Can't Find Vulnerabilities? Try Nuclei, the Lightweight Template Scanner

The article introduces Nuclei, a fast, template‑driven vulnerability scanner that outperforms heavyweight tools like OpenVAS and Nessus, explains how to install it on Kali, update templates, run single‑target and bulk scans with various options, and demonstrates writing custom YAML templates and using its new AI‑assisted detection feature.

Black & White Path
Black & White Path
Black & White Path
Can't Find Vulnerabilities? Try Nuclei, the Lightweight Template Scanner

Overview

Nuclei is a template‑driven vulnerability scanner. The official template library contains over 7,000 YAML templates covering CVEs, default‑configuration leaks, penetration‑testing checks, technology fingerprinting, and network‑infrastructure detection. The library is updated daily.

Installation

On Kali Linux Nuclei is pre‑installed. If it is missing, install it with:

sudo apt update
sudo apt install nuclei -y

Updating Templates

Templates are the sole source of detection logic, so update them before scanning: nuclei -ut This command clones or pulls the official repository from GitHub into ~/.local/nuclei-templates/. If the automatic download fails, clone manually:

https://github.com/projectdiscovery/nuclei-templates

Scanning Targets

Single target

nuclei -u https://example.com

The default run loads all templates (e.g., 2,390 templates in the example) and sends a request for each.

Bulk scanning

nuclei -l targets.txt

Silent mode (show only findings)

nuclei -u https://example.com -silent

Severity filter

nuclei -u https://example.com -s high,critical

Supported severity levels: info, low, medium, high, critical, unknown.

Template ID selection

nuclei -u https://example.com -id spring4shell,log4shell

Multiple IDs are comma‑separated; wildcards are allowed.

Scanning a specific template directory

nuclei -u https://example.com -t http/cves/
# Scan only CVE templates
nuclei -u https://example.com -t http/cves/2024/

Technology‑aware scanning (-as)

In Nuclei 3.x the -as flag runs Wappalyzer first to detect the target’s technology stack (e.g., Nginx, PHP, WordPress) and then loads only the relevant templates, reducing scan time and false positives.

nuclei -u https://example.com -as -s medium,high,critical -o vulns.txt

AI‑Assisted Template Generation

From version 3.x, Nuclei can generate a detection template from a natural‑language description when an OpenAI‑compatible API key is configured.

nuclei -u https://example.com -ai "检测 Apache Shiro 反序列化漏洞"

Writing Custom Templates

A custom YAML template can be created to check for a specific condition. Example: detect whether a web application exposes an admin panel.

id: myapp-admin-panel
info:
  name: MyApp Admin Panel
  author: 逍遥子大表哥
  severity: info
  description: 检测 MyApp 后台管理页面
metadata:
  max-request: 1
http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "MyApp Admin"
          - "Dashboard"
        condition: or
      - type: status
        status:
          - 200

Save the file as myapp-admin.yaml and run it against a target:

nuclei -u https://example.com -t myapp-admin.yaml
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

AI integrationvulnerability scanningNucleitemplate scannerYAML templates
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.