Output basics Nuclei provides flexible output options to save, format, and export scan results for analysis, reporting, and integration with other tools.
File output Save to file Write findings to a text file:
nuclei -target https://example.com -output results.txt
Short flag:
nuclei -u https://example.com -o findings.txt
The output file contains one finding per line in Nuclei’s default format:
[CVE-2021-44228] [http] [critical] https://example.com/api [self-signed-ssl] [ssl] [info] example.com:443
Output files are appended to by default. Delete or rename old output files before new scans to avoid mixing results.
JSON export Export detailed results in JSON format:
JSON Lines (JSONL) Export in JSON Lines format (one JSON object per line):
nuclei -target https://example.com -jsonl-export output.jsonl
Short flag:
nuclei -u https://example.com -jle output.jsonl
Or use the -jsonl flag to output to stdout:
nuclei -target https://example.com -jsonl
Short flag:
nuclei -u https://example.com -j
JSON array Export as a single JSON array:
nuclei -target https://example.com -json-export output.json
Short flag:
nuclei -u https://example.com -je output.json
JSONL format is better for streaming and processing large result sets, while JSON array format is better for one-time analysis.
JSON structure Nuclei’s JSON output includes:
{ "template-id" : "CVE-2021-44228" , "info" : { "name" : "Apache Log4j RCE" , "author" : [ "pdteam" ], "severity" : "critical" , "description" : "Apache Log4j2 remote code execution" , "tags" : [ "cve" , "rce" , "log4j" ] }, "type" : "http" , "host" : "https://example.com" , "matched-at" : "https://example.com/api" , "timestamp" : "2024-03-01T12:00:00Z" , "curl-command" : "curl -X GET https://example.com/api" , "matcher-name" : "log4j-detection" , "request" : "GET /api HTTP/1.1..." , "response" : "HTTP/1.1 200 OK..." }
JSON customization Omit raw requests/responses Reduce output size by omitting HTTP request/response pairs:
nuclei -target https://example.com -jsonl-export output.jsonl -omit-raw
Short flag:
nuclei -u https://example.com -jle output.jsonl -or
Omit template encoding Exclude encoded template from JSON output:
nuclei -target https://example.com -jsonl-export output.jsonl -omit-template
Short flag:
nuclei -u https://example.com -jle output.jsonl -ot
Omitting raw data and templates significantly reduces output file size for large scans.
Markdown export Generate organized Markdown reports:
nuclei -target https://example.com -markdown-export reports/
Short flag:
nuclei -u https://example.com -me reports/
This creates a directory structure:
reports/ ├── example.com/ │ ├── CVE-2021-44228.md │ ├── self-signed-ssl.md │ └── index.md
Markdown sorting Control how Markdown reports are organized:
By template
By host
By severity
No sorting
Sort by template ID (default): MARKDOWN_EXPORT_SORT_MODE = template nuclei -u example.com -me reports/
Sort by target host: MARKDOWN_EXPORT_SORT_MODE = host nuclei -u example.com -me reports/
Sort by severity level: MARKDOWN_EXPORT_SORT_MODE = severity nuclei -u example.com -me reports/
No sorting (faster): MARKDOWN_EXPORT_SORT_MODE = none nuclei -u example.com -me reports/
SARIF export Export in SARIF format for integration with code analysis platforms:
nuclei -target https://example.com -sarif-export output.sarif
Short flag:
nuclei -u https://example.com -se output.sarif
SARIF (Static Analysis Results Interchange Format) is widely supported by GitHub, GitLab, Azure DevOps, and other platforms.
Response storage Store all HTTP requests and responses:
Store responses # Store in default directory (./output) nuclei -target https://example.com -store-resp # Store in custom directory nuclei -target https://example.com -store-resp -store-resp-dir responses/
Short flags:
nuclei -u https://example.com -sresp -srd responses/
This creates files like:
output/ ├── https_example.com_443/ │ ├── request_1.txt │ ├── response_1.txt │ ├── request_2.txt │ └── response_2.txt
Storing all responses can generate large amounts of data. Use disk space wisely.
Display options Silent mode Display only findings, no progress or banner:
nuclei -target https://example.com -silent
Perfect for piping to other tools:
nuclei -u https://example.com -silent | grep critical
Disable printing result metadata:
nuclei -target https://example.com -no-meta
Short flag:
nuclei -u https://example.com -nm
Timestamps Enable timestamps in output:
nuclei -target https://example.com -timestamp
Short flag:
nuclei -u https://example.com -ts
Output includes timestamps:
[2024-03-01 12:00:00] [CVE-2021-44228] [http] [critical] https://example.com
Matcher status Show match failure status for debugging:
nuclei -target https://example.com -matcher-status
Short flag:
nuclei -u https://example.com -ms
Matcher status helps debug template logic by showing why certain conditions failed.
No color Disable colored output:
nuclei -target https://example.com -no-color
Short flag:
nuclei -u https://example.com -nc
Useful for log files and CI/CD pipelines.
