Skip to main content

Intruder

Intruder is a cloud-based vulnerability management platform that helps organizations continuously monitor their attack surface and proactively identify security weaknesses. It performs automated scanning of external and internal infrastructure, web applications, and APIs, checking against more than 140,000 infrastructure checks and 75+ application-layer checks. Intruder prioritizes vulnerabilities by actual risk, provides actionable remediation guidance, and integrates with CI/CD pipelines, Jira, and other tools to streamline the security workflow for development and security teams.

Intruder icon

Power end-to-end data operations for your Intruder API with Nexla. Our bi-directional Intruder connector is purpose-built for Intruder, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Intruder or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Intruder workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

To connect Nexla to Intruder, you need an active Intruder account and a personal access token. Intruder uses OAuth 2.0 bearer token authentication—every API request must include your access token in the Authorization header. Tokens can be given a descriptive name and an optional expiry date, making them straightforward to manage and rotate.

Create an Intruder Access Token

  1. Sign in to your Intruder account at app.intruder.io.

  2. Click your account avatar or name in the top-right corner, then navigate to Account > Settings > My account.

  3. Scroll to the API Access Tokens section of the My account page.

  4. Click the Create Access Token button.

  5. Enter a descriptive name for the token in the Name field. Use a name that identifies the purpose of the token, such as Nexla Integration, so it is easy to identify later.

  6. Optionally, set an Expiry Date for the token. If you set an expiry date, the token will be automatically revoked on that date and Nexla will no longer be able to connect using it. Leave this field blank if you do not want the token to expire automatically.

  7. Enter your account password when prompted and click OK to confirm.

  8. Your new access token will be displayed on screen. Click the Copy button to copy the token to your clipboard.

Important

Copy your access token immediately after it is generated. For security reasons, Intruder will not display the full token value again after you navigate away from this page. Store the token in a secure location such as a password manager.

For complete details on creating and managing API access tokens in Intruder, see the Creating API access tokens article in the Intruder Help Center and the Creating an access token guide in the Intruder Developer Hub.

Authenticate

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

  2. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  3. Enter the Intruder access token you generated in Prerequisites into the Access Token field. Nexla uses this token as a Bearer token to authenticate all API requests to Intruder on your behalf.

    The access token is transmitted securely and stored encrypted within Nexla. Treat your access token like a password—do not share it or include it in source code repositories.

  4. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.

Use as a data source

To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Intruder connector tile, then select the credential that will be used to connect to the Intruder instance, and click Next; or, create a new Intruder credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Intruder endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.

List Targets

Retrieves a complete list of all targets (assets) registered in your Intruder account. Use this endpoint to maintain an up-to-date inventory of your monitored attack surface, including domain names, IP addresses, and cloud assets.

  • This endpoint automatically retrieves all targets accessible to your Intruder account. No additional configuration is required beyond selecting this endpoint template.
  • Each target record includes the target address, tags assigned to it, and metadata such as creation date and last scan time. Tags are useful for grouping targets by environment (e.g., production, staging) or team ownership.
  • The endpoint uses pagination to handle large target inventories efficiently, automatically fetching additional pages as needed.

The Intruder API rate limits requests on a per-access-token basis. If you have a very large number of targets, Nexla will automatically handle pagination and retry logic to ensure all records are retrieved. For additional details on Intruder's data model, see the Intruder Developer Hub Overview.

List Issues

Retrieves all vulnerability issues identified across your monitored targets. Use this endpoint to pull a comprehensive list of security findings into Nexla for risk analysis, reporting, or integration with ticketing systems such as Jira.

  • This endpoint automatically retrieves all issues associated with your Intruder account. No additional configuration parameters are required beyond selecting this template.
  • Each issue record in the Intruder API includes key fields such as:

    • Severity: The risk level of the issue (e.g., critical, high, medium, low)
    • Title: A human-readable description of the vulnerability type
    • Affected targets: The target(s) on which the issue was detected
    • Status: Whether the issue is open, resolved, or accepted risk
    • First seen / Last seen: Timestamps indicating when the issue was first detected and when it was most recently observed
  • Intruder ranks issues by actual exploitability and contextual risk, so severity values reflect real-world impact rather than theoretical CVSS scores alone.

To view detailed scanner output for a specific issue occurrence, use the List Occurrences endpoint. For complete details on the Issues data model, see the Intruder Developer Hub.

List Scans

Retrieves historical scan records from your Intruder account. Use this endpoint to audit scan frequency, review scan coverage over time, or build dashboards tracking your organization's security program activity.

  • This endpoint retrieves all scan records available for your Intruder account. No additional configuration parameters are required beyond selecting this template.
  • Each scan record includes key details such as:

    • Scan ID: A unique identifier for the scan run
    • Status: The current state of the scan (e.g., completed, in progress, queued)
    • Scan type: Whether the scan was a full scan, scheduled scan, or targeted scan
    • Targets scanned: The specific targets or tag groups included in the scan
    • Start and end times: Timestamps for when the scan began and completed
  • Scans can be triggered manually through the Intruder application or automatically via scheduled scanning. This endpoint captures both types.

Intruder also supports initiating new scans via its API. If you need to trigger scans programmatically as part of a CI/CD pipeline, refer to the Starts a Scan reference in the Intruder Developer Hub.

List Occurrences

Retrieves detailed scanner output for individual issue occurrences across your targets. Use this endpoint when you need granular, per-target evidence for a specific vulnerability type — for example, to populate a SIEM, generate compliance reports, or feed detailed findings into a remediation workflow.

  • Each occurrence record represents a specific instance of a vulnerability on a specific target. An issue can have multiple occurrences if the same vulnerability type affects more than one target.
  • Occurrence records provide richer technical detail than issue-level records, including:

    • Scanner output: Raw or structured output from the vulnerability scanner for this specific finding
    • Target address: The specific host, IP, or URL where the vulnerability was detected
    • Port and protocol: Network-level details about where the vulnerability was found
    • Evidence: Supporting data such as HTTP response snippets, certificate details, or version information
  • This endpoint is particularly useful for organizations that need to provide auditors or compliance teams with detailed evidence of vulnerability findings and their current remediation status.

Occurrence data can be voluminous if your account has a large number of findings. Nexla handles pagination automatically to ensure complete data retrieval. For a description of the Occurrences data model, see the Intruder Developer Hub Overview.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.

Manual configuration

Intruder data sources can also be manually configured to ingest data from any valid Intruder API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.

The Intruder REST API primarily uses GET for retrieving data such as targets, issues, scans, and occurrences, and POST for creating resources or triggering actions such as starting a new scan. All Intruder API endpoints use the base URL https://api.intruder.io/v1/ followed by the resource path—for example, https://api.intruder.io/v1/targets, https://api.intruder.io/v1/issues, https://api.intruder.io/v1/scans, and https://api.intruder.io/v1/occurrences. You do not need to include the Authorization header in Request Headers—it is automatically added from your Intruder credential. For a complete list of available Intruder API endpoints, see the Intruder API Reference.

Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Intruder data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.