategy based on what it discovers about your specific API. Key differences:

• Higher detection rate for authorization flaws — BOLA, BFLA, and mass assignment are notoriously hard for rule-based scanners; NAT's adaptive approach catches them significantly more often
• Fewer false positives — NAT only reports findings it can actively verify with evidence
• Contextual test generation — tests are generated based on your API's actual data types and schemas, not generic payloads
• Chained discoveries — a finding in one test informs subsequent tests, uncovering deeper vulnerabilities

Is NAT a DAST tool?

Yes — NAT is a Dynamic Application Security Testing (DAST) tool specifically designed for APIs. It tests running APIs by sending real HTTP requests, as opposed to SAST tools that analyze source code.

What types of APIs does NAT support?

• REST APIs — any HTTP-based REST API, with or without an OpenAPI/Swagger spec
• GraphQL APIs — schema-based or specless via introspection
• gRPC — security and functional testing for gRPC services via .proto file parsing (see gRPC Scanning Guide)

Does NAT test for business logic vulnerabilities?

NAT detects many business logic issues — particularly authorization-related ones like BOLA and BFLA. For complex business logic vulnerabilities that require deep domain knowledge, NAT's findings point you in the right direction, but some manual verification may be needed.

Setup and Installation

How do I install NAT?

pip install nat-engine

After installation, run nat setup for an interactive wizard that configures your mode, database, authentication, and exporters in one step. See the Setup Wizard guide.

See the Installation guide for detailed instructions including Docker and virtual environment setup.

What Python version does NAT require?

Python 3.10 or later. Python 3.11+ is recommended for best performance.

What is nat doctor?

nat doctor is a pre-flight validation command that checks your environment for configuration issues before you start scanning. It runs 8 checks:

1. Python version (≥ 3.10)
2. Required pip extras (pyyaml, alembic, httpx, uvicorn)
3. Critical environment variables (DATABASE_URL, NAT_API_KEY)
4. .natrc configuration file
5. Database connectivity
6. Alembic migration state
7. LLM provider keys
8. Exporter connectivity

nat doctor          # Human-readable output
nat doctor --json   # JSON output for CI/automation

See the Environment Doctor guide for full details.

Do I need an account to use NAT?

You need a NAT API key for CLI usage (SaaS plan). You can run nat demo without an account to try the product.

For self-hosted deployments, no external account is required — the engine runs entirely on your own infrastructure.

Can I use NAT without an OpenAPI spec?

Yes — NAT includes a specless crawl mode that discovers endpoints by sending intelligent probe requests. However, providing an OpenAPI or Swagger spec is strongly recommended for complete coverage and faster scans.

Scanning

How long does a scan take?

Scan time depends on the number of endpoints and the API's response time:

Using an OpenAPI spec (vs. crawl mode) reduces scan time by 30–50%.

Is it safe to run NAT against a production API?

We strongly recommend scanning staging or test environments, not production. NAT sends active exploit-style test requests that:

• Generate unusual traffic that may trigger alerts
• Could trigger rate limits or temporarily lock accounts
• May interact with real data in unintended ways

Always scan against a staging environment with isolated test data.

What does NAT need to authenticate against my API?

For REST APIs, NAT supports Bearer tokens, API key headers, Basic auth, and OAuth2 client credentials. Provide credentials for the user role(s) you want to test. For best coverage (especially BOLA testing), provide tokens for at least two different user accounts.

Can I exclude specific endpoints from scanning?

Yes — use --exclude <pattern>:

nat scan --url https://api.example.com \
  --exclude "/api/v1/payments/*" \
  --exclude "POST:/api/v1/emails/send"

What does "BOLA" mean?

BOLA stands for Broken Object Level Authorization — it's the #1 vulnerability in the OWASP API Security Top 10 (also called IDOR, Insecure Direct Object Reference, in older terminology). It occurs when a user can access another user's resources simply by changing an ID in a request (e.g., GET /api/users/123 → GET /api/users/124).

