Jonathans Blog

Nuclei: Fast and Flexible Vulnerability Scanning in 2026

Jonathan Mitchell
·

Nuclei is one of the most significant additions to the open-source security tooling landscape in recent years. Built by ProjectDiscovery, it’s a fast, template-driven vulnerability scanner that can check targets for thousands of known vulnerabilities, misconfigurations, exposed panels, and information disclosure issues — all driven by a community-maintained library of YAML templates. Unlike older scanners that bake their checks into the tool itself, Nuclei separates the engine from the detection logic, meaning the template library can be updated independently and anyone can write new checks. It’s become a staple for bug bounty hunters, penetration testers, and security teams running continuous vulnerability management.

How Nuclei Works

Nuclei’s core concept is simple: you point it at a target (or a list of targets), and it runs a set of templates against them. Each template is a small YAML file that defines what to send, what to look for in the response, and how to classify the finding. Templates can make HTTP requests, perform DNS lookups, check TCP services, test for SSL issues, execute code snippets, and more. The result is an extremely flexible scanner that can be tuned precisely to whatever you’re looking for.

The community template library — maintained at github.com/projectdiscovery/nuclei-templates — contains thousands of templates covering CVEs, default credentials, exposed admin panels, misconfigurations, takeover vulnerabilities, and technology fingerprinting. New templates are added regularly, often within hours of a CVE being published.

Installation

Nuclei is written in Go and ships as a single binary, which makes installation straightforward. The easiest method if you have Go installed:

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

On Kali Linux you can install it via apt:

sudo apt update && sudo apt install nuclei

Or download a pre-built binary directly from the GitHub releases page for your platform and drop it somewhere on your PATH. Once installed, update Nuclei and pull the latest template library:

nuclei -update
nuclei -update-templates

Make a habit of running these before any assessment — the template library moves quickly and you want the latest CVE coverage.

Basic Usage

The simplest scan against a single target, running all templates:

nuclei -u https://example.com

To scan a list of targets from a file:

nuclei -l targets.txt

Nuclei is designed to be fast and handles large target lists well. You can control the concurrency with -c (number of templates run in parallel) and -rl (rate limit, requests per second):

nuclei -l targets.txt -c 50 -rl 100

Be mindful of rate limits on production targets — Nuclei can send a lot of requests very quickly, and aggressive settings will trigger WAFs and potentially cause disruption.

Filtering by Severity

Running every template against every target is thorough but slow. In most cases you’ll want to filter by severity to focus on what matters. To run only critical and high severity templates:

nuclei -u https://example.com -severity critical,high

Severity levels are info, low, medium, high, and critical. For a quick initial triage of a target, starting with critical and high is a sensible approach before broadening the scope.

Using Specific Templates and Tags

Nuclei’s template library is organised by tags, making it easy to run only relevant checks. To run only CVE templates:

nuclei -u https://example.com -tags cve

To run templates tagged for a specific technology:

nuclei -u https://example.com -tags wordpress
nuclei -u https://example.com -tags apache
nuclei -u https://example.com -tags jenkins

To run a specific template file directly:

nuclei -u https://example.com -t cves/2024/CVE-2024-1234.yaml

Or a whole directory of templates:

nuclei -u https://example.com -t cves/2024/

Saving Output

Nuclei can output results in several formats. Plain text to a file:

nuclei -u https://example.com -o results.txt

JSON output is more useful for scripting or feeding into other tools:

nuclei -u https://example.com -jsonl -o results.jsonl

For a clean Markdown report suitable for sharing:

nuclei -u https://example.com -markdown-export ./report/

Writing Your Own Templates

One of Nuclei’s biggest strengths is how straightforward it is to write custom templates. Each template is a YAML file with a defined structure. Here’s a simple example that checks for an exposed environment file:

id: exposed-env-file

info:
  name: Exposed .env File
  author: example
  severity: high
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"
    matchers:
      - type: word
        words:
          - "APP_KEY"
          - "DB_PASSWORD"
        condition: or

This tells Nuclei to make a GET request to /.env on the target and flag it as a finding if the response contains either APP_KEY or DB_PASSWORD. Templates can be far more sophisticated — supporting multiple requests, extractors that pull data from responses, conditional logic, authenticated flows, and fuzzing — but even simple templates like this are genuinely useful and quick to write.

Run your custom template with:

nuclei -u https://example.com -t my-template.yaml

CI/CD Integration

Nuclei’s speed and scriptability make it well suited to running in automated pipelines. A common pattern is to trigger a Nuclei scan as part of a deployment pipeline, checking for regressions or newly introduced vulnerabilities. The exit code behaviour (-silent for no output, non-zero exit on findings) makes it straightforward to integrate with GitHub Actions, GitLab CI, or Jenkins.

A minimal GitHub Actions step might look like:

- name: Run Nuclei scan
  run: |
    nuclei -u ${{ env.TARGET_URL }} -severity critical,high -jsonl -o nuclei-results.jsonl
  continue-on-error: true

- name: Upload results
  uses: actions/upload-artifact@v3
  with:
    name: nuclei-results
    path: nuclei-results.jsonl

ProjectDiscovery also offer a cloud platform — cloud.projectdiscovery.io — which provides a managed interface for running Nuclei at scale with team collaboration, scheduled scans, and centralised findings management, if you want to go beyond running it locally.

Nuclei in Context

Nuclei occupies a different niche from tools like Nikto or WPScan. Nikto is a broad web server scanner with a fixed check set; WPScan is deep but WordPress-specific. Nuclei is faster than both, far more extensible, and keeps pace with newly disclosed CVEs in a way that older tools struggle to match. For cloud infrastructure auditing, pair it with Prowler or ScoutSuite — Nuclei handles application-layer and service-level checks, while those tools cover cloud configuration and compliance posture.

It has become a core tool for bug bounty hunters in particular, since the template model lets researchers quickly codify and share proof-of-concept checks for newly disclosed vulnerabilities. If you’re working towards OSCP or doing CTF work, getting comfortable with Nuclei alongside your manual testing workflow is time well spent.

, , , , , , , ,

Leave a Reply

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by