Ethical Hacking #nuclei #vulnerability scanner #bug bounty

Nuclei Vulnerability Scanner: Complete Tutorial for 2026

Master Nuclei, the template-based vulnerability scanner used by bug bounty hunters and pentesters worldwide.


Nuclei is an open-source, template-based vulnerability scanner from ProjectDiscovery that has become indispensable in modern security testing. Unlike traditional scanners that run fixed checks, Nuclei uses YAML templates — community-written rules that define exactly what to detect and how. With thousands of templates covering CVEs, misconfigurations, exposed panels, and more, Nuclei can scan a target and surface actionable findings within minutes.

Installation

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Ensure ~/go/bin is in your PATH:

echo 'export PATH=$PATH:~/go/bin' >> ~/.bashrc && source ~/.bashrc

Binary Download

wget https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip
unzip nuclei_linux_amd64.zip && mv nuclei /usr/local/bin/

Update Templates

nuclei -update-templates

Templates are stored in ~/.local/nuclei-templates/ and maintained by the community at github.com/projectdiscovery/nuclei-templates.

Basic Usage

Scan a single target with all default templates:

nuclei -u https://target.com

Scan multiple targets from a file:

nuclei -l targets.txt

Save output to a file:

nuclei -u https://target.com -o results.txt

Filtering by Severity and Tags

Run only critical and high severity templates:

nuclei -u https://target.com -severity critical,high

Run templates tagged with cve or misconfig:

nuclei -u https://target.com -tags cve
nuclei -u https://target.com -tags misconfig,exposure

Exclude certain tags (useful to skip noisy checks):

nuclei -u https://target.com -exclude-tags dos,fuzz

Template Categories

Nuclei templates are organized into directories:

Directory            Description
cves/                CVE-specific detections
exposures/           Exposed files, configs, APIs
misconfiguration/    Insecure headers, CORS, etc.
technologies/        Technology fingerprinting
default-logins/      Default credential checks
takeovers/           Subdomain takeover detection
fuzzing/             Parameter fuzzing
network/             Network/port-based checks

Run a specific directory:

nuclei -u https://target.com -t misconfiguration/
nuclei -u https://target.com -t cves/2024/

Practical Bug Bounty Workflow

A typical bug bounty recon-to-scan pipeline:

# 1. Find subdomains
subfinder -d target.com -o subdomains.txt

# 2. Check which are alive with httpx
httpx -l subdomains.txt -o alive.txt

# 3. Run Nuclei on live targets
nuclei -l alive.txt -severity critical,high,medium -o nuclei_results.txt

All three tools (subfinder, httpx, nuclei) are from ProjectDiscovery and integrate seamlessly.

Running Specific CVE Templates

Check a target for a specific CVE:

nuclei -u https://target.com -t cves/2021/CVE-2021-44228.yaml  # Log4Shell
nuclei -u https://target.com -t cves/2023/CVE-2023-44487.yaml  # HTTP/2 Rapid Reset

Check for all Log4j variants:

nuclei -u https://target.com -tags log4j

Custom Templates

Writing a custom template is straightforward. Here’s a basic HTTP template that checks for an exposed .env file:

id: exposed-env-file

info:
  name: Exposed .env File
  author: yourhandle
  severity: high
  description: Detects publicly accessible .env files exposing credentials.
  tags: exposure,config

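http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"
    # Require BOTH matchers below to hit; without this line Nuclei ORs
    # them, and any 200 response would be reported as a finding.
    matchers-condition: and
    matchers:
      # Body must contain at least one of these keys
      - type: word
        part: body
        words:
          - "APP_KEY="
          - "DB_PASSWORD="
        condition: or
      # Response must be a 200
      - type: status
        status:
          - 200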

Save as custom-env-check.yaml and run:

nuclei -u https://target.com -t custom-env-check.yaml
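
Nuclei combines the matchers of a request with OR unless matchers-condition: and is set, so a word matcher and a status matcher listed side by side do not both have to hit. The simplified Python model below is an added example (not Nuclei's code and not from the original post); the function names and the three sample responses are constructed for illustration. It shows which responses the .env check reports under each setting.

```python
# Simplified model of Nuclei matcher combination (illustrative, not Nuclei's code).
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def word_matcher(resp, words, condition="or"):
    """Word matcher: 'or' needs any word in the body, 'and' needs all of them."""
    hits = [w in resp.body for w in words]
    return all(hits) if condition == "and" else any(hits)


def status_matcher(resp, statuses):
    return resp.status in statuses


def template_matches(resp, matchers_condition="or"):
    """Evaluate the .env template's two matchers under a given matchers-condition."""
    results = [
        word_matcher(resp, ["APP_KEY=", "DB_PASSWORD="], condition="or"),
        status_matcher(resp, [200]),
    ]
    return all(results) if matchers_condition == "and" else any(results)


# Constructed sample responses to GET /.env
SAMPLES = {
    "real_leak": Response(200, "APP_NAME=shop\nAPP_KEY=base64:EXAMPLE\nDB_PASSWORD=example\n"),
    "spa_catch_all": Response(200, '<!doctype html><div id="root"></div>'),
    "docs_page_404": Response(404, "<p>Set DB_PASSWORD= in your .env</p>"),
}


def compare():
    """Map sample name -> (matches with default OR, matches with AND)."""
    return {name: (template_matches(r, "or"), template_matches(r, "and"))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15} default(or)={loose!s:5} matchers-condition:and={strict}")
```

Only the real leak survives the AND combination; the catch-all page and the 404 documentation page are false positives under the default.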

Rate Limiting and Stealth

Slow down scanning to avoid detection or respect rate limits:

nuclei -u https://target.com -rate-limit 10 -timeout 5

Use a proxy for traffic analysis:

nuclei -u https://target.com -proxy http://127.0.0.1:8080

PDCP (ProjectDiscovery Cloud Platform)

ProjectDiscovery offers a cloud-hosted version of their tools at cloud.projectdiscovery.io with a free tier. It integrates nuclei, subfinder, httpx, and more with a web UI and scheduled scans.

Output Formats

Nuclei supports multiple output formats:

nuclei -u https://target.com -jsonl -o results.jsonl        # JSON Lines, one finding per line
nuclei -u https://target.com -markdown-export reports/      # takes a directory
nuclei -u https://target.com -sarif-export results.sarif    # takes a file

JSON output is useful for piping into SIEM tools or custom dashboards.
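
Before findings reach a SIEM or dashboard they usually need deduplicating and ordering by severity. The Python sketch below is an added example, not part of the original post or of Nuclei; it assumes line-delimited JSON with the fields template-id, info.name, info.severity, host and matched-at, and the sample lines are constructed.

```python
import json
from collections import Counter

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample output: one duplicate, one truncated line, mixed severities.
SAMPLE_JSONL = "\n".join([
    '{"template-id":"tech-detect","info":{"name":"Tech Detect","severity":"info"},"host":"https://a.example.test","matched-at":"https://a.example.test"}',
    '{"template-id":"exposed-env-file","info":{"name":"Exposed .env File","severity":"high"},"host":"https://a.example.test","matched-at":"https://a.example.test/.env"}',
    '{"template-id":"exposed-env-file","info":{"name":"Exposed .env File","severity":"high"},"host":"https://a.example.test","matched-at":"https://a.example.test/.env"}',
    '{"template-id":"placeholder-critical-check","info":{"name":"Placeholder","severity":"critical"},"host":"https://b.example.test","matched-at":"https://b.example.test/login"}',
    '{"template-id":"cors-misconfig","info":{"name":"CORS Miscon',
])


def parse_findings(text):
    """Return (deduplicated findings sorted by severity, count of unparseable lines)."""
    seen, findings, skipped = set(), [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None  # e.g. a line truncated when the scan was interrupted
        if not isinstance(rec, dict):
            skipped += 1
            continue
        info = rec.get("info") if isinstance(rec.get("info"), dict) else {}
        finding = {
            "template": rec.get("template-id", "unknown"),
            "name": info.get("name", ""),
            "severity": str(info.get("severity", "unknown")).lower(),
            "host": rec.get("host", ""),
            "matched_at": rec.get("matched-at", ""),
        }
        key = (finding["template"], finding["matched_at"])
        if key not in seen:  # same template on the same URL is one finding
            seen.add(key)
            findings.append(finding)
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["host"], f["template"]))
    return findings, skipped


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    findings, skipped = parse_findings(SAMPLE_JSONL)
    for f in findings:
        print(f'{f["severity"]:8} {f["template"]:28} {f["matched_at"]}')
    print(dict(severity_counts(findings)), "skipped lines:", skipped)
```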

Responsible Use

Always run Nuclei only on targets you are authorized to test. In bug bounty programs, check the scope carefully — some programs exclude automated scanner traffic or specific subdomains. Use -rate-limit to be a good citizen on shared infrastructure.

Nuclei is one of the most powerful additions to any security toolkit. Its template ecosystem grows daily, meaning you gain new detection capabilities without updating the tool itself — just run nuclei -update-templates regularly.