Statistics Enable statistics Display scan statistics:
nuclei -target https://example.com -stats
Shows periodic updates:
Templates: 3500 | Hosts: 1 | RPS: 150 | Errors: 0 | Matches: 5
Statistics interval Control update frequency (in seconds):
nuclei -target https://example.com -stats -stats-interval 10
Short flag:
nuclei -u https://example.com -stats -si 10
JSON statistics Output statistics in JSON format:
nuclei -target https://example.com -stats -stats-json
Short flag:
nuclei -u https://example.com -stats -sj
HTTP statistics Enable HTTP status code tracking:
nuclei -target https://example.com -http-stats
Short flag:
nuclei -u https://example.com -hps
Tracks request/response statistics for analysis.
Metrics endpoint Expose metrics via HTTP endpoint:
nuclei -target https://example.com -metrics-port 9092
Short flag:
nuclei -u https://example.com -mp 9092
Access metrics at http://localhost:9092/metrics.
Metrics are exposed in Prometheus format for monitoring integration.
Reporting database Persist results to a database for deduplication:
nuclei -target https://example.com -report-db results.db
Short flag:
nuclei -u https://example.com -rdb results.db
Benefits:
Automatic deduplication
Historical tracking
Persistent storage
Reporting integrations Configure external reporting systems:
nuclei -target https://example.com -report-config reporting-config.yaml
Short flag:
nuclei -u https://example.com -rc reporting-config.yaml
Supported integrations:
Jira
Slack
GitHub Issues
Elasticsearch
Splunk
Custom webhooks
Data redaction Redact sensitive data from output:
# Redact specific keys nuclei -target https://example.com \ -jsonl-export output.jsonl \ -redact Authorization,Cookie,api-key # Redact from file nuclei -target https://example.com \ -jsonl-export output.jsonl \ -redact redact-keys.txt
Short flag:
nuclei -u https://example.com -jle output.jsonl -rd Authorization,Cookie
Redaction removes sensitive data from query parameters, request headers, and request body.
Verbose output Verbose mode Show additional details:
nuclei -target https://example.com -verbose
Short flag:
nuclei -u https://example.com -v
Very verbose mode Show template loading and detailed execution:
nuclei -target https://example.com -vv
Shows:
Templates being loaded
Request/response pairs
Matcher evaluation
Workflow execution
Variable dump Display variable values for debugging:
nuclei -target https://example.com -show-var-dump
Short flag:
nuclei -u https://example.com -svd
Limit displayed characters:
nuclei -u https://example.com -svd -var-dump-limit 500
Short flag:
nuclei -u https://example.com -svd -vdl 500
Debug output Debug mode Show all requests and responses:
nuclei -target https://example.com -debug
Debug requests only nuclei -target https://example.com -debug-req
Short flag:
nuclei -u https://example.com -dreq
Debug responses only nuclei -target https://example.com -debug-resp
Short flag:
nuclei -u https://example.com -dresp
Debug mode generates extensive output. Use with single targets for troubleshooting.
Trace and error logs Trace log Log all requests to a file:
nuclei -target https://example.com -trace-log trace.log
Short flag:
nuclei -u https://example.com -tlog trace.log
Error log Log errors to a separate file:
nuclei -target https://example.com -error-log errors.log
Short flag:
nuclei -u https://example.com -elog errors.log
Practical examples Example 1: Comprehensive reporting nuclei -list targets.txt \ -output findings.txt \ -json-export findings.json \ -markdown-export reports/ \ -sarif-export findings.sarif \ -report-db scan-results.db \ -stats
Example 2: Silent pipeline cat targets.txt | \ nuclei -silent -jsonl | \ jq -r 'select(.info.severity=="critical") | .host'
Example 3: Detailed debugging nuclei -u https://example.com \ -t custom-template.yaml \ -debug \ -verbose \ -matcher-status \ -trace-log trace.log
Example 4: Production scan nuclei -list production.txt \ -severity critical,high \ -silent \ -jsonl-export findings.jsonl \ -omit-raw \ -no-color \ -report-db production-scan.db
Example 5: CI/CD integration nuclei -target $CI_TARGET \ -silent \ -no-color \ -sarif-export nuclei-results.sarif \ -severity critical,high \ -exclude-tags dos,intrusive
Example 6: Research and analysis nuclei -list research-targets.txt \ -jsonl-export full-results.jsonl \ -store-resp \ -store-resp-dir responses/ \ -stats \ -stats-json \ -report-db research.db
Format Use Case Size Streaming Machine Readable Text Quick review Small Yes No JSONL Processing Medium Yes Yes JSON Analysis Medium No Yes Markdown Reports Large No No SARIF CI/CD Integration Large No Yes
Best practices
Choose appropriate formats
Select output formats based on your workflow: # Development: verbose + debug nuclei -u example.com -v -debug-req # Production: silent + JSON + database nuclei -list targets.txt -silent -jle results.jsonl -rdb scan.db # Reporting: Markdown + SARIF nuclei -u example.com -me reports/ -se results.sarif
Use deduplication
Always use report database for recurring scans: nuclei -list targets.txt -report-db scan.db
Optimize output size
Omit unnecessary data for large scans: nuclei -list large-targets.txt -jle results.jsonl -or -ot
Enable statistics
Monitor long-running scans: nuclei -list targets.txt -stats -si 30
Next steps
Rate limiting Control scan speed and performance
Cloud integration Upload results to ProjectDiscovery Cloud
Filtering templates Filter what gets scanned and reported
Running scans Back to scanning fundamentals