Nuclei is a fast, template-based vulnerability scanner by ProjectDiscovery. It uses YAML templates to define scanning logic, making it highly customizable and community-driven.
Basic Usage
- nuclei -u <url> - Scan single URL
- nuclei -l urls.txt - Scan from file
- nuclei -u <url> -t <template> - Use specific template
Target Options
- -u, -target - Target URL
- -l, -list - File with list of targets
- -resume - Resume scan using resume.cfg
Template Options
- -t, -templates - Template files/directories
- -tl - List available templates
- -nt, -new-templates - Run newly added templates
- -ntv, -new-templates-version - Run templates from specific version
- -as, -automatic-scan - Automatic web scan with Wappalyzer
Filtering Templates
- -tags <tags> - Filter by tags (comma separated)
- -etags <tags> - Exclude tags
- -itags <tags> - Include only specific tags
- -s, -severity <level> - Filter by severity
- -es, -exclude-severity - Exclude severity levels
- -author <author> - Filter by author
- -type <type> - Filter by protocol type
Severity Levels
- info - Informational
- low - Low severity
- medium - Medium severity
- high - High severity
- critical - Critical severity
Output Options
- -o, -output - Output file
- -j, -json - JSON output
- -irr - Include request/response in output
- -nc, -no-color - Disable colors
- -silent - Silent mode (only results)
- -v, -verbose - Verbose output
- -debug - Debug output
Rate Limiting
- -rl, -rate-limit - Requests per second (default 150)
- -rlm, -rate-limit-minute - Requests per minute
- -bs, -bulk-size - Parallel hosts (default 25)
- -c, -concurrency - Parallel templates (default 25)
Configuration
- -config - Config file path
- -H, -header - Custom headers
- -V, -var - Custom variables in key=value format
- -sr, -store-resp - Store responses
- -srd, -store-resp-dir - Response storage directory
Proxy Options
- -proxy - HTTP proxy
- -proxy-socks-url - SOCKS proxy
- -proxy-auth - Proxy authentication
Update Options
- -update - Update nuclei
- -ut, -update-templates - Update templates
- -ud, -update-directory - Update template directory
Common Examples
Basic Scan
nuclei -u https://example.com
Run all templates against target.
Specific Template
nuclei -u https://example.com -t cves/2021/
Run 2021 CVE templates.
By Severity
nuclei -u https://example.com -s critical,high
Only critical and high severity.
By Tags
nuclei -u https://example.com -tags cve,rce
Filter by CVE and RCE tags.
Multiple Targets
nuclei -l urls.txt -o results.txt
Scan list, save results.
JSON Output
nuclei -u https://example.com -j -o results.json
Output in JSON format.
With Custom Headers
nuclei -u https://example.com -H "Authorization: Bearer token"
Scan with auth header.
Rate Limited
nuclei -u https://example.com -rl 50
Limit to 50 requests per second.
Automatic Scan
nuclei -u https://example.com -as
Auto-detect technologies and scan.
New Templates Only
nuclei -u https://example.com -nt
Run only recently added templates.
Common Tags
- cve - CVE vulnerabilities
- rce - Remote code execution
- lfi - Local file inclusion
- sqli - SQL injection
- xss - Cross-site scripting
- ssrf - Server-side request forgery
- exposure - Sensitive data exposure
- tech - Technology detection
- misconfig - Misconfigurations
- takeover - Subdomain takeover
Template Locations
- ~/nuclei-templates/ - Default templates directory
- Custom templates can be specified with -t flag
Tips
- Run -update-templates regularly for new checks
- Use -as for smart automatic scanning
- Filter by severity to focus on critical issues
- Combine with subfinder and httpx for full recon
- Write custom templates for specific checks
- Use -silent for clean output in pipelines
- Store responses with -sr for later analysis
- Part of ProjectDiscovery toolkit
- Always get authorization before scanning