Nuclei

Category: DAST
License: Free (Open-Source)
Suphi Cankurt
AppSec Enthusiast
Updated February 20, 2026
Key Takeaways
  • Template-based vulnerability scanner with 26,900+ GitHub stars and 12,000+ community YAML templates covering CVEs, misconfigurations, and default credentials.
  • Scans across HTTP, DNS, TCP, SSL, Websocket, and headless browser protocols; default rate limit of 150 req/sec with configurable concurrency.
  • New CVE templates often appear within hours of public disclosure; AI-powered template generation creates YAML checks from natural language descriptions.
  • MIT licensed, written in Go; outputs to JSON, SARIF, and Markdown with integrations for Jira, GitHub Issues, Elasticsearch, and Splunk.

Nuclei is a template-based vulnerability scanner built by ProjectDiscovery. You write (or download) YAML templates that describe what to check, point Nuclei at your targets, and it fires off the requests. If the response matches the template conditions, it reports a finding.

[Image: Nuclei scan output showing detected vulnerabilities with severity levels]

The project has 26,900+ GitHub stars, 3,100+ forks, and 210+ contributors. Written in Go (96% of the codebase), MIT licensed. The community maintains 12,000+ templates covering CVEs, misconfigurations, exposures, and default credentials.

Feature            | Details
Language           | Go (96%)
License            | MIT
Templates          | 12,000+ community-maintained
Protocols          | HTTP, DNS, TCP, SSL, File, Whois, Websocket, Headless
Default rate limit | 150 requests/second
Concurrency        | 25 parallel hosts, 25 parallel templates
Request timeout    | 10 seconds (configurable)
Output formats     | JSON, JSONL, SARIF, Markdown, plain text
Docker image       | projectdiscovery/nuclei
Go requirement     | 1.24.2+

What is Nuclei?

Nuclei takes a different approach from traditional DAST tools. Instead of crawling an application and probing for vulnerabilities automatically, it runs specific checks defined in YAML templates. Each template describes exactly what request to send and what response pattern indicates a problem.

This template-driven design means two things. First, false positives drop to near zero because you are matching against specific, known conditions. Second, the community can contribute templates for new CVEs within hours of disclosure. The NIST National Vulnerability Database tracks over 200,000 CVEs, and Nuclei’s template library covers a growing subset of them.

[Image: Nuclei architecture showing template processing flow from input to detection]

The 12,000+ templates in the official repository cover:

  • Known CVEs with specific version checks
  • Server misconfigurations and default credentials
  • Exposed admin panels and debug endpoints
  • SSL/TLS issues and weak configurations
  • DNS misconfigurations and zone transfer vulnerabilities
  • Technology detection and fingerprinting

Templates vs. Crawling
Nuclei does not crawl your application looking for forms to inject. It runs predefined checks. This makes it fast and precise for known issues, but it will not find custom application logic flaws. For unknown vulnerability discovery, pair Nuclei with a crawling DAST tool such as ZAP (or with Nikto for server-level checks). See our DAST overview for more on dynamic testing approaches.

Key features

YAML Template DSL
Each template defines the protocol, request, matchers, and extractors in plain YAML. Easy to read, easy to version-control. Supports dynamic variables and conditional logic.
Multi-Protocol Support
Scans across HTTP, DNS, TCP, SSL/TLS, File, Whois, Websocket, and headless browser. Test web apps, APIs, network services, and DNS configurations with the same tool.
12,000+ Community Templates
Maintained by 210+ security researchers. New CVE templates often appear within hours of public disclosure. Filter by tags, severity, author, or custom conditions.
AI Template Generation
Generate templates from natural language descriptions using the -ai flag. Describe what you want to check and Nuclei creates the YAML template for you.
Performance Tuning
Default 150 req/sec rate limit with configurable concurrency (25 parallel hosts, 25 parallel templates). Request clustering groups similar requests to reduce total traffic.
Reporting Integrations
Push results to Jira, GitHub, GitLab, Elasticsearch, Splunk, and MongoDB. Built-in deduplication via report database prevents duplicate tickets.

Installation

# Go (requires 1.24.2+)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Homebrew (macOS)
brew install nuclei

# Docker
docker pull projectdiscovery/nuclei:latest

# From source
git clone https://github.com/projectdiscovery/nuclei.git
cd nuclei/cmd/nuclei
go build
mv nuclei /usr/local/bin/
nuclei -version

Templates download automatically on first run to ~/.config/nuclei/.

Usage

Basic scanning

# Scan a single target with all templates
nuclei -u https://example.com

# Scan a list of targets
nuclei -l urls.txt

# Filter by severity
nuclei -u https://example.com -severity high,critical

# Filter by tags
nuclei -u https://example.com -tags cve,exposure

# Use specific templates
nuclei -u https://example.com -t cves/ -t misconfigurations/

Output options

# JSON output
nuclei -u https://example.com -j -o results.json

# SARIF for GitHub Security
nuclei -u https://example.com -se results.sarif

# Markdown report
nuclei -u https://example.com -me report/

# Upload to ProjectDiscovery Cloud
nuclei -u https://example.com -pd

Advanced filtering

# Template condition expressions
nuclei -tc "contains(id,'xss') || contains(tags,'ssrf')"

# Exclude specific templates
nuclei -u https://example.com -exclude-tags dos

# Rate limiting
nuclei -u https://example.com -rl 50 -bs 10 -c 10

Start Narrow
Running all 12,000+ templates against a target generates a lot of traffic. Start with specific tags like -tags cve,critical and widen the scope as needed. Use -rl to stay within acceptable rate limits.

Integrations

Issue Tracking & SIEM
  • Jira
  • GitHub Issues
  • GitLab Issues
  • Elasticsearch
  • Splunk
  • MongoDB

Cloud Platform (Paid)
  • ProjectDiscovery Cloud
  • AWS
  • GCP
  • Azure
  • Cloudflare

Getting started

1. Install Nuclei — Use go install, brew install nuclei, or Docker. Templates download automatically on first run.
2. Run your first scan — nuclei -u https://your-target.com -tags cve checks for known CVEs. Results print to the terminal with severity and template ID.
3. Filter and tune — Use -severity, -tags, and -exclude-tags to control what runs. Set -rl for rate limiting if needed.
4. Export results — Output as JSON, SARIF, or Markdown. Push to Jira or GitHub Issues with a reporting config file.

Writing custom templates

id: custom-admin-panel
info:
  name: Custom Admin Panel Detection
  author: your-name
  severity: info
  tags: exposure,admin

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin"
      - "{{BaseURL}}/admin/login"
    # Require both matchers. With "or", the bare 200 status matcher alone
    # would flag every host that answers 200 for unknown paths (SPAs,
    # catch-all routes), so the template would fire on almost anything.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Admin Login"
          - "Administration Panel"
      - type: status
        status:
          - 200

Save as .yaml in your templates directory and run with -t path/to/template.yaml.
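To see why the matchers-condition matters for the template above, here is an added example (not Nuclei's code) that models the word and status matcher subset with the documented and/or semantics and evaluates both variants of the admin-panel template against constructed responses. The template is written as Python dicts mirroring the YAML structure, and the responses (a real panel, an SPA that returns 200 for every path, an auth wall, a 404) are invented for the illustration.

```python
from dataclasses import dataclass


# Constructed model of an HTTP response; only the fields the matchers need.
@dataclass
class Response:
    status: int
    body: str


def word_matches(matcher, resp):
    """Word matcher: fires when listed words appear in the body.
    The default condition across the words is "or" (any one word suffices)."""
    hits = [w in resp.body for w in matcher["words"]]
    return all(hits) if matcher.get("condition", "or") == "and" else any(hits)


def status_matches(matcher, resp):
    """Status matcher: fires when the response code is in the listed set."""
    return resp.status in matcher["status"]


MATCHER_TYPES = {"word": word_matches, "status": status_matches}


def evaluate(request_block, resp):
    """Run every matcher in one http request block and combine the results
    with matchers-condition (default "or", the same default Nuclei uses)."""
    results = [MATCHER_TYPES[m["type"]](m, resp) for m in request_block["matchers"]]
    combine = request_block.get("matchers-condition", "or")
    return all(results) if combine == "and" else any(results)


# The custom-admin-panel template's matchers, as dicts instead of YAML
# (assumption: same structure as the YAML template above).
ADMIN_MATCHERS = [
    {"type": "word", "words": ["Admin Login", "Administration Panel"]},
    {"type": "status", "status": [200]},
]
TEMPLATE_OR = {"matchers-condition": "or", "matchers": ADMIN_MATCHERS}
TEMPLATE_AND = {"matchers-condition": "and", "matchers": ADMIN_MATCHERS}

# Constructed responses to GET /admin on four different hosts.
RESPONSES = {
    "real panel":    Response(200, "<title>Admin Login</title>"),
    "spa catch-all": Response(200, '<div id="app"></div>'),   # 200 for any path
    "auth wall":     Response(401, "Admin Login required"),   # words present, wrong status
    "not found":     Response(404, "Not found"),
}


def compare(resp):
    """Return (fired with 'or', fired with 'and') for one response."""
    return evaluate(TEMPLATE_OR, resp), evaluate(TEMPLATE_AND, resp)


if __name__ == "__main__":
    for name, resp in RESPONSES.items():
        fired_or, fired_and = compare(resp)
        print(f"{name:14s} status={resp.status}  or={fired_or}  and={fired_and}")
```

With "or", the SPA catch-all and the auth wall both count as findings; only "and" limits the match to a 200 page that actually carries the admin-login text.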

When to use Nuclei

Nuclei is the right pick when you need to check a large number of targets for known vulnerabilities quickly. Its template system means you are not relying on a scanner’s built-in detection logic — you can see exactly what each check does and modify it.

It fills a different role than crawling DAST tools. Nuclei tells you “this target has CVE-2024-XXXX” or “this server exposes a default admin panel.” It does not discover new, unknown vulnerabilities in your application code.

For a complete testing workflow, run Nuclei alongside a crawling scanner. Nuclei handles known issues fast; the crawling tool finds application-specific flaws.

Frequently Asked Questions

What is Nuclei and how does it work?
Nuclei is an open-source vulnerability scanner by ProjectDiscovery that uses YAML templates to define what to check and how to detect it. You point it at targets and pick templates. It sends requests based on those definitions and matches responses against expected patterns. Supports HTTP, DNS, TCP, SSL, Websocket, and headless browser protocols.
Is Nuclei free?
Yes. Nuclei is MIT licensed and completely free. The CLI, all 12,000+ community templates, and the Go source code are open-source. ProjectDiscovery offers a paid cloud platform for teams that want managed scanning, collaboration, and reporting features.
How does Nuclei compare to ZAP?
ZAP is a full DAST proxy that crawls applications and tests them interactively. Nuclei is template-driven — it runs predefined checks against targets. Nuclei is faster for known vulnerability detection and easier to customize with YAML templates. ZAP provides deeper crawling and better authenticated scanning out of the box.
Can Nuclei run in CI/CD pipelines?
Yes. Nuclei is a single Go binary. Add it to any CI/CD workflow, filter templates by tags (cve, exposure, misconfiguration), and output as JSON or SARIF to fail builds or feed issue trackers. Docker image available as projectdiscovery/nuclei.
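As an added example of the "fail builds" step (this is not part of Nuclei or ProjectDiscovery's tooling), the script below reads the JSON-lines file written by nuclei -j -o results.json, drops duplicate findings, tallies them by severity and returns a non-zero exit code when anything at or above a threshold severity is present. The field names template-id, matched-at, matcher-name and info.severity are the ones Nuclei emits in its JSON output; the sample lines, template ids and hostnames are constructed for the illustration.

```python
import json
import sys
from collections import Counter

SEVERITY_RANK = {"unknown": -1, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of Nuclei JSONL output: four findings, one duplicated,
# plus a truncated line such as a killed scan can leave behind.
SAMPLE_JSONL = """\
{"template-id":"custom-admin-panel","info":{"name":"Custom Admin Panel Detection","severity":"info"},"type":"http","host":"https://staging.example.com","matched-at":"https://staging.example.com/admin/login"}
{"template-id":"example-debug-endpoint","info":{"name":"Debug endpoint exposed (constructed)","severity":"high"},"type":"http","host":"https://staging.example.com","matched-at":"https://staging.example.com/debug"}
{"template-id":"example-debug-endpoint","info":{"name":"Debug endpoint exposed (constructed)","severity":"high"},"type":"http","host":"https://staging.example.com","matched-at":"https://staging.example.com/debug"}
{"template-id":"example-weak-tls","info":{"name":"Weak TLS configuration (constructed)","severity":"medium"},"type":"ssl","host":"staging.example.com:443","matched-at":"staging.example.com:443"}
{"template-id":"example-trunc
"""


def load_findings(jsonl_text):
    """Parse JSON-lines output; skip malformed lines and drop exact duplicates."""
    seen, findings = set(), []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            print(f"line {lineno}: not valid JSON, skipped", file=sys.stderr)
            continue
        key = (rec.get("template-id"), rec.get("matched-at"), rec.get("matcher-name"))
        if key in seen:
            continue
        seen.add(key)
        findings.append(rec)
    return findings


def severity_of(rec):
    return str(rec.get("info", {}).get("severity", "unknown")).lower()


def severity_counts(findings):
    return Counter(severity_of(f) for f in findings)


def findings_at_or_above(findings, threshold):
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(severity_of(f), -1) >= floor]


def gate(findings, threshold="high"):
    """Print a summary and return the exit code for the CI job."""
    print("findings by severity:", dict(severity_counts(findings)))
    blocking = findings_at_or_above(findings, threshold)
    for f in blocking:
        print(f"[{severity_of(f)}] {f.get('template-id')} at {f.get('matched-at')}")
    return 1 if blocking else 0


def main(path, threshold="high"):
    with open(path, encoding="utf-8") as fh:
        return gate(load_findings(fh.read()), threshold)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python gate.py results.json [threshold]
        sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "high"))
    sys.exit(gate(load_findings(SAMPLE_JSONL), "high"))  # demo on the constructed sample
```

Deduplicating on (template-id, matched-at, matcher-name) mirrors what a tracker integration would otherwise do for you, so the same finding from a re-run does not fail the build twice with different counts.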
How do I write custom Nuclei templates?
Templates are YAML files that define the request, matchers, and extractors. You specify the protocol, path, method, headers, and body, then define conditions that indicate a vulnerability. Nuclei also supports AI-powered template generation from natural language descriptions using the -ai flag.