Skip to main content
Nuclei templates are YAML-based files that define security checks, vulnerability detection logic, and scanning workflows. They enable security researchers to codify detection patterns and share them across the community.

What are Nuclei templates?

A Nuclei template is a structured YAML file that describes:
  • What to check: Target systems, endpoints, or services
  • How to check: HTTP requests, DNS queries, TCP connections, etc.
  • What to match: Response patterns indicating vulnerabilities
  • What to extract: Useful information from responses

Why write templates?

Share discoveries

Contribute templates to help the security community detect vulnerabilities across all environments

Automate detection

Convert manual security testing into automated, repeatable checks

Zero false positives

Write precise detection logic that simulates real-world exploitation conditions

Protocol flexibility

Support for HTTP, DNS, TCP, SSL, WebSocket, WHOIS, JavaScript, and more

Template anatomy

Every Nuclei template consists of three main sections:

1. Identification

id: git-config-exposure
A unique identifier for the template using lowercase with hyphens.

2. Metadata

info:
  name: Git Config File Exposure
  author: pdteam
  severity: medium
  description: Detects exposed .git/config files on web servers
  tags: git,exposure,config
Descriptive information about what the template detects.

3. Protocol requests

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    
    matchers:
      - type: word
        words:
          - "[core]"
The actual detection logic using one or more protocol types.

Simple example

Here’s a complete template that detects exposed Git configuration files: 
id: git-config-exposure

info:
  name: Git Config File Exposure
  author: pdteam
  severity: medium
  description: Checks for exposed .git/config files
  tags: git,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/.git/config"
    
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "[core]"
      
      - type: status
        status:
          - 200

Template execution flow

1

Template loading

Nuclei parses and validates the YAML template
2

Request generation

Protocol-specific requests are built using template variables
3

Request execution

Requests are sent to target systems
4

Response matching

Matchers evaluate responses for vulnerability indicators
5

Data extraction

Extractors pull relevant information from matched responses
6

Result reporting

Findings are formatted and output to configured destinations

Template types

Nuclei supports various template types:
Use a single protocol (HTTP, DNS, etc.) to perform checks. Most common template type.
Combine multiple protocols in a single template for complex detection scenarios.
Chain multiple templates together with conditional logic for multi-step attacks.
Include complete URLs without requiring external input, useful for specific targets.

Template capabilities

Dynamic values

Templates support dynamic value generation:
  • Variables: Define reusable values with DSL functions
  • Payloads: Iterate over lists of values for fuzzing
  • Helper functions: Use built-in functions for encoding, hashing, etc.
  • Extractors: Capture data from responses for use in subsequent requests

Advanced features

  • Multi-step requests: Chain requests with data passing
  • Conditional logic: Control execution based on previous results
  • Race conditions: Test for timing vulnerabilities
  • Fuzzing: Automated parameter injection

Getting help

Template examples

Browse thousands of community templates

Discord community

Get help from template authors

Template validator

Use nuclei -validate to check your templates

Template editor

VS Code extensions available for syntax highlighting

Next steps

Syntax overview

Learn YAML structure and conventions

Write your first template

Step-by-step tutorial

Protocol types

Explore available protocols

Build docs developers (and LLMs) love

Get started for freeTalk to us