Package: Invicti API Security Standalone or Bundle
NTA integrations overview
The Invicti Network Traffic Analyzer (NTA) enables organizations to discover unknown or undocumented APIs by passively analyzing network traffic. By reconstructing OpenAPI3 specifications from live traffic, the NTA helps build a comprehensive and accurate API inventory - crucial for API security and vulnerability scanning.
This document provides an overview of how the NTA works, its integration options, and the steps to set it up.
What's the Invicti NTA?
The Invicti NTA consists of two layers:
- The Reconstructor: the NTA core service. It receives traffic telemetry, analyzes it, and reconstructs OpenAPI3 specifications. This is where the API discovery happens.
- Capture integrations: lightweight agents or plugins (Kong plugin, Cloudflare Worker, TAP, NGINX, F5) that collect traffic from your infrastructure and forward it to the Reconstructor.
The Reconstructor is always required. The capture integration you choose depends on your infrastructure.
For Kubernetes environments, the NTA supports two capture modes:
- With Istio Service Mesh: Captures both HTTP and HTTPS traffic via Envoy proxy and WASM filters.
- With Tap Plugin only: Captures HTTP traffic only via direct inspection of Kubernetes network interfaces.
Both methods use Helm charts for deployment.
Implementation
The NTA is written in Go (1.23+). The core of the NTA is the Reconstruction Service. This is where traffic analysis and API specification reconstruction happen. The NTA receives traffic telemetry from capture integrations (Kong plugin, Cloudflare Worker, TAP, and others) and reconstructs API specifications from that traffic. As a compiled Go binary, the NTA benefits from Go's efficient memory model and garbage collector, resulting in predictable, low memory overhead.
Note that the capture integrations are separate components - they collect and forward traffic, but the Reconstructor is the NTA.
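To make the reconstruction step concrete, here is an added illustration of the general idea. It is not Invicti's code or algorithm. Observed requests are grouped into templated paths, methods and status codes, which is the skeleton of an OpenAPI `paths` object. The `Observation` type, the `{paramN}` naming and the sample requests are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Observation is one captured exchange (hypothetical shape, not the NTA telemetry format).
type Observation struct {
	Method, Path string
	Status       int
}

var variable = regexp.MustCompile(`^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$`)

// templatePath drops the query string and turns numeric or UUID segments into path parameters.
func templatePath(p string) string {
	p, _, _ = strings.Cut(p, "?")
	segs := strings.Split(strings.Trim(p, "/"), "/")
	for i, s := range segs {
		if variable.MatchString(s) {
			segs[i] = fmt.Sprintf("{param%d}", i)
		}
	}
	return "/" + strings.Join(segs, "/")
}

// Reconstruct maps templated path -> lower-case method -> sorted, de-duplicated status codes.
func Reconstruct(obs []Observation) map[string]map[string][]int {
	spec := map[string]map[string][]int{}
	for _, o := range obs {
		key, m := templatePath(o.Path), strings.ToLower(o.Method)
		if spec[key] == nil {
			spec[key] = map[string][]int{}
		}
		c := spec[key][m]
		if i := sort.SearchInts(c, o.Status); i == len(c) || c[i] != o.Status {
			c = append(c, o.Status)
			sort.Ints(c)
		}
		spec[key][m] = c
	}
	return spec
}

func main() { // constructed sample traffic
	fmt.Println(Reconstruct([]Observation{{"GET", "/users/42", 200}, {"GET", "/users/7?x=1", 404}, {"POST", "/users", 201}}))
}
```

Endpoints that show up in this output but not in your documented specifications are the undocumented APIs that traffic-based discovery is meant to surface.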
Prerequisites
- Invicti API Security package (Standalone or Bundle)
- Admin access to Invicti Platform
- For Helm deployments: a Kubernetes cluster and Helm 3 installed
- For Docker Compose deployments: Docker installed on the host machine
Step 0: Enable the Reconstructor (on-premises only)
For on-premises deployments, the Reconstructor service is disabled by default. Enable it by updating your Helm values:
```yaml
reconstructor:
  enabled: true
```
Apply the change with:
```bash
helm upgrade invicti-platform oci://platform-registry.invicti.com/invicti-platform-helm-charts/onpremises \
  --namespace invicti \
  --reuse-values \
  --set reconstructor.enabled=true
```
On-demand deployments have the Reconstructor enabled automatically. Skip this step if you are on the cloud platform.
Step 1: Create an NTA source and get your registration token
- Select Discovery from the left-side menu.
- Under API configuration, select API sources.
- Click Add source.
- Leave the Import type as External platform.
- Enter a name for the source configuration. This helps you identify it later in your list of API sources.
- Select Invicti Network Traffic Analyzer as the Source type.
- Click Generate token.
- Click the copy icon next to the newly generated registration token.
- Click Save at the bottom of the page. Don't skip this step.
Always click Save before copying the token. If you navigate away without saving, the source isn't created.
- Registration tokens never expire - the 48-hour window only affects UI visibility, not token functionality.
- Generating a new token does not invalidate previously generated tokens.
- You can reuse one token across multiple NTA deployments. See Reuse NTA importer.
Step 2: Choose the right integration
| Integration Method | HTTPS Support | Best For |
|---|---|---|
| Istio Service Mesh | ✅ | Environments with encrypted traffic and Istio already in use |
| Tap Plugin | ❌ | Simpler setups where traffic is unencrypted or Istio is not needed |
If your app traffic is encrypted (HTTPS), the Istio Mesh integration is required to inspect it. Otherwise, the Tap Plugin may be sufficient for discovery in simpler environments.
Step 3: Deploy the NTA
Choose the appropriate guide for your deployment:
| Infrastructure | Guide |
|---|---|
| Kubernetes with Istio | NTA with Istio Mesh Service |
| Kubernetes with TAP plugin | NTA with Tap Plugin |
| Kong API Gateway - Kubernetes | NTA with Kong API Gateway in Kubernetes |
| Kong API Gateway - Docker | NTA with Kong API Gateway in Docker |
| Kong API Gateway - Linux | NTA with Kong API Gateway in Linux |
| NGINX in Docker | NTA in Docker with NGINX in Docker |
| NGINX in Kubernetes | NTA in K8s with NGINX in K8s |
| F5 BIG-IP | NTA with F5 BIG-IP iRule |
| Cloudflare Worker | NTA with Cloudflare Worker |
For an overview of the Kong integration options, see NTA with Kong API Gateway overview.
Step 4: Verify the integration
Once the NTA is deployed and traffic is flowing:
- In Invicti, go to Discovery > API Sources.
- Confirm the NTA source status shows as connected.
- Go to APIs > API Inventory. Reconstructed API specifications appear here after traffic flows through your monitored services.
It may take a few minutes for the first API specifications to appear, depending on traffic volume.
Troubleshooting
For common issues including authorization failures, retry behavior, and resolution steps, refer to NTA troubleshooting.