Target input methods

Nuclei provides multiple ways to specify scan targets, from single URLs to complex network ranges.

Single target

Specify a single target using the -target or -u flag:
nuclei -target https://example.com
When no protocol is specified, Nuclei will probe the target to determine if it’s HTTP or HTTPS.

Multiple targets from file

Provide multiple targets in a text file (targets.txt in this example), one per line:
https://example.com
https://test.example.com
http://app.example.com:8080
192.168.1.10
10.0.0.0/24
Scan all targets from the file:
nuclei -list targets.txt
Or use the short flag:
nuclei -l targets.txt

Network ranges (CIDR notation)

Scan entire network subnets using CIDR notation:
nuclei -target 192.168.1.0/24
CIDR scanning is particularly useful for network vulnerability assessments and internal infrastructure scanning.

IP version selection

Control which IP version to use when scanning domains:
# IPv4 only (default)
nuclei -target example.com -ip-version 4

# IPv6 only
nuclei -target example.com -ip-version 6

# Both IPv4 and IPv6
nuclei -target example.com -ip-version 4,6
Short flag:
nuclei -target example.com -iv 4,6
Use -ip-version 6 to specifically test IPv6 infrastructure vulnerabilities.

Scan all IP addresses

Scan all IPs associated with a DNS record:
nuclei -target example.com -scan-all-ips
Short flag:
nuclei -target example.com -sa
This is useful when:
  • A domain has multiple A records
  • You are testing load balancer configurations
  • You are scanning CDN-backed applications
  • You need to verify consistency across multiple servers

Standard input (stdin)

Pipe targets directly into Nuclei:
echo "https://example.com" | nuclei
Stdin mode enables powerful integration with other security tools in your pipeline.

Disable stdin

Prevent reading from stdin when needed:
nuclei -target example.com -no-stdin

Target exclusion

Exclude specific targets from your scan:
nuclei -list targets.txt -exclude-hosts 192.168.1.1
Short flag:
nuclei -list targets.txt -eh 192.168.1.1
Excluded hosts are completely skipped from scanning. Double-check your exclusion list to avoid missing important targets.
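
A pre-flight check for the exclusion list, as an added example (not part of Nuclei or its documentation). It models exclusions as exact hostname matches and IP/CIDR containment, does no DNS resolution, and flags exclusion entries that match no target, which usually means a typo. The function names and the sample exclusion list are constructed for illustration; Nuclei's own matching may differ.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(entry):
    """Bare host of a target line: URL, host[:port], IP or CIDR."""
    entry = entry.strip()
    if "://" in entry:
        return urlsplit(entry).hostname or entry
    if "/" not in entry and entry.count(":") == 1:   # host:port, not bare IPv6
        return entry.rsplit(":", 1)[0]
    return entry

def as_network(value):
    """Parse an IP or CIDR into a network; None means it is a hostname."""
    try:
        return ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None

def norm(value):
    """Canonical key for an exclusion entry (network string or lowercase name)."""
    net = as_network(value)
    return str(net) if net else value.strip().lower()

def preflight(targets, exclusions):
    """Classify each target line and report exclusions that matched nothing."""
    excl_nets = [n for n in map(as_network, exclusions) if n]
    excl_names = {norm(e) for e in exclusions if as_network(e) is None}
    report = {"kept": [], "dropped": [], "partial": [], "unused": []}
    used = set()
    for line in filter(str.strip, targets):
        host = host_of(line)
        net = as_network(host)
        if net is None:                        # hostname: exact match, no DNS lookup
            hit = host.lower() in excl_names
            used.update({host.lower()} if hit else ())
            report["dropped" if hit else "kept"].append(line)
            continue
        hits = [e for e in excl_nets if e.version == net.version and e.overlaps(net)]
        used.update(str(e) for e in hits)
        if any(net.subnet_of(e) for e in hits):
            report["dropped"].append(line)     # fully covered by an exclusion
        else:
            report["kept"].append(line)
            if hits:                           # only part of the range is excluded
                report["partial"].append(line)
    report["unused"] = [e for e in exclusions if norm(e) not in used]
    return report

# Constructed sample: the targets.txt shown earlier plus a hypothetical exclusion list.
TARGETS = ["https://example.com", "https://test.example.com",
           "http://app.example.com:8080", "192.168.1.10", "10.0.0.0/24"]
EXCLUSIONS = ["192.168.1.10", "10.0.0.128/25", "tset.example.com"]
```

Review the "partial" and "unused" lists before scanning: the first shows ranges that are only trimmed rather than skipped, the second shows exclusions that protect nothing.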

Special input formats

Nuclei supports importing targets from various file formats:

Burp Suite XML

Import targets from Burp Suite:
nuclei -list burp-export.xml -input-mode burp
Short flag:
nuclei -list burp-export.xml -im burp

OpenAPI/Swagger specifications

Extract endpoints from API specifications:
nuclei -list openapi.yaml -input-mode openapi
This automatically extracts all endpoints from your API specification for comprehensive API security testing.

JSONL format

Use structured JSONL input:
nuclei -list targets.jsonl -input-mode jsonl

YAML format

Provide targets in YAML format:
nuclei -list targets.yaml -input-mode yaml

Format options

-required-only (boolean)
Use only required fields when generating requests from input formats:
nuclei -list openapi.yaml -im openapi -required-only
Short flag: -ro

-skip-format-validation (boolean)
Skip format validation (like missing variables):
nuclei -list swagger.json -im swagger -skip-format-validation
Short flag: -sfv

Default port handling

Control how Nuclei handles default HTTP/HTTPS ports:
# Remove default ports from URLs (default behavior)
nuclei -target example.com:80
# Becomes: http://example.com

# Keep default ports in URLs
nuclei -target example.com:80 -leave-default-ports
# Remains: http://example.com:80
Short flag:
nuclei -target example.com:443 -ldp
Keeping default ports can be useful when testing applications that explicitly check the port in security rules.

HTTP probing

By default, Nuclei uses httpx to probe non-URL inputs (like IP addresses or domains) to determine if they’re running HTTP/HTTPS services.

Disable HTTP probing

nuclei -list ips.txt -no-httpx
Short flag:
nuclei -list ips.txt -nh
Disabling HTTP probing means Nuclei won’t automatically discover HTTP services. Use this when you already know your targets are HTTP/HTTPS endpoints.

Probe concurrency

Control the number of concurrent HTTP probes:
nuclei -list targets.txt -probe-concurrency 100
Short flag:
nuclei -list targets.txt -prc 100

Network interface selection

Specify which network interface to use for scanning:
nuclei -target 192.168.1.0/24 -interface eth0
Short flag:
nuclei -target 192.168.1.0/24 -i eth0
List available interfaces:
ip link show

Source IP address

Set a custom source IP address for network requests:
nuclei -target example.com -source-ip 192.168.1.100
Short flag:
nuclei -target example.com -sip 192.168.1.100
Useful when you have multiple network interfaces and need to scan from a specific IP.

Practical examples

Example 1: Internal network scan

Scan an internal network, excluding the management subnet:
nuclei -target 192.168.0.0/16 \
  -exclude-hosts 192.168.100.0/24 \
  -rate-limit 200 \
  -output internal-scan.txt

Example 2: Multi-target domain scan

Scan all IPs for multiple domains:
cat domains.txt | nuclei -scan-all-ips -severity high,critical

Example 3: API security testing

Test all endpoints from an OpenAPI spec:
nuclei -list api-spec.yaml \
  -input-mode openapi \
  -tags api,auth \
  -json-export api-findings.json

Example 4: Subdomain pipeline

Discover subdomains and scan with Nuclei:
subfinder -d example.com -silent | \
httpx -silent -ports 80,443,8080,8443 | \
nuclei -templates cves/ -severity critical,high

Example 5: IPv6 infrastructure scan

Scan IPv6 addresses only:
nuclei -list ipv6-targets.txt \
  -ip-version 6 \
  -templates network/ \
  -output ipv6-results.txt

Example 6: Targeted exclusion scan

Scan a production network, excluding critical infrastructure:
nuclei -target 10.0.0.0/8 \
  -exclude-hosts production-critical.txt \
  -rate-limit 50 \
  -severity medium,high,critical \
  -silent

Integration with discovery tools

ProjectDiscovery toolchain

Combine multiple tools for comprehensive coverage:
subfinder -d example.com | \
  dnsx -silent | \
  httpx -silent | \
  nuclei

Asset discovery platforms

Integrate with Uncover for asset discovery:
nuclei -uncover \
  -uncover-query "org:example" \
  -uncover-engine shodan \
  -uncover-limit 100
Short flags:
nuclei -uc -uq "port:8080" -ue shodan -ul 500

Best practices

1. Verify target ownership

Always ensure you have permission to scan your targets. Unauthorized scanning is illegal.

2. Use appropriate rate limits

Start with conservative rate limits, especially for production systems:
nuclei -target example.com -rate-limit 50

3. Test exclusions first

Before large scans, verify your exclusion list:
nuclei -list targets.txt -exclude-hosts exclusions.txt -silent | head -n 10

4. Use CIDR wisely

Be cautious with large CIDR ranges. Start small:
# Start with small range
nuclei -target 192.168.1.0/28

# Then expand if needed
nuclei -target 192.168.1.0/24

5. Leverage pipelines

Chain tools to filter and prepare targets:
# -mc filters by status code; -status-code is omitted so httpx emits bare URLs
cat targets.txt | httpx -silent -mc 200,301,302 | nuclei
