Automated Scanning with Nuclei
Run template-based vulnerability checks across every web service to surface CVEs, misconfigurations, and exposures fast.
By now you have a full inventory: services with versions, live web apps with fingerprinted technologies, and discovered content. Hunting is where you work through that inventory for known weaknesses — fast, broad, and automated first, then manual verification.
This is identification, not exploitation. The output is a list of probable findings, each of which you then confirm by hand (see Evidence & Reporting). Automated scanners produce false positives, so never report a finding you haven’t reproduced.
Run the cheap, broad passes first to triage, then go deep on what they flag:
nuclei (broad) ──┐
searchsploit ────┼──▶ triaged candidate findings ──▶ manual verification ──▶ report
takeover checks ─┘
Then pivot to manual, application-specific testing on the high-value targets the recon screenshots surfaced — login panels, admin consoles, APIs. Automation finds the easy 80%; the findings that actually matter usually come out of the manual 20%.
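One way to do the triage step above, as an added example that is not part of the original page: it assumes nuclei results were saved as JSON lines (for example with -jsonl) and reads the template-id, info.severity, host and matched-at fields. The sample records and the triage helper are constructed for illustration.

```python
import json
from collections import defaultdict

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample shaped like nuclei JSON-lines output: template ids, hosts
# and URLs are invented, and the last line is truncated on purpose.
SAMPLE = "\n".join([
    '{"template-id":"exposed-env-file","info":{"name":"Exposed .env","severity":"high"},"host":"https://app.example.test","matched-at":"https://app.example.test/.env"}',
    '{"template-id":"tech-detect","info":{"name":"Tech detect","severity":"info"},"host":"https://app.example.test","matched-at":"https://app.example.test"}',
    '{"template-id":"exposed-env-file","info":{"name":"Exposed .env","severity":"high"},"host":"https://app.example.test","matched-at":"https://app.example.test/api/.env"}',
    '{"template-id":"default-login","info":{"name":"Default admin login","severity":"critical"},"host":"https://admin.example.test","matched-at":"https://admin.example.test/login"}',
    '{"template-id":"missing-hea',
])


def triage(jsonl_text, min_severity="low"):
    """Return (queue, skipped): deduplicated, severity-ordered candidates."""
    urls, meta, skipped = defaultdict(set), {}, 0
    for line in filter(str.strip, jsonl_text.splitlines()):
        try:
            hit = json.loads(line)
        except json.JSONDecodeError:
            hit = None
        info = hit.get("info") if isinstance(hit, dict) else None
        if not isinstance(info, dict):
            skipped += 1  # partial write or non-finding noise: count it, keep going
            continue
        sev = str(info.get("severity", "")).lower()
        if sev not in RANK:
            sev = "info"  # unrecognised severity sorts last
        if RANK[sev] > RANK[min_severity]:
            continue
        key = (hit.get("template-id", "unknown"), hit.get("host", "unknown"))
        urls[key].add(hit.get("matched-at", ""))  # same template+host collapses
        meta[key] = (sev, info.get("name", ""))
    queue = [{"template_id": t, "host": h, "severity": meta[t, h][0],
              "name": meta[t, h][1], "matched_at": sorted(urls[t, h]),
              "status": "unverified"}  # stays so until reproduced by hand
             for t, h in urls]
    queue.sort(key=lambda f: (RANK[f["severity"]], f["host"], f["template_id"]))
    return queue, skipped


if __name__ == "__main__":
    findings, bad = triage(SAMPLE)
    for f in findings:
        print(f["severity"], f["template_id"], f["host"], len(f["matched_at"]), f["status"])
    print("unparseable lines skipped:", bad)
```

Every entry leaves the function marked unverified; only a manual reproduction should change that before it reaches the report.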
Hunting is the loudest phase — nuclei alone can fire thousands of requests per host. Re-read your rules of engagement: honor rate limits (nuclei -rl), keep intrusive templates off fragile production, and never run exploitation modules without explicit authorization.
Start with nuclei.
Run template-based vulnerability checks across every web service to surface CVEs, misconfigurations, and exposures fast.
Map the service versions you found to public exploits in Exploit-DB.
Find dangling DNS records pointing at unclaimed cloud resources you can hijack.