Nuclei
Nuclei is a fast, template-based vulnerability scanner designed to automate the detection of security vulnerabilities and misconfigurations across modern applications and infrastructure. It utilizes a vast library of community-driven YAML templates to perform targeted scans, allowing security researchers and DevOps teams to identify exposures and known CVEs with high precision and speed.
Navigation
- Installation
- Updating Templates
- Basic Usage
- Target Input Options
- Template Selection
- Severity Filtering
- Template Tags
- Technology Detection
- Running Specific Templates
- Workflow Scans
- Performance Tuning
- Stealth & Evasion
- Custom Headers
- Authentication Scans
- Output Options
- Debugging & Verbose Mode
- Chaining With Other Tools
- Bug Bounty Recon Pipelines
Installation
Go
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Brew
brew install nuclei
Docker
docker pull projectdiscovery/nuclei:latest
From Source
git clone https://github.com/projectdiscovery/nuclei.git cd nuclei/cmd/nuclei go build mv nuclei /usr/local/bin/ nuclei -version
Helm
git clone https://github.com/projectdiscovery/nuclei.git cd nuclei/helm helm upgrade --install nuclei . -f values.yaml
Updating Templates
nuclei -update-templates #Update nuclei templates to latest version nuclei -ut #Shortcut to update templates nuclei -update #Update nuclei binary nuclei -tl #List installed templates
Basic Usage
nuclei -u https://example.com #Scan a single target nuclei -u https://target.com -v #Scan target with verbose output nuclei -u https://target.com -fr #Scan target and follow redirects nuclei -l targets.txt #Scan multiple targets from file nuclei -u https://example.com -t vulnerabilities/ #Run vulnerability templates nuclei -u https://example.com -severity critical,high #Scan for critical/high vulnerabilities nuclei -u https://target.com -timeout 15 -retries 3 #Scan with timeout and retries nuclei -u https://target.com -stream #Stream scan (faster large input processing) nuclei -u https://target.com -p http://127.0.0.1:8080 #Route traffic through Burp
Target Input Options
nuclei -u https://example.com #Scan a single URL nuclei -l targets.txt #Scan targets from list cat urls.txt | nuclei #Pipe targets into nuclei subfinder -d example.com | nuclei #Scan discovered subdomains echo https://example.com | nuclei #Scan piped input nuclei -resume resume.cfg #Resume a previous scan nuclei -u example.com -iv 4 #Scan IPv4 only nuclei -u example.com -iv 4,6 #Scan both IPv4 and IPv6
Template Selection
nuclei -u https://example.com -t cves/ #Run CVE templates nuclei -u https://example.com -t exposures/ #Run exposure templates nuclei -u https://example.com -t misconfiguration/ #Run misconfiguration templates nuclei -u https://example.com -t vulnerabilities/ #Run vulnerability templates nuclei -u https://example.com -t technologies/ #Run technology detection templates
Severity Filtering
nuclei -u https://example.com -severity critical #Scan only critical vulnerabilities nuclei -u https://example.com -severity high,critical #Scan high and critical findings nuclei -u https://example.com -severity medium,high #Scan medium and high severity templates nuclei -u https://example.com -s critical #Short option for severity filter
Template Tags
nuclei -u https://example.com -tags cve #Run templates tagged with CVE nuclei -u https://example.com -tags rce #Scan for remote code execution vulnerabilities nuclei -u https://example.com -tags lfi #Scan for Local File Inclusion vulnerabilities nuclei -u https://example.com -tags sqli #Scan for SQL injection vulnerabilities nuclei -u https://example.com -tags xss #Scan for Cross-Site Scripting vulnerabilities
Technology Detection
nuclei -u https://example.com -t technologies/ #Detect technologies used by target nuclei -u https://example.com -as #Automatic scan using tech detection nuclei -u https://example.com -tags tech #Run technology detection templates
Running Specific Templates
nuclei -u https://example.com -t cves/2021/ #Run CVE templates from 2021 nuclei -u https://example.com -t cves/CVE-2021-44228.yaml #Run specific template nuclei -u https://example.com -t http/exposures/ #Run HTTP exposure templates nuclei -u https://example.com -t dns/ #Run DNS templates
Workflow Scans
nuclei -u https://example.com -w workflows/ #Run nuclei workflows nuclei -l targets.txt -w workflows/ #Run workflow scan on multiple targets nuclei -u https://example.com -w workflows/wordpress-workflow.yaml #Run WordPress workflow
Performance Tuning
nuclei -l targets.txt -c 50 #Set concurrency to 50 nuclei -l targets.txt -rate-limit 200 #Limit requests per second nuclei -l targets.txt -rlm 1000 #Limit requests per minute nuclei -l targets.txt -bs 100 #Increase bulk host processing nuclei -l targets.txt -timeout 10 #Set request timeout nuclei -l targets.txt -retries 2 #Retry failed requests nuclei -l targets.txt -rl 20 -c 10 #Slow safe scanning nuclei -l targets.txt -rl 500 -c 200 #High speed scanning
Stealth & Evasion
nuclei -u https://example.com -random-agent #Use random user agent nuclei -u https://example.com -proxy http://127.0.0.1:8080 #Use HTTP proxy nuclei -u https://example.com -proxy socks5://127.0.0.1:9050 #Use SOCKS proxy nuclei -u https://example.com -H "X-Forwarded-For: 127.0.0.1" #Add custom header
Custom Headers
nuclei -u https://example.com -H "Authorization: Bearer TOKEN" #Add authorization header nuclei -u https://example.com -H "Cookie: session=abc123" #Send session cookie nuclei -u https://example.com -H "User-Agent: Mozilla/5.0" #Custom user agent
Authentication Scans
nuclei -u https://example.com -H "Cookie: sessionid=12345" #Scan authenticated session nuclei -u https://example.com -H "Authorization: Basic dXNlcjpwYXNz" #Basic authentication nuclei -u https://example.com -header "Authorization: Bearer TOKEN" #Bearer token authentication
Output Options
nuclei -u https://example.com -o results.txt #Save output to file nuclei -l targets.txt -json -o results.json #Export results as JSON nuclei -u https://example.com -silent #Show only results nuclei -u https://example.com -nc #No color output
Debugging & Verbose Mode
nuclei -u https://example.com -v #Verbose output nuclei -u https://example.com -debug #Debug output nuclei -u https://example.com -stats #Show scan statistics nuclei -u https://example.com -trace #Trace requests
Chaining With Other Tools
Subdomain Enumeration
subfinder -d example.com | nuclei #Scan discovered subdomains assetfinder example.com | nuclei #Scan assetfinder results amass enum -d example.com | nuclei #Scan amass results
URL Discovery
gau example.com | nuclei #Scan historical URLs waybackurls example.com | nuclei #Scan Wayback Machine URLs katana -u https://example.com | nuclei #Scan crawler results echo 10.1.1.0/24 | httpx -silent | nuclei #Scan httpx results
Bug Bounty Recon Pipelines
subfinder -d target.com | httpx | nuclei #Subdomain discovery → HTTP probe → Nuclei scan subfinder -d target.com | httpx -silent | nuclei -silent #Scan only alive HTTPS services subfinder -d target.com | httpx -silent | nuclei -s high,critical #Subdomains → httpx → high/critical vulnerabilities subfinder -d target.com | httpx -silent | nuclei -as #Subdomains → tech detection → vulnerability scan subfinder -d target.com | httpx -silent | nuclei -rl 100 -c 50 #Scan discovered services with rate limiting subfinder -d target.com | httpx -silent | nuclei -json -o nuclei_results.json #Full recon pipeline with output storage