
// the find

projectdiscovery/nuclei

★ 29,147 · Go · MIT · updated Jun 2026

Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.

Nuclei is a YAML-template-driven vulnerability scanner that lets you write or download detection logic for CVEs, misconfigurations, and DAST checks, then run it at scale against any target. The template library is the real product — 9,000+ community-maintained templates covering everything from Log4Shell to S3 bucket exposure. If you're doing recurring security assessments, bug bounty, or CI/CD security gates, this is the tool.

The YAML DSL is genuinely well-designed: matchers, extractors, multi-step flows, and OOB interaction via interactsh are all first-class. Request clustering is smart — identical requests across templates are deduplicated automatically, so running 5000 templates doesn't mean 5000 requests per host. The template signing system (ECDSA) lets you verify community templates haven't been tampered with before executing code-protocol templates. Active daily maintenance with a perf regression CI workflow, PGO builds, and a flamegraph pipeline — this is not a weekend project.
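As an added illustration of the matchers and extractors mentioned above (this is not a template from the nuclei project; the `id`, `author` and tags are hypothetical), the following template flags HTTPS responses that lack a Strict-Transport-Security header and records the Server banner for triage. Its single bare GET to `{{BaseURL}}` is also the kind of request that nuclei's clustering deduplicates across templates.

```yaml
# Hypothetical added example, not part of the nuclei template library.
id: missing-hsts-header

info:
  name: Missing Strict-Transport-Security header
  author: example-author
  severity: low
  description: Reports HTTPS responses that do not set an HSTS header.
  tags: misconfig,headers

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    # Both matchers must hold: the server answered, and the header is
    # absent. 'negative: true' inverts the word matcher so a hit means
    # the string was NOT found in the response headers.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 301
          - 302

      - type: word
        part: header
        words:
          - "Strict-Transport-Security"
        case-insensitive: true
        negative: true

    # Pull the Server header (key/value extractor) into the finding so
    # the report shows which stack is missing the header.
    extractors:
      - type: kval
        part: header
        kval:
          - server
```

Run it against your own hosts with `nuclei -u https://example.internal -t missing-hsts-header.yaml`; it is an HTTP-protocol template, so it needs no signature and never triggers the `-code` protocol.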

The `-code` protocol (executes arbitrary scripts) is opt-in for good reason, but the security boundary between 'analyze a target' and 'run arbitrary code on your box' is thinner than most users realize — the docs mention it in passing rather than leading with it. Running nuclei as a service is explicitly flagged as risky in the README, but the HTTP API endpoint exists anyway, which is a footgun. The false-negative rate of the community templates is unknowable — template quality is inconsistent, and there's no signal about which templates are actually maintained vs. rotting. The AI template generation (`-ai` flag) produces templates that need manual review, but the UX implies otherwise.