Results and Reports

What severity levels does NAT use?

What formats can I export reports in?

HTML, JSON, SARIF (for GitHub Code Scanning and other SAST platforms), and Markdown.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is a standardized JSON format for security tool output. NAT can export findings as SARIF 2.1.0, which can be uploaded to GitHub Security Code Scanning, SonarQube, and other platforms.

How do I suppress a false positive?

nat findings dismiss --id FINDING_ID \
  --reason false_positive \
  --note "CORS is intentional for this public endpoint"

Dismissed findings are retained with your justification for audit trail purposes.

Security and Privacy

Does NAT send my API traffic or findings to the cloud?

• SaaS plan: Scan configurations and findings are stored in NAT's cloud infrastructure
• Self-hosted plan: All scan traffic and findings stay on your own infrastructure — nothing leaves your network

Can NAT damage my API or data?

NAT's tests are designed to be safe for staging environments:

• Tests don't permanently delete data (DELETE requests are sent to verify authorization, but you can exclude DELETE endpoints)
• Tests don't exfiltrate data (findings include the minimum data needed to demonstrate the vulnerability)
• Tests use generated/synthetic data for injection payloads, not live data

That said, always test against a staging environment with isolated data — not production.

Is the scan traffic encrypted?

All communication between NAT and your API uses HTTPS. NAT respects your API's TLS configuration and reports TLS weaknesses as findings.

Self-Hosting

How do I self-host NAT?

pip install nat-engine
nat server start --port 8080

See the Self-Hosted Setup guide for a complete production deployment walkthrough.

What are the server requirements for self-hosting?

Can I run NAT in a Docker container?

Yes — docker pull natengine/nat:latest. See Docker Deployment for details.

Pricing and Licensing

What plans are available?

See nat-testing.io (opens in a new tab) for current pricing.

What scan quotas does each plan include?

Quotas reset on the first day of each billing period. See Billing & Plans for the full feature comparison.

What is NAT's license?

NAT is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0) for open source use. Commercial licenses are available for organizations that need to use NAT in proprietary software or prefer not to be bound by the AGPL's copyleft requirements.

See the Licensing page for details.

Billing & Pricing

How do I get my API key?

When you sign up at nat-testing.io (opens in a new tab) and complete the Stripe checkout, your API key (nat_pk_...) is emailed to you and is also available in the dashboard (opens in a new tab) under Settings → API Keys.

What happens when I hit my quota?

New scan requests return 402 Payment Required with error code QUOTA_EXCEEDED. In-flight scans are not interrupted. Your quota resets automatically at the start of the next billing period (quota_reset_date in the /api/v1/usage response). You can also upgrade your plan to get a higher quota immediately.

How do I upgrade my plan?

Log in to app.nat-testing.io (opens in a new tab), go to Settings → Billing, and click Upgrade Plan. Alternatively, use the Billing API to create a checkout session programmatically. Your quota and features are updated as soon as payment is confirmed.

How do I downgrade or cancel my plan?

Open the Stripe billing portal via the dashboard (opens in a new tab) (Settings → Billing → Manage Subscription) or via POST /api/v1/billing/portal. From there you can change your plan, update payment details, or cancel your subscription.

Can I use NAT in CI/CD pipelines?

Yes — NAT is designed to run in CI/CD pipelines. The recommended approach is the official NAT GitHub Action, which requires zero configuration beyond your API key:

- uses: nat-testing/nat-action@v1
  with:
    api-key: ${{ secrets.NAT_API_KEY }}
    url: https://staging.api.example.com

For other CI systems (GitLab CI, Jenkins, CircleCI, etc.), use the NAT CLI or the REST API directly. See the CI/CD Integration guide for complete pipeline examples.

What's the difference between functional and security scans?

Functional scans (POST /api/v1/scan) test whether your API behaves correctly — verifying response codes, schemas, data contracts, and business logic. They are available on all plans including Free.

