NTA with Tap Plugin
This feature is available with Invicti API Security Standalone or Bundle.
This document explains how to install the Invicti Network Traffic Analyzer (NTA) via CLI using the Tap Plugin to detect API traffic in your Kubernetes cluster and reconstruct OpenAPI3 specification files.
Prerequisites
- A Kubernetes cluster
- Helm CLI installed (version 3+)
- kubectl configured for your cluster (e.g., using Get-AksHciCredential)
- A Kubernetes namespace created for Invicti NTA
Minimum System Requirements
- 1 GB RAM
- 2-core 64-bit CPU
- 2 GB available HDD
Overview
There are two ways to capture Kubernetes traffic with the Invicti NTA:
- Integrating with a Kubernetes namespace interface natively (captures HTTP traffic only):
- This is the method described in this Tap Plugin document. It focuses on capturing HTTP traffic via the Tap Plugin using the Kubernetes namespace interface, which does not handle HTTPS traffic unless combined with Istio.
- Integrating with Istio Service Mesh (captures both HTTP & HTTPS traffic):
- This is not described in this Tap Plugin document. Instead, this integration is covered in the Istio Service Mesh document, where you configure the Istio Envoy proxy to handle encrypted traffic (HTTPS) using WASM filters.
Installation steps
The Invicti NTA Helm chart includes:
- Reconstructor – Processes captured traffic and generates OpenAPI3 specification files.
- Tap Plugin (traffic sensor) – Captures API traffic within your Kubernetes cluster for analysis.
Step 1: Retrieve Registration token and password
- Log in to Invicti Enterprise.
- Select APIs > Sources from the left side menu and click Add new source.
- Enter a name and select Invicti Network Traffic Analyzer.
- In the NTA server url field, enter the URL of the server where the Invicti Enterprise web app is running. The default entry is the current host URL from the browser. It must be externally accessible.
IMPORTANT: The Invicti NTA must be able to reach the URL you enter into this field. You cannot use 'localhost'. The NTA Server URL you provide will be embedded in the token you will generate in the next step.
- Click Generate token and copy it. Paste the copied registration token in a place where you will be able to retrieve it easily when you prepare the installation command in step 2.
- Select Save at the bottom of the page. Do not skip this step!
- Select Agents > Manage Agents from the left-side menu.
- Click + Configure New Agent.
- In the Docker CLI & Openshift section, click the copy icon next to '2 - When prompted, enter the password below'. This is the password you will use to authenticate to Invicti's registry (registry.invicti.com).
- Paste the copied password in a place where you will be able to retrieve it easily in step 2 when you prepare the installation command.
Step 2: Authenticate with the Invicti Registry
- Launch the Helm CLI that was set up during the prerequisites.
- Then run the following command:
helm registry login registry.invicti.com
- Username: Your Invicti Enterprise email
- Password: The registry password you copied in Step 1 (point 9 above)
Step 3: Prepare and deploy the Invicti Helm chart
In your Helm CLI or terminal, run the following command to install Invicti NTA into your Kubernetes cluster:
helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 -n default --set trafficSource.tap.enabled=true --set imageRegistryUsername=email-address --set imageRegistryPassword=password --set reconstructor.JWT_TOKEN="registration-token"
🔧 Replace the following placeholders with your actual values:
- default: This sets the namespace where the Invicti NTA will be installed. Replace with the namespace you created.
- email-address: Replace with your Invicti Enterprise email address.
- password: Replace with the password you copied in Step 1.9.
- registration-token: Replace with the registration token from Step 1.5, ensuring it stays inside double quotes.
Note that values passed with --set are recorded in your shell history and are visible in the process list while helm runs. If that is a concern, put the password and token in files with restricted permissions and pass them with --set-file instead of --set, or use a values file.
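Steps 1 to 3 as one script, added here as an example; it is not Invicti's own installer. It logs in to the registry and installs the chart with the same values as the command above, but keeps the registry password and the registration token out of the command line by reading them from files with --set-file and feeding the password to helm on stdin. It assumes the registration token is a JWT (the chart value is named reconstructor.JWT_TOKEN), so the NTA server URL embedded in it can be inspected before installing; because the claim names inside the token are not documented here, the pre-flight check only looks for a loopback address anywhere in the decoded payload. The environment variable names NTA_NAMESPACE and INVICTI_EMAIL are this script's own.

```shell
#!/bin/sh
# Added example, not Invicti's own installer. Installs the Invicti NTA chart
# with the Tap Plugin enabled without putting secrets on the helm command line.
set -eu

CHART="oci://registry.invicti.com/invicti-api-discovery"
CHART_VERSION="24.9.0"
RELEASE="invicti-api-discovery"
REGISTRY="registry.invicti.com"

# Decode the payload (second segment) of a JWT-shaped token. Assumption: the
# registration token is a JWT; base64url needs '+/' restored and '=' padding.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | sed 's/-/+/g; s#_#/#g')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Pre-flight check for the IMPORTANT note in Step 1: a token that embeds
# 'localhost' or 127.0.0.1 as the NTA server URL can never be reached from
# inside the cluster. Returns 1 (and prints the payload) in that case.
token_url_ok() {
  payload=$(jwt_payload "$1")
  if printf '%s' "$payload" | grep -Eqi 'localhost|127\.0\.0\.1'; then
    printf 'token embeds a loopback NTA server URL: %s\n' "$payload" >&2
    return 1
  fi
  return 0
}

# Step 2: registry login with the password read from stdin, not from argv.
registry_login() {
  helm registry login "$REGISTRY" --username "$1" --password-stdin
}

# Step 3: same values as the documented command; secrets come from files.
install_nta() {
  ns=$1; email=$2; password_file=$3; token_file=$4
  helm upgrade --install "$RELEASE" "$CHART" --version "$CHART_VERSION" \
    -n "$ns" \
    --set trafficSource.tap.enabled=true \
    --set imageRegistryUsername="$email" \
    --set-file imageRegistryPassword="$password_file" \
    --set-file reconstructor.JWT_TOKEN="$token_file"
}

main() {
  ns=${NTA_NAMESPACE:?namespace created for Invicti NTA}
  email=${INVICTI_EMAIL:?Invicti Enterprise login e-mail}
  tmp=$(mktemp -d)                     # secrets live only in a 0700 temp dir
  chmod 700 "$tmp"
  trap 'rm -rf "$tmp"' EXIT
  printf 'Invicti registry password: ' >&2
  stty -echo; read -r password; stty echo; echo >&2
  printf 'Registration token: ' >&2
  read -r token
  token_url_ok "$token"
  printf '%s' "$password" > "$tmp/password"   # no trailing newline
  printf '%s' "$token" > "$tmp/token"
  printf '%s' "$password" | registry_login "$email"
  install_nta "$ns" "$email" "$tmp/password" "$tmp/token"
}

# Usage: NTA_NAMESPACE=invicti INVICTI_EMAIL=you@example.com ./install-nta.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Because the script uses `helm upgrade --install`, the same invocation serves for a fresh install and for a later update with a new token or password.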
Step 4: Verify the installation (optional)
After deployment, confirm that the Invicti NTA components are running correctly.
- Check the pod status:
kubectl get pods -n <your-namespace>
- Ensure all pods (e.g., tap, reconstructor) show Running with all containers ready and are not in CrashLoopBackOff or Error states. If any pod is not running properly, investigate its logs with:
kubectl logs <pod-name> -n <your-namespace>
- For the Tap Plugin pod, for example:
kubectl logs invicti-api-discovery-tap-5slmn -n <your-namespace>
🔧 <5slmn> - this suffix is randomized. Copy and paste the pod-name from the `kubectl get pods -n <your-namespace>` output.
If everything looks good, your Invicti NTA with the Tap Plugin is now successfully capturing and analyzing traffic in your Kubernetes cluster.
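The check in Step 4 as a script, added here as an example (not part of the Invicti chart). It waits for the pods in the namespace to become Ready, lists any pod that is not Running with all containers ready, and prints that pod's recent log so the failure is visible without a second command. The sample `kubectl get pods` output embedded in it is constructed, including the pod name suffixes, so the parsing can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the Invicti chart: post-install health check for
# the NTA pods. It fails on any pod that is not Running with all containers
# ready and prints that pod's recent log so the cause is visible immediately.
set -eu

# Constructed sample of `kubectl get pods` output, used to illustrate the check
# without a cluster. The pod name suffixes here are made up.
SAMPLE_PODS='NAME                                                  READY   STATUS             RESTARTS   AGE
invicti-api-discovery-reconstructor-7d9c5b6f4-x2k9p   1/1     Running            0          3m
invicti-api-discovery-tap-5slmn                       0/1     CrashLoopBackOff   4          3m'

# Read `kubectl get pods` output on stdin; print "name ready status" for every
# pod that is not healthy. Completed pods (one-shot jobs) are accepted as-is.
unhealthy_pods() {
  awk 'NR > 1 {
    if ($3 == "Completed") next
    split($2, r, "/")
    if ($3 != "Running" || r[1] != r[2])
      print $1, $2, $3
  }'
}

# Check one namespace: wait up to $2 seconds for readiness, then list and dump
# logs of anything still unhealthy. Returns 1 if any pod is unhealthy.
verify_nta() {
  ns=$1; timeout=${2:-120}
  kubectl wait --for=condition=Ready pod --all -n "$ns" --timeout="${timeout}s" || true
  bad=$(kubectl get pods -n "$ns" | unhealthy_pods)
  [ -z "$bad" ] && { echo "all NTA pods in $ns are healthy"; return 0; }
  printf 'unhealthy pods in %s:\n%s\n' "$ns" "$bad"
  printf '%s\n' "$bad" | while read -r name _; do
    echo "--- logs: $name ---"
    kubectl logs "$name" -n "$ns" --tail=50 --all-containers || true
  done
  return 1
}

# Usage: ./verify-nta.sh <namespace>  (without an argument, runs on the sample)
if [ -n "${1:-}" ]; then
  verify_nta "$1"
else
  printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods
fi
```

Run without an argument it reports the constructed Tap Plugin pod stuck in CrashLoopBackOff; with a namespace argument it runs the real kubectl commands from Step 4.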
Update or reinstall Invicti NTA with Tap Plugin
- Follow Step 1 to get the latest registration token and registry password.
- Log in to the Invicti registry as described in Step 2.
- Prepare the update command, replacing the placeholders as described in Step 3:
helm upgrade --install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version 24.9.0 --set imageRegistryUsername="email-address" --set imageRegistryPassword="password" --set reconstructor.JWT_TOKEN="registration-token" --set trafficSource.tap.enabled=true -n "default"
- Run the prepared command in your Helm CLI or command line.
Frequently asked questions
What does the Tap Plugin actually do?
The Tap Plugin monitors and analyzes network traffic by listening to all network interfaces and ports in your Kubernetes cluster. It captures unencrypted API communications and extracts a limited set of telemetry (metadata) for API discovery. This telemetry is then used to reconstruct OpenAPI3 specifications, which are sent to your API Inventory in Invicti Enterprise.
Does the Tap Plugin capture internal and external APIs?
Yes. The Tap Plugin can capture both internal (e.g., between pods) and external (e.g., incoming edge traffic) APIs, as long as the traffic is unencrypted (HTTP). If port forwarding is used, discovered APIs will reflect the internal port, not the externally forwarded one.
Which network interfaces does the Tap Plugin listen to in Kubernetes?
By default, the Tap Plugin listens to all available network interfaces to ensure broad coverage. You can limit this by setting the INVICTI_TAP_INTERFACES environment variable with specific interfaces (comma-separated).
Does the Tap Plugin listen to all ports?
Yes. The Tap Plugin listens on all ports by default. You can restrict it using the INVICTI_TAP_PORTS environment variable.
Examples:
- Specific Ports: 80,443,8080
- Port Range: 5005-6000
Which requests are being captured?
By default, only HTTP requests with 2XX status codes are captured. You can customize this behavior using the INVICTI_TAP_HTTP_STATUS_CODES environment variable.
Examples:
- 200 – Only HTTP 200 OK
- 20x – Status codes 200 through 209
- 2xx – Status codes 200 through 299
Does the Tap Plugin support encrypted HTTPS traffic?
No. The Tap Plugin only supports unencrypted HTTP 1.x traffic. For encrypted (HTTPS) traffic, use the Istio Service Mesh integration.
What technology does the Tap Plugin use?
It is based on pcap (packet capture), a well-established open-source technology for monitoring network packets.
Can I exclude traffic with specific HTTP headers?
Yes. Use the INVICTI_TAP_EXCLUDE_TRAFFIC_WITH_HEADERS environment variable to define a comma-separated list of headers. Traffic containing these headers will be ignored.
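The matching rules from the port, status-code and header questions above, written out in POSIX shell as an added illustration. This is not the Tap Plugin's code and the function names are this example's own; it reproduces the documented semantics (comma-separated port lists and ranges, 'x' as a digit wildcard in status codes, case-insensitive header names) so a planned INVICTI_TAP_PORTS / INVICTI_TAP_HTTP_STATUS_CODES / INVICTI_TAP_EXCLUDE_TRAFFIC_WITH_HEADERS setting can be checked against a request before it is applied. An empty spec stands for the documented default (all ports; 2xx status codes). The sample request at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the Tap Plugin's code: evaluates the documented filter
# variables against one request so a planned setting can be sanity-checked.
set -eu

# port_in_spec "80,443,5005-6000" 5432 -> 0 if 5432 is listed or in a range.
# An empty spec means the default: every port. Lists must not contain spaces.
port_in_spec() {
  spec=$1; port=$2
  [ -z "$spec" ] && return 0
  old_ifs=$IFS; IFS=','
  for item in $spec; do
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-}
           if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then IFS=$old_ifs; return 0; fi ;;
      *)   if [ "$port" -eq "$item" ]; then IFS=$old_ifs; return 0; fi ;;
    esac
  done
  IFS=$old_ifs; return 1
}

# status_in_spec "200,40x" 404 -> 0. 'x' is a digit wildcard, so "20x" covers
# 200-209 and "2xx" covers 200-299. An empty spec means the default "2xx".
status_in_spec() {
  spec=${1:-2xx}; code=$2
  old_ifs=$IFS; IFS=','
  for pat in $spec; do
    glob=$(printf '%s' "$pat" | sed 's/[xX]/?/g')
    case $code in
      $glob) IFS=$old_ifs; return 0 ;;
    esac
  done
  IFS=$old_ifs; return 1
}

# has_excluded_header "X-Health-Check,Authorization" "$headers" -> 0 if any
# listed header name is present. Headers are newline-separated "Name: value"
# lines; names match case-insensitively.
has_excluded_header() {
  list=$1; headers=$2
  [ -z "$list" ] && return 1
  old_ifs=$IFS; IFS=','
  for name in $list; do
    if printf '%s\n' "$headers" | grep -qi "^${name}:"; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs; return 1
}

# should_capture PORTS STATUSES EXCLUDE port status headers -> 0 when the
# request would be kept for reconstruction under those settings.
should_capture() {
  port_in_spec "$1" "$4" && status_in_spec "$2" "$5" && ! has_excluded_header "$3" "$6"
}

# Constructed sample request (not captured from a real system).
SAMPLE_PORT=8080
SAMPLE_STATUS=204
SAMPLE_HEADERS='Host: orders.internal
Content-Type: application/json
X-Health-Check: 1'

# Defaults keep the request; excluding the health-check header drops it.
should_capture "" "" "" "$SAMPLE_PORT" "$SAMPLE_STATUS" "$SAMPLE_HEADERS" && echo "default settings: captured"
should_capture "" "" "X-Health-Check" "$SAMPLE_PORT" "$SAMPLE_STATUS" "$SAMPLE_HEADERS" || echo "X-Health-Check excluded: dropped"
```

Two caveats follow from the answers above: the port tested must be the pod's internal port, not a forwarded one, and listing 443 only matters for plaintext HTTP served on that port, since the Tap Plugin does not see inside TLS.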
How is the Tap Plugin deployed?
The Tap Plugin is deployed as part of the Invicti Network Traffic Analyzer Helm chart inside your Kubernetes cluster.
Refer to the Installation Steps section above for complete setup instructions.