NTA integration overview
This feature is available with Invicti API Security Standalone or Bundle.
The Invicti Network Traffic Analyzer (NTA) enables organizations to discover unknown or undocumented APIs by passively analyzing network traffic inside Kubernetes environments. By reconstructing OpenAPI3 specifications from live traffic, the NTA helps build a comprehensive and accurate API inventory—crucial for API security and vulnerability scanning.
This document provides a high-level overview of how Invicti NTA works, its integration methods, and how to choose the right setup for your environment.
What is the Invicti NTA?
The Invicti NTA is a lightweight, Kubernetes-native solution that captures and inspects API traffic to automatically generate OpenAPI3 specifications. These specs are then imported into your API Inventory, allowing you to scan and secure all known and previously unknown API endpoints.
The NTA supports two modes of deployment:
- With Istio Service Mesh: Captures both HTTP and HTTPS traffic via Envoy proxy and WASM filters.
- With Tap Plugin only: Captures HTTP traffic only via direct inspection of Kubernetes network interfaces.
Both methods use Helm charts for deployment and include the core NTA components such as the Reconstructor and traffic capture agent.
Choose the right integration
Integration Type | Captures HTTPS | Use Case |
Istio Service Mesh | ✅ | Environments with encrypted traffic and Istio already in use |
Tap Plugin | ❌ | Simpler setups where traffic is unencrypted or Istio is not needed |
If your application traffic is encrypted (HTTPS), the Istio Mesh integration is required to inspect it. Otherwise, the Tap Plugin may be sufficient for discovery in simpler environments.
Ready to Install?
Choose the appropriate guide for your deployment:
- NTA with Istio Mesh Service – For environments using Istio to inspect both HTTP and HTTPS traffic.
- NTA with Tap Plugin – For simpler setups, capturing HTTP-only traffic.
- NTA with Kong API Gateway overview
- NTA with Kong API Gateway in Kubernetes
- NTA with Kong API Gateway in Docker
- NTA with Kong API Gateway in Linux
- NTA in Docker with NGINX in Docker
- NTA in K8s with NGINX in K8s
- NTA with F5 BIG IP iRule
- MuleSoft Anypoint Exchange
Each document includes prerequisites, installation steps, Helm deployment commands, and troubleshooting tips.