Skip to main content
Nuclei is a versatile vulnerability scanner designed to solve modern security challenges. This page explores common use cases and how Nuclei can be applied to different security scenarios.

Core use cases

Vulnerability assessment

Continuous scanning for known CVEs and vulnerabilities

Security audits

Comprehensive security configuration reviews

Penetration testing

Automated reconnaissance and vulnerability identification

Bug bounty hunting

Rapid scanning across large scopes

Enterprise security

Continuous vulnerability scanning

Nuclei excels at continuous monitoring of infrastructure for newly disclosed vulnerabilities.
Modern attackers exploit new CVEs within days of disclosure. Traditional scanners take weeks to update. Nuclei’s community-driven template library is updated within hours of new CVE disclosures.
Implementation: 
# Daily automated scans for new vulnerabilities
nuclei -list production-hosts.txt -nt -json-export daily-scan.json
The -nt flag runs only newly added templates from the latest release.

Asset discovery and inventory

Use Nuclei with technology detection to maintain an accurate asset inventory. 
# Automatic technology detection and targeted scanning
nuclei -u https://example.com -automatic-scan

Compliance and configuration auditing

Verify security configurations across your infrastructure:
  • SSL/TLS configuration compliance
  • Security header validation
  • Default credential detection
  • Exposed administrative interfaces
# Audit security configurations
nuclei -list targets.txt -t ssl/ -t misconfigurations/ -t default-logins/

DevSecOps and CI/CD

Shift-left security testing

Integrate Nuclei into your development pipeline to catch vulnerabilities early.
1

Install Nuclei in CI/CD

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
2

Scan staging environment

nuclei -u $STAGING_URL -s critical,high -o findings.json
3

Fail pipeline on findings

# Exit with error if critical/high findings exist
if [ -s findings.json ]; then exit 1; fi

Pre-deployment security gates

Prevent vulnerable code from reaching production: 
# Scan before deployment
nuclei -u $DEPLOYMENT_URL -s critical,high -es info,low -silent

Regression testing

Ensure previously fixed vulnerabilities don’t reappear: 
# Test specific fixed vulnerabilities
nuclei -u $APP_URL -t previously-fixed-vulns/ -silent

Penetration testing

Reconnaissance and enumeration

Nuclei automates the initial reconnaissance phase: 
# Comprehensive reconnaissance
nuclei -u https://target.com -tags tech,panel,exposure,misconfig

Vulnerability validation

Quickly validate potential vulnerabilities identified through other means: 
# Validate specific CVE
nuclei -u https://target.com -t cves/2024/CVE-2024-XXXXX.yaml

Multi-step exploitation workflows

Use Nuclei workflows for complex attack chains: 
# Example workflow for multi-step attack
id: multi-step-workflow

info:
  name: Multi-step exploitation
  author: pentest-team

workflows:
  - template: enumerate-endpoints.yaml
  - template: check-authentication.yaml
    subtemplates:
      - template: exploit-vulnerability.yaml

Bug bounty hunting

Rapid scope scanning

Scan large bug bounty scopes efficiently: 
# Scan bug bounty targets
nuclei -list scope.txt -c 25 -rl 150 -s medium,high,critical

Template customization

Create custom templates for unique vulnerabilities: 
# Use custom templates for program-specific issues
nuclei -u https://target.com -t custom-bounty-templates/

Integration with recon tools

Combine Nuclei with subdomain enumeration tools: 
# Subfinder + httpx + nuclei pipeline
subfinder -d target.com | httpx -silent | nuclei -silent

