Nuclei

Nuclei is a fast, template based vulnerability scanner focusing on extensive configurability, massive extensibility and ease of use.

Usage: nuclei [flags]

Options

Target

Option	Description
`-u`, `-target string[]`	target URLs/hosts to scan
`-l`, `-list string`	path to file containing a list of target URLs/hosts to scan (one per line)
`-eh`, `-exclude-hosts string[]`	hosts to exclude from the input list (IP, CIDR, hostname)
`-resume string`	resume scan using `resume.cfg` (clustering will be disabled)
`-sa`, `-scan-all-ips`	scan all the IPs associated with a DNS record
`-iv`, `-ip-version string[]`	IP version to scan of hostname (4,6) – default is 4

Target-Format

Option	Description
`-im`, `-input-mode string`	mode of input file (`list`, `burp`, `jsonl`, `yaml`, `openapi`, `swagger`) (default `"list"`)
`-ro`, `-required-only`	use only required fields in input format when generating requests
`-sfv`, `-skip-format-validation`	skip format validation (like missing vars) when parsing input file

Templates

Option	Description
`-nt`, `-new-templates`	run only new templates added in latest nuclei-templates release
`-ntv`, `-new-templates-version string[]`	run new templates added in specific version
`-as`, `-automatic-scan`	automatic web scan using Wappalyzer technology detection to tags mapping
`-t`, `-templates string[]`	list of template or template directory to run (comma-separated, file)
`-turl`, `-template-url string[]`	template URL or list containing template URLs to run (comma-separated, file)
`-ai`, `-prompt string`	generate and run template using AI prompt
`-w`, `-workflows string[]`	list of workflow or workflow directory to run (comma-separated, file)
`-wurl`, `-workflow-url string[]`	workflow URL or list containing workflow URLs to run (comma-separated, file)
`-validate`	validate the passed templates to nuclei
`-nss`, `-no-strict-syntax`	disable strict syntax check on templates
`-td`, `-template-display`	displays the templates content
`-tl`	list all available templates
`-tgl`	list all available tags
`-sign`	signs the templates with the private key defined in `NUCLEI_SIGNATURE_PRIVATE_KEY` environment variable
`-code`	enable loading code protocol-based templates
`-dut`, `-disable-unsigned-templates`	disable running unsigned templates or templates with mismatched signature
`-esc`, `-enable-self-contained`	enable loading self-contained templates
`-egm`, `-enable-global-matchers`	enable loading global matchers templates
`-file`	enable loading file templates

Filtering

Option	Description
`-a`, `-author string[]`	templates to run based on authors (comma-separated, file)
`-tags string[]`	templates to run based on tags (comma-separated, file)
`-etags`, `-exclude-tags string[]`	templates to exclude based on tags (comma-separated, file)
`-itags`, `-include-tags string[]`	tags to be executed even if they are excluded either by default or configuration
`-id`, `-template-id string[]`	templates to run based on template IDs (comma-separated, file, allow-wildcard)
`-eid`, `-exclude-id string[]`	templates to exclude based on template IDs (comma-separated, file)
`-it`, `-include-templates string[]`	path to template file or directory to be executed even if they are excluded either by default or configuration
`-et`, `-exclude-templates string[]`	path to template file or directory to exclude (comma-separated, file)
`-em`, `-exclude-matchers string[]`	template matchers to exclude in result
`-s`, `-severity value[]`	templates to run based on severity. Possible values: `info`, `low`, `medium`, `high`, `critical`, `unknown`
`-es`, `-exclude-severity value[]`	templates to exclude based on severity. Possible values: `info`, `low`, `medium`, `high`, `critical`, `unknown`
`-pt`, `-type value[]`	templates to run based on protocol type. Possible values: `dns`, `file`, `http`, `headless`, `tcp`, `workflow`, `ssl`, `websocket`, `whois`, `code`, `javascript`
`-ept`, `-exclude-type value[]`	templates to exclude based on protocol type. Possible values: `dns`, `file`, `http`, `headless`, `tcp`, `workflow`, `ssl`, `websocket`, `whois`, `code`, `javascript`
`-tc`, `-template-condition string[]`	templates to run based on expression condition

