Package: Invicti AppSec Core (on-demand)
NTA with Tap Plugin
This document explains how to install the Invicti Network Traffic Analyzer (NTA) with the Tap Plugin to detect HTTP API traffic in your Kubernetes cluster and reconstruct OpenAPI3 specification files.
Why this matters
If your services communicate over HTTP within Kubernetes, the NTA Tap Plugin gives you automatic API discovery without additional infrastructure. It's the fastest way to populate your API catalog with specs reconstructed from real traffic - no service mesh required.
Prerequisites
- A Kubernetes cluster
- Helm command-line tool installed (version 3+)
- kubectl configured for your cluster (for example, using Get-AksHciCredential)
- A Kubernetes namespace created for Invicti NTA
Minimum system requirements
- 1 GB RAM
- 2-core 64-bit CPU
- 2 GB available HDD
Overview
There are two ways to capture Kubernetes traffic with the Invicti NTA:
- Integrating with a Kubernetes namespace interface natively (captures HTTP traffic only): This is the method described in this document. It captures HTTP traffic via the Tap Plugin using the Kubernetes namespace interface and doesn't handle HTTPS traffic unless combined with Istio.
- Integrating with Istio Service Mesh (captures both HTTP and HTTPS traffic): Covered in the NTA with Istio Service Mesh document, where you configure the Istio Envoy proxy to handle encrypted traffic using WASM filters.
Installation steps
The Invicti NTA Helm chart includes:
- Reconstructor - Processes captured traffic and generates OpenAPI3 specification files.
- Tap Plugin (traffic sensor) - Captures API traffic within your Kubernetes cluster for analysis.
Step 1: Generate a new registration token
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Leave the import type as External platform.
- Enter a name for the source configuration. This helps you identify it later in your list of API sources.
- Select Invicti Network Traffic Analyzer as the source type.
- Click Generate token.
- Click the copy icon next to the newly generated registration token.
- Click Save at the bottom of the page. Don't skip this step.
Step 2: Authenticate with the Invicti Registry
Launch the Helm command-line tool and run the following command:
helm registry login registry.invicti.com
When prompted, enter your credentials:
- Username: your Invicti AppSec Core email
- Password: your valid Invicti AppSec Core license key
Step 3: Prepare and deploy the Invicti Helm chart
Run the following command to install Invicti NTA into your Kubernetes cluster:
helm install invicti-api-discovery \
oci://registry.invicti.com/invicti-api-discovery \
--version 25.11 \
-n default \
--set trafficSource.tap.enabled=true \
--set imageRegistryUsername=email-address \
--set imageRegistryPassword=password \
--set reconstructor.JWT_TOKEN="registration-token"
You can omit the --version parameter to automatically pull the latest chart version. To install a specific version, use --version X.X.X (for example, --version 25.11). Helm doesn't support --version latest syntax.
Replace the following placeholders with your actual credentials:
- default: the Kubernetes namespace where you want to install Invicti NTA. Replace with the namespace you created.
- email-address: your Invicti AppSec Core email address.
- password: your valid Invicti AppSec Core license key.
- registration-token: the registration token from step 1. Keep it enclosed in double quotes.
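Values passed with --set are recorded in shell history and are visible in the process list while Helm runs. The following added example (not part of the Invicti documentation or tooling) writes the same four chart values used in step 3, and in the update command later on this page, to a values file readable only by the current user, to be passed with Helm's -f option. The variable names INVICTI_EMAIL, INVICTI_LICENSE_KEY and INVICTI_NTA_TOKEN and the file name nta-values.yaml are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Invicti tooling. INVICTI_EMAIL, INVICTI_LICENSE_KEY and
# INVICTI_NTA_TOKEN are variable names assumed for this example.

# Quote a value as a YAML single-quoted scalar (a literal ' is doubled).
yaml_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# write_values FILE: render the step 3 settings into FILE with mode 0600.
write_values() {
    out=$1
    for name in INVICTI_EMAIL INVICTI_LICENSE_KEY INVICTI_NTA_TOKEN; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
    done
    # Remove any existing file so the restrictive umask applies to a new one.
    rm -f "$out"
    ( umask 077
      {
        printf 'imageRegistryUsername: %s\n' "$(yaml_quote "$INVICTI_EMAIL")"
        printf 'imageRegistryPassword: %s\n' "$(yaml_quote "$INVICTI_LICENSE_KEY")"
        printf 'reconstructor:\n  JWT_TOKEN: %s\n' "$(yaml_quote "$INVICTI_NTA_TOKEN")"
        printf 'trafficSource:\n  tap:\n    enabled: true\n'
      } > "$out" )
}

# Usage, with the three variables set in the current shell:
#   write_values ./nta-values.yaml
#   helm upgrade --install invicti-api-discovery \
#     oci://registry.invicti.com/invicti-api-discovery \
#     -n <your-namespace> -f ./nta-values.yaml
#   rm -f ./nta-values.yaml
```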
Step 4: Verify the installation (optional)
After deployment, confirm that the Invicti NTA components are running correctly:
- Run the following command to check pod status:
kubectl get pods -n <your-namespace>
- Confirm that all pods (for example, tap, reconstructor) aren't in CrashLoopBackOff or Error states.
- If any pods aren't running properly, check their logs:
kubectl logs <pod-name> -n <your-namespace>
- To check the Tap Plugin pod specifically:
kubectl logs invicti-api-discovery-tap-5slmn -n <your-namespace>
The suffix (for example, 5slmn) is randomized. Copy the pod name from the kubectl get pods -n <your-namespace> output.
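The checks in step 4 can be scripted. This added example (not part of the Invicti documentation) filters kubectl get pods --no-headers output for pods that are not Running or whose containers are not all ready, then prints the last log lines of each. The sample lines are constructed, including the reconstructor pod name, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Invicti tooling.

# unhealthy_pods: read `kubectl get pods --no-headers` lines on stdin and
# print "NAME STATUS READY" for each pod that is not Running, or that is
# Running with fewer ready containers than expected (for example 0/1).
unhealthy_pods() {
    awk '
        NF >= 3 {
            split($2, r, "/")
            if ($3 == "Completed") next
            if ($3 != "Running" || r[1] != r[2])
                printf "%s %s %s\n", $1, $3, $2
        }'
}

# Constructed sample output for offline use (pod names are illustrative).
sample_pods() {
cat <<'EOF'
invicti-api-discovery-reconstructor-7c9d8b6f5-abcde   1/1   Running            0             5m
invicti-api-discovery-tap-5slmn                       0/1   CrashLoopBackOff   6 (40s ago)   5m
invicti-api-discovery-tap-x2k9q                       1/1   Running            0             5m
EOF
}

# check_nta NAMESPACE: live check against the cluster. Returns non-zero and
# prints the last 20 log lines of every unhealthy pod.
check_nta() {
    bad=$(kubectl get pods -n "$1" --no-headers | unhealthy_pods)
    [ -z "$bad" ] && return 0
    echo "$bad" | while read -r name status ready; do
        echo "== $name ($status, ready $ready)"
        kubectl logs "$name" -n "$1" --tail=20
    done
    return 1
}

# Offline: sample_pods | unhealthy_pods
# Live:    check_nta <your-namespace>
```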
Update or reinstall Invicti NTA with Tap Plugin
- Follow step 1 to get the latest token.
- Log in to the Invicti registry as described in step 2.
- Run the update command:
helm upgrade --install invicti-api-discovery \
oci://registry.invicti.com/invicti-api-discovery \
--version 25.11 \
-n default \
--set imageRegistryUsername="email-address" \
--set imageRegistryPassword="password" \
--set reconstructor.JWT_TOKEN="registration-token" \
--set trafficSource.tap.enabled=true
You can omit the --version parameter to automatically pull the latest chart version. To install a specific version, use --version X.X.X (for example, --version 25.11). Helm doesn't support --version latest syntax.
Frequently asked questions
What does the Tap Plugin actually do?
The Tap Plugin monitors and analyzes network traffic by listening to all network interfaces and ports in your Kubernetes cluster. It captures unencrypted API communications and extracts a limited set of telemetry (metadata) for API discovery. This telemetry is then used to reconstruct OpenAPI3 specifications, which are sent to your API catalog.
Does the Tap Plugin capture internal and external APIs?
Yes. The Tap Plugin can capture both internal (for example, between pods) and external (for example, incoming edge traffic) APIs, as long as the traffic is unencrypted (HTTP). If port forwarding is used, discovered APIs reflect the internal port, not the externally forwarded one.
Which network interfaces does the Tap Plugin listen to in Kubernetes?
By default, the Tap Plugin listens to all available network interfaces to ensure broad coverage. You can limit this by setting the INVICTI_TAP_INTERFACES environment variable with specific interfaces (comma-separated).
Does the Tap Plugin listen to all ports?
Yes. The Tap Plugin listens on all ports by default. You can restrict it using the INVICTI_TAP_PORTS environment variable. Examples:
- Specific ports: 80,443,8080
- Port range: 5005-6000
Which requests are captured?
By default, only HTTP requests with 2XX status codes are captured. You can customize this using the INVICTI_TAP_HTTP_STATUS_CODES environment variable. Examples:
- 200 - Only HTTP 200 OK
- 20x - Status codes 200 through 209
- 2xx - Status codes 200 through 299
Does the Tap Plugin support encrypted HTTPS traffic?
No. The Tap Plugin only supports unencrypted HTTP 1.x traffic. For encrypted (HTTPS) traffic, use the NTA with Istio Service Mesh integration or the eBPF Sniffer, which captures HTTPS without requiring a service mesh.
What technology does the Tap Plugin use?
It's based on pcap (packet capture), a well-established open source technology for monitoring network packets.
Can you exclude traffic with specific HTTP headers?
Yes. Use the INVICTI_TAP_EXCLUDE_TRAFFIC_WITH_HEADERS environment variable to define a comma-separated list of headers. Traffic containing these headers is ignored.
How is the Tap Plugin deployed?
The Tap Plugin is deployed as part of the Invicti Network Traffic Analyzer Helm chart inside your Kubernetes cluster. Refer to the installation steps section for complete setup instructions.
Troubleshooting
No specs appearing in the API catalog after installation
The Tap Plugin only captures unencrypted HTTP 1.x traffic. If your services communicate over HTTPS, the Tap Plugin can't reconstruct specs from that traffic. Verify that the services you expect to discover are serving HTTP traffic. For HTTPS coverage, use the NTA with Istio Service Mesh instead.
Pods in CrashLoopBackOff or Error state
Run kubectl logs <pod-name> -n <your-namespace> to inspect the pod logs. Common causes are an invalid registration token or incorrect registry credentials. Verify that the token was copied correctly from step 1 and that your license key is valid.
Expected internal service traffic not being captured
By default, the Tap Plugin listens on all network interfaces. If specific interfaces aren't being monitored, set the INVICTI_TAP_INTERFACES environment variable to explicitly include the required interfaces (comma-separated). Check the Tap Plugin pod logs for any interface-related errors.