Security scans (POST /api/v1/security-scan) test for exploitable vulnerabilities — covering the OWASP API Security Top 10, injection attacks, broken authorization, and more. Security scans send active exploit-style requests to probe your API. They are available on Pro and above plans.

You can run both scan types independently or together. See Security Scanning for a full comparison.

How do I export my test results?

Use GET /api/v1/scan/{id}/export with the format query parameter:

# HTML report (human-readable)
curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=html" \
  -H "X-API-Key: $NAT_API_KEY" -o report.html
 
# JSON (machine-readable, all plans)
curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=json" \
  -H "X-API-Key: $NAT_API_KEY" -o results.json
 
# CSV (spreadsheet-friendly)
curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=csv" \
  -H "X-API-Key: $NAT_API_KEY" -o results.csv

Reports are also available for download in the dashboard (opens in a new tab). See Code Examples for multi-language export examples.

Onboarding

How do I get my API key?

Sign up at app.nat-testing.io/signup (opens in a new tab) — no credit card required. After your account is created, your API key (nat_pk_...) is available in the dashboard (opens in a new tab) under Settings → API Keys.

What happens when my free quota runs out?

New scan requests return 402 Payment Required with error code QUOTA_EXCEEDED. In-flight scans are not interrupted. Your quota resets automatically at the start of the next billing period. You can check your reset date via GET /api/v1/usage (quota_reset_date field) or upgrade your plan immediately to get a higher quota.

How do I upgrade my plan?

Log in to app.nat-testing.io/dashboard (opens in a new tab), go to Settings → Billing, and click Upgrade Plan. You can also trigger a checkout session via the API:

curl -X POST https://api.nat-testing.io/api/v1/billing/checkout \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"plan": "pro", "success_url": "https://app.nat-testing.io/dashboard", "cancel_url": "https://app.nat-testing.io/dashboard"}'

See Pricing & Plans for a full plan comparison.

Can I see my scan results in a dashboard?

Yes — the NAT dashboard (opens in a new tab) shows all your scans, results, and usage history. You can also download reports directly from the dashboard in HTML, JSON, or CSV format.

How do I integrate NAT into my CI/CD pipeline?

Use the official NAT GitHub Action for GitHub workflows:

- uses: nat-testing/nat-action@v1
  with:
    api-key: ${{ secrets.NAT_API_KEY }}
    url: https://staging.api.example.com

For other CI systems (GitLab CI, Jenkins, CircleCI), use the NAT CLI or REST API directly. See the CI/CD Integration guide for complete examples.

What scan types are available?

NAT offers two scan types:

• Functional scans (POST /api/v1/scan) — verify that your API behaves correctly. Available on all plans including Free.
• Security scans (POST /api/v1/security-scan) — test for exploitable vulnerabilities including the OWASP API Security Top 10. Available on Pro and above.

You can run both types independently or together. See the Security Scanning guide for details.

How long does a scan take?

Scan time depends on the number of endpoints and the API's response time:

Providing an OpenAPI spec (rather than using crawl mode) reduces scan time by 30–50%.

Where do I go if something goes wrong during setup?

See the Onboarding Issues troubleshooting page for help with API key errors, first scan failures, quota issues, and Stripe checkout problems.

API & Integration

How do I authenticate with the API?

NAT uses API key authentication via the X-API-Key request header:

curl https://api.nat-testing.io/api/v1/usage \
  -H "X-API-Key: nat_pk_your_api_key_here"

Your key starts with nat_pk_ and is available in the dashboard (opens in a new tab) under Settings → API Keys. See the Authentication guide for details on key rotation and security best practices.

What happens when I exceed my quota?

New scan requests return 402 Payment Required with error code QUOTA_EXCEEDED:

{
  "error": "QUOTA_EXCEEDED",
  "message": "Monthly scan quota exhausted. Quota resets on 2025-02-01.",
  "quota_reset_date": "2025-02-01T00:00:00Z"
}

In-flight scans are not interrupted. Your options are:

1. Wait — quota resets automatically on quota_reset_date
2. Upgrade — immediately get a higher quota via the dashboard (opens in a new tab) or POST /api/v1/billing/checkout

How do I debug webhook failures?