Output

Option	Description
`-o`, `-output string`	output file to write found issues/vulnerabilities
`-sresp`, `-store-resp`	store all request/response passed through nuclei to output directory
`-srd`, `-store-resp-dir string`	store all request/response passed through nuclei to custom directory (default `"output"`)
`-silent`	display findings only
`-nc`, `-no-color`	disable output content coloring (ANSI escape codes)
`-j`, `-jsonl`	write output in JSONL(ines) format
`-irr`, `-include-rr`, `-omit-raw`	include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED: use `-omit-raw`] (default `true`)
`-or`, `-omit-raw`	omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
`-ot`, `-omit-template`	omit encoded template in the JSON, JSONL output
`-nm`, `-no-meta`	disable printing result metadata in CLI output
`-ts`, `-timestamp`	enables printing timestamp in CLI output
`-rdb`, `-report-db string`	nuclei reporting database (always use this to persist report data)
`-ms`, `-matcher-status`	display match failure status
`-me`, `-markdown-export string`	directory to export results in Markdown format
`-se`, `-sarif-export string`	file to export results in SARIF format
`-je`, `-json-export string`	file to export results in JSON format
`-jle`, `-jsonl-export string`	file to export results in JSONL(ine) format
`-rd`, `-redact string[]`	redact given list of keys from query parameter, request header and body

Configurations

Option	Description
`-config string`	path to the nuclei configuration file
`-tp`, `-profile string`	template profile config file to run
`-tpl`, `-profile-list`	list community template profiles
`-fr`, `-follow-redirects`	enable following redirects for HTTP templates
`-fhr`, `-follow-host-redirects`	follow redirects on the same host
`-mr`, `-max-redirects int`	max number of redirects to follow for HTTP templates (default `10`)
`-dr`, `-disable-redirects`	disable redirects for HTTP templates
`-rc`, `-report-config string`	nuclei reporting module configuration file
`-H`, `-header string[]`	custom header/cookie to include in all HTTP requests in `header:value` format (CLI or file)
`-V`, `-var value`	custom vars in `key=value` format
`-r`, `-resolvers string`	file containing resolver list for nuclei
`-sr`, `-system-resolvers`	use system DNS resolving as error fallback
`-dc`, `-disable-clustering`	disable clustering of requests
`-passive`	enable passive HTTP response processing mode
`-fh2`, `-force-http2`	force HTTP/2 connection on requests
`-ev`, `-env-vars`	enable environment variables to be used in template
`-cc`, `-client-cert string`	client certificate file (PEM-encoded) used for authenticating against scanned hosts
`-ck`, `-client-key string`	client key file (PEM-encoded) used for authenticating against scanned hosts
`-ca`, `-client-ca string`	client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
`-sml`, `-show-match-line`	show match lines for file templates, works with extractors only
`-ztls`	use ZTLS library with autofallback to standard one for TLS 1.3 [Deprecated] — autofallback to ZTLS is enabled by default
`-sni string`	TLS SNI hostname to use (default: input domain name)
`-dka`, `-dialer-keep-alive value`	keep-alive duration for network requests
`-lfa`, `-allow-local-file-access`	allows file (payload) access anywhere on the system
`-lna`, `-restrict-local-network-access`	blocks connections to the local/private network
`-i`, `-interface string`	network interface to use for network scan
`-at`, `-attack-type string`	type of payload combinations to perform (`batteringram`, `pitchfork`, `clusterbomb`)
`-sip`, `-source-ip string`	source IP address to use for network scan
`-rsr`, `-response-size-read int`	max response size to read in bytes
`-rss`, `-response-size-save int`	max response size to save in bytes (default `1048576`)
`-reset`	reset removes all nuclei configuration and data files (including `nuclei-templates`)
`-tlsi`, `-tls-impersonate`	enable experimental client hello (JA3) TLS randomization
`-hae`, `-http-api-endpoint string`	experimental HTTP API endpoint

INTERACTSH

Option	Description
`-iserver`, `-interactsh-server string`	Interactsh server URL for self-hosted instance (default: `oast.pro`, `oast.live`, `oast.site`, `oast.online`, `oast.fun`, `oast.me`)
`-itoken`, `-interactsh-token string`	Authentication token for self-hosted Interactsh server
`-interactions-cache-size int`	Number of requests to keep in the interactions cache (default `5000`)
`-interactions-eviction int`	Number of seconds to wait before evicting requests from cache (default `60`)
`-interactions-poll-duration int`	Number of seconds to wait before each interaction poll request (default `5`)
`-interactions-cooldown-period int`	Extra time for interaction polling before exiting (default `5`)
`-ni`, `-no-interactsh`	Disable Interactsh server for OAST testing, exclude OAST-based templates

