Guide

An Operator's Guide to Nuclei.

Nuclei is a template-driven scanner most offensive teams keep in rotation. It is also not a penetration test. Here is how operators actually run it, and the line where it stops.

Answer first

Treat Nuclei as a coverage engine, not a verdict. It earns its place in three slots: continuous external sweeps, regression checks after deploys, and the recon hour at the front of a scoped engagement. Inside those slots it is fast and reliable at anything that already has a name: CVEs, default credentials, exposed panels, misconfigurations. What it cannot do is decide which of those matter together. That decision, chaining its output and everything else into a working attack path against your business, is the pentest. The sections below cover how to run the tool well, then exactly where it hands off to a human.

How operators actually run it

  • [01] Pin your template set. Forking projectdiscovery/nuclei-templates and pinning a commit prevents silent rule drift between runs. Pull upstream on a schedule, not on every CI invocation.
  • [02] Scope by severity and tag, not by 'all'. A daily run targets -severity high,critical against your public surface. A weekly run sweeps -tags exposure,misconfig,default-login. Running every template against every asset every night produces noise, not signal.
  • [03] Rate-limit deliberately. -rl 50 is a reasonable starting point against your own infrastructure; production WAFs and CDNs will throttle or block higher rates and give you false negatives that look like clean scans.
  • [04] Wire it to CI on the surfaces that matter. A passive run against staging on every merge is the highest-leverage placement. Block the deploy on critical findings; ticket the rest.
  • [05] Write your own templates for your own bugs. The format is YAML and intentionally simple. Internal templates for your specific auth quirks, your custom headers, and your past-incident IOCs are where the tool earns its keep.
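The five practices above, worked through as one added Python example. This is not Alacrinet's tooling and not part of Nuclei: it pins a forked template set to a commit, drops a constructed internal template into it, builds a scoped `nuclei` command per run profile, and gates a CI job on the JSONL results (critical blocks the deploy, the rest become tickets). The nuclei flags used (`-l`, `-t`, `-severity`, `-tags`, `-rl`, `-jsonl`, `-o`, `-silent`, `-duc`) are real; the templates path, the profile names and numbers, the `X-Example-Debug` header, the template keys (check them with `nuclei -validate -t <file>`) and the sample findings are assumptions or constructed data.

```python
"""Added example, not Alacrinet's tooling and not part of Nuclei: pin a template
set, build a scoped nuclei command per profile, and gate CI on the JSONL results.
Paths, profile names, the internal template and sample findings are assumptions."""
import json
import subprocess
from pathlib import Path

TEMPLATES_DIR = Path("/opt/nuclei-templates")  # assumed: your fork of projectdiscovery/nuclei-templates
PINNED_COMMIT = "<pinned-commit-sha>"           # placeholder: the commit your fork is pinned to

# Run profiles matching the cadence in the text. -rl stays modest on purpose.
PROFILES = {
    "daily":  {"severity": "high,critical", "tags": None, "rl": 50},
    "weekly": {"severity": None, "tags": "exposure,misconfig,default-login", "rl": 50},
    "ci":     {"severity": "medium,high,critical", "tags": None, "rl": 25},
}

# A hypothetical internal template (constructed): flags a debugging header that
# this fictional organisation's own apps must never expose in production.
INTERNAL_TEMPLATE = """\
id: internal-debug-header-exposed
info:
  name: Internal debug header exposed
  author: appsec-team
  severity: high
  tags: internal,exposure
http:
  - method: GET
    path:
      - "{{BaseURL}}/"
    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "X-Example-Debug: on"
      - type: status
        status:
          - 200
"""

def pin_templates(repo=TEMPLATES_DIR, commit=PINNED_COMMIT):
    """Check out the pinned commit so every run uses the same rules (no auto-update)."""
    subprocess.run(["git", "-C", str(repo), "checkout", "--quiet", commit], check=True)

def write_internal_template(root=TEMPLATES_DIR):
    """Drop the organisation's own rule into an internal/ directory inside the pinned set."""
    path = Path(root) / "internal" / "debug-header-exposed.yaml"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(INTERNAL_TEMPLATE)
    return path

def build_nuclei_argv(profile, targets_file, out_file, templates=TEMPLATES_DIR):
    """Command line for one profile. -duc disables nuclei's template update check so the
    pinned set is not replaced behind your back; -jsonl writes one finding per line."""
    p = PROFILES[profile]
    argv = ["nuclei", "-l", targets_file, "-t", str(templates), "-rl", str(p["rl"]),
            "-jsonl", "-o", out_file, "-silent", "-duc"]
    if p["severity"]:
        argv += ["-severity", p["severity"]]
    if p["tags"]:
        argv += ["-tags", p["tags"]]
    return argv

def ci_gate(jsonl_text, block_on=("critical",)):
    """Block the deploy on the listed severities; everything else becomes a ticket."""
    blockers, tickets = [], []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        f = json.loads(line)
        sev = str(f.get("info", {}).get("severity", "unknown")).lower()
        item = {"template": f.get("template-id"), "host": f.get("host"),
                "matched_at": f.get("matched-at"), "severity": sev}
        (blockers if sev in block_on else tickets).append(item)
    return {"exit_code": 1 if blockers else 0, "block": blockers, "ticket": tickets}

# Constructed findings in the shape of nuclei -jsonl output (not from a real scan).
SAMPLE_JSONL = "\n".join(json.dumps(f) for f in [
    {"template-id": "example-default-login", "host": "https://staging.example.com",
     "matched-at": "https://staging.example.com/admin", "info": {"severity": "critical"}},
    {"template-id": "internal-debug-header-exposed", "host": "https://staging.example.com",
     "matched-at": "https://staging.example.com/", "info": {"severity": "high"}},
    {"template-id": "example-outdated-component", "host": "https://staging.example.com",
     "matched-at": "https://staging.example.com/", "info": {"severity": "medium"}},
])

if __name__ == "__main__":
    # Live run (needs nuclei on PATH and the pinned fork checked out):
    #   pin_templates(); write_internal_template()
    #   subprocess.run(build_nuclei_argv("ci", "targets.txt", "out.jsonl"), check=False)
    #   result = ci_gate(Path("out.jsonl").read_text())
    result = ci_gate(SAMPLE_JSONL)  # offline demonstration on the constructed findings
    print(" ".join(build_nuclei_argv("daily", "targets.txt", "daily.jsonl")))
    print(json.dumps(result, indent=2))
    raise SystemExit(result["exit_code"])
```

In a pipeline the script's exit status is the gate: a non-zero exit on a critical finding fails the merge, while the `ticket` list is what you hand to the issue tracker. Pulling upstream into the fork is a separate scheduled job that ends by updating `PINNED_COMMIT`, never something the CI run does on its own.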

False-positive triage is the actual job

A raw Nuclei report against any real external surface will return findings that are technically true and operationally meaningless: a server-version banner the patch policy already accepts, a default page on an isolated VLAN, a CVE on a binary that is not in the request path. Triage is where unaccompanied automation falls apart. The operator question is never 'does the template match?' It is 'does this match reach something that matters, and what happens if I push on it?'
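One way to make that operator question part of the workflow, as an added Python example (not Alacrinet's tooling and not part of Nuclei): raw JSONL findings are run against an accepted-risk register of already-triaged (template, host) pairs, each with an expiry so a suppression is re-examined rather than living forever; the same template matching on several hosts collapses into one work item; what remains is ordered by severity and carries the two questions from the text. The register contents, template ids and findings are constructed.

```python
"""Added example, not Alacrinet's tooling and not part of Nuclei: turn raw nuclei
JSONL findings into an operator worklist. Suppresses matches the organisation has
already reviewed (accepted-risk register with expiry), collapses one template across
hosts into one item, and orders the rest by severity. All data here is constructed."""
import json
from datetime import date

# Accepted-risk register: (template-id, host) pairs already triaged, each with an
# ISO expiry date so the suppression gets re-examined. Constructed entries.
ACCEPTED_RISK = {
    ("example-server-banner", "https://www.example.com"):
        {"until": "2099-01-01", "reason": "version banner accepted by patch policy"},
    ("example-exposed-panel", "https://admin.example.com"):
        {"until": "2020-01-01", "reason": "isolated VLAN; re-check when the network changes"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

def parse_jsonl(text):
    """One nuclei finding per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(jsonl_text, register=ACCEPTED_RISK, today=None):
    """Return {'worklist': [...], 'suppressed': [...]}. An expired register entry does
    not suppress, so the finding resurfaces for a fresh decision."""
    today = today or date.today().isoformat()  # YYYY-MM-DD strings compare correctly as text
    suppressed, by_template = [], {}
    for f in parse_jsonl(jsonl_text):
        tid, host = f.get("template-id"), f.get("host")
        sev = str(f.get("info", {}).get("severity", "info")).lower()
        policy = register.get((tid, host))
        if policy and policy["until"] >= today:
            suppressed.append({"template": tid, "host": host, "reason": policy["reason"]})
            continue
        entry = by_template.setdefault(tid, {
            "template": tid, "severity": sev, "hosts": set(), "expired_acceptance": False,
            # The operator questions from the text, carried on every work item.
            "questions": ["Does this match reach something that matters (is it in the request path)?",
                          "What happens if it is pushed on, and is that worth a human's time?"],
        })
        entry["hosts"].add(host)
        if policy:  # register entry exists but has expired
            entry["expired_acceptance"] = True
    worklist = sorted(by_template.values(),
                      key=lambda e: (SEVERITY_RANK.get(e["severity"], 5), e["template"]))
    for e in worklist:
        e["hosts"] = sorted(e["hosts"])
    return {"worklist": worklist, "suppressed": suppressed}

# Constructed findings in the shape of nuclei -jsonl output (not from a real scan).
SAMPLE_FINDINGS = "\n".join(json.dumps(f) for f in [
    {"template-id": "example-server-banner", "host": "https://www.example.com", "info": {"severity": "info"}},
    {"template-id": "example-server-banner", "host": "https://api.example.com", "info": {"severity": "info"}},
    {"template-id": "example-exposed-panel", "host": "https://admin.example.com", "info": {"severity": "high"}},
    {"template-id": "example-exposed-panel", "host": "https://admin2.example.com", "info": {"severity": "high"}},
    {"template-id": "example-default-login", "host": "https://legacy.example.com", "info": {"severity": "critical"}},
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDINGS), indent=2))
```

The register is the institutional memory the raw report lacks: the banner on `www` stays quiet because the patch policy already covers it, while the panel on the "isolated VLAN" comes back with `expired_acceptance` set because nobody has re-checked that network claim since 2020. Keeping the register in version control next to the template fork means both the rules and the exceptions to them are reviewed in the same place.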

Where Nuclei structurally stops

  • [01] Chained attack paths. A low-severity SSRF plus an internal metadata service plus an over-permissive IAM role is the breach. Nuclei sees the SSRF in isolation, scored medium, and moves on.
  • [02] Business logic. Price manipulation, IDOR across tenants, race conditions in a checkout flow, privilege escalation through workflow state. None of these have a template, because the bug is in your rules, not a known shape.
  • [03] Authentication abuse. Session fixation, JWT confusion, OAuth misuse, multi-step auth bypasses. These require an operator with valid credentials reasoning about your specific flow.
  • [04] Post-exploitation. What an attacker does after the initial foothold (lateral movement, persistence, data staging) is by definition not a template match.

Bailey's take

Operator Note OPR · STANDARD-OF-WORK
“In 15 years of running offensive work, Nuclei is one of the few open-source tools I have never asked a team to stop using. It is also the one I most often see vendors hide behind. If your 'pentest' deliverable is a re-skinned Nuclei export, you didn't buy a pentest. You bought a subscription.”
Bailey Besheer, Managing Director of Cybersecurity Services

How we use it on engagements

On an Alacrinet engagement, Nuclei runs in the first 24 hours as part of reconnaissance, alongside our own internal templates and the rest of the toolchain. Its output is an input to the operator, not a deliverable to the client. What you receive at the end is the chained narrative: how the low-severity finding the scanner shrugged at became domain admin, customer data, or production code execution.

Frequently Asked Questions

Q1 Can Nuclei replace an annual penetration test?

No. It is the wrong tool for the question. Nuclei finds known shapes; a pentest finds the chained paths those shapes enable. They are complementary.

Q2 How often should I run Nuclei against my surface?

Daily against critical-severity templates on public assets, weekly for broader sweeps, and on every staging deploy via CI. Pull template updates on a schedule, not on every run.

Q3 Is a vendor using Nuclei a red flag?

No. Every competent offensive team uses it. The red flag is when the scanner output is the whole deliverable rather than raw material for it. Ask to see chained findings written as attack narratives.

Q4 Should I write my own Nuclei templates?

Yes. Internal templates for your specific auth quirks, custom headers, and past-incident indicators are where the tool produces the highest signal-to-noise.

Talk to an Operator

Ready to See Your Environment the Way Attackers Do?

Real operators. Real attack paths. Real business impact. Talk to us about your security goals.