Overview
Rate limiting controls how fast Nuclei sends requests and executes templates. Proper configuration prevents overwhelming targets while maximizing scan efficiency.
Rate limit fundamentals
Requests per second
Control the maximum number of requests sent per second:
# Default: 150 requests per second
nuclei -target https://example.com -rate-limit 150
# Conservative: 50 requests per second
nuclei -target https://example.com -rate-limit 50
# Aggressive: 300 requests per second
nuclei -target https://example.com -rate-limit 300
Short flag:
nuclei -u https://example.com -rl 100
The default rate limit is 150 requests per second, which is suitable for most scenarios.
Rate limit duration
Specify the duration window for rate limiting:
# 100 requests per 1-second window (1s is the default duration)
nuclei -target https://example.com -rate-limit 100 -rate-limit-duration 1s
# 500 requests per 5 seconds
nuclei -target https://example.com -rate-limit 500 -rate-limit-duration 5s
# 1000 requests per minute
nuclei -target https://example.com -rate-limit 1000 -rate-limit-duration 60s
Short flags:
nuclei -u https://example.com -rl 100 -rld 1s
Rate limit duration defaults to 1 second. Adjust this to match your target’s rate limiting windows.
Concurrency controls
Bulk size
Control how many hosts are processed in parallel per template:
# Default: 25 hosts
nuclei -list targets.txt -bulk-size 25
# Conservative: 10 hosts
nuclei -list targets.txt -bulk-size 10
# Aggressive: 50 hosts
nuclei -list targets.txt -bulk-size 50
Short flag:
nuclei -list targets.txt -bs 25
Increase bulk size when scanning many targets with few templates. Decrease it when scanning few targets with many templates.
Template concurrency
Control how many templates execute simultaneously:
# Default: 25 templates
nuclei -target https://example.com -concurrency 25
# Conservative: 10 templates
nuclei -target https://example.com -concurrency 10
# Aggressive: 50 templates
nuclei -target https://example.com -concurrency 50
Short flag:
nuclei -u https://example.com -c 25
Headless concurrency
Control headless browser template execution:
# Headless bulk size (default: 10)
nuclei -target https://example.com -headless -headless-bulk-size 10
# Headless template threads (default: 10)
nuclei -target https://example.com -headless -headless-concurrency 10
Short flags:
nuclei -u https://example.com -headless -hbs 10 -headc 10
Headless templates consume more resources. Keep concurrency lower than standard HTTP templates.
JavaScript concurrency
Control JavaScript runtime concurrency:
# Default: 120 concurrent JS runtimes
nuclei -target https://example.com -js-concurrency 120
# Conservative: 60
nuclei -target https://example.com -js-concurrency 60
Short flag:
nuclei -u https://example.com -jsc 120
Payload concurrency
Control payload execution per template:
# Default: 25 payloads
nuclei -target https://example.com -payload-concurrency 25
# Conservative: 10
nuclei -target https://example.com -payload-concurrency 10
Short flag:
nuclei -u https://example.com -pc 25
Probe concurrency
Control HTTP probing concurrency with httpx:
# Default: 50 probes
nuclei -list ips.txt -probe-concurrency 50
# Aggressive: 100 probes
nuclei -list ips.txt -probe-concurrency 100
Short flag:
nuclei -list ips.txt -prc 50
Template loading concurrency
Control how many templates load in parallel:
# Default: 50 concurrent loads
nuclei -target https://example.com -template-loading-concurrency 50
# Conservative: 25
nuclei -target https://example.com -template-loading-concurrency 25
Short flag:
nuclei -u https://example.com -tlc 50
Timeout controls
Request timeout
Set timeout for individual requests:
# Default: 10 seconds
nuclei -target https://example.com -timeout 10
# Slow targets: 30 seconds
nuclei -target https://slow-site.com -timeout 30
# Fast timeout: 5 seconds
nuclei -target https://example.com -timeout 5
Timeout applies to:
HTTP requests
Network connections
DNS queries
Other protocol operations
Page timeout
Set timeout for headless browser pages:
# Default: 20 seconds
nuclei -target https://example.com -headless -page-timeout 20
# Slow JavaScript apps: 60 seconds
nuclei -target https://spa-app.com -headless -page-timeout 60
Dialer keep-alive
Set keep-alive duration for network connections:
# Set a 30-second keep-alive (default: system default)
nuclei -target https://example.com -dialer-keep-alive 30s
# Long connections
nuclei -target https://example.com -dialer-keep-alive 60s
Short flag:
nuclei -u https://example.com -dka 30s
Retry controls
Number of retries
Set how many times to retry failed requests:
# Default: 1 retry
nuclei -target https://example.com -retries 1
# No retries
nuclei -target https://example.com -retries 0
# Multiple retries
nuclei -target https://unstable-site.com -retries 3
Increase retries for unstable networks or intermittent targets. Decrease for faster scans.
Error handling
Max host errors
Skip hosts after a certain number of errors:
# Default: 30 errors
nuclei -list targets.txt -max-host-error 30
# Strict: 10 errors
nuclei -list targets.txt -max-host-error 10
# Lenient: 100 errors
nuclei -list targets.txt -max-host-error 100
Short flag:
nuclei -list targets.txt -mhe 30
Track additional errors
Add custom error types to the error count:
nuclei -list targets.txt -track-error "connection refused,timeout"
Short flag:
nuclei -list targets.txt -te "connection refused"
Disable host error tracking
Disable automatic host skipping:
nuclei -list targets.txt -no-mhe
Short flag:
nuclei -list targets.txt -nmhe
Disabling host error tracking can lead to wasted time on unreachable targets.
Conservative profile (production-safe)
Safe settings for production environments:
nuclei -list targets.txt \
-rate-limit 50 \
-concurrency 10 \
-bulk-size 10 \
-timeout 15 \
-retries 2
Use when:
Scanning production systems
Network bandwidth is limited
Target stability is unknown
Running during business hours
Balanced profile (default)
Optimal balance between speed and safety:
nuclei -list targets.txt \
-rate-limit 150 \
-concurrency 25 \
-bulk-size 25 \
-timeout 10 \
-retries 1
Use when:
General purpose scanning
Mixed target environments
Standard security assessments
Aggressive profile (fast scanning)
Maximize scan speed:
nuclei -list targets.txt \
-rate-limit 500 \
-concurrency 100 \
-bulk-size 50 \
-timeout 5 \
-retries 0 \
-max-host-error 10
Use when:
Scanning test environments
Time-sensitive assessments
Robust targets with good connectivity
Bug bounty hunting
Aggressive settings may trigger rate limiting or WAF blocks on some targets.
Resource-constrained profile
Minimize resource usage:
nuclei -list targets.txt \
-rate-limit 25 \
-concurrency 5 \
-bulk-size 5 \
-timeout 30 \
-headless-concurrency 2 \
-js-concurrency 30
Use when:
Running on low-end hardware
Limited memory available
High network latency
Scanning from VPS with constraints
Scan strategy optimization
Combine rate limiting with scan strategies:
# Host spray: all templates against each host
nuclei -list targets.txt \
-scan-strategy host-spray \
-rate-limit 200 \
-bulk-size 50
# Template spray: each template against all hosts
nuclei -list targets.txt \
-scan-strategy template-spray \
-rate-limit 200 \
-concurrency 50
Short flag:
nuclei -list targets.txt -ss host-spray -rl 200 -bs 50
Response size limits
Read size
Limit how much response data to read:
# Default: 10 MB
nuclei -target https://example.com -response-size-read 10485760
# Conservative: 5 MB
nuclei -target https://example.com -response-size-read 5242880
Short flag:
nuclei -u https://example.com -rsr 10485760
Save size
Limit response size when storing:
# Default: 1 MB
nuclei -target https://example.com -response-size-save 1048576
# Larger responses: 5 MB
nuclei -target https://example.com -response-size-save 5242880
Short flag:
nuclei -u https://example.com -rss 1048576
Practical examples
Example 1: Production web app scan
nuclei -target https://production-app.com \
-rate-limit 50 \
-concurrency 10 \
-bulk-size 10 \
-timeout 15 \
-retries 2 \
-severity high,critical \
-exclude-tags dos,intrusive
Example 2: Internal network scan
nuclei -target 192.168.1.0/24 \
-rate-limit 200 \
-concurrency 50 \
-bulk-size 50 \
-timeout 5 \
-probe-concurrency 100
Example 3: Slow/unstable target
nuclei -target https://slow-site.com \
-rate-limit 10 \
-concurrency 5 \
-timeout 60 \
-retries 5 \
-max-host-error 100
Example 4: Fast bug bounty scan
nuclei -list bounty-targets.txt \
-rate-limit 500 \
-concurrency 100 \
-bulk-size 100 \
-timeout 5 \
-retries 0 \
-severity critical,high \
-silent
Example 5: Headless scanning
nuclei -target https://spa-app.com \
-headless \
-rate-limit 50 \
-headless-concurrency 5 \
-headless-bulk-size 5 \
-page-timeout 30 \
-timeout 20
Example 6: Large scale CI/CD
nuclei -list 10000-targets.txt \
-rate-limit 300 \
-concurrency 75 \
-bulk-size 75 \
-timeout 10 \
-max-host-error 20 \
-retries 1 \
-template-loading-concurrency 100 \
-silent \
-no-color
Enable statistics
Monitor scan performance in real-time:
nuclei -list targets.txt \
-rate-limit 200 \
-stats \
-stats-interval 10
Output:
Templates: 3500 | Hosts: 100 | RPS: 198 | Errors: 12 | Matches: 45
Enable metrics endpoint
Expose Prometheus metrics:
nuclei -list targets.txt \
-metrics-port 9092
Access at http://localhost:9092/metrics.
Optimization tips
Start conservative
Begin with lower values and increase gradually:
nuclei -u example.com -rl 50 -c 10
Monitor for errors
Watch for connection errors and timeouts:
nuclei -list targets.txt -stats -error-log errors.log
Adjust based on target
Different targets need different settings:
CDN-protected: Lower rate limits
Internal apps: Higher concurrency
APIs: Balance rate limit with endpoint limits
Consider network conditions
High latency: Increase timeout
Low bandwidth: Decrease concurrency
Unstable: Increase retries
Match scan strategy
Many targets, few templates: Increase bulk size
Few targets, many templates: Increase concurrency
Mixed: Use auto strategy
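The "start conservative" and "monitor for errors" tips above, turned into a repeatable check (an added example, not part of the Nuclei documentation or code base): it reads `-stats` lines in the format shown under "Enable statistics" and suggests the next `-rate-limit`. The function name `suggest_rate_limit`, the thresholds, and the treatment of `Errors` as a cumulative counter are assumptions.

```sh
#!/bin/sh
# Added example: suggest the next -rate-limit from nuclei -stats lines.
# Assumed line format (the one shown under "Enable statistics"):
#   Templates: 3500 | Hosts: 100 | RPS: 198 | Errors: 12 | Matches: 45
# Assumption: "Errors" is a cumulative counter.

# Usage: suggest_rate_limit CURRENT_RL STATS_INTERVAL_SECONDS < stats.log
# Thresholds (floor, step, max_ratio) are illustrative, not nuclei defaults.
suggest_rate_limit() {
    awk -v rl="$1" -v interval="$2" '
    BEGIN { FS = "|"; floor = 10; step = 25; max_ratio = 0.02; prev = -1 }
    /RPS:/ && /Errors:/ {
        rps = -1; errs = -1
        for (i = 1; i <= NF; i++) {
            split($i, kv, ":")
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key == "RPS")    rps  = kv[2] + 0
            if (key == "Errors") errs = kv[2] + 0
        }
        if (rps < 0 || errs < 0) next
        if (prev >= 0 && rps > 0) {
            # New errors per request sent during the last stats interval.
            ratio = ((errs - prev) / interval) / rps
            if (ratio > max_ratio) { bad++ } else { good++ }
        }
        prev = errs
    }
    END {
        if (bad > 0) {            # back off: halve, but never below the floor
            next_rl = int(rl / 2)
            if (next_rl < floor) next_rl = floor
        } else if (good > 0) {    # clean run: raise by one small step
            next_rl = rl + step
        } else {                  # fewer than two samples: change nothing
            next_rl = rl
        }
        print next_rl
    }'
}

# Constructed sample: errors jump in the third interval of a -rl 50 run.
sample_stats='Templates: 3500 | Hosts: 100 | RPS: 50 | Errors: 0 | Matches: 1
Templates: 3500 | Hosts: 100 | RPS: 49 | Errors: 2 | Matches: 3
Templates: 3500 | Hosts: 100 | RPS: 48 | Errors: 40 | Matches: 3'

printf '%s\n' "$sample_stats" | suggest_rate_limit 50 10
```

Pass the same interval you gave to `-stats-interval`, and feed the suggested value into the next run's `-rate-limit`.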
Tuning for specific scenarios
API testing
nuclei -target https://api.example.com \
-rate-limit 100 \
-concurrency 20 \
-timeout 15 \
-tags api
Cloud environments (AWS, GCP, Azure)
nuclei -list cloud-assets.txt \
-rate-limit 200 \
-concurrency 50 \
-bulk-size 50 \
-timeout 10 \
-probe-concurrency 100
WAF-protected targets
nuclei -target https://waf-protected.com \
-rate-limit 20 \
-concurrency 5 \
-timeout 20 \
-retries 3 \
-random-agent
VPN/Tor scanning
nuclei -list targets.txt \
-rate-limit 25 \
-concurrency 5 \
-timeout 60 \
-retries 5 \
-proxy socks5://127.0.0.1:9050
Common issues and solutions
Too many connection errors
Symptom: High error rate, hosts getting skipped
Solution:
nuclei -list targets.txt \
-rate-limit 50 \
-concurrency 10 \
-retries 3 \
-max-host-error 50
Scan too slow
Symptom: Low RPS, templates taking too long
Solution:
nuclei -list targets.txt \
-rate-limit 300 \
-concurrency 50 \
-bulk-size 50 \
-timeout 8 \
-exclude-type headless
Memory issues
Symptom: High memory usage, OOM errors
Solution:
nuclei -list targets.txt \
-rate-limit 100 \
-concurrency 10 \
-headless-concurrency 2 \
-js-concurrency 30 \
-template-loading-concurrency 25
Getting rate limited
Symptom: 429 errors, WAF blocks
Solution:
nuclei -target example.com \
-rate-limit 10 \
-rate-limit-duration 60s \
-concurrency 5 \
-random-agent \
-header "X-Custom: value"
Best practices
Test before large scans: Run a small test first to verify settings.
Use statistics: Always enable stats for long-running scans to monitor performance.
Respect rate limits: Honor target rate limits and terms of service.
Document your settings: Save optimized configurations for different target types.