
Running a More Advanced Nuclei Scan
June 20, 2025
🛡️ Important: Nuclei should only be used for ethical purposes, such as authorized security testing, bug bounty programs, or educational research. Never run recon tools like Nuclei against systems you don’t own or have explicit permission to test. This guide assumes you’re using Nuclei responsibly and legally.
Now that you’ve run a basic scan, it’s time to unlock Nuclei’s real power. In this guide, we’ll go deeper — using tags, filtering by severity, targeting specific CVEs, and chaining Nuclei with other tools for better results.
1. Filter by Severity
You can filter your Nuclei scans by severity to focus on more impactful findings. This is especially useful when hunting for bugs with higher payout potential.
Nuclei supports the following severity levels:
info – Informational findings (e.g. tech fingerprinting)
low – Minor issues or leaks (often non-exploitable)
medium – Misconfigs, exposed panels, possible weak points
high – Confirmed or likely vulnerabilities
critical – Serious issues like RCE, full takeovers, auth bypasses
You can scan either a list of URLs or a single host:
# Scan a list of targets from a file
nuclei -l targets.txt -severity medium,high,critical -o important-findings.txt
# Scan a single host
nuclei -u https://target.com -severity medium,high,critical -o important-findings.txt
Tip: If you’re just getting started or testing output, you can include info and low to get a broader view. Once you’re targeting live assets, filtering to just high,critical reduces noise.
2. Use Template Tags
If you’re focused on bug bounty targets, here are the most useful -tags to prioritize:
rce – Remote code execution bugs (often high or critical)
xss – Cross-site scripting (including reflected/stored)
unauth – Services or admin panels with no authentication
takeover – Potential subdomain takeover conditions
sqli – SQL injection vectors
token – Leaked secrets, API keys, auth tokens
exposure – Exposed files like .env, .git, configs, logs
cve – Templates targeting known CVEs
wordpress – WordPress-specific vulnerabilities
misconfiguration – Poorly configured apps or headers
Example scan using these tags:
nuclei -l targets.txt -tags rce,xss,unauth,takeover,sqli,exposure -severity medium,high,critical -o recon-findings.txt
For a full list of tags and the latest template updates, browse: Nuclei Templates on GitHub
Want to scan for a specific category, like RCE or XSS?
nuclei -l targets.txt -tags rce,xss,exposure -o targeted.txt
Tags let you filter templates by category instead of running everything.
3. Target Specific CVEs
To run only CVE-based checks:
nuclei -l targets.txt -t cves/ -o cve-results.txt
This is useful for checking against known public vulnerabilities.
4. Live Stats and Debugging
Add stats, verbose output, or full debug info to watch the scan in real-time:
nuclei -l targets.txt -stats -v -debug
Helpful when you’re scanning slow or unstable hosts and want visibility into what’s happening.
5. Chain with Subdomain Recon Tools
Nuclei works best when combined with tools like subfinder and httpx. Here’s a quick example recon chain:
subfinder -d target.com -silent | httpx -silent | nuclei -t cves/ -o results.txt
This automates subdomain discovery, probes for live hosts, and scans with Nuclei in one flow.
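Once the chain has written its results, the findings still need triage, and that is where the severity ordering from section 1 pays off. The script below is an added example, not code from the original post or from the Nuclei project. It reads nuclei findings written in JSONL form (the -jsonl flag in current nuclei releases, in place of the plain -o text output shown above), counts them per severity level, and lists only those at or above a chosen threshold so the high and critical results get looked at first. The sample findings, the example.test hosts and the sample-* template ids embedded in it are constructed placeholders; the field names template-id, severity (inside info) and matched-at are the ones nuclei's JSON output uses.

```shell
#!/bin/sh
# Triage helper for nuclei JSONL findings (nuclei ... -jsonl -o results.jsonl).
# Added example: not from the original post or the Nuclei project. The sample
# findings below are constructed; hosts and template ids are placeholders.
set -eu

# Map a nuclei severity name to a rank so findings can be thresholded.
# Unknown or missing severities rank 0 and are never promoted.
severity_rank() {
  case "$1" in
    info)     echo 1 ;;
    low)      echo 2 ;;
    medium)   echo 3 ;;
    high)     echo 4 ;;
    critical) echo 5 ;;
    *)        echo 0 ;;
  esac
}

# Extract one string field from a single-line JSON object.
# $1 = JSON line, $2 = key. Good enough for the flat string fields nuclei
# emits (template-id, severity, matched-at); not a general JSON parser.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Count findings per severity, in the order the post lists them.
# Usage: count_by_severity results.jsonl
count_by_severity() {
  for sev in info low medium high critical; do
    n=$(grep -c "\"severity\":\"$sev\"" "$1" || true)
    printf '%s %s\n' "$sev" "$n"
  done
}

# Print "severity template-id matched-at" for findings at or above a
# threshold, so high/critical results are reviewed first.
# Usage: above_threshold results.jsonl high
above_threshold() {
  min=$(severity_rank "$2")
  while IFS= read -r line; do
    sev=$(json_field "$line" severity)
    [ "$(severity_rank "$sev")" -ge "$min" ] || continue
    printf '%s %s %s\n' "$sev" "$(json_field "$line" template-id)" \
      "$(json_field "$line" matched-at)"
  done < "$1"
}

# Constructed sample in the shape of nuclei -jsonl output (one object per line).
SAMPLE="${TMPDIR:-/tmp}/nuclei-sample.$$.jsonl"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
{"template-id":"sample-tech-fingerprint","info":{"name":"Technology fingerprint","severity":"info"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test"}
{"template-id":"sample-missing-headers","info":{"name":"Security headers missing","severity":"low"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test"}
{"template-id":"sample-exposed-admin-panel","info":{"name":"Admin panel exposed","severity":"medium"},"type":"http","host":"https://admin.example.test","matched-at":"https://admin.example.test/login"}
{"template-id":"sample-exposed-env-file","info":{"name":"Exposed .env file","severity":"high"},"type":"http","host":"https://app.example.test","matched-at":"https://app.example.test/.env"}
{"template-id":"sample-cve-check","info":{"name":"Known CVE check (placeholder)","severity":"critical"},"type":"http","host":"https://legacy.example.test","matched-at":"https://legacy.example.test/cgi-bin/"}
{"template-id":"sample-directory-listing","info":{"name":"Directory listing","severity":"medium"},"type":"http","host":"https://static.example.test","matched-at":"https://static.example.test/backup/"}
EOF

echo "Findings by severity:"
count_by_severity "$SAMPLE"
echo "Review first (high and above):"
above_threshold "$SAMPLE" high
```

To use it on a real run, replace the constructed sample with the file the chain wrote (for example subfinder -d target.com -silent | httpx -silent | nuclei -t cves/ -jsonl -o results.jsonl) and call count_by_severity and above_threshold on it. The sed-based field extraction is deliberately minimal; if you already have jq installed, the same two functions are a one-line filter each.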
Next: Use Nuclei Safely with NordVPN
Next up, we’ll show you how to safely rotate your IP address using NordVPN — ideal when scanning targets that rate-limit or block recon tools.
Continue to: Integrating NordVPN with Nuclei