Invicti

Overview

The Invicti integration imports vulnerability scan results from the Invicti application security platform into Praetorian Guard Platform (PGP), providing insights into web application security.

This is a read-only, one-way integration. PGP pulls vulnerability data from Invicti but does not push any data back or trigger scans in Invicti. The integration runs on a scheduled basis and does not support manual rescans.

What the Integration Does

When the Invicti integration runs, it performs the following steps:

  1. Validates credentials -- Confirms the provided User ID, API Token, and API Base URL are valid by making a test request to the Invicti /scans/list endpoint.
  2. Fetches all issues -- Paginates through the Invicti /issues/allissues endpoint to retrieve vulnerability data.
  3. Filters issues -- Skips issues that are not in a "Present" or "Revived" state, and skips issues not seen in the last 30 days.
  4. Creates assets -- For each qualifying issue, extracts the hostname to create an Asset and creates a Webpage entity from the full URL.
  5. Creates risks -- Maps Invicti severity to PGP severity levels, prefixes the risk name with the CWE identifier when available, and creates a Risk entity linked to the Webpage.
  6. Attaches risk definitions -- Includes the vulnerability description, impact assessment, remediation recommendation, and classification reference links.
  7. Attaches proof metadata -- Records the Invicti issue ID, URL, certainty percentage, CVSS scores and vectors, CWE, compliance framework mappings, issue state, timestamps, type, and proof of concept.

Severity Mapping

Invicti severity -- PGP severity:

  • Critical -- Critical (TC)
  • High -- High (TH)
  • Medium -- Medium (TM)
  • Low -- Low (TL)
  • Any other value (e.g., Informational, Best Practice) -- Info (TI)

Filtering

An issue is imported only if it meets both of the following criteria; anything else is skipped:

  • Active state -- The issue state must contain "Present" or "Revived" (case-insensitive, whitespace ignored). Issues in states like "Fixed", "Ignored", or "Accepted Risk" without also being "Present" or "Revived" are skipped. Note that combined states like "Present (Accepted Risk)" or "Present (False Positive)" are still included because they contain "Present": the finding is still live on the target, so PGP surfaces it even though it has been triaged in Invicti. Expect such issues to appear in PGP and triage them there as well.
  • 30-day recency -- The issue's LastSeenDate must be within the last 30 days. Issues last seen more than 30 days ago are excluded, which means an issue stays in PGP only while Invicti keeps re-observing it. The date format expected from Invicti is DD/MM/YYYY hh:mm AM/PM (12-hour clock).

Additionally, issues are filtered through PGP's standard asset and risk filters (e.g., scope-based exclusions configured in your account).
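The credential check, pagination, filtering, severity mapping and entity derivation described in "What the Integration Does", "Severity Mapping" and "Filtering" above, as an added Python example; this is not code from PGP or Invicti. Issue field names (State, LastSeenDate, Severity, Url, Title, Classification.Cwe) are taken from this page; the base-URL regex, the strptime format used for DD/MM/YYYY hh:mm AM/PM, and the rule for "normalizing" a title into a risk name are this example's own assumptions, and the sample issues are constructed.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions of this example: the URL pattern regex, the strptime format for
# DD/MM/YYYY hh:mm AM/PM, and how a title is "normalized" for the risk name.
BASE_URL_RE = re.compile(r"^https://[^/\s]+/api/[^/\s]+/?$")
INVICTI_DATE_FMT = "%d/%m/%Y %I:%M %p"          # e.g. 25/06/2024 09:15 AM
SEVERITY_MAP = {"critical": "TC", "high": "TH", "medium": "TM", "low": "TL"}

def validate_base_url(url):
    """https://<host>/api/<version>; a trailing slash is accepted."""
    return BASE_URL_RE.match(url) is not None

def basic_auth_header(user_id, api_token):
    """Authorization header value: Basic base64(userId:apiToken)."""
    return "Basic " + base64.b64encode(f"{user_id}:{api_token}".encode()).decode()

def validation_request(base_url, user_id, api_token):
    """URL and headers for the credential test call against /scans/list."""
    if not validate_base_url(base_url):
        raise ValueError(f"API Base URL must match https://<host>/api/<version>: {base_url!r}")
    url = base_url.rstrip("/") + "/scans/list?page=1&pageSize=1"
    return url, {"Authorization": basic_auth_header(user_id, api_token)}

def fetch_all_issues(fetch_page, page_size=200, max_pages=100):
    """Page through /issues/allissues; fetch_page(page, page_size) returns one page.
    Stops after a short page or at the 100-page (20,000 issue) ceiling."""
    issues = []
    for page in range(1, max_pages + 1):
        batch = fetch_page(page, page_size)
        issues.extend(batch)
        if len(batch) < page_size:
            break
    return issues

def is_active_state(state):
    """'Present' or 'Revived' anywhere in the state; case and whitespace ignored."""
    s = re.sub(r"\s+", "", state or "").lower()
    return "present" in s or "revived" in s

def is_recent(last_seen, now, window_days=30):
    """LastSeenDate within the last `window_days` relative to `now`."""
    seen = datetime.strptime(last_seen.strip(), INVICTI_DATE_FMT)
    return seen >= now - timedelta(days=window_days)

def map_severity(severity):
    """Critical/High/Medium/Low map 1:1; anything else (Informational, Best Practice) is Info."""
    return SEVERITY_MAP.get((severity or "").strip().lower(), "TI")

def normalize_title(title):
    """Assumed normalization: lower-case, runs of non-alphanumerics become one hyphen."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")

def to_entities(issue):
    """Asset (hostname), Webpage (full URL), Risk name and PGP severity for one issue."""
    cwe = re.sub(r"\D", "", str((issue.get("Classification") or {}).get("Cwe") or ""))
    name = normalize_title(issue["Title"])
    if cwe:
        name = f"CWE-{int(cwe)}-{name}"
    return {"asset": urlparse(issue["Url"]).hostname, "webpage": issue["Url"],
            "risk": name, "severity": map_severity(issue.get("Severity"))}

def select_issues(issues, now):
    """Apply both filters: active state AND seen in the last 30 days."""
    return [i for i in issues
            if is_active_state(i.get("State")) and is_recent(i["LastSeenDate"], now)]

# Constructed sample issues (not real Invicti output), dated relative to NOW.
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE_ISSUES = [
    {"Id": "a1", "Url": "https://shop.example.com/search?q=1", "Title": "SQL Injection",
     "Severity": "Critical", "State": "Present", "LastSeenDate": "25/06/2024 09:15 AM",
     "Classification": {"Cwe": "89"}},
    {"Id": "a2", "Url": "https://shop.example.com/login", "Title": "Cookie Not Marked as HttpOnly",
     "Severity": "Low", "State": "Present (Accepted Risk)", "LastSeenDate": "28/06/2024 02:40 PM",
     "Classification": {"Cwe": "1004"}},
    {"Id": "a3", "Url": "https://shop.example.com/old", "Title": "Reflected XSS",
     "Severity": "High", "State": "Fixed", "LastSeenDate": "29/06/2024 10:00 AM",
     "Classification": {"Cwe": "79"}},
    {"Id": "a4", "Url": "https://api.example.com/v1/users", "Title": "Version Disclosure",
     "Severity": "Best Practice", "State": "Revived", "LastSeenDate": "15/05/2024 08:00 AM",
     "Classification": {}},
]

def demo():
    """Fetch (from the in-memory sample), filter and map; returns {Id: entities}."""
    fake_page = lambda page, size: SAMPLE_ISSUES if page == 1 else []
    selected = select_issues(fetch_all_issues(fake_page), NOW)
    return {i["Id"]: to_entities(i) for i in selected}
```

Running demo() keeps a1 (Present, recent) and a2 (Present (Accepted Risk), recent) and drops a3 (Fixed) and a4 (Revived but last seen 46 days ago). To reproduce PGP's credential check by hand, send a GET to the URL returned by validation_request() with the Authorization header it returns; a 401 or 403 there is the same failure PGP reports when saving the integration.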

Prerequisites

Before setting up the Invicti integration, you need:

  1. Invicti User ID -- Found on your Invicti account page.
  2. Invicti API Token -- Found on your Invicti account page.
  3. API Base URL -- Your Invicti instance URL including the API version path. Must match the pattern https://<your-instance>/api/<version> (e.g., https://www.netsparkercloud.com/api/1.0 for cloud, or your self-hosted equivalent).

Generating API Credentials in Invicti

  1. Log in to your Invicti account.
  2. Navigate to your account/profile settings page.
  3. Locate your User ID and API Token on the account page.
  4. These credentials will be used for Basic Authentication. PGP encodes the User ID and API Token as Base64(userId:apiToken) and sends it in the Authorization: Basic header.

Setup

  1. In PGP, navigate to Integrations from the main navigation.
  2. Locate and select the Invicti integration card.
  3. Fill in the required fields (see Field Reference below).
  4. Save the integration. PGP will validate your credentials by making a test API call to Invicti before saving.

Field Reference

All three fields are required.

  • API Base URL -- Your Invicti API base URL including the API version path. Example: https://www.netsparkercloud.com/api/1.0 or your self-hosted equivalent.
  • User ID -- Your Invicti User ID, found on your Invicti account page.
  • API Token -- Your Invicti API Token, found on your Invicti account page. Used for Basic Authentication.

Note: Only one Invicti integration can be configured per account.

Troubleshooting

Credential Validation Fails

  • Invalid API Base URL -- Ensure your URL matches the expected format: https://<host>/api/<version>. The URL must start with https://, include a host, and have an API version path segment (e.g., /api/1.0). A trailing slash is acceptable.
  • Authentication error -- PGP validates credentials by calling /scans/list?page=1&pageSize=1. If this fails, verify that your User ID and API Token are correct and that the associated Invicti account has permission to list scans.
  • 401 or 403 errors -- These indicate invalid or expired credentials, or insufficient permissions. Regenerate your API token in Invicti and update the integration in PGP.

No Vulnerabilities Imported

  • No active issues -- Only issues in a "Present" or "Revived" state are imported. If all your Invicti issues are in "Fixed", "Ignored", or other inactive states, nothing will be imported.
  • Stale issues -- Issues not seen in the last 30 days are excluded. Run a fresh scan in Invicti to update LastSeenDate values.

Rate Limiting and Retries

  • PGP retries failed requests up to 5 times with exponential backoff.
  • The initial delay is 2 seconds, doubling with each attempt, up to a maximum of 2 minutes.
  • A 20% jitter factor is applied to avoid thundering herd effects.
  • HTTP 429 (Too Many Requests) responses trigger automatic backoff and retry.
  • Server errors (HTTP 500+) are also retried automatically.

The integration has a total execution timeout of 240 seconds (4 minutes) for the whole run, not per request. With five retries the backoff for a single request adds up to about 62 seconds plus jitter (2 + 4 + 8 + 16 + 32), so a run that is throttled on several pages can exhaust this budget.
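The retry policy above, as an added Python example; this is not PGP's own code. The constants (5 retries, 2 s initial delay, 2-minute cap, 20% jitter, 240 s budget, retry on 429 and 5xx) come from this page; the send() callback shape, the scripted 429/503 responses and the choice to check the remaining budget before each sleep are this example's assumptions.

```python
import random
import time

MAX_RETRIES = 5          # retries after the first attempt, so at most 6 requests
INITIAL_DELAY = 2.0      # seconds before the first retry
MAX_DELAY = 120.0        # cap on any single wait (2 minutes)
JITTER = 0.20            # +/- 20 % of the computed delay
TOTAL_TIMEOUT = 240.0    # whole-run execution budget (4 minutes)

class RetryExhausted(Exception):
    pass

class IntegrationTimeout(Exception):
    pass

def is_retryable(status):
    """HTTP 429 and any 5xx are retried; everything else goes back to the caller."""
    return status == 429 or status >= 500

def backoff_delay(attempt, rng=random.random):
    """Wait before retry `attempt` (0-based): 2, 4, 8, 16, 32 ... seconds, capped at
    MAX_DELAY, with uniform +/- JITTER applied so clients do not retry in lockstep."""
    base = min(INITIAL_DELAY * (2 ** attempt), MAX_DELAY)
    return base + base * JITTER * (2 * rng() - 1)

def request_with_retry(send, sleep=time.sleep, clock=time.monotonic, rng=random.random):
    """send() -> (status, body); assumed shape, the caller wraps the real HTTP call.
    Retries retryable statuses with backoff and refuses to sleep past TOTAL_TIMEOUT."""
    started = clock()
    retries = 0
    while True:
        status, body = send()
        if not is_retryable(status):
            return status, body
        if retries >= MAX_RETRIES:
            raise RetryExhausted(f"gave up after {MAX_RETRIES} retries, last status {status}")
        delay = backoff_delay(retries, rng)
        if clock() - started + delay > TOTAL_TIMEOUT:
            raise IntegrationTimeout("next wait would exceed the 240 s budget")
        sleep(delay)
        retries += 1

# Constructed scripted responder (not a real Invicti exchange): returns the listed
# statuses in order and keeps repeating the last one.
def scripted_sender(statuses):
    queue = list(statuses)
    def send():
        status = queue.pop(0) if len(queue) > 1 else queue[0]
        return status, {"status": status}
    return send

def demo():
    """Two 429s then 200, with jitter pinned to zero: returns (status, delays slept)."""
    delays = []
    status, _ = request_with_retry(scripted_sender([429, 429, 200]), sleep=delays.append,
                                   clock=lambda: 0.0, rng=lambda: 0.5)
    return status, delays

def exhaustion_demo():
    """Permanent 503: returns how many requests were sent before giving up."""
    sent = []
    def send():
        sent.append(503)
        return 503, None
    try:
        request_with_retry(send, sleep=lambda d: None, clock=lambda: 0.0, rng=lambda: 0.5)
    except RetryExhausted:
        return len(sent)
    return -1
```

With five retries the longest single wait is 32 seconds, so the 2-minute cap only comes into play if the retry count is raised; the sleep and clock parameters are injected so the policy can be exercised without real waiting, which is how the two demo functions run instantly.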

Data Mapping

The following sections describe how Invicti data maps to PGP entities, risk definitions, and proof metadata.

Asset Creation

PGP entity (source) -- details:

  • Asset (hostname from the issue URL) -- Created with Frozen status. The hostname is extracted from the issue's URL field.
  • Webpage (full issue URL) -- A Webpage entity is created from the full URL of the Invicti issue.
  • Risk (issue title + CWE) -- Risk name is formatted as CWE-{number}-{normalized-title} when a CWE is available, otherwise just the normalized title. Linked to the Webpage entity.

Risk Definition

PGP field -- Invicti field:

  • Description -- VulnerabilityDetail (HTML converted to Markdown)
  • Impact -- Impact (HTML converted to Markdown)
  • Recommendation -- Remedy (HTML converted to Markdown)
  • References -- ClassificationLinks (URL-decoded, formatted as a list)

Proof Metadata

Proof field (Invicti source) -- notes:

  • invicti_id (from Id) -- Unique Invicti issue identifier
  • url (from Url) -- Affected URL
  • certainty (from Certainty) -- Confidence percentage (only if > 0)
  • cvss_score (from Cvss31Vector.Base.Value) -- CVSS 3.1 base score (only if > 0)
  • cvss_vector (from Cvss31VectorString) -- Full CVSS 3.1 vector string
  • cvss4_vector (from Cvss40VectorString) -- Full CVSS 4.0 vector string
  • cwe (from Classification.Cwe) -- Formatted as CWE-{number}
  • owasp_2021 (from Classification.OwaspTopTen2021) -- OWASP Top Ten 2021 category
  • owasp_api (from Classification.OwaspApiTop10) -- OWASP API Security Top 10 category
  • pci_dss_4 (from Classification.PciDss40) -- PCI DSS 4.0 requirement
  • nist_800_53 (from Classification.Nistsp80053) -- NIST SP 800-53 control
  • hipaa (from Classification.Hipaa) -- HIPAA requirement
  • disa_stig (from Classification.DisaStig) -- DISA STIG identifier
  • state (from State) -- Invicti issue state
  • first_seen (from FirstSeenDate) -- When the issue was first detected
  • last_seen (from LastSeenDate) -- When the issue was last observed
  • type (from Type) -- Invicti issue type
  • proof_of_concept (from ProofOfConcept) -- Proof of concept details from Invicti
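Building the risk definition references and the proof metadata record from one Invicti issue, as an added Python example; this is not PGP's code. Proof field names and their sources, including the Cvss31Vector.Base.Value nesting and the "only if > 0" rules, follow the lists above. The assumption that ClassificationLinks arrives as a list of URL-encoded strings at the top level of the issue, the decision to omit empty compliance values rather than store blanks, and the constructed sample issue are this example's own.

```python
import re
from urllib.parse import unquote

COMPLIANCE_KEYS = [("owasp_2021", "OwaspTopTen2021"), ("owasp_api", "OwaspApiTop10"),
                   ("pci_dss_4", "PciDss40"), ("nist_800_53", "Nistsp80053"),
                   ("hipaa", "Hipaa"), ("disa_stig", "DisaStig")]
PASSTHROUGH_KEYS = [("state", "State"), ("first_seen", "FirstSeenDate"),
                    ("last_seen", "LastSeenDate"), ("type", "Type"),
                    ("proof_of_concept", "ProofOfConcept")]

def _put(proof, key, value):
    """Assumed rule: only non-empty values become proof fields, so absence means 'not reported'."""
    if value not in (None, "", [], {}):
        proof[key] = value

def build_proof(issue):
    """Map one Invicti issue to the proof fields listed on this page."""
    cls = issue.get("Classification") or {}
    proof = {"invicti_id": issue["Id"], "url": issue["Url"]}
    if (issue.get("Certainty") or 0) > 0:             # certainty only if > 0
        proof["certainty"] = issue["Certainty"]
    score = ((issue.get("Cvss31Vector") or {}).get("Base") or {}).get("Value") or 0
    if score > 0:                                      # cvss_score only if > 0
        proof["cvss_score"] = score
    _put(proof, "cvss_vector", issue.get("Cvss31VectorString"))
    _put(proof, "cvss4_vector", issue.get("Cvss40VectorString"))
    cwe_digits = re.sub(r"\D", "", str(cls.get("Cwe") or ""))
    if cwe_digits:                                     # always rendered as CWE-{number}
        proof["cwe"] = f"CWE-{int(cwe_digits)}"
    for key, src in COMPLIANCE_KEYS:
        _put(proof, key, cls.get(src))
    for key, src in PASSTHROUGH_KEYS:
        _put(proof, key, issue.get(src))
    return proof

def reference_list(classification_links):
    """References: URL-decode each link, drop blanks and duplicates, keep order."""
    seen, out = set(), []
    for link in classification_links or []:
        url = unquote(str(link)).strip()
        if url and url not in seen:
            seen.add(url)
            out.append(url)
    return out

# Constructed sample (not real Invicti output): certainty 0 and a CVSS block without a
# score, so the optional fields must be left out; one link is URL-encoded, one duplicated.
SAMPLE_ISSUE = {
    "Id": "3f2a", "Url": "https://shop.example.com/search?q=1", "Certainty": 0,
    "Cvss31Vector": {"Base": {}},
    "Cvss31VectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "Cvss40VectorString": "", "State": "Present", "Type": "SqlInjection",
    "FirstSeenDate": "01/06/2024 10:00 AM", "LastSeenDate": "25/06/2024 09:15 AM",
    "ProofOfConcept": "' OR 1=1--",
    "Classification": {"Cwe": "89", "OwaspTopTen2021": "A03", "PciDss40": "6.2.4",
                       "Nistsp80053": "SI-10", "Hipaa": "", "DisaStig": None},
    "ClassificationLinks": ["https://cwe.mitre.org/data/definitions/89.html",
                            "https%3A%2F%2Fowasp.org%2FTop10%2FA03_2021-Injection%2F",
                            "https://cwe.mitre.org/data/definitions/89.html"],
}

def demo():
    """Returns (proof metadata, decoded reference list) for the sample issue."""
    return build_proof(SAMPLE_ISSUE), reference_list(SAMPLE_ISSUE["ClassificationLinks"])
```

The conditional fields matter when you consume the proof downstream: a missing cvss_score means Invicti reported no positive score, not a score of zero, and a missing compliance key means the classification was absent for that issue.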

Compliance Frameworks

The integration maps the following compliance and classification frameworks from Invicti into PGP risk proof metadata:

  1. CWE -- Common Weakness Enumeration
  2. OWASP Top Ten 2021
  3. OWASP API Security Top 10
  4. PCI DSS 4.0
  5. NIST SP 800-53
  6. HIPAA
  7. DISA STIG

Note: Invicti also provides CAPEC, OWASP 2017, ISO 27001, and WASC classifications in its API responses, but these are not currently mapped into PGP proof metadata.

API Details

  • API Endpoints Used -- /scans/list (validation), /issues/allissues (data fetch)
  • Authentication -- HTTP Basic Authentication (Authorization: Basic base64(userId:apiToken))
  • Pagination -- Page-based, 200 issues per page, up to 100 pages (20,000 issues maximum; issues beyond the 100th page are not fetched)
  • Retry Limit -- 5 retries with exponential backoff
  • Timeout -- 240 seconds (4 minutes) for the whole run
  • Credential Type -- Token (User ID + API Token pair)
  • Static IP -- Enabled; requests originate from static IP addresses for firewall allowlisting