Nuclei Logo
Nuclei is a fast, template-based vulnerability scanner designed to automate the detection of security vulnerabilities and misconfigurations across modern applications and infrastructure. It utilizes a vast library of community-driven YAML templates to perform targeted scans, allowing security researchers and DevOps teams to identify exposures and known CVEs with high precision and speed.

Installation

Go

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Brew

brew install nuclei

Docker

docker pull projectdiscovery/nuclei:latest

From Source

git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/cmd/nuclei
go build
mv nuclei /usr/local/bin/
nuclei -version

Helm

git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/helm
helm upgrade --install nuclei . -f values.yaml

Updating Templates

nuclei -update-templates  #Update nuclei templates to latest version
nuclei -ut                #Shortcut to update templates
nuclei -update            #Update nuclei binary
nuclei -tl                #List installed templates

Basic Usage

nuclei -u https://example.com                           #Scan a single target
nuclei -u https://target.com -v                         #Scan target with verbose output
nuclei -u https://target.com -fr                        #Scan target and follow redirects
nuclei -l targets.txt                                   #Scan multiple targets from file
nuclei -u https://example.com -t vulnerabilities/       #Run vulnerability templates
nuclei -u https://example.com -severity critical,high   #Scan for critical/high vulnerabilities
nuclei -u https://target.com -timeout 15 -retries 3     #Scan with timeout and retries
nuclei -u https://target.com -stream                    #Stream scan (faster large input processing)
nuclei -u https://target.com -p http://127.0.0.1:8080   #Route traffic through Burp

Target Input Options

nuclei -u https://example.com        #Scan a single URL
nuclei -l targets.txt                #Scan targets from list
cat urls.txt | nuclei                #Pipe targets into nuclei
subfinder -d example.com | nuclei    #Scan discovered subdomains
echo https://example.com | nuclei    #Scan piped input
nuclei -resume resume.cfg            #Resume a previous scan
nuclei -u example.com -iv 4          #Scan IPv4 only
nuclei -u example.com -iv 4,6        #Scan both IPv4 and IPv6

Template Selection

nuclei -u https://example.com -t cves/                #Run CVE templates
nuclei -u https://example.com -t exposures/           #Run exposure templates
nuclei -u https://example.com -t misconfiguration/    #Run misconfiguration templates
nuclei -u https://example.com -t vulnerabilities/     #Run vulnerability templates
nuclei -u https://example.com -t technologies/        #Run technology detection templates

Severity Filtering

nuclei -u https://example.com -severity critical          #Scan only critical vulnerabilities
nuclei -u https://example.com -severity high,critical     #Scan high and critical findings
nuclei -u https://example.com -severity medium,high       #Scan medium and high severity templates
nuclei -u https://example.com -s critical                 #Short option for severity filter

Template Tags

nuclei -u https://example.com -tags cve    #Run templates tagged with CVE
nuclei -u https://example.com -tags rce    #Scan for remote code execution vulnerabilities
nuclei -u https://example.com -tags lfi    #Scan for Local File Inclusion vulnerabilities
nuclei -u https://example.com -tags sqli   #Scan for SQL injection vulnerabilities
nuclei -u https://example.com -tags xss    #Scan for Cross-Site Scripting vulnerabilities

Technology Detection

nuclei -u https://example.com -t technologies/     #Detect technologies used by target
nuclei -u https://example.com -as                  #Automatic scan using tech detection
nuclei -u https://example.com -tags tech           #Run technology detection templates

Running Specific Templates

nuclei -u https://example.com -t cves/2021/                  #Run CVE templates from 2021
nuclei -u https://example.com -t cves/CVE-2021-44228.yaml    #Run specific template
nuclei -u https://example.com -t http/exposures/             #Run HTTP exposure templates
nuclei -u https://example.com -t dns/                        #Run DNS templates

Workflow Scans

nuclei -u https://example.com -w workflows/                            #Run nuclei workflows
nuclei -l targets.txt -w workflows/                                    #Run workflow scan on multiple targets
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml     #Run WordPress workflow

Performance Tuning

nuclei -l targets.txt -c 50                 #Set concurrency to 50
nuclei -l targets.txt -rate-limit 200       #Limit requests per second
nuclei -l targets.txt -rlm 1000             #Limit requests per minute
nuclei -l targets.txt -bs 100               #Increase bulk host processing
nuclei -l targets.txt -timeout 10           #Set request timeout
nuclei -l targets.txt -retries 2            #Retry failed requests
nuclei -l targets.txt -rl 20 -c 10          #Slow safe scanning
nuclei -l targets.txt -rl 500 -c 200        #High speed scanning

Stealth & Evasion

nuclei -u https://example.com -random-agent                      #Use random user agent
nuclei -u https://example.com -proxy http://127.0.0.1:8080       #Use HTTP proxy
nuclei -u https://example.com -proxy socks5://127.0.0.1:9050     #Use SOCKS proxy
nuclei -u https://example.com -H "X-Forwarded-For: 127.0.0.1"    #Add custom header

Custom Headers

nuclei -u https://example.com -H "Authorization: Bearer TOKEN"    #Add authorization header
nuclei -u https://example.com -H "Cookie: session=abc123"         #Send session cookie
nuclei -u https://example.com -H "User-Agent: Mozilla/5.0"        #Custom user agent

Authentication Scans

nuclei -u https://example.com -H "Cookie: sessionid=12345"              #Scan authenticated session
nuclei -u https://example.com -H "Authorization: Basic dXNlcjpwYXNz"    #Basic authentication
nuclei -u https://example.com -header "Authorization: Bearer TOKEN"     #Bearer token authentication

Output Options

nuclei -u https://example.com -o results.txt   #Save output to file
nuclei -l targets.txt -json -o results.json    #Export results as JSON
nuclei -u https://example.com -silent          #Show only results
nuclei -u https://example.com -nc              #No color output

Debugging & Verbose Mode

nuclei -u https://example.com -v       #Verbose output
nuclei -u https://example.com -debug   #Debug output
nuclei -u https://example.com -stats   #Show scan statistics
nuclei -u https://example.com -trace   #Trace requests

Chaining With Other Tools

Subdomain Enumeration

subfinder -d example.com | nuclei     #Scan discovered subdomains
assetfinder example.com | nuclei      #Scan assetfinder results
amass enum -d example.com | nuclei    #Scan amass results

URL Discovery

gau example.com | nuclei                       #Scan historical URLs
waybackurls example.com | nuclei               #Scan Wayback Machine URLs
katana -u https://example.com | nuclei         #Scan crawler results
echo 10.1.1.0/24 | httpx -silent | nuclei      #Scan httpx results

Bug Bounty Recon Pipelines

subfinder -d target.com | httpx | nuclei                                         #Subdomain discovery → HTTP probe → Nuclei scan
subfinder -d target.com | httpx -silent | nuclei -silent                         #Scan only alive HTTPS services
subfinder -d target.com | httpx -silent | nuclei -s high,critical                #Subdomains → httpx → high/critical vulnerabilities
subfinder -d target.com | httpx -silent | nuclei -as                             #Subdomains → tech detection → vulnerability scan
subfinder -d target.com | httpx -silent | nuclei -rl 100 -c 50                   #Scan discovered services with rate limiting
subfinder -d target.com | httpx -silent | nuclei -json -o nuclei_results.json    #Full recon pipeline with output storage