
Nuclei Cheat Sheet

Template-based vulnerability scanner for fast, configurable security checks. Covers template selection, severity filtering, rate limiting, output formatting, and workflow orchestration.


Template Selection

Scan using all CVE detection templates

$ nuclei -u https://target.com -t cves/

Scan with multiple template directories

$ nuclei -u https://target.com -t exposures/ -t misconfigurations/

Run only templates tagged as XSS or SQLi

$ nuclei -u https://target.com -tags xss,sqli

Exclude subdomain takeover templates from scan

$ nuclei -u https://target.com -et takeovers/

Update the nuclei template repository to latest version

$ nuclei -update-templates

Severity Filtering

Scan a list of URLs for only critical and high severity issues

$ nuclei -l urls.txt -s critical,high

Find medium-severity CVEs on a single target

$ nuclei -u https://target.com -s medium -tags cve

Exclude informational and low severity findings

$ nuclei -l urls.txt -es info,low

Rate Limiting & Performance

Limit to 100 requests/sec with 25 concurrent templates

$ nuclei -l urls.txt -rl 100 -c 25

Process 50 templates and 10 hosts in each batch

$ nuclei -l urls.txt -bs 50 -hbs 10

Set 10-second timeout with 2 retries per request

$ nuclei -l urls.txt -timeout 10 -retries 2

Enable headless browser templates with 5 concurrent browsers

$ nuclei -l urls.txt -headless -headc 5

Output & Reporting

Save scan results to a plain text file

$ nuclei -l urls.txt -o results.txt

Output results in JSON Lines format for parsing

$ nuclei -l urls.txt -jsonl -o results.jsonl

Export matched results organized by template to a directory

$ nuclei -l urls.txt -me output_dir/

Include matched response content in the output

$ nuclei -l urls.txt -ms -o results.txt
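
For triaging the JSON Lines file written by `-jsonl -o results.jsonl`, the following added example (not part of the original cheat sheet or of the Nuclei project) de-duplicates findings and orders them by severity. It assumes the `template-id`, `info.severity`, `host` and `matched-at` fields of Nuclei's JSONL records; the sample records, hosts and template ids are constructed placeholders.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]

# Constructed sample records, not real scan output; the last line is cut off on purpose.
SAMPLE_JSONL = """\
{"template-id": "sample-rce-check", "info": {"name": "Sample RCE", "severity": "critical"}, "host": "https://app.example", "matched-at": "https://app.example/api"}
{"template-id": "sample-rce-check", "info": {"name": "Sample RCE", "severity": "critical"}, "host": "https://app.example", "matched-at": "https://app.example/api"}
{"template-id": "sample-tech-detect", "info": {"name": "Sample Tech", "severity": "info"}, "host": "https://app.example", "matched-at": "https://app.example/"}
{"template-id": "sample-panel", "info": {"name": "Sample Panel", "severity": "HIGH"}, "host": "https://admin.example", "matched-at": "https://admin.example/login"}
{"template-id": "sample-truncated", "info": {"na
"""

def load_findings(lines):
    """Return (findings, skipped): unique findings sorted by severity, and the malformed-line count."""
    seen, findings, skipped = set(), [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # e.g. a scan interrupted mid-write
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        where = rec.get("matched-at") or rec.get("host") or ""
        key = (rec.get("template-id") or "", where)
        if key in seen:           # same template hit at the same location
            continue
        seen.add(key)
        sev = str((rec.get("info") or {}).get("severity", "unknown")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "unknown"
        findings.append({"severity": sev, "template_id": key[0], "matched_at": where})
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["template_id"], f["matched_at"]))
    return findings, skipped

def summarize(findings):
    """Count findings per severity, most severe first."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}

if __name__ == "__main__":
    found, bad = load_findings(SAMPLE_JSONL.splitlines())
    for f in found:
        print(f'{f["severity"]:<9} {f["template_id"]:<20} {f["matched_at"]}')
    print(summarize(found), "malformed lines skipped:", bad)
```

To run it against a real scan, pass `open("results.jsonl")` to `load_findings` instead of the sample lines.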

Workflows & Automation

Run a predefined WordPress assessment workflow

$ nuclei -l urls.txt -w workflows/wordpress-workflow.yaml

Pipe critical CVE findings to a notification tool

$ cat urls.txt | nuclei -t cves/ -s critical -silent | notify

Full pipeline: subdomain enum to live hosts to vulnerability scan

$ subfinder -d target.com -silent | httpx -silent | nuclei -t cves/ -s critical,high

Scan authenticated endpoints with a custom header

$ nuclei -l urls.txt -t cves/ -H "Authorization: Bearer TOKEN"
