Nuclei review

What middleBrick covers

  • Template-driven scanning with customizable protocols
  • Black-box checks for OWASP API Top 10 misconfigurations
  • Support for authenticated scans with header allowlists
  • OpenAPI spec parsing and cross-reference validation
  • CI/CD integration via GitHub Action and programmatic API
  • Scheduled monitoring with diff and alert controls

Overview and positioning

This review focuses on Nuclei as a tool for security professionals assessing API scanning options. The evaluation emphasizes objective capability coverage, transparency about limitations, and alignment with real-world testing workflows rather than marketing narratives.

Scanning methodology and scope

Nuclei operates as a black-box scanner: it sends requests to a target endpoint and evaluates the responses for indicators of misconfiguration. It supports HTTP/1.1 and HTTP/2, follows redirects by default (so a finding may be reported against the redirect target rather than the URL you supplied), and lets you customize protocol-specific checks through templates. Because it needs no code access or runtime instrumentation, it works against any language, framework, or cloud provider. A baseline profile typically completes in under a minute; deeper template sets increase scan time roughly in proportion to the number of templates. Checks are limited to read-only HTTP methods (GET and HEAD, plus an optional text-only POST for LLM probes) and text-based payloads: the tool performs no active exploitation such as SQL or command injection, and it does not probe for blind SSRF using out-of-band channels.

Detection coverage and mapping to standards

Nuclei ships a broad template set whose findings map to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). Coverage includes authentication bypass attempts; JWT misconfigurations such as acceptance of alg=none or weak signing keys; IDOR via sequential ID probing; privilege escalation through exposed admin endpoints; wildcard CORS origins; dangerous HTTP methods; error and stack trace leakage; exposed API keys; missing security headers; and insecure redirects. For LLM/AI security it runs predefined adversarial probe sets aimed at prompt extraction, jailbreak patterns, and data exfiltration indicators. Outside these mapped areas the tool makes no claims: it does not detect business logic flaws and it does not guarantee compliance. It collects audit evidence and helps prepare for assessments, but it does not replace a human pentester or an auditor.
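To make the template-driven model and a few of the checks above concrete, here is an added example (not Nuclei's engine or any of its published templates): a minimal matcher engine that evaluates constructed templates against captured responses and tags each finding with an OWASP API Top 10 (2023) category. The template layout, matcher types, sample responses and the forged alg=none token are all assumptions made for illustration.

```python
"""Minimal template-driven matcher engine over captured HTTP responses.

Added example, not Nuclei's own engine or templates. It mirrors the
template/matcher idea (status, header and body conditions, findings
tagged with a framework id) so the checks in this section can be seen
end to end. Templates, sample responses and the OWASP API Top 10 (2023)
tags are constructed here for illustration.
"""
import base64
import json
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Captured response for one probe (constructed sample data)."""
    status: int
    headers: dict          # lower-cased header names
    body: str


# Each template names the probe it applies to, the matcher conditions
# (ANDed) and the framework tag attached to the resulting finding.
TEMPLATES = [
    {
        "id": "cors-wildcard-with-credentials",
        "probe": "cors",
        "matchers": [
            {"type": "header", "name": "access-control-allow-origin", "regex": r"^\*$"},
            {"type": "header", "name": "access-control-allow-credentials", "regex": r"^true$"},
        ],
        "tags": ["OWASP-API8:2023"],   # Security Misconfiguration
        "severity": "medium",
    },
    {
        "id": "jwt-alg-none-accepted",
        "probe": "jwt-none",           # request carried forged_none_token()
        "matchers": [{"type": "status", "status": [200]}],
        "tags": ["OWASP-API2:2023"],   # Broken Authentication
        "severity": "high",
    },
    {
        "id": "stack-trace-leak",
        "probe": "malformed-id",
        "matchers": [{"type": "body",
                      "regex": r"Traceback \(most recent call last\)|at [\w.$]+\([\w.]+:\d+\)"}],
        "tags": ["OWASP-API8:2023"],
        "severity": "low",
    },
    {
        "id": "missing-hsts",
        "probe": "baseline",
        "matchers": [{"type": "header-absent", "name": "strict-transport-security"}],
        "tags": ["OWASP-API8:2023"],
        "severity": "info",
    },
]


def forged_none_token(claims: dict) -> str:
    """Build the unsigned JWT the jwt-none probe sends.

    A server answering 200 to this token treats alg=none as valid and is
    flagged; a correct server rejects it (typically 401).
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def matcher_hits(m: dict, r: Response) -> bool:
    """Evaluate one matcher against one response."""
    if m["type"] == "status":
        return r.status in m["status"]
    if m["type"] == "header":
        value = r.headers.get(m["name"])
        return value is not None and re.search(m["regex"], value, re.I) is not None
    if m["type"] == "header-absent":
        return m["name"] not in r.headers
    if m["type"] == "body":
        return re.search(m["regex"], r.body) is not None
    raise ValueError(f"unknown matcher type {m['type']!r}")


def run_templates(responses: dict, templates=TEMPLATES) -> list:
    """Evaluate every template against the response captured for its probe."""
    findings = []
    for t in templates:
        r = responses.get(t["probe"])
        if r is None:
            continue                  # probe not run, nothing to judge
        if all(matcher_hits(m, r) for m in t["matchers"]):
            findings.append({"id": t["id"], "severity": t["severity"], "tags": t["tags"]})
    return findings


# Constructed sample responses standing in for one scanned target.
SAMPLE = {
    "baseline": Response(200, {"content-type": "application/json"}, '{"ok":true}'),
    "cors": Response(200, {"access-control-allow-origin": "*",
                           "access-control-allow-credentials": "true"}, ""),
    "jwt-none": Response(401, {"www-authenticate": "Bearer"}, ""),
    "malformed-id": Response(500, {"content-type": "text/plain"},
                             'Traceback (most recent call last):\n  File "api.py"'),
}

if __name__ == "__main__":
    for f in run_templates(SAMPLE):
        print(f["severity"], f["id"], ",".join(f["tags"]))
```

On the constructed sample the engine reports the CORS wildcard, the stack trace leak and the missing HSTS header, and correctly does not report alg=none because the target answered 401; swap that response for a 200 and the high-severity finding appears. Real templates also need a request definition per probe, which is left out here.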

Authenticated scanning and configuration

For authenticated scans, Nuclei accepts Bearer tokens, API keys, Basic auth, and cookie-based credentials. Domain ownership is verified through a DNS TXT record or a well-known HTTP file before credentials for that domain are accepted, so only the domain owner can run authenticated scans against it. The scanner forwards only a restricted allowlist of headers (Authorization, X-API-Key, Cookie, and custom headers matching X-Custom-*); anything else is dropped, which limits what a misconfigured job can leak to the target. OpenAPI specifications in versions 2.0, 3.0, and 3.1 are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to highlight operations with undefined security schemes or marked deprecated. Authentication widens the surface that can be tested; it does not unlock intrusive or state-changing checks. Use a dedicated, least-privilege test identity with short-lived credentials for these scans rather than a production user's token.
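The two controls in this section, the header allowlist and the spec cross-reference, are shown below as an added example (not the vendor's code). It forwards only allowlisted headers, resolves local $ref pointers in an OpenAPI 3.x document with a cycle guard so a self-referential schema terminates, and lists operations that declare no security requirement or are marked deprecated. The allowlist patterns and the sample spec are assumptions chosen to match the text.

```python
"""Header allowlist and OpenAPI cross-reference for authenticated scans.

Added example, not the product's own code. Shows (1) forwarding only an
allowlisted set of request headers and (2) resolving $ref pointers in
an OpenAPI 3.x document (with a cycle guard) and listing operations
that lack a security requirement or are deprecated. The allowlist, the
spec and the header patterns are assumptions matching the text above.
"""
import fnmatch

# Assumed allowlist: exact names plus one wildcard, compared
# case-insensitively because HTTP header names are case-insensitive.
HEADER_ALLOWLIST = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_headers(headers: dict) -> dict:
    """Return only the headers a scan job may forward to the target."""
    kept = {}
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), pat) for pat in HEADER_ALLOWLIST):
            kept[name] = value
    return kept


def resolve_ref(spec: dict, ref: str) -> dict:
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")   # RFC 6901 escapes
        node = node[part]
    return node


def deref(spec: dict, node, seen=frozenset()):
    """Recursively replace $ref with the referenced object.

    'seen' holds the refs on the current path, so a self-referential
    schema (e.g. a tree node) is marked and cut instead of recursing
    forever.
    """
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(spec, resolve_ref(spec, ref), seen | {ref})
        return {k: deref(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(spec, v, seen) for v in node]
    return node


HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def audit_operations(spec: dict) -> dict:
    """Cross-reference each operation against the spec's security settings.

    An operation is unauthenticated when its own 'security' is an empty
    list, or when neither it nor the document root declares one.
    """
    resolved = deref(spec, spec)
    root_security = resolved.get("security")
    unauth, deprecated = [], []
    for path, item in resolved.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            label = f"{method.upper()} {path}"
            if not op.get("security", root_security):
                unauth.append(label)
            if op.get("deprecated"):
                deprecated.append(label)
    return {"unauthenticated": unauth, "deprecated": deprecated}


# Constructed OpenAPI 3.0 fragment exercising every branch above.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearer": []}],
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Node": {"type": "object",
                     "properties": {"children": {"type": "array",
                                                 "items": {"$ref": "#/components/schemas/Node"}}}},
        },
    },
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/v1/export": {"post": {"deprecated": True, "security": [{"bearer": []}],
                                "requestBody": {"content": {"application/json": {
                                    "schema": {"$ref": "#/components/schemas/Node"}}}}}},
    },
}

if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Trace": "1", "Host": "x"}))
    print(audit_operations(SAMPLE_SPEC))
```

Only local (same-document) references are handled; remote $ref URLs would need a fetch step and a reason to trust the remote host, which is exactly the kind of side effect a read-only scanner should avoid.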

Product integrations and operational considerations

Nuclei exposes multiple interfaces: a CLI with JSON and text output, a web dashboard for managing scans and viewing reports, a GitHub Action for CI/CD gating, an MCP server for integration with AI coding assistants, and an API client for custom workflows. Continuous monitoring (scheduled rescans and diff detection) is available in higher tiers, with alert throttling and signed webhooks for event-driven pipelines; verify the webhook signature and timestamp on the receiving side before acting on an event. Data handling emphasizes user control, with on-demand deletion and retention limits. The tool does not remediate, patch, or block; it reports findings with guidance for manual follow-up.
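As an added example of the receiving side of the monitoring features (not the vendor's SDK or documented format), the block below verifies a signed webhook with a freshness window and a constant-time comparison, then computes the diff between two scans and applies a simple alert-throttling rule. The signature scheme (HMAC-SHA256 over "<timestamp>.<body>" in assumed X-Timestamp and X-Signature headers), the finding layout and the sample scans are assumptions; adapt the header names and signed string to the provider's documentation.

```python
"""Webhook signature verification and scan-to-scan diffing.

Added example, not the product's own SDK. The signature scheme
(HMAC-SHA256 over "<timestamp>.<body>", carried in assumed headers
X-Signature and X-Timestamp), the finding layout and the sample scans
are assumptions, not the vendor's documented format.
"""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300   # reject events older than 5 minutes (replay guard)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 the sender attaches to an event."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_event(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Check timestamp freshness, then the signature in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def fingerprint(f: dict) -> str:
    """Stable identity of a finding across runs: template id + location.

    Evidence text is deliberately excluded so a changed stack-trace line
    does not register as a brand-new finding.
    """
    return f"{f['id']}|{f['method']}|{f['path']}"


def diff_findings(previous: list, current: list) -> dict:
    """Return what appeared, what was fixed and what is unchanged."""
    prev = {fingerprint(f): f for f in previous}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in cur.keys() - prev.keys()],
        "resolved": [prev[k] for k in prev.keys() - cur.keys()],
        "unchanged": [cur[k] for k in cur.keys() & prev.keys()],
    }


def should_alert(diff: dict, min_severity: str = "medium") -> bool:
    """Throttling rule: alert only on new findings at or above a severity."""
    order = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
    return any(order[f["severity"]] >= order[min_severity] for f in diff["new"])


# Constructed sample: two consecutive scans and one webhook delivery.
PREVIOUS = [
    {"id": "missing-hsts", "method": "GET", "path": "/", "severity": "info"},
    {"id": "cors-wildcard", "method": "GET", "path": "/api/users", "severity": "medium"},
]
CURRENT = [
    {"id": "missing-hsts", "method": "GET", "path": "/", "severity": "info"},
    {"id": "stack-trace-leak", "method": "GET", "path": "/api/orders/x", "severity": "low"},
]
SECRET = b"constructed-shared-secret"   # assumed value for the example

if __name__ == "__main__":
    d = diff_findings(PREVIOUS, CURRENT)
    body = json.dumps({"event": "scan.completed", "diff": d}, sort_keys=True).encode()
    ts = int(time.time())
    hdrs = {"X-Timestamp": str(ts), "X-Signature": sign(SECRET, ts, body)}
    print("valid:", verify_event(SECRET, hdrs, body), "alert:", should_alert(d))
```

Binding the timestamp into the signed string is what makes the freshness check meaningful: without it an attacker who captured one valid delivery could replay it with a fresh X-Timestamp header.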

Limitations and complementary controls

Key limitations are the absence of state-modifying tests, of out-of-band channels for blind vulnerabilities, and of deep business logic analysis. Treat Nuclei as one layer in a broader program that also includes manual review, code analysis, and human-led assessments for high-stakes audits. Complementary controls such as runtime application self-protection, WAF tuning, and secure development practices remain necessary.

Frequently Asked Questions

What scan methods are used by default?
By default the scanner uses read-only methods, GET and HEAD, with an optional text-only POST for LLM probes. No destructive payloads are sent.
How are findings mapped to compliance frameworks?
Findings are mapped directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) to support audit evidence and control validation.
Can scan results be integrated into existing workflows?
Yes. Results are available via CLI output, web dashboard, API client, and webhooks for integration with ticketing or monitoring systems.
What happens to scan data after cancellation?
Customer data is deletable on demand and purged within 30 days of cancellation. It is not sold or used for model training.