Template-based vulnerability scanner — 8000+ community templates covering CVEs, exposures, misconfigurations.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Go install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Update templates
nuclei -update-templates
Docker
docker run projectdiscovery/nuclei -u https://target.com
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Run all templates
nuclei -u https://target.com
Critical + high severity only
nuclei -u https://target.com -severity critical,high
Specific category (CVEs)
nuclei -u https://target.com -t cves/
From URL list (bulk)
cat urls.txt | nuclei -severity critical,high -o findings.txt
JSON output for SOC ingestion
nuclei -u https://target.com -j -o findings.json
Custom template
nuclei -u https://target.com -t my-template.yaml
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
-c 50concurrent templates per target (default 25). Bump to 100 on high-bandwidth scans.-rl 500requests-per-second cap — tune to target tolerance.-bs 25bulk-size: targets per template batch. Higher = faster on lists, more memory.-mc 200,301,302filter status codes — skips templates whose match-status doesn’t apply.-statsshows live progress + ETA — essential for long scans.- Use
-asauto-scan to skip templates that don’t match target tech (no Apache templates on nginx).
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
-update-templatesfetches the latest community templates — but custom templates in your repo can conflict. Use-t custom/to pin.- High false-positive rate on generic detection templates (e.g., default credentials). Always validate manually.
- Some templates send DELETE / POST destructive payloads. Use
-itags safeor audit templates before mass scanning. - Memory: 1000-target list with all templates can hit 4GB+. Split with
-bs+ multiple processes.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Nessus / OpenVAS — full-stack VA scanners, paid/heavy.
- retire.js — JS dependency-specific.
India context and engagement notes
Standard external-attack-surface monitoring stack: subfinder | dnsx | httpx | nuclei -severity critical,high. Run weekly via GitHub Actions, alert on new findings via Slack/email. This is the “continuous reconnaissance” pattern that finds CVE-XXXX-XXXX exposures within hours of disclosure.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.