Fuzzing

Option	Description
`-ft`, `-fuzzing-type string`	overrides fuzzing type set in template (`replace`, `prefix`, `postfix`, `infix`)
`-fm`, `-fuzzing-mode string`	overrides fuzzing mode set in template (`multiple`, `single`)
`-fuzz`	enable loading fuzzing templates (Deprecated: use `-dast` instead)
`-dast`	enable / run DAST (fuzz) nuclei templates
`-dts`, `-dast-server`	enable DAST server mode (live fuzzing)
`-dtr`, `-dast-report`	write DAST scan report to file
`-dtst`, `-dast-server-token string`	DAST server token (optional)
`-dtsa`, `-dast-server-address string`	DAST server address (default `"localhost:9055"`)
`-dfp`, `-display-fuzz-points`	display fuzz points in the output for debugging
`-fuzz-param-frequency int`	frequency of uninteresting parameters for fuzzing before skipping (default `10`)
`-fa`, `-fuzz-aggression string`	fuzzing aggression level controls payload count for fuzz (`low`, `medium`, `high`) (default `"low"`)
`-cs`, `-fuzz-scope string[]`	in-scope URL regex to be followed by fuzzer
`-cos`, `-fuzz-out-scope string[]`	out-of-scope URL regex to be excluded by fuzzer

Uncover

Option	Description
`-uc`, `-uncover`	enable uncover engine
`-uq`, `-uncover-query string[]`	uncover search query
`-ue`, `-uncover-engine string[]`	uncover search engine (`shodan`, `censys`, `fofa`, `shodan-idb`, `quake`, `hunter`, `zoomeye`, `netlas`, `criminalip`, `publicwww`, `hunterhow`, `google`, `odin`, `binaryedge`, `onyphe`, `driftnet`) (default `shodan`)
`-uf`, `-uncover-field string`	uncover fields to return (`ip`, `port`, `host`) (default `"ip:port"`)
`-ul`, `-uncover-limit int`	uncover results to return (default `100`)
`-ur`, `-uncover-ratelimit int`	override ratelimit of engines with unknown ratelimit (default 60 req/min) (default `60`)

Ratelimit

Option	Description
`-rl`, `-rate-limit int`	maximum number of requests to send per second (default `150`)
`-rld`, `-rate-limit-duration value`	maximum number of requests to send per second duration window (default `1s`)
`-rlm`, `-rate-limit-minute int`	maximum number of requests to send per minute (DEPRECATED)
`-bs`, `-bulk-size int`	maximum number of hosts to be analyzed in parallel per template (default `25`)
`-c`, `-concurrency int`	maximum number of templates to be executed in parallel (default `25`)
`-hbs`, `-headless-bulk-size int`	maximum number of headless hosts to be analyzed in parallel per template (default `10`)
`-headc`, `-headless-concurrency int`	maximum number of headless templates to be executed in parallel (default `10`)
`-jsc`, `-js-concurrency int`	maximum number of JavaScript runtimes to be executed in parallel (default `120`)
`-pc`, `-payload-concurrency int`	max payload concurrency for each template (default `25`)
`-prc`, `-probe-concurrency int`	HTTP probe concurrency with httpx (default `50`)

Optimizations

Option	Description
`-timeout int`	time to wait in seconds before timeout (default `10`)
`-retries int`	number of times to retry a failed request (default `1`)
`-ldp`, `-leave-default-ports`	leave default HTTP/HTTPS ports (e.g. host:80, host:443)
`-mhe`, `-max-host-error int`	max errors for a host before skipping from scan (default `30`)
`-te`, `-track-error string[]`	adds given error to max-host-error watchlist (standard, file)
`-nmhe`, `-no-mhe`	disable skipping host from scan based on errors
`-project`	use a project folder to avoid sending same request multiple times
`-project-path string`	set a specific project path (default `"/tmp"`)
`-spm`, `-stop-at-first-match`	stop processing HTTP requests after the first match (may break template/workflow logic)
`-stream`	stream mode - start elaborating without sorting the input
`-ss`, `-scan-strategy value`	strategy to use while scanning (`auto`/`host-spray`/`template-spray`) (default `auto`)
`-irt`, `-input-read-timeout value`	timeout on input read (default `3m0s`)
`-nh`, `-no-httpx`	disable httpx probing for non-url input
`-no-stdin`	disable stdin processing

Headless

Option	Description
`-headless`	enable templates that require headless browser support (root user on Linux will disable sandbox)
`-page-timeout int`	seconds to wait for each page in headless mode (default `20`)
`-sb`, `-show-browser`	show the browser on the screen when running templates with headless mode
`-ho`, `-headless-options string[]`	start headless chrome with additional options
`-sc`, `-system-chrome`	use locally installed Chrome browser instead of nuclei installed
`-lha`, `-list-headless-action`	list available headless actions

