Package: Invicti API Security Standalone or Bundle
Access requirements: Access to API Security in Invicti Platform requires the Administrator, Owner, Security Analyst, or Security Manager role, or a custom role with the API Security permission.
Choose the right API discovery method
Invicti Platform offers three API discovery methods that can be used independently or combined to ensure comprehensive coverage of all APIs in your environment. This document helps you understand the key differences between each method to choose the right approach for your organization.
Comparison of API discovery methods
The following table summarizes the key differences between the three API discovery methods:
| Discovery method | Installation required | How it works | Best for |
|---|---|---|---|
| Sensorless API discovery | None (agentless - enabled during scans) | Scans web applications to trigger downstream API calls and reconstruct API specifications. Crawls for APIs and API specs in the target FQDN structure. During DAST scans, automatically detects API specifications in standard locations and reconstructs API specs from observed HTTP/HTTPS traffic. | Discovering APIs exposed by web applications during security testing and finding undocumented APIs through active scanning |
| Network-based API discovery (NTA) | Yes (requires deployment to a Kubernetes cluster via Helm charts or integration with network infrastructure) | Passively monitors live network traffic to identify API calls and reconstruct them into OpenAPI3 specifications. Supports integration with F5, Nginx, Cloudflare, Kong Gateway, and other network infrastructure (requires at least 3 endpoints on the same host). | Discovering undocumented or shadow APIs through passive traffic analysis without impacting production systems |
| API management integration | None (agentless - configuration only) | Syncs existing Swagger2 and OpenAPI3 specifications from platforms like Amazon API Gateway, Apigee, Azure API Management, Kong Konnect, or MuleSoft | Organizations already using API management platforms with documented APIs |
Key considerations
Sensorless API discovery (agentless)
Sensorless API Discovery works during DAST scans to actively discover APIs through multiple techniques. It scans web applications to trigger downstream API calls and reconstruct their specifications, crawls the target FQDN structure for APIs and API specs, and automatically detects specifications in standard locations. This method requires no installation: simply enable it in your scan configuration and it discovers APIs as part of your security scanning process.
Learn more:
- Sensorless API discovery overview
- Sensorless API discovery configuration
- Zero configuration API discovery
Network-based API discovery (NTA)
Network-based API Discovery uses the Network Traffic Analyzer (NTA), which can be deployed to your Kubernetes cluster or integrated with existing network infrastructure including F5, Nginx, Cloudflare, Kong Gateway, and KBSF. It passively monitors live network traffic to discover APIs that have no published specifications, observing actual API traffic in your environment without impacting production systems.
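Both Sensorless discovery and NTA are described above as reconstructing API specifications from observed HTTP traffic, but only at a high level. The following Python sketch is an added illustration of the general idea, not Invicti's own code or algorithm: it groups observed requests by host, collapses identifier-like path segments into OpenAPI path parameters, records the methods and status codes seen for each template, and emits one OpenAPI 3 skeleton per host. The sample request log, the `{user_id}`-style parameter naming rule, and the reading of "at least 3 endpoints on the same host" as three distinct path templates are all assumptions made for the example.

```python
"""Illustrative passive API reconstruction from observed HTTP traffic.

Added example (not Invicti's code): turns a log of observed requests into
per-host OpenAPI 3 skeletons, the way a traffic analyzer reconstructs
undocumented APIs.
"""
import json
import re
from collections import defaultdict

# Constructed sample of observed traffic: (method, host, path, status).
OBSERVED = [
    ("GET", "api.example.test", "/v1/users/123", 200),
    ("GET", "api.example.test", "/v1/users/456", 404),
    ("GET", "api.example.test", "/v1/users?page=2", 200),
    ("POST", "api.example.test", "/v1/users", 201),
    ("GET", "api.example.test", "/v1/orders/550e8400-e29b-41d4-a716-446655440000", 200),
    ("DELETE", "api.example.test", "/v1/orders/550e8400-e29b-41d4-a716-446655440000", 204),
    ("GET", "shop.example.test", "/health", 200),
]

# Assumed reading of the page's "at least 3 endpoints on the same host":
# a host needs three distinct path templates before a spec is emitted.
MIN_ENDPOINTS_PER_HOST = 3

_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path):
    """Collapse identifier-like segments into OpenAPI path parameters.

    "/v1/users/123" -> ("/v1/users/{user_id}", ["user_id"]). The parameter
    naming rule (previous segment, singularised, plus "_id") is an assumption.
    """
    path = path.split("?", 1)[0]  # query strings are not part of the template
    out, params, prev = [], [], ""
    for seg in path.strip("/").split("/"):
        if _NUMERIC.match(seg) or _UUID.match(seg):
            base = prev.rstrip("s") or "id"
            name, n = f"{base}_id", 2
            while name in params:  # parameter names must be unique per path
                name, n = f"{base}_id{n}", n + 1
            params.append(name)
            out.append("{" + name + "}")
        else:
            out.append(seg)
        prev = seg
    return "/" + "/".join(out), params


def reconstruct_specs(observed, min_endpoints=MIN_ENDPOINTS_PER_HOST):
    """Group observed requests per host and emit an OpenAPI 3 skeleton each.

    Hosts with fewer than min_endpoints distinct path templates are skipped,
    which filters out noise such as a lone health check.
    """
    per_host = defaultdict(dict)  # host -> {template -> {method -> operation}}
    for method, host, path, status in observed:
        template, params = normalize_path(path)
        ops = per_host[host].setdefault(template, {})
        op = ops.setdefault(method.lower(), {"responses": {}})
        if params and "parameters" not in op:
            op["parameters"] = [
                {"name": p, "in": "path", "required": True, "schema": {"type": "string"}}
                for p in params
            ]
        # Every status code seen for this operation becomes a response entry.
        op["responses"].setdefault(str(status), {"description": f"Observed HTTP {status}"})

    specs = {}
    for host, paths in per_host.items():
        if len(paths) < min_endpoints:
            continue
        specs[host] = {
            "openapi": "3.0.3",
            "info": {"title": f"Reconstructed API for {host}", "version": "observed"},
            "servers": [{"url": f"https://{host}"}],
            "paths": paths,
        }
    return specs


if __name__ == "__main__":
    print(json.dumps(reconstruct_specs(OBSERVED), indent=2))
```

Running the script prints one spec for `api.example.test` with three templated paths; `shop.example.test` is dropped because only `/health` was observed there. A real analyzer would also infer request and response schemas from bodies and headers, which this sketch deliberately omits.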
API management integration (agentless)
API Management Integration requires no installation, only API configuration. It is ideal when you already maintain API specifications in an API management platform and want them kept synchronized with Invicti automatically every 24 hours. This method pulls existing documentation from your API management platform.
Learn more:
- API discovery sources overview
- Integrating with Amazon API Gateway
- Integrating with Apigee API hub
- Integrating with Azure API Management
- Integrating with Kong Konnect
- Integrating with MuleSoft Anypoint Exchange
Using multiple methods simultaneously
You can use multiple discovery methods simultaneously to ensure comprehensive coverage of all APIs in your environment. For example:
- Use Sensorless API Discovery to actively discover and reconstruct APIs during your regular security scans, including both documented and undocumented APIs
- Deploy Network-based API Discovery (NTA) to passively discover APIs through traffic analysis in your Kubernetes environment or via network infrastructure integration
- Configure API Management Integration to sync specifications from your existing API gateway