🔒SecurityRepoIndex

Nuclei

Template-driven vulnerability scanner that fires thousands of community-maintained checks against live hosts in minutes

4.7/ 529,704 GitHub starsGoMIT

⚡ TL;DR

What
Template-driven vulnerability scanner that fires thousands of community-maintained checks against live hosts in minutes
Who
Bug bounty hunters, Red teams, Attack-surface management teams, Security engineers doing continuous scanning
Catch
Template quality varies; expect false positives you must triage
Verdict
⭐⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Recon gives you a list of hosts; knowing which are actually vulnerable is the slow part. Nuclei turns a target list into a fast, repeatable vulnerability sweep using YAML templates — no per-tool scripting. It is the glue that turns \'we found 400 subdomains\' into \'11 of them are running a vulnerable service.\'

🔧 How It Works

You point nuclei at a URL, host list, or ASN. It loads its template library (HTTP, DNS, TCP, file, headless/JS, code protocols) and executes each template: send a request, match the response against a matcher, optionally extract and run a severity workflow. Templates are community-sourced (projectdiscovery/nuclei-templates) and cover CVEs, misconfigurations, exposed panels and tech fingerprints. Output can be JSON for piping into other tooling.

🚀 Installation & Quick Start

Installation

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest\n# Or download binary from GitHub releases

Quick Start

  1. Install: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
  2. Update templates: nuclei -update-templates
  3. Run a default scan: nuclei -u https://example.com -silent
  4. Target a list: nuclei -list hosts.txt -severity critical,high -o results.txt
  5. Pipe results: nuclei -u https://example.com -json | jq 'select(.severity=="critical")'

✅ Pros

  • Fast and deterministic — same template, same result, every run
  • Template library is huge and updated daily for new CVEs
  • Trivial to write a custom template for a bug you just found
  • Excellent for CI/CD and attack-surface monitoring, not just one-off tests

❌ Cons

  • Template quality varies; expect false positives you must triage
  • Default concurrency/rate limits need tuning or you'll get blocked or banned
  • It matches what templates know — novel bugs still need manual testing
  • Headless/JS templates are heavier and can be flaky in CI

💬 Practitioner Verdict

"Nuclei is the default for template-based scanning and for good reason. Pair it with a custom template workflow and it becomes a force multiplier for any team doing repeated external or internal testing. Just don\'t treat a green scan as \'safe\' — it only finds what its templates know."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
MIT
Platform
Linux, macOS, Windows
Kill Chain
Vulnerability Analysis / Initial Access recon
MITRE ATT&CK
T1595, T1190

💰 Pricing Reality

Free and open source (MIT). ProjectDiscovery sells \'Nuclei Pro\' / cloud features (templates API, team management) on top, but the scanner itself costs nothing. Your real cost is the compute to scan at scale and the triage time.

👥 Community Health

Stars29,704
Forks3,708
Contributors239
Health Score9.5/10

🏷️ Tags

Vulnerability ScannerOpen SourceFree

🔗 Similar Tools