loading
loading
Scanners
A fast, customizable vulnerability scanner based on a simple YAML-based DSL.
overview
nuclei tests targets against a large library of community and custom templates, each describing one check in a simple YAML DSL. Because the logic lives in templates rather than code, coverage grows with the community and you can write checks for your own findings in minutes. It is fast, low on false positives, and built to run at scale.
On Trickest it is the testing stage of a recon-to-results pipeline. Point it at live hosts from httpx, filter by tags or severity to keep runs focused, and emit JSONL so every finding becomes a row you can triage, route, or alert on. Run targeted template sets per workflow rather than everything at once.
With 160 inputs, nuclei covers protocol selection, rate limiting, proxying, and headless browser checks, so one node fits both a quick severity sweep and a deep, scoped scan. Scheduled behind discovery, it turns continuous recon into continuous testing.
use cases
Run curated templates against probed hosts to surface CVEs, misconfigurations, and exposures across the estate.
Filter to critical and high, or to a technology's tag set, so a run returns the findings that matter instead of noise.
Schedule nuclei behind discovery so newly found hosts get tested automatically and findings land in a live table.
Point the templates folder at rules you wrote for a known finding and run them alongside the community set in one pass.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target | STRING | -target | Target URLs or hosts to scan. |
| list | FILE | -list | File of target URLs or hosts, the usual pipeline input. |
| templates | FOLDER | -templates | Folder of templates to run. |
| severity | STRING | -severity | Run templates by severity (info, low, medium, high, critical, unknown). |
| tags | STRING | -tags | Run templates by tag (comma-separated). |
| rate-limit | STRING | -rate-limit | Maximum requests to send per second (default 150). Aliased as -rl. |
| header | STRING | -header | Custom header or cookie for every HTTP request, in header:value format. |
| jsonl | BOOLEAN | -jsonl | Write findings in JSONL format, one per line. |
Showing key inputs. nuclei exposes 160 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sni | STRING | -sni | tls sni hostname to use (default: input domain name) |
| var | STRING | -var | custom vars in key=value format |
| code | BOOLEAN | -code | enable loading code protocol-based templates |
| dast | BOOLEAN | -dast | only run DAST templates |
| list | FILE | -list | List of target URLs/hosts to scan |
| tags | STRING | -tags | templates to run based on tags (comma-separated) |
| type | STRING | -type | templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript |
| ztls | BOOLEAN | -ztls | use ztls library with autofallback to standard one for tls13 |
| debug | BOOLEAN | -debug | show all requests and responses |
| jsonl | BOOLEAN | -jsonl | write output in JSONL(ines) format |
| proxy | STRING | -proxy | list of http/socks5 proxy to use (comma separated) |
| reset | BOOLEAN | -reset | reset removes all nuclei configuration and data files (including nuclei-templates) |
| stats | BOOLEAN | -stats | Display stats of the running scan. |
| author | STRING | -author | templates to run based on authors (comma-separated) |
| config | FILE | -config | path to the nuclei configuration file |
| header | STRING | -header | custom header/cookie to include in all http requests in header:value format |
| no-mhe | BOOLEAN | -no-mhe | disable skipping host from scan based on errors |
| redact | STRING | -redact | redact given list of keys from query parameter, request header and body |
| resume | FILE | -resume | Resume scan using resume.cfg (clustering will be disabled) |
| silent | STRING | -silent | display findings only |
| stream | BOOLEAN | -stream | stream mode - start elaborating without sorting the input |
| target | STRING | -target | target URLs/hosts to scan |
| no-meta | BOOLEAN | -no-meta | disable printing result metadata in cli output |
| passive | BOOLEAN | -passive | enable passive HTTP response processing mode |
| profile | STRING | -profile | template profile config file to run |
| project | BOOLEAN | -project | Use a project folder to avoid sending same request multiple times. |
| retries | STRING | -retries | number of times to retry a failed request (default 1) |
| timeout | STRING | -timeout | time to wait in seconds before timeout (default 10) |
| uncover | BOOLEAN | -uncover | enable uncover engine |
| verbose | BOOLEAN | -verbose | show verbose output |
| env-vars | BOOLEAN | -env-vars | enable environment variables to be used in template |
