Basic scan execution
Nuclei provides flexible options for running vulnerability scans against single or multiple targets.
Run a basic scan
Execute a scan against a single target URL:
nuclei -target https://example.com
You can also use the short flag -u:
nuclei -u https://example.com
On first run, Nuclei automatically downloads the latest templates from the nuclei-templates repository.
Monitor scan progress
Nuclei displays real-time progress and findings:
[2024-03-01 12:00:00] [CVE-2021-44228] [http] [critical] https://example.com/api
[2024-03-01 12:00:01] [self-signed-ssl] [ssl] [info] example.com:443
Each line shows the timestamp, template ID, protocol, severity, and target.
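The line format described above can be parsed mechanically for triage or for a CI gate. This is an added example, not part of the Nuclei documentation: it assumes uncolored console output shaped like the sample, and the function names and the severity ranking (info < low < medium < high < critical) are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage Nuclei console findings shaped like the sample above:
#   [timestamp] [template-id] [protocol] [severity] target

# stdin: raw console lines -> stdout: severity<TAB>template-id<TAB>protocol<TAB>target
# Lines that do not start with four bracketed fields are skipped.
parse_findings() {
  awk '{
    line = $0
    for (k = 1; k <= 4; k++) {
      if (substr(line, 1, 1) != "[") next
      e = index(line, "] ")
      if (e == 0) next
      f[k] = substr(line, 2, e - 2)
      line = substr(line, e + 2)
    }
    printf "%s\t%s\t%s\t%s\n", f[4], f[2], f[3], line
  }'
}

# stdin: raw console lines -> "count severity" per severity, highest count first
count_by_severity() {
  parse_findings | cut -f1 | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# Exit 0 if any finding is at or above the given severity (usable as a CI gate).
# The ranking below is an assumption of this example; unknown labels never match.
has_severity_at_least() {
  parse_findings | awk -F'\t' -v min="$1" '
    BEGIN { r["info"]=0; r["low"]=1; r["medium"]=2; r["high"]=3; r["critical"]=4 }
    ($1 in r) && r[$1] >= r[min] { hit = 1 }
    END { exit hit ? 0 : 1 }'
}

# Constructed sample: the two finding lines from the page plus a constructed
# status line that must be ignored.
SAMPLE='[2024-03-01 12:00:00] [CVE-2021-44228] [http] [critical] https://example.com/api
[2024-03-01 12:00:01] [self-signed-ssl] [ssl] [info] example.com:443
[INF] constructed status line, not a finding'

printf '%s\n' "$SAMPLE" | parse_findings
```
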
View statistics
Enable statistics to monitor scan metrics:
nuclei -target https://example.com -stats
For JSON-formatted statistics:
nuclei -target https://example.com -stats -stats-json
Scanning modes
Single target scan
Scan a single web application or host. The target can be a web application URL, an IP address, a domain, or a host with port:
nuclei -target https://example.com
Multiple targets from file
Scan multiple targets listed in a file (one per line):
Or use the short flag:
Create a urls.txt file with one target per line:
https://example.com
https://test.example.com
192.168.1.0/24
Network subnet scan
Scan an entire network range using CIDR notation:
nuclei -target 192.168.1.0/24
This scans all hosts in the subnet for network-related vulnerabilities.
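Because a single CIDR line in a target file expands to a whole address block, it helps to size up the list before scanning. The following is an added example, not part of the Nuclei documentation: the function names are hypothetical, only IPv4 CIDR is handled, and the count is the number of addresses in each block, not a statement of what Nuclei will probe.

```shell
#!/bin/sh
# Added example: size up a target list before passing it to `nuclei -list`.
# Prints one line per entry: kind<TAB>addresses<TAB>entry
#   kind is url, cidr, ip, host or invalid
#   addresses is 2^(32-prefix) for an IPv4 CIDR entry, otherwise 1
classify_targets() {
  awk '{
    sub(/\r$/, "")                      # tolerate CRLF line endings
    if (NF == 0) next                   # skip blank lines
    t = $1; kind = "host"; n = 1
    if (t ~ /^https?:\/\//) kind = "url"
    else if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) {
      split(t, p, "/")
      if (p[2] > 32) { kind = "invalid"; n = 0 }
      else { kind = "cidr"; n = 2 ^ (32 - p[2]) }
    }
    else if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) kind = "ip"
    printf "%s\t%.0f\t%s\n", kind, n, t
  }' "$@"
}

# Total number of addresses covered by the list (file arguments or stdin).
total_addresses() {
  classify_targets "$@" | awk -F'\t' '{ s += $2 } END { printf "%.0f\n", s }'
}

# The urls.txt content shown on the page, fed on stdin.
printf 'https://example.com\nhttps://test.example.com\n192.168.1.0/24\n' | classify_targets
```
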
Scan all IPs for a domain
Scan all IP addresses associated with a DNS record:
nuclei -target example.com -scan-all-ips
Or use the short flag:
nuclei -target example.com -sa
This is useful when a domain has multiple A records or is behind a CDN.
Pipe targets directly from other tools:
echo https://example.com | nuclei
Chain with other ProjectDiscovery tools:
subfinder -d example.com -silent | httpx -silent | nuclei
Disable stdin with -no-stdin if you want to prevent reading from stdin.
Nuclei supports multiple input file formats:
List (default)
Simple list of URLs, one per line.
Burp Suite
Import from Burp Suite XML:
nuclei -list burp-export.xml -input-mode burp
Short flag:
nuclei -list burp-export.xml -im burp
OpenAPI/Swagger
Scan from OpenAPI specification:
nuclei -list swagger.json -input-mode openapi
Or:
nuclei -list openapi.yaml -input-mode swagger
JSONL
Use JSONL format for structured input:
nuclei -list targets.jsonl -input-mode jsonl
Scan strategies
Control how Nuclei distributes work across targets and templates:
# Auto-select optimal strategy (default)
nuclei -target example.com -scan-strategy auto
# Host spray: all templates against each host
nuclei -list targets.txt -scan-strategy host-spray
# Template spray: each template against all hosts
nuclei -list targets.txt -scan-strategy template-spray
Short flag:
nuclei -list targets.txt -ss template-spray
host-spray: Better for scanning many targets with few templates
template-spray: Better for scanning few targets with many templates
auto: Automatically selects the best strategy
Resume interrupted scans
Save and resume scan state to continue interrupted scans:
# Start a scan with resume capability
nuclei -list targets.txt -resume scan-state.cfg
# If interrupted, resume from where it stopped
nuclei -resume scan-state.cfg
Template clustering is automatically disabled when using resume functionality.
Target exclusion
Exclude specific hosts from scanning:
# Exclude specific hosts
nuclei -list targets.txt -exclude-hosts 192.168.1.1,192.168.1.2
# Exclude CIDR ranges
nuclei -list targets.txt -exclude-hosts 10.0.0.0/8
# Exclude hostnames
nuclei -list targets.txt -exclude-hosts internal.example.com
Short flag:
nuclei -list targets.txt -eh 192.168.1.1
IP version selection
Choose which IP version to use for scanning:
# IPv4 only (default)
nuclei -target example.com -ip-version 4
# IPv6 only
nuclei -target example.com -ip-version 6
# Both IPv4 and IPv6
nuclei -target example.com -ip-version 4,6
Short flag:
nuclei -target example.com -iv 4,6
Streaming mode
Process input without sorting, useful for large input sets:
nuclei -list large-targets.txt -stream
Streaming mode starts processing immediately without waiting to read all inputs, reducing memory usage for large target lists.
Passive mode
Enable passive HTTP response processing without sending new requests:
nuclei -list responses.txt -passive
Useful for analyzing HTTP responses from files using matchers/extractors.
Headless browser scans
Enable headless browser support for JavaScript-heavy applications:
# Enable headless mode
nuclei -target https://example.com -headless
# Show browser window (for debugging)
nuclei -target https://example.com -headless -show-browser
# Use system Chrome instead of bundled
nuclei -target https://example.com -headless -system-chrome
Short flags:
nuclei -target https://example.com -headless -sb -sc
Headless mode requires additional dependencies. On Linux, running as root will disable the sandbox.
Project mode
Avoid sending duplicate requests across multiple scans:
# Enable project mode with default path
nuclei -list targets.txt -project
# Use custom project path
nuclei -list targets.txt -project -project-path ./my-scan-project
Project mode tracks sent requests to avoid duplication, useful for continuous scanning workflows.
Automatic technology-based scanning
Automatically detect technologies and run relevant templates:
nuclei -target https://example.com -automatic-scan
Short flag:
nuclei -target https://example.com -as
This uses Wappalyzer technology detection to automatically select applicable templates.
New templates only
Run only templates added in the latest release:
nuclei -target https://example.com -new-templates
Or run templates from a specific version:
nuclei -target https://example.com -new-templates-version v9.6.0
Short flags:
nuclei -target https://example.com -nt
nuclei -target https://example.com -ntv v9.6.0
Validation mode
Validate template syntax without running scans:
nuclei -validate -templates custom-templates/
Disable strict syntax checking:
nuclei -validate -templates custom-templates/ -no-strict-syntax
Short flag:
nuclei -validate -t custom-templates/ -nss
Advanced options
Stop at first match
Stop processing a template when it first matches:
nuclei -target example.com -stop-at-first-match
Short flag:
nuclei -target example.com -spm
This may break template or workflow logic that depends on multiple matches.
Set timeout for reading from input:
nuclei -list targets.txt -input-read-timeout 5m
Short flag:
nuclei -list targets.txt -irt 5m
Disable HTTP probing
Skip HTTP probing for non-URL inputs:
nuclei -list ips.txt -no-httpx
Short flag:
Practical examples
Quick security assessment
nuclei -u https://example.com \
-severity high,critical \
-silent \
-json-export findings.json
Comprehensive network scan
nuclei -target 10.0.0.0/24 \
-rate-limit 100 \
-concurrency 50 \
-output results.txt \
-stats
Resume large scan
# Initial scan
nuclei -list 10000-targets.txt \
-resume large-scan.cfg \
-output findings.txt
# Resume if interrupted
nuclei -resume large-scan.cfg
Technology detection scan
nuclei -target https://app.example.com \
-automatic-scan \
-severity medium,high,critical \
-json-export tech-findings.json
Passive analysis
cat http-responses.txt | nuclei -passive -templates http/