NAT Platform Whitepaper
This document summarises NAT's platform architecture, capabilities, and methodology. Full technical architecture details — including algorithm specifications and BDI agent internals — are available to enterprise customers and research partners under NDA.
Abstract
Engineering teams today assemble four to seven disconnected tools to cover API security, functional testing, accessibility, performance, and compliance evidence. Each tool runs in its own context, produces its own report format, and requires its own maintenance burden. CI pipelines become fragile Frankenstein stacks. Compliance preparation takes weeks of manual evidence gathering. When something breaks, no single tool can tell you why.
NAT (Neural Autonomous Tester) is a modular AI testing platform that replaces this fragmented stack — or slots neatly alongside the parts you want to keep. It combines security scanning, functional testing, an AI Co-Pilot, compliance evidence generation, and a developer-first CLI into five integrated pillars that share a single context, a single pipeline step, and a single audit trail.
"NAT's components are designed to either upgrade your existing test infrastructure — integrating with tools you already have — or serve as a superior replacement for any or all of them. Start with one pillar. Add more when you're ready. Each works alone. Together, they're unmatched."
1. The Testing Infrastructure Problem
The Fragmented Stack
Modern engineering teams don't have a single testing problem — they have five overlapping ones. API security. Functional correctness. Accessibility compliance. Performance baselines. Audit evidence. Each is solved by a different tool, owned by a different team, and produces findings in a different format.
The consequences are predictable:
- Context is lost between tools. A security scanner doesn't know what the functional test suite already validates. An accessibility checker doesn't know which endpoints are customer-facing. Evidence is scattered across four dashboards.
- CI pipelines are fragile. Every new tool is another step to maintain, another token to rotate, another failure mode to debug at 2 AM.
- Compliance prep takes weeks. Auditors need evidence. Generating it manually from five disconnected tools is a quarterly fire drill.
- Velocity suffers. Developers wait for security reviews that run once a sprint instead of on every PR.
Limitations of Existing Approaches
| Approach | Limitation |
|---|---|
| Manual penetration testing | Point-in-time, expensive, doesn't scale with release velocity |
| Static analysis (SAST) | Cannot reason about runtime behavior or auth logic |
| Traditional API scanners | Rule-based, high false positive rates, miss complex auth flaws |
| WAFs | Reactive, signature-dependent, bypassable |
| Standalone functional test runners | No security context; findings don't feed compliance evidence |
| Accessibility checkers | Isolated from API security and performance data |
| Compliance tools | Require manual evidence imports; disconnected from live test runs |
The problem isn't that any one of these tools is bad. The problem is that none of them talks to the others — and your team pays the coordination cost every sprint.
2. The NAT Platform — Five Pillars
NAT is built around five pillars that each deliver standalone value and compound value when used together. You can adopt one pillar today and add the rest when you're ready.
Pillar 1 — Security Testing
What it does: Multi-agent BDI (Belief-Desire-Intention) architecture autonomously discovers, exploits, and reports vulnerabilities in REST and GraphQL APIs. Covers the full OWASP API Security Top 10, plus injection attacks, path traversal, information disclosure, and transport security issues.
Standalone value: Replaces your existing API scanner with higher true-positive rates, lower false-positive rates, and findings that include the exact request/response evidence auditors need.
Combined value: Security findings flow directly into compliance reports. Authorization flaws discovered by the security pillar are automatically cross-referenced against BGSTM audit trail entries.
Key capabilities:
- OWASP API Top 10 full coverage (see §5 Benchmarks)
- Auth flaw detection: BOLA, BFLA, mass assignment
- Multi-user cross-access testing
- Adaptive test generation — later tests informed by earlier findings
- nat scan --watch for live progress in CI
Pillar 2 — AI Co-Pilot
What it does: A set of nat ai commands and a dashboard chat widget that bring AI guidance into every stage of the testing workflow — from planning and test generation through interpretation and compliance reporting.
Standalone value: Reduces the expertise barrier for security and compliance testing. A developer who has never written a security test plan can run nat ai plan --spec ./openapi.yaml and get a prioritized, context-aware plan in seconds.
Combined value: The AI Co-Pilot is the connective tissue between all other pillars. It reads security findings and generates compliance narratives. It reads functional test results and explains regressions. It reads your BGSTM audit trail and surfaces proactive insights.
The AI Co-Pilot is NAT's #1 differentiator. No other testing tool offers multi-provider AI guidance (OpenAI, Anthropic, Ollama/self-hosted) that spans security, functional, compliance, and developer experience in a single context.
Key commands:
| Command | What it does |
|---|---|
| nat ai plan | Generates a prioritized test plan from your OpenAPI spec |
| nat ai generate-tests | Creates test cases from your plan |
| nat ai explain | Plain-English explanation of any finding with remediation guidance |
| nat ai configure | AI-guided configuration advisor |
| nat ai compliance-report | Generates a compliance narrative mapped to OWASP, PCI-DSS, HIPAA, or SOC 2 |
| nat ai audit-trail | Summarises your BGSTM audit trail for a given time window |
Multi-provider support: OpenAI, Anthropic, and Ollama (self-hosted) — so you can keep sensitive API traffic on your own infrastructure.
See the full AI Assistant documentation →
Pillar 3 — Functional Testing
What it does: Visual regression testing, accessibility validation (WCAG 2.1), Core Web Vitals monitoring, and API contract validation — all triggered from the same CLI and pipeline step as security scanning.
Standalone value: Replaces standalone functional test runners and accessibility checkers with a tool that shares context with your security and compliance data.
Combined value: Functional test results appear alongside security findings in the dashboard and compliance reports. A WCAG violation and a BOLA finding are both first-class citizens in the same audit trail.
Key capabilities:
- Visual regression with baseline diffing
- WCAG 2.1 A/AA/AAA accessibility checks
- Core Web Vitals (LCP, FID, CLS) tracking
- API contract validation against OpenAPI spec
See the full Functional Testing documentation →
Pillar 4 — Compliance & Evidence
What it does: Turns every NAT scan into structured compliance evidence. BGSTM audit trail entries are created automatically for every test run. AI-generated compliance reports map findings to OWASP, PCI-DSS, HIPAA, and SOC 2 controls. Compliance badges can be embedded in your README or dashboard.
Standalone value: Eliminates the quarterly fire drill of assembling audit evidence from five disconnected tools. Every scan generates evidence automatically.
Combined value: All five pillars feed the same audit trail. Security findings, functional test results, and AI-generated narratives all appear in a single exportable compliance package.
Key capabilities:
- BGSTM audit trail — structured, tamper-evident record of every test run
- Compliance reports — AI-generated narratives in auditor language
- Compliance badges — OWASP, PCI-DSS, HIPAA, SOC 2
- nat badge generate — embeddable SVG badges
- Supported frameworks: OWASP API Top 10, PCI-DSS, HIPAA, SOC 2
See the full Compliance documentation →
Pillar 5 — Developer Experience
What it does: A developer-first CLI designed to meet developers where they already work — in their terminal, in their PR, and in their CI pipeline.
Standalone value: Zero-config setup (nat init) gets a developer from install to first scan in under two minutes. Live progress (nat scan --watch), regression tracking (nat scan --diff), and automatic PR comments mean security testing feels like part of the development workflow instead of a gate in front of it.
Combined value: Every other pillar is accessible through the same CLI. One tool, one mental model, one pipeline step.
Key capabilities:
| Feature | Command / Integration |
|---|---|
| Zero-config setup | nat init |
| Live scan progress | nat scan --watch |
| Regression tracking | nat scan --diff |
| PR comments | Automatic on GitHub PRs |
| SARIF upload | Automatic to GitHub Security tab |
| Status dashboard | nat status |
| CI integration | GitHub Actions, GitLab CI, Jenkins, CircleCI |
See the full CLI Reference →
3. Two Adoption Models
NAT is designed to work with your existing tools or to replace them. You choose.
Model A — Integrate
Add NAT alongside your existing stack. Each pillar is independently useful:
| If you already have… | NAT adds… |
|---|---|
| A security scanner | Higher-fidelity auth flaw detection + compliance evidence generation |
| A functional test suite | Security context + accessibility + Core Web Vitals in the same pipeline step |
| A compliance tool | Live evidence from every scan, automatically — no manual imports |
| GitHub Actions / GitLab CI | Automatic SARIF upload, PR comments, and status checks |
NAT's SARIF output feeds directly into your existing GitHub Security tab. PR comments work alongside your existing review flow. Compliance reports can be exported as PDF or JSON and imported into your existing audit process.
Supported CI platforms: GitHub Actions, GitLab CI, Jenkins, CircleCI, and more →
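As an added example (not NAT's own code; NAT's SARIF layout is not shown on this page, so the two documents below are constructed, minimal SARIF 2.1.0 samples), this Python gate mirrors what the SARIF upload plus nat scan --diff give a PR check: it lists findings that are new since a baseline run and fails the check when any of them is error-level.

```python
"""Gate a CI run on scanner SARIF output: new-since-baseline + severity."""
import json
from collections import Counter

# Constructed sample SARIF documents (not real NAT output).
def _sarif(results):
    return json.dumps({
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "example-scanner"}},
                  "results": results}],
    })

def _result(rule_id, level, uri):
    return {"ruleId": rule_id, "level": level,
            "locations": [{"physicalLocation":
                           {"artifactLocation": {"uri": uri}}}]}

BASELINE_SARIF = _sarif([
    _result("API8-missing-hsts", "warning", "/health"),
])
CURRENT_SARIF = _sarif([
    _result("API8-missing-hsts", "warning", "/health"),   # already known
    _result("API1-bola", "error", "/users/{id}"),         # new this run
])

def fingerprints(sarif_text):
    """Map (ruleId, first location uri) -> SARIF level for every result.

    Real pipelines prefer the scanner's partialFingerprints when present;
    ruleId + location is a reasonable fallback and is what we key on here.
    """
    out = {}
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<none>"))
            out[(res.get("ruleId", "<unknown>"), uri)] = res.get("level", "warning")
    return out

def new_findings(baseline_text, current_text):
    """Findings present in the current run but absent from the baseline."""
    base = fingerprints(baseline_text)
    return {fp: lvl for fp, lvl in fingerprints(current_text).items()
            if fp not in base}

def should_block(new, block_levels=("error",)):
    """True when any new finding is at a level that should fail the PR."""
    return any(lvl in block_levels for lvl in new.values())

def severity_summary(sarif_text):
    """Count of results per SARIF level (none/note/warning/error)."""
    return Counter(fingerprints(sarif_text).values())

if __name__ == "__main__":
    new = new_findings(BASELINE_SARIF, CURRENT_SARIF)
    print("new findings:", new)
    print("block PR:", should_block(new))
```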
Model B — Replace
Use NAT as your end-to-end testing platform. One CLI, one dashboard, one pipeline step replaces:
- Your API security scanner
- Your functional test runner
- Your accessibility checker
- Your compliance evidence tool
Teams that replace their full stack with NAT typically reduce their CI pipeline maintenance burden by 60–70% and eliminate the quarterly compliance evidence scramble entirely.
You don't have to choose upfront. Most teams start with Integrate — adding NAT's security pillar to their existing pipeline — and progressively adopt other pillars as they see value.
4. The BGSTM Methodology
BGSTM (Background Security Testing Methodology) is NAT's proprietary 6-phase testing methodology. It is the structured backbone that gives every NAT scan a consistent, auditable shape — and the reason NAT can generate compliance evidence automatically.
No other testing tool implements a full structured methodology with a complete audit trail at each phase.
The Six Phases
| Phase | Description | nat ai command |
|---|---|---|
| 1. Plan | Analyze the API spec, identify risk surfaces, and generate a prioritized test plan | nat ai plan --spec ./openapi.yaml |
| 2. Generate | Create contextual test cases for each risk surface | nat ai generate-tests |
| 3. Prepare | Validate environment, credentials, and configuration | nat doctor |
| 4. Execute | Run security and functional tests; adapt based on findings | nat scan |
| 5. Analyze | Correlate findings, deduplicate, prioritize by severity and business impact | nat ai explain |
| 6. Report | Generate compliance-mapped evidence and human-readable narratives | nat ai compliance-report |
Each phase produces structured BGSTM audit trail entries. The audit trail is tamper-evident, exportable, and directly usable as compliance evidence.
See the BGSTM Audit Trail documentation →
5. OWASP Coverage & Benchmarks
OWASP API Security Top 10 Coverage
NAT provides coverage across all 10 OWASP API Security categories:
| # | Category | NAT Coverage |
|---|---|---|
| API1 | Broken Object Level Authorization | ✅ Full — multi-user cross-access testing |
| API2 | Broken Authentication | ✅ Full — token analysis, brute force, session flaws |
| API3 | Broken Object Property Level Authorization | ✅ Full — mass assignment detection |
| API4 | Unrestricted Resource Consumption | ✅ Full — rate limiting, pagination, payload analysis |
| API5 | Broken Function Level Authorization | ✅ Full — role boundary testing |
| API6 | Unrestricted Access to Sensitive Business Flows | ✅ Partial — requires business context input |
| API7 | Server Side Request Forgery | ✅ Full — URL parameter and webhook testing |
| API8 | Security Misconfiguration | ✅ Full — CORS, headers, debug endpoints, TLS |
| API9 | Improper Inventory Management | ✅ Full — undocumented endpoint detection |
| API10 | Unsafe Consumption of APIs | ✅ Partial — third-party injection testing |
In addition, NAT tests for injection attacks (SQL, NoSQL, command, SSTI), path traversal, information disclosure, and transport security issues not covered by the OWASP API Top 10.
Finding Rate Comparison
NAT has been evaluated against a set of intentionally vulnerable API applications (including DVWS, crAPI, and VAmPI) and compared against representative conventional API scanners.
| Tool type | Critical/High findings (avg) | False positive rate | Time to complete |
|---|---|---|---|
| NAT | 94% | 4% | ~8 minutes |
| Conventional scanner (avg) | 71% | 23% | ~12 minutes |
| Manual pentest (avg) | 89% | 8% | ~4 hours |
Benchmark conducted on a standardized 50-endpoint test API. Results vary by API complexity and configuration.
Authorization Flaw Detection
Authorization flaws (BOLA, BFLA, mass assignment) are notoriously difficult to detect automatically. NAT detected authorization flaws at significantly higher rates than conventional scanners in our benchmark:
| Finding type | NAT | Conventional scanner |
|---|---|---|
| BOLA (IDOR) | 91% | 38% |
| BFLA | 87% | 31% |
| Mass assignment | 84% | 52% |
6. Use Cases
Use Case 1 — Solo Developer: AI-Guided Scans in CI
Profile: Individual developer or small team, no dedicated security or QA resources.
Problem: No security or functional testing in the development workflow. Vulnerabilities and regressions reaching production.
Solution: nat init sets up zero-config scanning in under two minutes. nat scan --watch runs in CI on every PR. Automatic PR comments surface findings inline. SARIF output feeds the GitHub Security tab with no additional configuration.
Tier: Free ($0/mo) — 3 scans/month, 50 endpoints, community support.
Result: Security testing becomes a first-class part of the development workflow without requiring security expertise.
Use Case 2 — QA Team at a Startup: Replacing Three Disconnected Tools
Profile: 15-person startup with a 2-person QA team using separate tools for security scanning, functional testing, and accessibility checks.
Problem: Three tools, three dashboards, three maintenance burdens, and no unified compliance evidence. Compliance prep takes two weeks every quarter.
Solution: NAT Pro replaces all three tools. Security, functional, and accessibility testing run from a single nat scan command. nat ai plan generates the test plan from the OpenAPI spec. Compliance reports are generated automatically after every scan.
Tier: Pro ($79/mo) — unlimited scans, 500 endpoints, 100 AI queries/month, email support.
Result: CI pipeline maintenance reduced significantly. Compliance evidence always current. QA team focuses on test design instead of tool maintenance.
Use Case 3 — Enterprise Achieving SOC 2: BGSTM Audit Trail
Profile: Enterprise SaaS company with a SOC 2 Type II requirement and quarterly API security review cadence.
Problem: Manual penetration tests are expensive and point-in-time. Scope grows with every release. Auditors need structured evidence that takes weeks to assemble.
Solution: NAT Business provides continuous scanning across all production APIs. The BGSTM audit trail creates structured, tamper-evident evidence for every test run. nat ai compliance-report --framework soc2 generates auditor-ready narratives. nat badge generate produces embeddable SOC 2 compliance badges.
Tier: Business ($199/mo) — unlimited everything, 500 AI queries/month, compliance reports, priority support.
Result: Audit preparation time reduced from ~2 weeks to ~1 day. Compliance evidence always current and auditor-ready.
Use Case 4 — Regulated Industry: Self-Hosted, Zero Data Exposure
Profile: Healthcare API provider under HIPAA, or financial services firm under PCI-DSS. API traffic cannot leave the network perimeter.
Problem: Cloud-based testing tools are not acceptable under data governance policies. Full OWASP coverage is required for compliance, but no external service can see the API traffic.
Solution: NAT Enterprise deployed self-hosted on private infrastructure. All scanning, AI inference (via Ollama), and audit trail storage run within the security perimeter. Zero API traffic leaves the network. Full compliance evidence generated internally.
Tier: Enterprise (Custom) — self-hosted, SSO/SAML, SLA, dedicated support, unlimited AI.
Result: Full OWASP API Top 10 coverage, HIPAA/PCI-DSS compliance evidence, and zero external data exposure.
7. Getting Started
Three paths to get started — pick the one that matches where you are today.
Path 1 — Quick Scan (2 minutes)
Zero-config setup and your first scan:
pip install nat-engine
nat init
nat scan --watch
nat init detects your API spec, configures authentication, and sets up your CI pipeline automatically. nat scan --watch shows live progress as the scan runs.
Path 2 — AI Co-Pilot
Generate a test plan and test cases from your OpenAPI spec:
nat ai plan --spec ./openapi.yaml
nat ai generate-tests
nat scan --watch
nat ai explain --finding <finding-id>
The AI Co-Pilot reads your spec, identifies risk surfaces, and generates a prioritized plan — no security expertise required.
Path 3 — Full Compliance
Run a scan, generate a compliance report, and produce embeddable badges:
nat scan
nat ai compliance-report --framework soc2
nat badge generate
Every scan feeds the BGSTM audit trail automatically. The compliance report maps findings to SOC 2 controls in language auditors understand.
Not sure where to start? Run nat demo for a complete walkthrough against a built-in example API — no credentials, no external dependencies, complete in about 2 minutes.
8. Pricing
| Plan | Price | Scans | Endpoints | AI Queries | Support |
|---|---|---|---|---|---|
| Free | $0/mo | 3/month | 50 | — | Community |
| Pro | $79/mo | Unlimited | 500 | 100/month | Email |
| Business | $199/mo | Unlimited | Unlimited | 500/month | Priority |
| Enterprise | Custom | Unlimited | Unlimited | Unlimited | Dedicated SLA |
Enterprise adds: self-hosted deployment, SSO/SAML, dedicated support, and unlimited AI with your own model provider.
Start free → · Full pricing details →
Further Reading
| Topic | Documentation |
|---|---|
| AI Co-Pilot commands and providers | AI Assistant → |
| Compliance reports and audit trail | Compliance → |
| Full CLI command reference | CLI Reference → |
| CI/CD pipeline integration | CI/CD Integration → |
| Functional testing capabilities | Functional Testing → |
| Quickstart guide | Getting Started → |
For full technical architecture details, algorithm specifications, or academic citation, please contact us. Enterprise and research partner access to the full architecture document is available under NDA.