| headless | BOOLEAN | -headless | enable templates that require headless browser support (root user on linux will disable sandbox) |
| no-color | BOOLEAN | -no-color | disable output content coloring (ANSI escape codes) |
| no-httpx | BOOLEAN | -no-httpx | disable httpx probing for non-url input |
| no-stdin | BOOLEAN | -no-stdin | disable stdin processing |
| omit-raw | BOOLEAN | -omit-raw | omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) |
| severity | STRING | -severity | templates to run based on severity. Possible values: info, low, medium, high, critical, unknown |
| template | FILE | -templates | template file to run |
| validate | BOOLEAN | -validate | validate the passed templates to nuclei |
| bulk-size | STRING | -bulk-size | maximum number of hosts to be analyzed in parallel per template (default 25) |
| client-ca | FILE | -client-ca | client certificate authority file (PEM-encoded) used for authenticating against scanned hosts |
| debug-req | BOOLEAN | -debug-req | show all sent requests |
| interface | STRING | -interface | network interface to use for network scan |
| list-tags | BOOLEAN | -tgl | list all available tags |
| resolvers | FILE | -resolvers | file containing resolver list for nuclei |
| source-ip | STRING | -source-ip | source ip address to use for network scan |
| tags-list | FILE | -tags | templates to run based on tags |
| templates | FOLDER | -templates | folder of templates to run |
| timestamp | BOOLEAN | -timestamp | enables printing timestamp in cli output |
| vars-list | FILE | -var | custom vars in key=value format |
| workflows | STRING | -workflows | list of workflow or workflow directory to run (comma-separated) |
| client-key | FILE | -client-key | client key file (PEM-encoded) used for authenticating against scanned hosts |
| debug-resp | BOOLEAN | -debug-resp | show all received responses |
| exclude-id | STRING | -exclude-id | templates to exclude based on template ids (comma-separated) |
| ip-version | STRING | -ip-version | IP version to scan of hostname (4,6) - (default 4) |
| proxy-list | FILE | -proxy | list of http/socks5 proxy to use |
| rate-limit | STRING | -rate-limit | maximum number of requests to send per second (default 150) |
| stats-json | BOOLEAN | -stats-json | Write statistics data to stdout in JSONL(ines) format |
| attack-type | STRING | -attack-type | type of payload combinations to perform (batteringram,pitchfork,clusterbomb) |
| author-list | FILE | -author | templates to run based on authors |
| client-cert | FILE | -client-cert | client certificate file (PEM-encoded) used for authenticating against scanned hosts |
| concurrency | STRING | -concurrency | maximum number of templates to be executed in parallel (default 25) |
| force-http2 | BOOLEAN | -force-http2 | force http2 connection on requests |
| secret-file | FILE | -secret-file | path to config file containing secrets for nuclei authenticated scan |
| template-id | STRING | -template-id | templates to run based on template ids (comma-separated) |
| enable-pprof | BOOLEAN | -enable-pprof | enable pprof debugging server |
| exclude-tags | STRING | -exclude-tags | templates to exclude based on tags (comma-separated) |
| exclude-type | STRING | -exclude-type | templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript |
| fuzzing-mode | STRING | -fuzzing-mode | overrides fuzzing mode set in template (multiple, single) |
| fuzzing-type | STRING | -fuzzing-type | overrides fuzzing type set in template (replace, prefix, postfix, infix) |
| hang-monitor | BOOLEAN | -hang-monitor | enable nuclei hang monitoring |
| headers-list | FILE | -header | custom list of headers/cookies to include in all http requests in header:value |
| health-check | BOOLEAN | -health-check | run diagnostic check up |
| include-tags | STRING | -include-tags | tags to be executed even if they are excluded either by default or configuration |
| metrics-port | STRING | -metrics-port | port to expose nuclei metrics on (default 9092) |
| page-timeout | STRING | -page-timeout | seconds to wait for each page in headless mode (default 20) |
| profile-list | BOOLEAN | -profile-list | list community template profiles |
| project-path | FOLDER | -project-path | Use a user defined project folder. Temporary folder is used if not specified but enabled. |
| scan-all-ips | BOOLEAN | -scan-all-ips | scan all the IP's associated with dns record |
| template-url | STRING | -template-url | template urls to run (comma-separated) |
| workflow-url | STRING | -workflow-url | workflow urls to run (comma-separated) |
| exclude-hosts | FILE | -exclude-hosts | hosts to exclude to scan from the input list (ip, cidr, hostname) |
| max-redirects | STRING | -max-redirects | max number of redirects to follow for http templates (default 10) |
