Nuclei
Template-driven vulnerability scanner that fires thousands of community-maintained checks against live hosts in minutes
⚡ TL;DR
🎯 The Problem It Solves
Recon gives you a list of hosts; knowing which are actually vulnerable is the slow part. Nuclei turns a target list into a fast, repeatable vulnerability sweep using YAML templates — no per-tool scripting. It is the glue that turns \'we found 400 subdomains\' into \'11 of them are running a vulnerable service.\'
🔧 How It Works
You point nuclei at a URL, host list, or ASN. It loads its template library (HTTP, DNS, TCP, file, headless/JS, code protocols) and executes each template: send a request, match the response against a matcher, optionally extract and run a severity workflow. Templates are community-sourced (projectdiscovery/nuclei-templates) and cover CVEs, misconfigurations, exposed panels and tech fingerprints. Output can be JSON for piping into other tooling.
🚀 Installation & Quick Start
Installation
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest\n# Or download binary from GitHub releasesQuick Start
- Install: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
- Update templates: nuclei -update-templates
- Run a default scan: nuclei -u https://example.com -silent
- Target a list: nuclei -list hosts.txt -severity critical,high -o results.txt
- Pipe results: nuclei -u https://example.com -json | jq 'select(.severity=="critical")'
✅ Pros
- •Fast and deterministic — same template, same result, every run
- •Template library is huge and updated daily for new CVEs
- •Trivial to write a custom template for a bug you just found
- •Excellent for CI/CD and attack-surface monitoring, not just one-off tests
❌ Cons
- •Template quality varies; expect false positives you must triage
- •Default concurrency/rate limits need tuning or you'll get blocked or banned
- •It matches what templates know — novel bugs still need manual testing
- •Headless/JS templates are heavier and can be flaky in CI
💬 Practitioner Verdict
"Nuclei is the default for template-based scanning and for good reason. Pair it with a custom template workflow and it becomes a force multiplier for any team doing repeated external or internal testing. Just don\'t treat a green scan as \'safe\' — it only finds what its templates know."
📊 Specifications
- Language
- Go
- License
- MIT
- Platform
- Linux, macOS, Windows
- Kill Chain
- Vulnerability Analysis / Initial Access recon
- MITRE ATT&CK
- T1595, T1190
💰 Pricing Reality
Free and open source (MIT). ProjectDiscovery sells \'Nuclei Pro\' / cloud features (templates API, team management) on top, but the scanner itself costs nothing. Your real cost is the compute to scan at scale and the triage time.