
Nuclei

Fast and customizable vulnerability scanner based on a simple YAML-based DSL. Sends requests across targets using templates for zero false positives and fast scanning on a large number of hosts.

Description

Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. It is used to send requests across targets based on a template leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offers scanning for a variety of protocols including TCP, DNS, HTTP, File, etc. With powerful and flexible templating, all kinds of security checks can be modelled with Nuclei.

The tool focuses on extensive configurability, massive extensibility and ease of use. It supports features like automatic web scanning with wappalyzer technology detection, AI-generated templates, workflows, filtering by tags/authors/IDs, rate limiting, headless browser support, interactsh for OAST testing, fuzzing/DAST modes, and uncover for passive reconnaissance.

Nuclei is suitable for vulnerability scanning in security assessments, continuous integration pipelines, and large-scale network scans due to its speed and low false positive rate.

How It Works

Nuclei operates by executing YAML-based templates that define requests and matchers for specific protocols such as TCP, DNS, HTTP and File. Templates are applied to target URLs/hosts, with clustering and parallel execution for efficiency. It uses Interactsh for out-of-band interaction testing, supports headless browsers for JavaScript-heavy checks, and employs a DSL for custom logic. Fuzzing and DAST modes enable dynamic analysis, while uncover integrates passive sources for target discovery. Configuration options control rate limits, retries, redirects, and output formats including JSONL and Markdown.

Installation

sudo apt install nuclei

Flags

-u, -target string[]     target URLs/hosts to scan
-l, -list string         path to file containing a list of target URLs/hosts to scan (one per line)
-t, -templates string[]  list of template or template directory to run (comma-separated, file)
-o, -output string       output file to write found issues/vulnerabilities
-rl, -rate-limit int     maximum number of requests to send per second (default 150)
-c, -concurrency int     maximum number of templates to be executed in parallel (default 25)
-tags string[]           templates to run based on tags (comma-separated, file)
-silent                  display findings only
-j, -jsonl               write output in JSONL(ines) format
-headless                enable templates that require headless browser support (root user on Linux will disable sandbox)
-ni, -no-interactsh      disable interactsh server for OAST testing, exclude OAST based templates
-dast                    enable / run dast (fuzz) nuclei templates

Examples

Run nuclei on single host
nuclei -target example.com
Run nuclei with specific template directories
nuclei -target example.com -t http/cves/ -t ssl
Run nuclei against a list of hosts
nuclei -list hosts.txt
Run nuclei with a JSON output
nuclei -target example.com -json-export output.json
Run nuclei with sorted Markdown outputs (with environment variables)
MARKDOWN_EXPORT_SORT_MODE=template nuclei -target example.com -markdown-export nuclei_report/
Run nuclei filtering by CVE tags
nuclei -target example.com -tags cve
Run nuclei on host list with silent output to file
nuclei -list hosts.txt -o results.txt -silent
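
For the continuous integration use mentioned above, a scan written with -jsonl and -o can be turned into a pass/fail step. The following is an added example, not part of the original page or of the Nuclei project; it assumes the JSONL field names template-id, info.severity, host and matched-at, and the sample records and template IDs are constructed.

```python
import json
import sys

# Severity labels ranked for thresholding (assumed to match nuclei's labels).
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def parse_findings(lines):
    """Yield (severity, template_id, location) for each JSONL finding."""
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            # Log noise or a truncated write: report it, keep processing.
            print(f"line {lineno}: not valid JSON, skipped", file=sys.stderr)
            continue
        if not isinstance(rec, dict):
            continue
        sev = str((rec.get("info") or {}).get("severity", "unknown")).lower()
        if sev not in SEVERITY_RANK:
            sev = "unknown"
        yield sev, rec.get("template-id", "?"), rec.get("matched-at") or rec.get("host", "?")


def gate(lines, fail_at="high"):
    """Return (exit_code, counts_by_severity, blocking_findings)."""
    counts, blocking = {}, []
    for sev, tid, where in parse_findings(lines):
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_at]:
            blocking.append((sev, tid, where))
    blocking.sort(key=lambda f: -SEVERITY_RANK[f[0]])  # worst first
    return (1 if blocking else 0), counts, blocking


# Constructed sample output (hypothetical template IDs), not from a real scan.
SAMPLE = [
    '{"template-id":"example-tech-detect","info":{"severity":"info"},"type":"http","host":"https://staging.example.com","matched-at":"https://staging.example.com/"}',
    '{"template-id":"example-critical-check","info":{"severity":"critical"},"type":"http","host":"https://staging.example.com","matched-at":"https://staging.example.com/admin"}',
    '[INF] partial line written during shutdown',
    '{"template-id":"example-tls-check","info":{"severity":"LOW"},"type":"ssl","host":"staging.example.com:443"}',
]

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    code, counts, blocking = gate(source)
    print("counts:", counts)
    for sev, tid, where in blocking:
        print(f"BLOCKING [{sev}] {tid} at {where}")
    sys.exit(code)
```

Run it with the results file as its only argument; a non-zero exit status fails the pipeline step when any finding is at or above the threshold.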
Updated 2026-Mar-13. Source: kali.org