Skip to main content

Your first scan

Let’s run your first vulnerability scan with Nuclei. We’ll scan a test target to demonstrate how Nuclei works.
1

Basic scan

Run a simple scan against a single target:
nuclei -target https://example.com
This will run all applicable templates against the target and display any findings.
By default, Nuclei automatically downloads and updates templates on first run.
2

View the results

Nuclei will output results in real-time as it finds vulnerabilities:
[2024-03-01 12:00:00] [self-signed-ssl] [ssl] [info] example.com:443
[2024-03-01 12:00:01] [http-missing-security-headers] [http] [info] https://example.com
Each line shows:
  • Timestamp
  • Template ID
  • Protocol type
  • Severity level
  • Target URL
3

Save results to a file

Export results to a file for later analysis:
nuclei -target https://example.com -json-export results.json
This creates a JSON file with detailed findings.

Common scanning scenarios

Single target scan

Scan a single web application: 
nuclei -target https://example.com
You can also use the short flag -u: 
nuclei -u https://example.com

Scanning multiple targets

Scan multiple targets from a file. Create a urls.txt file with one URL per line:
urls.txt
https://example.com
https://test.example.com
https://app.example.com
Then scan all targets: 
nuclei -list urls.txt
Use the -l short flag: nuclei -l urls.txt

Network scan

Scan an entire subnet for network-related issues: 
nuclei -target 192.168.1.0/24
This will scan the entire subnet for network vulnerabilities such as open ports or misconfigured services.

Scan with specific templates

Run only specific templates or template directories: 
nuclei -target example.com -t http/cves/

Filter by severity

Run only high and critical severity templates: 
nuclei -target example.com -severity critical,high
Or use the short flag: 
nuclei -target example.com -s critical,high
Available severity levels: info, low, medium, high, critical, unknown

Filter by tags

Run templates with specific tags: 
nuclei -target example.com -tags cve,xss,sqli
Exclude certain tags: 
nuclei -target example.com -exclude-tags dos

Output formats

Nuclei supports multiple output formats:
Export results in JSON format:
nuclei -target example.com -json-export output.json
Or use JSONL (JSON Lines) for streaming output:
nuclei -target example.com -jsonl-export output.jsonl

Advanced scanning options

Rate limiting

Control the scan speed to avoid overwhelming targets: 
# Limit to 50 requests per second
nuclei -target example.com -rate-limit 50

# Reduce concurrent template execution
nuclei -target example.com -concurrency 10

Custom headers

Add custom headers to all requests: 
nuclei -target example.com -header "Authorization: Bearer token123"
Or use multiple headers: 
nuclei -target example.com -H "Cookie: session=abc" -H "User-Agent: Custom"

Proxy support

Route requests through a proxy: 
nuclei -target example.com -proxy http://127.0.0.1:8080
Supports HTTP, HTTPS, and SOCKS5 proxies.

Resume interrupted scans

If a scan is interrupted, resume it later: 
# First scan (interrupted)
nuclei -list urls.txt -resume scan-state.cfg

# Resume the scan
nuclei -resume scan-state.cfg
Nuclei automatically creates resume files when you press Ctrl+C to gracefully stop a scan.

Practical examples

Example 1: Quick security check

Run a fast security assessment on a web application: 
nuclei -u https://example.com \
  -severity high,critical \
  -silent \
  -json-export findings.json

Example 2: Comprehensive scan

Perform a thorough scan with all templates: 
nuclei -list targets.txt \
  -output results.txt \
  -json-export results.json \
  -stats \
  -silent

Example 3: CVE scanning

Scan for known CVEs only: 
nuclei -u https://example.com \
  -tags cve \
  -severity medium,high,critical

Example 4: Network vulnerability scan

Scan network infrastructure: 
nuclei -target 10.0.0.0/24 \
  -type network,dns \
  -rate-limit 100

Integration with other tools

Pipeline with subfinder

Combine with other ProjectDiscovery tools: 
subfinder -d example.com -silent | httpx -silent | nuclei
This:
  1. Finds subdomains with subfinder
  2. Filters live hosts with httpx
  3. Scans with Nuclei

Use with custom templates

Scan with your own custom template: 
nuclei -u https://example.com -t /path/to/custom-template.yaml

Cloud integration

Upload scan results to ProjectDiscovery Cloud: 
nuclei -target https://example.com -dashboard
This feature is free and doesn’t require a subscription. Configure with nuclei -auth first.

Understanding the output

When Nuclei finds a vulnerability, it displays: 
[template-id] [protocol] [severity] target-url
Example: 
[CVE-2021-44228] [http] [critical] https://example.com/api/login
  • template-id: The template that detected the issue
  • protocol: The protocol used (http, dns, network, etc.)
  • severity: Issue severity (info, low, medium, high, critical)
  • target-url: The affected URL or target

Verbose output

For more details, enable verbose mode: 
nuclei -target example.com -v
Or very verbose: 
nuclei -target example.com -vv

Getting help

View all available options: 
nuclei -h
View specific flag groups: 
nuclei -help target
nuclei -help templates
nuclei -help output

Next steps

Key features

Explore Nuclei’s powerful capabilities in depth

Template selection

Learn advanced template filtering techniques

Output options

Master result export and reporting

Write templates

Create your own custom vulnerability templates

Build docs developers (and LLMs) love

Get started for freeTalk to us