Nuclei — Fast and Customizable Vulnerability Scanner
Nuclei is a fast, template-based vulnerability scanner. Its community-driven template library covers CVEs, misconfigurations, exposed panels, and security checks — letting you scan applications, APIs, networks, and cloud configurations with simple YAML templates.
%20by%20%E2%80%9ELisa%20Wischofsky%E2%80%9D%2C%20licensed%20under%20%E2%80%9ECC0%201.0%E2%80%9D%20(https%3A%2F%2Fcreativecommons.org%2Fpublicdomain%2Fzero%2F1.0%2F)%3C%2Fdc%3Arights%3E%3C%2Frdf%3ADescription%3E%3C%2Frdf%3ARDF%3E%3C%2Fmetadata%3E%3Cmask%20id%3D%22viewboxMask%22%3E%3Crect%20width%3D%22980%22%20height%3D%22980%22%20rx%3D%22490%22%20ry%3D%22490%22%20x%3D%220%22%20y%3D%220%22%20fill%3D%22%23fff%22%20%2F%3E%3C%2Fmask%3E%3Cg%20mask%3D%22url(%23viewboxMask)%22%3E%3Crect%20fill%3D%22url(%23backgroundLinear)%22%20width%3D%22980%22%20height%3D%22980%22%20x%3D%220%22%20y%3D%220%22%20%2F%3E%3Cdefs%3E%3ClinearGradient%20id%3D%22backgroundLinear%22%20gradientTransform%3D%22rotate(290%200.5%200.5)%22%3E%3Cstop%20stop-color%3D%22%23FFCCB6%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%23FED7AA%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3Cpath%20d%3D%22M530%20219a446%20446%200%200%201%20133%2039c20%2011%2040%2023%2057%2039%2010%209%2019%2018%2027%2029%209%2012%2015%2026%2017%2041%202%2018%202%2037-4%2055-2%207-5%2014-10%2020l-2-5c0-21-4-41-12-60l-1%2019v23c0%2015%202%2031%205%2046l13%2070%2012%2075c3%2024%205%2046-1%2069-3%2012-7%2023-14%2033-3%206-7%2010-11%2015l-6%202%201-12c2-16%201-31%200-46l-7%2012c-7%2011-15%2020-24%2028-11%209-22%2017-35%2022l-17%204c-19%205-39%204-59%200-36-7-71-17-107-24l-32-4h-39l-42%203c-7%208-16%2011-26%2014-12%202-25%201-36-4-17-6-30-17-41-31l7%2016c2%202%205%206%204%209-1%202-3%202-5%203-7%203-15%201-21-2-16-7-29-19-39-32a214%20214%200%200%201-40-115l-1%2027c0%2016%203%2032%208%2047%204%2011%209%2020%2012%2031l-4-2-7-12c-12-21-17-48-17-72%200-33%2010-65%2021-96l19-61%2011-44c4-15%209-29%2015-43a196%20196%200%200%201%2098-103c11-5%2021-10%2033-13%2014-4%2028-6%2043-6%205-1%209%200%2013%201%205%201%2010-2%2014-2%2032-7%2065-7%2097-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M495%20231a231%20231%200%200%201%20219%20204c1%2010%202%2021%200%2030-1%204-1%207-4%208-3-10-3-19-4-29a220%20220%200%200%200-239-205c-42%204-83%2019-117%2044l-17%2013a221%20221%200%200%200-78%20164c0%2023%207%2043%2015%2064h17c3%201%204%204%202%206l-6%202c-15%201-31%207-42%2017-8%209-14%2019-16%2031-3%2015%200%2032%208%2045%209%2015%2024%2027%2040%2033%2014%205%2029%207%2043%205%204-1%208-2%2011%200v3c-5%205-11%206-18%207-16%203-33-1-47-8a86%2086%200%200%201-47-58c-4-18-1-37%209-53%208-12%2020-21%2034-26-7-14-10-28-12-43-2-18-2-35%200-53%201-13%204-25%208-38a227%20227%200%200%201%2099-122c41-28%2092-43%20142-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M535%20244a220%20220%200%200%201%20171%20200c1%2010%201%2019%204%2029l-2%2018v22c-3%204-4%209-4%2014-2%208-2%2015-2%2023v65c0%2021-3%2042-11%2061-4%2013-10%2024-18%2035-10%2012-21%2022-34%2031-11%209-24%2017-37%2024l-22%2014-12%208%209-2c-3%2011-3%2024-4%2036%200%208%201%2016%207%2022a235%20235%200%200%200%2081%2045c6%207%2011%2016%2013%2025%201%209%200%2018-4%2027-6%2010-14%2018-23%2024-13%2010-28%2017-43%2022a417%20417%200%200%201-217%2011c-16-3-33-9-48-17-10-5-21-12-28-21-6-6-10-14-11-22-2-10%200-21%205-30%2021-13%2039-32%2049-54%205-11%207-22%208-34%201-16%200-32-1-47-2-20-3-41-8-61%2011%2012%2023%2024%2037%2032%2017%2011%2036%2020%2055%2026%2020%207%2041%2013%2063%2018l25%203c3%200%206%200%208-2%202-1%201-2%202-3l-17-2c-29-7-58-16-87-27-18-7-36-15-53-27-18-13-33-30-47-47l-11-16-1-1v-3c-3-2-7-1-11%200-14%202-29%200-43-5-16-6-31-18-40-33-8-13-11-30-8-45%202-12%208-22%2016-31%2011-10%2027-16%2042-17l6-2c2-2%201-5-2-6h-17c-8-21-15-41-15-64-1-14%202-27%205-41a221%20221%200%200%201%2073-123l17-13a230%20230%200%200%201%20185-39Z%22%20fill%3D%22%23ffffff%22%2F%3E%3Cpath%20d%3D%22M708%20513c3%203%202%207%203%2012v29c0%2026%202%2054%200%2080-3%2031-14%2063-36%2086-25%2028-57%2051-93%2064l2%207v35c1%206%204%2010%208%2014l26%2019%2032%2020%2024%2012c2%200%203%201%205%203l-19-5c-19-6-37-14-54-25-9-5-19-12-26-20-6-6-7-14-7-22%201-12%201-25%204-36l-9%202%2012-8%2022-14c13-7%2026-15%2037-24%2013-9%2024-19%2034-31a178%20178%200%200%200%2029-96v-65c0-8%200-15%202-23%200-5%201-10%204-14ZM278%20574c5%205%204%2014%200%2019l-3%207c1%203%205%205%207%206%206%203%2012%207%2019%209%200%204-3%205-7%205-6-1-13-3-18-6-7-3-13-8-13-16%200-6%205-9%206-14%202-4%200-7-1-11%204-1%207-2%2010%201ZM328%20667l11%2016c14%2017%2029%2034%2047%2047%2017%2012%2035%2020%2053%2027a714%20714%200%200%200%20104%2029c-1%201%200%202-2%203-2%202-5%202-8%202l-25-3a478%20478%200%200%201-118-44c-14-8-26-20-37-32%205%2020%206%2041%208%2061%201%2015%202%2031%201%2047-1%2012-3%2023-8%2034-10%2022-28%2041-49%2054l-14%208c2-4%206-6%209-9%2013-11%2024-25%2034-39%206-10%2012-21%2014-33%204-19%203-39%203-58l-3-59%202-10c-10-11-19-26-22-41Z%22%20fill%3D%22%23000%22%2F%3E%3Cpath%20d%3D%22M686%20474c5%202%2010%207%2012%2012%203%208%203%2017%201%2025-1%204-4%208-9%208s-9-5-8-10c0-8%203-15%201-23l-5-4c-6%200-12%203-17%205%202%203%204%205%204%208%202%207%201%2014%200%2021-1%208-4%2014-9%2020-3%202-7%206-11%207-5%201-10-1-12-5-4-5-4-11-3-16l-6%208c-1%202-2%203-4%203-1-2%200-6%201-8a95%2095%200%200%201%2044-49c6-3%2014-4%2021-2ZM470%20481c18%206%2035%2017%2046%2033%203%204%206%209%207%2014%201%203%201%205-1%206-3%201-6-3-8-5-3%206-2%2013-6%2018-3%204-7%208-11%2010-6%203-13%203-19%201s-10-8-14-13c-5-10-5-20-4-30%201-8%204-15%209-21-14-5-29-8-42-2-10%204-16%2011-19%2021-1%205%200%2011-3%2015-3%203-9%203-12%200s-4-7-3-11c1-12%207-22%2016-30%206-4%2012-7%2019-9%2015-4%2031-3%2045%203Z%22%20fill%3D%22%23000000%22%2F%3E%3Cg%20fill%3D%22%23000000%22%3E%3Cpath