Cloud security

Multi-cloud scanning

Nuclei supports scanning across AWS, GCP, Azure, and other cloud platforms. 
# Scan for AWS misconfigurations
nuclei -list aws-resources.txt -t cloud/aws/
Examples:
  • Open S3 buckets
  • Exposed ELB endpoints
  • Public RDS instances
  • Misconfigured IAM policies
# Scan Azure resources
nuclei -list azure-resources.txt -t cloud/azure/
Examples:
  • Subdomain takeover vulnerabilities
  • Exposed storage accounts
  • Misconfigured App Services
# Scan GCP resources
nuclei -list gcp-resources.txt -t cloud/gcp/
Examples:
  • Open Cloud Storage buckets
  • Exposed BigQuery datasets
  • Misconfigured Firebase instances

Kubernetes security

Scan Kubernetes clusters and services: 
# Scan k8s exposed services
nuclei -list k8s-services.txt -t technologies/kubernetes/

Application security testing

Web application scanning

Nuclei templates cover all OWASP Top 10 vulnerabilities:
  1. Broken Access Control: Authorization bypass templates
  2. Cryptographic Failures: SSL/TLS misconfiguration detection
  3. Injection: SQL injection, XSS, command injection templates
  4. Insecure Design: Business logic vulnerability templates
  5. Security Misconfiguration: Default credentials, exposed configs
  6. Vulnerable Components: CVE detection for libraries/frameworks
  7. Authentication Failures: Weak authentication mechanism detection
  8. Data Integrity Failures: Deserialization vulnerability templates
  9. Security Logging Failures: Detection of missing security controls
  10. SSRF: Server-Side Request Forgery templates
nuclei -u https://webapp.com -tags owasp

API security testing

Test REST and GraphQL APIs: 
# Scan API endpoints
nuclei -u https://api.example.com -t http/vulnerabilities/

DAST (Dynamic Application Security Testing)

Use Nuclei’s fuzzing capabilities for dynamic testing: 
# Enable DAST mode
nuclei -u https://example.com -dast

Network security

Port and service scanning

Scan network services for vulnerabilities: 
# Scan network range
nuclei -target 10.0.0.0/24 -t network/

Protocol-specific testing

Nuclei supports multiple protocols:
  • HTTP/HTTPS: Web application testing
  • DNS: DNS enumeration and validation
  • TCP/TLS: Network service testing
  • SSL: Certificate and configuration auditing
  • WebSocket: WebSocket endpoint testing
  • WHOIS: Domain registration information
# Multi-protocol scanning
nuclei -u example.com -t dns/ -t ssl/ -t network/

Research and threat intelligence

CVE validation

Researchers use Nuclei to create proof-of-concept templates for new CVEs: 
# Test new CVE template
nuclei -u https://target.com -t research/CVE-2024-NEW.yaml -debug

Threat hunting

Proactively search for indicators of compromise: 
# Hunt for specific threats
nuclei -list infrastructure.txt -t custom-threat-hunting/

Team collaboration

Shared template libraries

Organizations can maintain private template libraries: 
# Use organization templates
nuclei -u https://target.com -t /org/security-templates/

Results aggregation

Centralize results across security teams: 
# Upload to ProjectDiscovery Cloud for team visibility
nuclei -list targets.txt -dashboard -team-id YOUR_TEAM_ID

Integration scenarios

SIEM integration

Export findings to Splunk, Elastic, or other SIEM platforms

Issue tracking

Automatic ticket creation in Jira, GitHub, GitLab

Webhook notifications

Real-time alerts via Slack, Discord, Teams

Custom workflows

Build custom security automation workflows

Performance at scale

Nuclei is designed for large-scale scanning:
  • 50x faster scans with ProjectDiscovery Cloud
  • Template clustering to reduce redundant requests
  • Connection pooling for optimal performance
  • Rate limiting to respect target resources
# Optimized large-scale scanning
nuclei -list 10000-targets.txt -c 50 -bs 100 -rl 200 -timeout 10

Learn more

Examples

See real-world command examples

Template library

Explore the template library

Running Nuclei

Learn how to run Nuclei

Pro & Enterprise

Explore enterprise features

Build docs developers (and LLMs) love

Get started for freeTalk to us