Nuclei — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Template-based vulnerability scanner — 8000+ community templates covering CVEs, exposures, misconfigurations.

Use case: Vulnerability ScanningDifficulty: IntermediateHomepage: https://github.com/projectdiscovery/nuclei

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Go install

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Update templates

nuclei -update-templates

Docker

docker run projectdiscovery/nuclei -u https://target.com

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Run all templates

nuclei -u https://target.com

Critical + high severity only

nuclei -u https://target.com -severity critical,high

Specific category (CVEs)

nuclei -u https://target.com -t cves/

From URL list (bulk)

cat urls.txt | nuclei -severity critical,high -o findings.txt

JSON output for SOC ingestion

nuclei -u https://target.com -j -o findings.json

Custom template

nuclei -u https://target.com -t my-template.yaml

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -c 50 concurrent templates per target (default 25). Bump to 100 on high-bandwidth scans.
  • -rl 500 requests-per-second cap — tune to target tolerance.
  • -bs 25 bulk-size: targets per template batch. Higher = faster on lists, more memory.
  • -mc 200,301,302 filter status codes — skips templates whose match-status doesn’t apply.
  • -stats shows live progress + ETA — essential for long scans.
  • Use -as auto-scan to skip templates that don’t match target tech (no Apache templates on nginx).

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • -update-templates fetches the latest community templates — but custom templates in your repo can conflict. Use -t custom/ to pin.
  • High false-positive rate on generic detection templates (e.g., default credentials). Always validate manually.
  • Some templates send DELETE / POST destructive payloads. Use -itags safe or audit templates before mass scanning.
  • Memory: 1000-target list with all templates can hit 4GB+. Split with -bs + multiple processes.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Nessus / OpenVAS — full-stack VA scanners, paid/heavy.
  • retire.js — JS dependency-specific.

India context and engagement notes

Standard external-attack-surface monitoring stack: subfinder | dnsx | httpx | nuclei -severity critical,high. Run weekly via GitHub Actions, alert on new findings via Slack/email. This is the “continuous reconnaissance” pattern that finds CVE-XXXX-XXXX exposures within hours of disclosure.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants