What Nuclei Actually Is — and Why Everyone Uses It

Nuclei is a template-based vulnerability scanner built by ProjectDiscovery. Unlike traditional scanners that have a fixed list of checks hardcoded inside, Nuclei runs YAML files called templates — each one describing exactly how to detect a specific vulnerability.

The community maintains over 9,000 templates covering CVEs, misconfigurations, exposed panels, default credentials, and tech detection. When a new CVE drops, someone usually publishes a Nuclei template within hours. You update your templates and immediately have detection for it.

WHY NUCLEI IS THE STANDARD
Speed: Scans thousands of endpoints in minutes with concurrent requests and smart rate limiting
Community templates: 9,000+ templates covering every major CVE, misconfiguration, and exposure — constantly updated
Pipeline-friendly: Reads target lists from files or stdin — chain it with Subfinder and httpx naturally
False positive control: Templates specify exact matchers — what the response must contain — reducing noise
Custom templates: Write your own YAML template for a specific vulnerability you found — run it across all your targets
Free and open source: No licence, no paid tiers for the core scanner — the paid cloud platform is optional

How a template works — the anatomy

Every Nuclei template is a YAML file with four parts: its identity (id and info), the request to make, what to look for in the response (matchers), and how severe a finding is (severity).

EXAMPLE TEMPLATE — EXPOSED ENV FILE
id: exposed-env-file

info:
  name: Exposed .env File
  author: community
  severity: critical
  tags: exposure,config,env

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.env"          # request this path on every target

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "DB_PASSWORD"            # response must contain this
          - "APP_KEY"
        condition: or
      - type: status
        status:
          - 200                    # and must return 200

When Nuclei runs this against critbook.com, it requests critbook.com/.env and checks whether the response contains "DB_PASSWORD" or "APP_KEY" and has a 200 status. If both conditions hold, the target is flagged as critical.
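
The matcher logic just described, as an added example that is not part of the original page and is not Nuclei's own code: a simplified Python model of how matchers-condition and each matcher's condition combine, run against constructed responses. It assumes word matchers search only the response body.

```python
# Simplified model of how the template's matchers combine (not Nuclei's code).
# The dict mirrors the matchers block of the exposed-env-file template above.
TEMPLATE = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "word", "words": ["DB_PASSWORD", "APP_KEY"], "condition": "or"},
        {"type": "status", "status": [200]},
    ],
}


def eval_matcher(matcher, status, body):
    """Evaluate one matcher against a response's status code and body."""
    if matcher["type"] == "word":
        hits = [word in body for word in matcher["words"]]
        # 'or' needs any word present, 'and' needs all of them
        return all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    if matcher["type"] == "status":
        return status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {matcher['type']}")


def template_matches(template, status, body):
    """Combine the matcher results according to matchers-condition."""
    results = [eval_matcher(m, status, body) for m in template["matchers"]]
    combine = all if template.get("matchers-condition", "or") == "and" else any
    return combine(results)


# Constructed sample responses (status, body); not captured from any real host.
SAMPLES = {
    "real .env exposed": (200, "APP_ENV=production\nDB_PASSWORD=example-placeholder\n"),
    "soft 404 page": (200, "<html><h1>Page not found</h1></html>"),
    "blocked by WAF": (403, "Access to /.env denied. DB_PASSWORD files are protected."),
    "only APP_KEY present": (200, "APP_KEY=base64:constructed-placeholder\n"),
}


def scan_samples():
    """Return {sample name: flagged?} for every constructed response."""
    return {name: template_matches(TEMPLATE, s, b) for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name:22} -> {'FLAGGED critical' if flagged else 'no match'}")
```

Only the two responses that both return 200 and contain one of the keywords are flagged; the soft 404 and the 403 block page show the noise that the "and" between matchers filters out.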

What is the key architectural difference between Nuclei and traditional vulnerability scanners?