Core capabilities

Nuclei is designed for modern security teams who need fast, accurate, and customizable vulnerability detection.

YAML-based templates

Nuclei’s template system is its most powerful feature. Templates are written in simple YAML format, making them:

Easy to write - No programming required, just YAML syntax

Human-readable - Templates are self-documenting and easy to review

Shareable - Templates work across all platforms and Nuclei versions

Customizable - Adapt existing templates or create new ones easily
Example template structure:
id: http-missing-security-headers

info:
  name: HTTP Missing Security Headers
  author: projectdiscovery
  severity: info
  description: Checks for missing security headers
  
http:
  - method: GET
    path:
      - "{{BaseURL}}"
      
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(header), 'x-frame-options')"

Multi-protocol support

Unlike traditional scanners limited to HTTP, Nuclei supports multiple protocols out of the box:
Full HTTP protocol support with:
  • Custom headers and cookies
  • Multiple HTTP methods (GET, POST, PUT, DELETE, etc.)
  • Request/response manipulation
  • Follow redirects control
  • Raw HTTP requests
Perfect for web application security testing.

Zero false positives

Nuclei reduces false positives through:

1. Multi-step verification - Templates can perform multiple verification steps to confirm a vulnerability exists, not just pattern matching.
2. Dynamic matchers - Use DSL (Domain Specific Language) functions to validate responses dynamically based on context.
3. Real-world simulation - Templates simulate actual exploitation steps to verify vulnerabilities are exploitable.
4. Response validation - Validate multiple response attributes (status code, headers, body, timing) before reporting.

By simulating real-world exploitation steps, Nuclei significantly reduces false positives compared to signature-based scanners.
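
The response validation described above, shown as an added example that is not taken from the Nuclei project or its template repository. It extends this page's header check so that a finding is reported only when several response attributes agree; the template id, name and author are placeholders.

```yaml
# Added example: id, name and author below are placeholders, not a published template.
id: example-missing-anti-framing-headers

info:
  name: Missing anti-framing headers on HTML response (example)
  author: example-author
  severity: info
  description: Reports a page only if it is a successful HTML response that sets neither X-Frame-Options nor a CSP frame-ancestors directive.

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    # Every matcher below must pass before a result is reported.
    matchers-condition: and
    matchers:
      # 1. Only successful responses are relevant; error pages and
      #    redirects are skipped instead of being reported as findings.
      - type: status
        status:
          - 200

      # 2. Framing only matters for HTML documents, so JSON APIs and
      #    static assets without the header are not flagged.
      - type: word
        part: header
        case-insensitive: true
        words:
          - "text/html"

      # 3. Both framing controls must be absent. A site that relies on
      #    CSP frame-ancestors instead of X-Frame-Options is protected
      #    and would be a false positive for a single-header check.
      - type: dsl
        condition: and
        dsl:
          - "!contains(to_lower(header), 'x-frame-options')"
          - "!contains(to_lower(header), 'frame-ancestors')"
```

A check that tests only for the absence of `x-frame-options` would report every JSON endpoint, redirect and CSP-protected page; the three conditions together narrow results to pages where the missing control is actually relevant.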

High-performance scanning

Nuclei is built for speed:

Parallel processing

Execute multiple templates simultaneously with configurable concurrency

Request clustering

Automatically groups identical requests across templates to reduce redundant network calls

Optimized engine

Written in Go for maximum performance and low resource usage

Rate limiting

Built-in rate limiting to control scan speed and avoid target overload
Performance tuning options:
# Maximum parallel templates
nuclei -target example.com -concurrency 50

# Requests per second limit
nuclei -target example.com -rate-limit 150

# Maximum hosts analyzed in parallel per template
nuclei -target example.com -bulk-size 25

Advanced features

Workflows

Workflows enable multi-step scanning logic where one template’s output feeds into another:
workflows:
  - template: http/technologies/tech-detect.yaml
    subtemplates:
      - tags: wordpress
      - tags: joomla
Workflows allow:
  • Conditional template execution
  • Technology-specific scanning
  • Reduced scan time by running relevant templates only
  • Complex attack chain simulation

Fuzzing and DAST

Nuclei includes built-in fuzzing capabilities for Dynamic Application Security Testing:
# Enable DAST mode
nuclei -target https://example.com -dast

# Control fuzzing aggression
nuclei -target https://example.com -dast -fuzz-aggression high
Fuzzing features:
  • Automatic injection point detection
  • Multiple payload types (XSS, SQLi, command injection, etc.)
  • Smart parameter fuzzing
  • Scope control for targeted fuzzing

Interactsh integration

Detect out-of-band (OOB) vulnerabilities with built-in Interactsh support:
  • Blind SSRF detection
  • Out-of-band SQL injection
  • XXE with no direct response
  • DNS exfiltration
  • Remote code execution verification
Interactsh runs automatically - no configuration needed. Nuclei uses public Interactsh servers by default or you can host your own.
# Use custom Interactsh server
nuclei -target example.com -interactsh-server https://your-server.com

# Disable Interactsh
nuclei -target example.com -no-interactsh

Headless browser support

For testing JavaScript-heavy applications:
# Enable headless browser
nuclei -target https://example.com -headless

# Show browser window
nuclei -target https://example.com -headless -show-browser
Headless capabilities:
  • JavaScript execution
  • DOM-based XSS detection
  • Client-side vulnerabilities
  • Browser-based actions (click, type, navigate)

Custom DSL functions

Nuclei includes 100+ built-in DSL functions for template logic:
  • contains(str, substr) - Check if string contains substring
  • len(str) - Get string length
  • to_lower(str) - Convert to lowercase
  • regex(pattern, str) - Regular expression matching
  • base64_decode(str) - Decode base64
  • base64(str) - Base64 encode
  • url_encode(str) - URL encode
  • hex_encode(str) - Hex encode
  • html_escape(str) - HTML escape
  • md5(str) - MD5 hash
  • sha256(str) - SHA256 hash
  • resolve(host) - DNS resolution
  • ip_format(ip) - Format IP address
  • compare_versions(v1, v2) - Version comparison
  • rand_int(min, max) - Random integer
  • rand_text_alpha(n) - Random alphabetic string
  • timestamp() - Current Unix timestamp
View all DSL functions:
nuclei -list-dsl-function

Cloud integration

Nuclei integrates with ProjectDiscovery Cloud for:

Result visualization

View and analyze scan results in a web dashboard

Centralized storage

Store all scan results in one place

Team collaboration

Share findings and templates with your team

Continuous monitoring

Set up recurring scans and get alerts
Enable cloud upload:
# Configure authentication
nuclei -auth

# Upload results to dashboard
nuclei -target https://example.com -dashboard
Cloud features are completely optional and free. Nuclei works fully offline without any cloud connection.

Integration capabilities

CI/CD integration

Nuclei is designed for automation:
GitHub Actions
name: Nuclei Scan
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: 'https://example.com'

Reporting integrations

Nuclei integrates with popular platforms:

Jira

Automatically create tickets for findings

GitHub

Create GitHub issues and security alerts

GitLab

Integration with GitLab issue tracking

Slack

Send notifications to Slack channels

Webhooks

Custom webhook integrations

Elasticsearch

Send results to Elasticsearch

Splunk

Forward findings to Splunk

APIs

REST API for custom integrations

Library/SDK usage

Embed Nuclei into your Go applications:
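package main

import nuclei "github.com/projectdiscovery/nuclei/v3/lib"

func main() {
    // Create engine restricted to high and critical severity templates
    ne, err := nuclei.NewNucleiEngine(
        nuclei.WithTemplateFilters(nuclei.TemplateFilters{
            Severity: "high,critical",
        }),
    )
    if err != nil {
        panic(err)
    }
    // Release engine resources when the scan finishes
    defer ne.Close()

    // Load targets; false disables probing of non-HTTP(S) targets
    ne.LoadTargets([]string{"https://example.com"}, false)

    // Execute scan
    if err := ne.ExecuteWithCallback(nil); err != nil {
        panic(err)
    }
}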

Template ecosystem

Community templates

The nuclei-templates repository contains:
  • 7,000+ templates covering various vulnerabilities
  • Daily updates for new CVEs and security issues
  • Community contributions from thousands of security researchers
  • Organized by category (CVEs, misconfigurations, exposed panels, etc.)

Template categories

Templates for known CVE vulnerabilities:
  • Log4Shell (CVE-2021-44228)
  • Spring4Shell (CVE-2022-22965)
  • ProxyShell, ProxyLogon
  • Thousands more CVEs

Custom templates

Create your own templates for:
  • Organization-specific checks
  • Custom vulnerability research
  • Proprietary application testing
  • Security policy compliance

Learn to write templates

Detailed guide on creating custom Nuclei templates

Security and privacy

Important: This project is primarily built to be used as a standalone CLI tool. Running Nuclei as a service may pose security risks. Use with caution and additional security measures.

Safe scanning practices

  • Permission required - Always get permission before scanning targets you don’t own
  • Rate limiting - Use appropriate rate limits to avoid DoS
  • Network isolation - Run scans from controlled networks
  • Data handling - Secure storage of scan results containing sensitive data

Template signing

Nuclei supports template signing for security:
# Sign templates
nuclei -sign -templates /path/to/templates/

# Only run signed templates
nuclei -target example.com -disable-unsigned-templates

Next steps

Explore specific features in detail:

Running scans

Master different scanning techniques

Template selection

Learn advanced filtering and selection

Output options

Export and format scan results

Write templates

Create custom detection templates