| new-templates | BOOLEAN | -new-templates | run only new templates added in latest nuclei-templates release |
| no-interactsh | BOOLEAN | -no-interactsh | disable interactsh server for OAST testing, exclude OAST based templates |
| omit-template | BOOLEAN | -omit-template | omit encoded template in the JSON, JSONL output |
| report-config | FILE | -report-config | nuclei reporting module configuration file |
| scan-strategy | STRING | -scan-strategy | strategy to use while scanning(auto/host-spray/template-spray) (default auto) |
| show-var-dump | BOOLEAN | -show-var-dump | show variables dump for debugging |
| system-chrome | BOOLEAN | -system-chrome | use local installed Chrome browser instead of nuclei installed |
| target-folder | FOLDER | -target | folder containing files to execute file templates on |
| template-urls | FILE | -template-url | list of template urls to run |
| uncover-delay | STRING | -uncover-delay | delay between uncover query requests in seconds (0 to disable) (default 1) |
| uncover-field | STRING | -uncover-field | uncover fields to return (ip,port,host) (default "ip:port") |
| uncover-limit | STRING | -uncover-limit | uncover results to return (default 100) |
| uncover-query | STRING | -uncover-query | uncover search query |
| workflow-urls | FILE | -workflow-url | list of workflow urls to run |
| automatic-scan | BOOLEAN | -automatic-scan | automatic web scan using wappalyzer technology detection to tags mapping |
| js-concurrency | STRING | -js-concurrency | maximum number of javascript runtimes to be executed in parallel (default 120) |
| list-templates | BOOLEAN | -tl | list all available templates |
| matcher-status | BOOLEAN | -matcher-status | display match failure status |
| max-host-error | STRING | -max-host-error | max errors for a host before skipping from scan (default 30) |
| proxy-internal | BOOLEAN | -proxy-internal | proxy all internal requests |
| stats-interval | STRING | -stats-interval | number of seconds to wait between showing a statistics update (default 5) |
| templates-list | FILE | -templates | list of template to run |
| uncover-engine | STRING | -uncover-engine | uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas) (default shodan) |
| workflows-list | FILE | -workflows | list of workflow or workflow directory to run |
| exclude-id-list | FILE | -exclude-id | templates to exclude based on template ids |
| honeypot-detect | BOOLEAN | -honeypot-detect | detect potential honeypot hosts based on match concentration |
| show-match-line | BOOLEAN | -show-match-line | show match lines for file templates, works with extractors only |
| tls-impersonate | BOOLEAN | -tls-impersonate | enable experimental client hello (ja3) tls randomization |
| exclude-matchers | STRING | -exclude-matchers | template matchers to exclude in result |
| exclude-severity | STRING | -exclude-severity | templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown |
| follow-redirects | BOOLEAN | -follow-redirects | enable following redirects for http templates |
| headless-options | STRING | -headless-options | start headless chrome with additional options |
| interactsh-token | STRING | -interactsh-token | authentication token for self-hosted interactsh server |
| no-strict-syntax | BOOLEAN | -no-strict-syntax | Disable strict syntax check on templates |
| prefetch-secrets | BOOLEAN | -prefetch-secrets | prefetch secrets from the secrets file |
| system-resolvers | BOOLEAN | -system-resolvers | use system DNS resolving as error fallback |
| template-id-list | FILE | -template-id | templates to run based on template ids |
| track-error-file | FILE | -track-error | adds given error to max-host-error watchlist |
| dialer-keep-alive | STRING | -dialer-keep-alive | keep-alive duration for network requests. |
| disable-redirects | BOOLEAN | -disable-redirects | disable redirects for http templates |
| display-templates | BOOLEAN | -vv | display templates loaded for scan |
| exclude-tags-list | FILE | -exclude-tags | templates to exclude based on tags |
| exclude-templates | STRING | -exclude-templates | template or template directory to exclude (comma-separated) |
| include-tags-list | FILE | -include-tags | tags to be executed even if they are excluded either by default or configuration |
| include-templates | STRING | -include-templates | templates to be executed even if they are excluded either by default or configuration |
| interactsh-server | STRING | -interactsh-server | interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) |
| list-dsl-function | BOOLEAN | -list-dsl-function | list all supported DSL function signatures |
| rate-limit-minute | STRING | -rate-limit-minute | maximum number of requests to send per minute |