%20d%3D%22M675%20381c5%200%208%204%209%208-11%203-23%208-34%2013l-16%208c-7%204-14%207-22%209-5%201-9%200-13%203l-7%208c-3%203-4%207-6%2012-1-1-3-2-3-4-2-5%200-11%202-16%202-6%203-12%208-17%203-4%205-8%209-10%204-3%2010-4%2014%200l1%206%2025-14c11-4%2021-8%2033-6ZM481%20383c14%202%2032%201%2044%207%209%204%2013%2011%2018%2019l-1%204c-4%203-9%204-14%202-4-2-6-6-9-8-2-2-5-2-8-3l-25-2c-12-1-24-6-36-7l-27-5-5-2c9-3%2019-4%2029-5%2011%200%2023-2%2034%200Z%22%2F%3E%3Cpath%20d%3D%22M540%20387c6-2%2012-2%2016%202%206%203%209%209%2011%2015%200-4%202-9%205-12%206%203%2011%209%2013%2015%201%205%202%2010%200%2015s-9%208-13%205c-4-4-4-12-5-18-1%204-2%208-5%2010s-7%201-9-2l-5-12-7-15-1-3Z%22%2F%3E%3C%2Fg%3E%3Cpath%20d%3D%22M607%20606c0%203-2%206-4%209-4%206-11%2010-18%2012-5%201-9-2-13%200-4%200-8%201-12-1-2-1-2-4%200-6%203-4%208-7%2012-7%204-1%207-1%2010%202l1%207c5-2%207-5%2011-8l13-8Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M608%20667c2%200%204%200%205%202l-1%2015c5-1%2010-4%2016-2%200%204-4%207-7%209l-35%2012c-17%204-34%207-51%208-7%201-15-1-22-3-2-1-4-1-4-4%204-2%209%200%2012-1%202-5%207-7%2011-10l31-19c3-1%207-4%2010-4%204-1%207%204%2011%204%208-2%2016-7%2024-7ZM607%20712c1%204%201%208-1%2011-2%205-7%209-12%2011-6%202-12%203-18%202-2%200-6-2-6-5%201-2%205-2%207-3%208-4%2018-7%2025-13%202-1%203-3%205-3Z%22%20fill%3D%22%23000000%22%2F%3E%3Cpath%20d%3D%22M492%20216c35%200%2070%207%20103%2017%2023%206%2045%2014%2066%2024%2023%2012%2045%2025%2063%2044%2015%2013%2027%2028%2035%2046%203%208%205%2017%206%2026%201%2013%200%2026-2%2039-2%2010-6%2022-13%2030l-2-6c0-20-5-40-12-59%201%2019-3%2040-15%2055-4%204-8%205-12%207s-9%202-13%202c-7-1-15-4-22-7-2-2-5-3-6-6-4-13-5-27-9-40l-6-17c-2%2010-4%2019-8%2028-3%2011-8%2021-15%2030l-8%207-3-14-4-17c-5-21-14-42-26-61v29c-2%2016-3%2031-10%2045-3%207-4%2014-10%2018-8%204-18%205-27%205-13%200-28%202-41-1-6-2-8-7-11-12l-14-31-11-20c-2%2022-2%2043-1%2064-1%202%200%204-2%205-1%202-3%201-5%200-9-4-16-11-23-18-9-12-19-24-25-37l2%2017c3%2012%207%2024%2012%2035l2%208-5-2c-7-5-12-12-17-19-7-12-11-27-12-41-5%2019-7%2039-8%2059l-2%2010c-1%203-3%204-6%205l-33%205h-11a670%20670%200%200%200%2013%20152l15%2061c1%203%200%205-2%207-15-8-26-23-36-38v63l-3%206a245%20245%200%200%201-64-94l-6-16a397%20397%200%200%201-27-151c1-40%209-80%2026-116a217%20217%200%200%201%2076-91l31-17c11-4%2022-9%2034-10%2010-1%2021-3%2031%200%204%201%208-1%2012-2%2020-4%2041-6%2061-6Z%22%20fill%3D%22%23000000%22%2F%3E%3C%2Fg%3E%3Cg%20transform%3D%22translate(10%20-60)%22%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E){kind=small}
What it is
Nuclei is a fast, template-based vulnerability scanner by ProjectDiscovery. Its community-driven template library covers CVEs, misconfigurations, exposed admin panels, default credentials, and security checks. You point Nuclei at a target, and it runs thousands of checks in parallel using YAML templates.
