nuclei
// Exact Nuclei command structure, template selection, and bounded high-throughput execution controls.
| name | nuclei |
| description | Exact Nuclei command structure, template selection, staged scanning workflow, and bounded high-throughput execution controls with timeout backoff. |
Official docs:
Nuclei scans MUST follow a staged escalation pattern. NEVER run an unscoped broad template sweep on the first call.
Goal: Find the most impactful vulnerabilities with minimal noise and time.
- `-s critical,high`.
- `-as` (automatic-scan) combined with severity filter.
- `-rl 30 -c 10 -bs 10`.
- `-timeout 10 -retries 1`.
- `-ni`.

```
nuclei -u <target> -s critical,high -ni -rl 30 -c 10 -bs 10 -timeout 10 -retries 1 -silent -j -o nuclei_stage1.jsonl
```

Goal: Add medium-severity findings and tech-mapped templates.

- `-s critical,high,medium`.
- `-as`.
- `-rl 50 -c 20 -bs 20`.

```
nuclei -u <target> -as -s critical,high,medium -ni -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -j -o nuclei_stage2.jsonl
```

Goal: Run all applicable templates for comprehensive assessment.

- `-s info,low,medium,high,critical`).

```
nuclei -u <target> -as -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -stats -j -o nuclei_stage3.jsonl
```

If ANY nuclei invocation runs longer than expected or appears hung:

First timeout / excessive duration (>5m for Stage 1, >15m for Stage 2):

- `-rl 30` -> `-rl 15`.
- `-c 10 -bs 10` -> `-c 5 -bs 5`.
- `-as`, switch to explicit template tags or severity-only filtering to reduce template count.

Second timeout / excessive duration:

- `-s critical` only, `-rl 10 -c 3 -bs 3`.

Never retry the exact same command after a timeout. Each retry MUST have reduced `-rl`, `-c`, `-bs`, or stricter template filters.

- `-u, -target <url>` single target
- `-l, -list <file>` targets file
- `-im, -input-mode <mode>` list/burp/jsonl/yaml/openapi/swagger
- `-t, -templates <path|tag>` explicit template path(s)
- `-tags <tag1,tag2>` run by tag
- `-s, -severity <critical,high,...>` severity filter
- `-as, -automatic-scan` tech-mapped automatic scan
- `-ni, -no-interactsh` disable OAST/interactsh requests
- `-rl, -rate-limit <n>` global request rate cap
- `-c, -concurrency <n>` template concurrency
- `-bs, -bulk-size <n>` hosts in parallel per template
- `-timeout <seconds>` request timeout
- `-retries <n>` retries
- `-stats` periodic scan stats output
- `-silent` findings-only output
- `-j, -jsonl` JSONL output
- `-o <file>` output file

```
nuclei -u https://target.tld -s critical,high -ni -silent -j -o nuclei_s1.jsonl
nuclei -u https://target.tld -as -s critical,high,medium -ni -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -j -o nuclei_s2.jsonl
nuclei -u https://target.tld -tags cve -s critical,high -ni -silent -j -o nuclei_cve.jsonl
nuclei -u https://target.tld -t http/cves/ -t http/misconfiguration/ -rl 30 -c 10 -bs 10 -j -o nuclei_tech.jsonl
```

- `-s critical,high`). An unscoped `-as` alone on the first call is a protocol violation.
- `-s`, `-tags`, or `-t`); avoid unscoped broad runs.
- `-rl`, `-c`, and `-bs` explicit for predictable resource use.
- `-ni` when outbound interactsh/OAST traffic is not expected or not allowed.
- `-j -o <file>`) for automation.
- `-c`/`-bs` before lowering `-rl`.
- `-as` vs explicit `-t`/`-tags`) and that the target is reachable.

If uncertain, query web_search with:
site:docs.projectdiscovery.io nuclei <flag> running
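
The staged escalation and timeout backoff described above, as an added example that is not part of the original skill file: a Python wrapper that builds the Stage 1 and Stage 2 commands and steps down one rung each time a run exceeds its time budget. The names `LADDER`, `BUDGET_S`, `build_cmd` and `run_stage` are hypothetical, and the Stage 2 first-timeout rung (limits halved, `-as` dropped in favour of severity-only filtering) is an assumption; the other values come from the page.

```python
import subprocess

# Rungs per stage: (severity, use_as, rl, c, bs). Rung 0 is the page's stage command.
LADDER = {
    1: [("critical,high", False, 30, 10, 10),
        ("critical,high", False, 15, 5, 5),           # first timeout (page values)
        ("critical", False, 10, 3, 3)],               # second timeout (page values)
    2: [("critical,high,medium", True, 50, 20, 20),
        ("critical,high,medium", False, 25, 10, 10),  # assumption: halve, drop -as
        ("critical", False, 10, 3, 3)],               # second timeout (page values)
}
BUDGET_S = {1: 5 * 60, 2: 15 * 60}  # page thresholds: >5m Stage 1, >15m Stage 2


def build_cmd(target, stage, attempt):
    """Return the nuclei argv for a stage at a given backoff rung."""
    if target.startswith("-"):
        raise ValueError("target must not look like a flag")
    severity, use_as, rl, c, bs = LADDER[stage][attempt]
    argv = ["nuclei", "-u", target]
    if use_as:
        argv.append("-as")
    argv += ["-s", severity, "-ni", "-rl", str(rl), "-c", str(c), "-bs", str(bs),
             "-timeout", "10", "-retries", "1"]
    if stage == 1:
        argv.append("-silent")  # the page's Stage 1 command is findings-only
    return argv + ["-j", "-o", f"nuclei_stage{stage}.jsonl"]


def run_stage(target, stage, run=subprocess.run):
    """Run one stage; on each timeout step down a rung. Returns the argv that
    finished inside the budget, or None if every rung timed out."""
    for attempt in range(len(LADDER[stage])):
        argv = build_cmd(target, stage, attempt)
        try:
            run(argv, timeout=BUDGET_S[stage], check=False)
            return argv
        except subprocess.TimeoutExpired:
            continue  # the next rung always differs, so no command is repeated
    return None


if __name__ == "__main__":
    # Print the full ladder without running anything.
    for stage in LADDER:
        for attempt in range(len(LADDER[stage])):
            print(" ".join(build_cmd("https://target.tld", stage, attempt)))
```

The argv list is passed to `subprocess.run` without a shell, so a target string cannot inject extra commands, and the leading-dash check keeps it from being read as a nuclei flag.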