Automated Scanning with Nuclei

Run template-based vulnerability checks across every web service to surface CVEs, misconfigurations, and exposures fast.

nuclei does most of the heavy lifting in the hunting phase. It runs a large community library of YAML templates, each a precise check for a specific CVE, misconfiguration, default credential, or information exposure, against your targets. It is fast, false positives are comparatively rare because each template encodes an explicit matcher on the response rather than a version guess, and the template set is updated constantly.

Setup

nuclei -update            # update the binary
nuclei -update-templates  # pull the latest template library

Run against your live URLs

Feed nuclei the live URL list from HTTP probing. Use a project folder (-project) so re-runs skip requests that have already been sent:

nuclei -l recon/live-urls.txt \
  -project -project-path .nuclei \
  -severity low,medium,high,critical \
  -o recon/nuclei-all.txt \
  -json-export recon/nuclei-all.json \
  -stats

Scan by template category

Arsenic splits nuclei into focused passes — technologies first (to fingerprint what’s there), then CVEs (to find what’s exploitable). Running targeted template groups is faster and easier to triage than one giant run:

# Fingerprint technologies / detections
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
  -tags tech -o recon/nuclei-technologies.txt

# Known CVEs
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
  -tags cve -severity high,critical -o recon/nuclei-cves.txt

# Exposures: panels, config files, backups, secrets
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
  -t http/exposures/ -t http/exposed-panels/ -o recon/nuclei-exposures.txt

# Default credentials
nuclei -l recon/live-urls.txt -project -project-path .nuclei \
  -t http/default-logins/ -o recon/nuclei-default-logins.txt

Split results back to per-host

To keep findings with their host (Arsenic stores nuclei-cves.txt under each host's recon/), partition the output by hostname. Match the host as the URL's authority rather than as a plain substring, otherwise example.com also collects every api.example.com and www.example.com line:

for dir in hosts/*/; do                      # one directory per host; avoids parsing ls
  host=${dir#hosts/}; host=${host%/}
  out="hosts/$host/recon/nuclei-cves.txt"
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')   # escape dots for the regex below
  # anchor on the URL authority so example.com does not also collect api.example.com lines
  grep -E "://${host_re}([:/]|$)" recon/nuclei-cves.txt > "$out"
  [ -s "$out" ] || rm -f "$out"
done

Be a good guest

  • -rl 150 — cap requests per second. 150 is already nuclei's default; lower it (for example -rl 20) for fragile targets.
  • -c 25 — cap the number of templates executed in parallel (also the default); lower it together with -rl.
  • -exclude-tags intrusive,dos,fuzz — skip templates that can damage or destabilize a target unless you are explicitly cleared for them.
  • -proxy http://127.0.0.1:8080 — route every request through Burp so it is logged and can be replayed during triage.

Triage every hit

Nuclei is high-signal but not infallible: a matcher can fire on a lookalike page, a WAF block page, or a stale banner. For each result:

  1. Read the matched template. nuclei -tl -t <template> resolves its path (templates live under ~/nuclei-templates by default); check what the matchers actually look for.
  2. Reproduce the finding manually with curl, a browser, or Burp, or re-run just that template with -debug to see the exact request and response.
  3. Only then promote it to a finding.

The template severity is a starting point; the real severity depends on the asset and the business context. A “medium” exposure on an admin panel can be your highest-impact finding.
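The per-host split and the triage steps above can both be driven from the -json-export file instead of the text output, which gives exact hostnames plus each template's severity and tags without grepping. The script below is an added example and not Arsenic's or nuclei's own code: it relies only on the export fields template-id, matched-at, host, info.severity and info.tags, and its CONTEXT_TAGS list, dedup key and worklist layout are this example's choices. The sample data embedded in it is constructed, not real scan output.

```python
"""Per-host triage worklist from nuclei's -json-export file.

Added example, not Arsenic's or nuclei's own code. It relies only on the
export fields nuclei has written since v2.9 ("template-id", "matched-at",
"host", "info.severity", "info.tags"); CONTEXT_TAGS and the output layout
are this example's choices. SAMPLE is constructed, not real scan output.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4, "unknown": 5}

# Template tags whose hits deserve a context review whatever the label says:
# a "medium" exposed panel on the right asset can be the top finding.
CONTEXT_TAGS = {"panel", "default-login", "exposure", "config", "backup"}

# Constructed sample in the -json-export layout (hosts and hits are made up).
SAMPLE = json.dumps([
    {"template-id": "tech-detect", "host": "app.example.com",
     "matched-at": "https://app.example.com/",
     "info": {"severity": "info", "tags": ["tech"]}},
    {"template-id": "exposed-admin-panel", "host": "admin.example.com:8443",
     "matched-at": "https://admin.example.com:8443/admin/",
     "info": {"severity": "medium", "tags": ["panel", "exposure"]}},
    {"template-id": "exposed-admin-panel", "host": "admin.example.com:8443",   # duplicate hit
     "matched-at": "https://admin.example.com:8443/admin/",
     "info": {"severity": "medium", "tags": ["panel", "exposure"]}},
    {"template-id": "default-admin-login", "host": "admin.example.com:8443",
     "matched-at": "https://admin.example.com:8443/admin/login",
     "info": {"severity": "high", "tags": ["default-login"]}},
    {"template-id": "git-config", "host": "example.com",
     "matched-at": "https://example.com/.git/config",
     "info": {"severity": "medium", "tags": "exposure,config,git"}},   # tags as one string
])


def load_results(text):
    """Accept the JSON array from -json-export or one object per line from -jsonl-export."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_of(result):
    """Hostname taken from matched-at (scheme and port stripped); the host field is
    only a fallback because its format has varied between nuclei versions."""
    url = result.get("matched-at") or result.get("host") or ""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or "unknown"


def tags_of(info):
    """Normalise info.tags, which may be a list or a comma-separated string."""
    tags = info.get("tags") or []
    if isinstance(tags, str):
        tags = tags.split(",")
    return {t.strip().lower() for t in tags if t.strip()}


def triage(text):
    """Group results by host, drop duplicate (template, URL) hits, order each host's
    list critical-first and flag hits whose tags call for a context review."""
    seen, by_host = set(), defaultdict(list)
    for r in load_results(text):
        key = (r.get("template-id"), r.get("matched-at"))
        if key in seen:
            continue
        seen.add(key)
        info = r.get("info") or {}
        sev = str(info.get("severity") or "unknown").lower()
        by_host[host_of(r)].append({
            "template": r.get("template-id") or "?",
            "severity": sev,
            "url": r.get("matched-at") or "",
            "review": bool(tags_of(info) & CONTEXT_TAGS),
            # triage step 2: the matcher is only a claim until you have seen the response yourself
            "repro": f"curl -sk -i '{r.get('matched-at') or ''}'",
        })
    for findings in by_host.values():
        findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 5), f["template"]))
    return dict(by_host)


def render(by_host):
    """Plain-text worklist, one section per host, in the order you should work it."""
    lines = []
    for host in sorted(by_host):
        lines.append(f"== {host} ==")
        for f in by_host[host]:
            flag = "  [review context]" if f["review"] else ""
            lines.append(f"[{f['severity']}] {f['template']} {f['url']}{flag}")
            lines.append(f"    repro: {f['repro']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(render(triage(data)))
```

Run it as python3 triage.py recon/nuclei-all.json; without an argument it processes the embedded sample. Each host section lists its hits critical-first with a curl line for the manual reproduction step, and a hit whose template carries one of the CONTEXT_TAGS is marked so you revisit its severity against the asset rather than trusting the label.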

Next: map service versions to public exploits with searchsploit.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)