Nuclei targets security researchers, penetration testers, and DevSecOps teams who need automated vulnerability scanning across web applications, APIs, and infrastructure.
How it saves time or tokens
Nuclei replaces manual security checks with automated template scanning. The community maintains thousands of templates updated for new CVEs within days of disclosure. Running Nuclei against a target in CI/CD catches vulnerabilities before deployment.
Templates are YAML files you can read, modify, and write. Custom checks for your application take minutes to create.
How to use
- Install Nuclei:
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest - Update templates:
nuclei -update-templates - Scan a target:
nuclei -u https://example.com - Filter by severity:
nuclei -u https://example.com -severity critical,high
Example
# Custom Nuclei template: check for exposed .env file
id: exposed-env-file
info:
name: Exposed .env File
author: security-team
severity: high
description: Checks for publicly accessible .env files containing secrets
http:
- method: GET
path:
- '{{BaseURL}}/.env'
matchers-condition: and
matchers:
- type: word
words:
- 'DB_PASSWORD'
- 'API_KEY'
- 'SECRET'
condition: or
- type: status
status:
- 200Run: nuclei -t exposed-env.yaml -u https://target.com
Related on TokRepo
- Security tools -- Security scanning and auditing
- DevOps tools -- CI/CD security integration
Common pitfalls
- Running all templates against a production target generates heavy traffic; use rate limiting (
-rl 100) and severity filters - Some templates trigger active exploitation attempts; use
-tags safefor passive-only scanning in production - False positives occur with broad templates; validate critical findings manually before reporting
Frequently Asked Questions
The community template library contains thousands of templates covering CVEs, misconfigurations, exposed panels, default credentials, and technology detection. The library is updated frequently as new vulnerabilities are disclosed.
Yes. Templates are YAML files with a simple structure: define the HTTP request, set matchers for the response, and specify metadata. Custom templates for internal application checks typically take 5-10 minutes to write.
Use caution. Some templates perform active exploitation. Filter with '-tags safe' for passive detection only. Always get authorization before scanning targets. Use rate limiting to avoid impacting production performance.
Yes. Nuclei supports HTTP, DNS, TCP, and other protocols. For APIs, you can scan individual endpoints, test for authentication bypass, and check for common API vulnerabilities using templates.
Nessus and Burp Suite are commercial tools with GUIs and enterprise features. Nuclei is free, open source, and CLI-based. Nuclei's template system makes it highly customizable. Use Nuclei for automated CI/CD scanning; use Burp Suite for manual penetration testing.
Citations (3)
- Nuclei GitHub— Nuclei is a fast template-based vulnerability scanner
- Nuclei Templates— Community-driven vulnerability templates
- ProjectDiscovery— ProjectDiscovery open-source security tools
Related on TokRepo
Discussion
Related Assets
Conda — Cross-Platform Package and Environment Manager
Install, update, and manage packages and isolated environments for Python, R, C/C++, and hundreds of other languages from a single tool.
Sphinx — Python Documentation Generator
Generate professional documentation from reStructuredText and Markdown with cross-references, API autodoc, and multiple output formats.
Neutralinojs — Lightweight Cross-Platform Desktop Apps
Build desktop applications with HTML, CSS, and JavaScript using a tiny native runtime instead of bundling Chromium.