| suppress-honeypot | BOOLEAN | -suppress-honeypot | suppress output for flagged honeypot hosts |
| templates-version | BOOLEAN | -templates-version | shows the version of the installed nuclei-templates |
| uncover-ratelimit | STRING | -uncover-ratelimit | override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60) |
| disable-clustering | BOOLEAN | -disable-clustering | disable clustering of requests |
| headless-bulk-size | STRING | -headless-bulk-size | maximum number of headless hosts to be analyzed in parallel per template (default 10) |
| honeypot-threshold | STRING | -honeypot-threshold | number of distinct template IDs required to flag a honeypot host (default 15) |
| input-read-timeout | STRING | -input-read-timeout | timeout on input read (default 3m0s) |
| response-size-read | STRING | -response-size-read | max response size to read in bytes (default 10485760) |
| response-size-save | STRING | -response-size-save | max response size to read in bytes (default 1048576) |
| template-condition | STRING | -template-condition | templates to run based on expression condition |
| template-directory | STRING | -templates | template directory to run |
| leave-default-ports | BOOLEAN | -leave-default-ports | leave default HTTP/HTTPS ports (eg. host:80,host:443 |
| payload-concurrency | STRING | -payload-concurrency | max payload concurrency for each template (default 25) |
| stop-at-first-match | BOOLEAN | -stop-at-first-match | stop processing HTTP requests after the first match (may break template/workflow logic) |
| disable-update-check | BOOLEAN | -disable-update-check | disable automatic nuclei/templates update check |
| headless-concurrency | STRING | -headless-concurrency | maximum number of headless templates to be executed in parallel (default 10) |
| list-headless-action | BOOLEAN | -list-headless-action | list available headless actions |
| exclude-matchers-list | FILE | -exclude-matchers | template matchers to exclude in result |
| follow-host-redirects | BOOLEAN | -follow-host-redirects | follow redirects on the same host |
| interactions-eviction | STRING | -interactions-eviction | number of seconds to wait before evicting requests from cache (default 60) |
| new-templates-version | STRING | -new-templates-version | run new templates added in specific version |
| exclude-templates-list | FILE | -exclude-templates | template or template directory to exclude |
| include-templates-list | FILE | -include-templates | templates to be executed even if they are excluded either by default or configuration |
| allow-local-file-access | BOOLEAN | -allow-local-file-access | allows file (payload) access anywhere on the system |
| interactions-cache-size | STRING | -interactions-cache-size | number of requests to keep in the interactions cache (default 5000) |
| interactions-poll-duration | STRING | -interactions-poll-duration | number of seconds to wait before each interaction poll request (default 5) |
| interactions-cooldown-period | STRING | -interactions-cooldown-period | extra time for interaction polling before exiting (default 5) |
| template-loading-concurrency | STRING | -template-loading-concurrency | maximum number of concurrent template loading operations |
| restrict-local-network-access | BOOLEAN | -restrict-local-network-access | blocks connections to the local / private network |
example
# scan a host list with CVE templates at high severity, JSONL outputnuclei -list hosts.txt -tags cve -severity critical,high -rate-limit 150 -jsonl -o findings.jsonl[tech-detect:nginx] [http] [info] https://app.example.com[waf-detect:cloudflare] [http] [info] https://app.example.com[http-missing-security-headers] [http] [info] https://app.example.com[tls-version] [ssl] [info] app.example.com:443[apache-detect] [http] [info] https://api.example.com[git-config] [http] [medium] https://example.com/.git/config[CVE-2022-41040] [http] [critical] https://api.example.com/owa[CVE-2021-44228] [http] [critical] https://api.example.com/api/v1guidance
Use nuclei to test a known set of live hosts against known issues. It does not discover hosts, so feed it subfinder and httpx output, and scope runs with tags or severity rather than scanning everything.
Classic web scanner. nuclei is faster, template-driven, and easier to extend.
Another signature scanner. nuclei has the larger template ecosystem.
Active web app scanner that crawls and tests. nuclei tests known hosts against a template library instead.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
Targets are probed by httpx, then nuclei tests the live hosts against its templates and writes findings as a queryable output.
Facts on this page come from the live Trickest tool library.