Package: Invicti API Security Standalone or Bundle
NTA integrations overview
The Invicti Network Traffic Analyzer (NTA) enables organizations to discover unknown or undocumented APIs by passively analyzing network traffic inside Kubernetes environments. By reconstructing OpenAPI3 specifications from live traffic, the NTA helps build a comprehensive and accurate API inventory - crucial for API security and vulnerability scanning.
This document provides a high-level overview of how Invicti NTA works, its integration methods, and how to choose the right setup for your environment.
What's the Invicti NTA?
The Invicti NTA is a lightweight, Kubernetes-native solution that captures and inspects API traffic to automatically generate OpenAPI3 specifications. These specs are then imported into your API Inventory, allowing you to scan and secure all known and previously unknown API endpoints.
The NTA supports two modes of deployment:
- With Istio Service Mesh: Captures both HTTP and HTTPS traffic via Envoy proxy and WASM filters.
- With Tap Plugin only: Captures HTTP traffic only via direct inspection of Kubernetes network interfaces.
Both methods use Helm charts for deployment and include the core NTA components such as the Reconstructor and traffic capture agent.
Choose the right integration
| Integration Method | HTTPS Support | Best For |
|---|---|---|
| Istio Service Mesh | ✅ | Environments with encrypted traffic and Istio already in use |
| Tap Plugin | ❌ | Simpler setups where traffic is unencrypted or Istio is not needed |
If your app traffic is encrypted (HTTPS), the Istio Mesh integration is required to inspect it. Otherwise, the Tap Plugin may be sufficient for discovery in simpler environments.
Installation options
Choose the appropriate guide for your deployment:
- NTA with Istio Mesh Service - For environments using Istio to inspect both HTTP and HTTPS traffic.
- NTA with Tap Plugin - For simpler setups, capturing HTTP-only traffic.
- NTA with Kong API Gateway overview
- NTA with Kong API Gateway in Kubernetes
- NTA with Kong API Gateway in Docker
- NTA with Kong API Gateway in Linux
- NTA in Docker with NGINX in Docker
- NTA in K8s with NGINX in K8s
- NTA with F5 BIG IP iRule
Each document includes prerequisites, installation steps, Helm deployment commands, and troubleshooting tips.
Troubleshooting
For common issues including authorization failures, retry behavior, and resolution steps, refer to NTA troubleshooting.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center