Debug

Option	Description
`-debug`	show all requests and responses
`-dreq`, `-debug-req`	show all sent requests
`-dresp`, `-debug-resp`	show all received responses
`-p`, `-proxy string[]`	list of http/socks5 proxy to use (comma separated or file input)
`-pi`, `-proxy-internal`	proxy all internal requests
`-ldf`, `-list-dsl-function`	list all supported DSL function signatures
`-tlog`, `-trace-log string`	file to write sent requests trace log
`-elog`, `-error-log string`	file to write sent requests error log
`-version`	show nuclei version
`-hm`, `-hang-monitor`	enable nuclei hang monitoring
`-v`, `-verbose`	show verbose output
`-profile-mem string`	generate memory (heap) profile & trace files
`-vv`	display templates loaded for scan
`-svd`, `-show-var-dump`	show variables dump for debugging
`-vdl`, `-var-dump-limit int`	limit the number of characters displayed in var dump (default `255`)
`-ep`, `-enable-pprof`	enable pprof debugging server
`-tv`, `-templates-version`	shows the version of the installed nuclei-templates
`-hc`, `-health-check`	run diagnostic check up

Update

Option	Description
`-up`, `-update`	update nuclei engine to the latest released version
`-ut`, `-update-templates`	update nuclei-templates to latest released version
`-ud`, `-update-template-dir string`	custom directory to install / update nuclei-templates
`-duc`, `-disable-update-check`	disable automatic nuclei/templates update check

Statistics

Option	Description
`-stats`	display statistics about the running scan
`-sj`, `-stats-json`	display statistics in JSONL(ines) format
`-si`, `-stats-interval int`	number of seconds to wait between showing a statistics update (default `5`)
`-mp`, `-metrics-port int`	port to expose nuclei metrics on (default `9092`)
`-hps`, `-http-stats`	enable http status capturing (experimental)

Cloud

Option	Description
`-auth`	configure ProjectDiscovery Cloud (pdcp) API key (default `true`)
`-tid`, `-team-id string`	upload scan results to given team id (optional) (default `"none"`)
`-cup`, `-cloud-upload`	upload scan results to pdcp dashboard [DEPRECATED use `-dashboard`]
`-sid`, `-scan-id string`	upload scan results to existing scan id (optional)
`-sname`, `-scan-name string`	scan name to set (optional)
`-pd`, `-dashboard`	upload / view nuclei results in ProjectDiscovery Cloud (pdcp) UI dashboard
`-pdu`, `-dashboard-upload string`	upload / view nuclei results file (jsonl) in ProjectDiscovery Cloud (pdcp) UI dashboard

Authentification

Option	Description
`-sf`, `-secret-file string[]`	path to config file containing secrets for nuclei authenticated scan
`-ps`, `-prefetch-secrets`	prefetch secrets from the secrets file

Examples

Run nuclei on single host:

$ nuclei -target example.com

Run nuclei with specific template directories:

$ nuclei -target example.com -t http/cves/ -t ssl

Run nuclei against a list of hosts:

$ nuclei -list hosts.txt

Run nuclei with a JSON output:

$ nuclei -target example.com -json-export output.json

Run nuclei with sorted Markdown outputs (with environment variables):

$ MARKDOWN_EXPORT_SORT_MODE=template nuclei -target example.com -markdown-export nuclei_report/

Additional documentation is available at: https://docs.nuclei.sh/getting-started/running

Nuclei Templates

Nuclei templates define the structure and logic for performing security checks and scans. They are YAML-based files that describe how Nuclei interacts with targets, specifying requests, matching rules, and workflow controls. A large collection of templates can be found here.

Template Structure

A typical Nuclei template consists of the following key sections:

id: Unique identifier for the template.
info: Metadata about the template such as name, author, severity, and tags.
requests: Defines one or more HTTP (or other protocol) requests to perform.
matchers: Conditions to identify successful detections.
extractors: Optional fields to extract specific data from responses.
variables: Custom variables for dynamic behavior.
workflow: (optional) Defines multi-step interactions or dependent requests.

Example:

id: nginx-status
 
info:
  name: Nginx Status Page
  author: dhiyaneshDK
  severity: info
  metadata:
    max-request: 2
  tags: misconfig,nginx,status
 
http:
  - method: GET
    path:
      - "{{BaseURL}}/nginx_status"
      - "{{BaseURL}}/nginx-status"
 
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Active connections:'
 
      - type: status
        status:
          - 200
# digest: 4b0a00483046022100dcf1bf9040c63ef1587fcbde9f47b98e53284fbfedb819a0f1e89ec12f2e7cce0221008cd908eb9e96d5faa7f1b0056fd22a3c929a9af5b520776640021a22c7c530e8:922c64590222798bb761d5b6d8e72950

Knowledge Base

Explorer

nuclei