If Stripe events are not being processed (e.g., your API key was not issued after checkout):

1. Check the Stripe dashboard — go to Developers → Webhooks, click your endpoint, and review the delivery log for failed attempts and response codes
2. Verify STRIPE_WEBHOOK_SECRET — copy the signing secret (whsec_...) from the Stripe webhook endpoint page and ensure it matches your server's STRIPE_WEBHOOK_SECRET environment variable exactly
3. Check server logs — look for 400 Bad Request responses on POST /api/v1/billing/webhook, which indicate signature validation failures

See Billing Issues for a complete webhook debugging checklist.

Can I use the API without the CLI?

Yes — NAT provides a full REST API that works independently of the CLI. Every feature available in the CLI is also accessible via HTTP requests. See the REST API Reference and Scan API for complete documentation.

How do I check my current usage programmatically?

Call GET /api/v1/usage with your API key:

curl https://api.nat-testing.io/api/v1/usage \
  -H "X-API-Key: $NAT_API_KEY"

The response includes scans_used, scans_limit, scans_remaining, approaching_limit, and quota_reset_date. See the Usage & Quotas API for the full response schema.

What formats can I export scan reports in?

Use GET /api/v1/scan/{id}/export with the format query parameter:

curl "https://api.nat-testing.io/api/v1/scan/$SCAN_ID/export?format=html" \
  -H "X-API-Key: $NAT_API_KEY" -o report.html

Functional Testing

What types of functional tests does NAT run?

NAT's functional testing covers three categories:

• Visual regression — captures full-page screenshots and compares them pixel-by-pixel against a baseline, highlighting any unintended visual changes
• Accessibility — audits every page against WCAG 2.1 AA rules (critical, serious, moderate, and minor impact levels), powered by axe-core
• Performance — measures Core Web Vitals (LCP, FID, CLS, TTFB, FCP, TBT) using real Chromium browser instrumentation

All three run in a single scan when you use "mode": "functional" (or "mode": "full" to combine with security scanning).

How does visual regression testing work?

NAT captures a baseline screenshot of each page on the first functional scan. Every subsequent scan compares the current state against the baseline using pixel-diff analysis.

• If the difference exceeds the configured threshold (default: 0.5% of pixels), NAT flags the page as a visual regression
• Each comparison includes a before screenshot, an after screenshot, and a highlighted diff image
• To update the baseline after an intentional UI change, re-run with --reset-baseline (CLI) or "reset_baseline": true (API)

See the Functional Testing API for full response schemas and screenshot URLs.

What accessibility standards does NAT check?

NAT audits against WCAG 2.1 Level AA by default, powered by the axe-core (opens in a new tab) engine. This covers:

• Perceivable — color contrast, image alt text, captions, adaptable content
• Operable — keyboard navigation, focus management, timing adjustments
• Understandable — language attributes, form labels, error identification
• Robust — valid HTML, ARIA roles, name/role/value requirements

Each violation includes the affected element, WCAG success criterion, impact level (critical, serious, moderate, minor), and a direct link to remediation guidance.

WCAG 2.2 and Section 508 compliance profiles are available on the Team plan.

Can I run security and functional tests together?

Yes — use "mode": "full" in the API or --mode full in the CLI to run both security scanning and functional testing in a single scan run:

# CLI
nat scan --url https://app.example.com --mode full --spec ./openapi.json
 
# API
curl -X POST https://api.nat-testing.io/api/v1/scan \
  -H "X-API-Key: $NAT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://app.example.com", "mode": "full"}'

The combined results object contains both security tasks and the visual_regression, accessibility, and performance sub-reports. This is the recommended approach for pre-release validation pipelines.

Have a question not answered here? Contact us