June 16, 2026
How to Install Nuclei on Your Machine The Open-Source Vulnerability Scanner That’s Changing the…
A practical, no-fluff guide to getting Nuclei up and running on macOS, Linux, and Windows in under 5 minutes.
InfoShieldah
---
If you work in cybersecurity — whether you're a pentester, blue teamer, SOC analyst, or DevSecOps engineer — you've probably heard of Nuclei. If you haven't, here's the short version:
Nuclei is a free, open-source vulnerability scanner built by ProjectDiscovery that uses YAML-based templates to detect security issues across web applications, APIs, networks, cloud infrastructure, and now even AI/LLM endpoints.
With 40,000+ community-contributed templates covering everything from CISA's Known Exploited Vulnerabilities (KEV) catalog to AI/LLM attack surfaces, it's become one of the most powerful tools in a security professional's arsenal.
Let's get it installed.
---
Prerequisites
Before installing Nuclei, you'll need:
- Operating System: macOS, Linux, or Windows
- Go 1.21+ (only if building from source)
- 2+ GB RAM for running large-scale scans
- Internet connection (for template downloads)
- Written authorization to scan any target systems (this is non-negotiable — only scan what you own or have explicit permission to test)
---
Installation Methods
Method 1: Homebrew (macOS — Recommended)
If you're on a Mac and have Homebrew installed, this is the fastest path:
brew install nuclei
That's it. Verify the installation:
nuclei -version
You should see something like:
Nuclei Engine Version: v3.x.x
---
Method 2: Go Install (macOS / Linux / Windows)
If you have Go installed (1.21 or higher):
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Make sure your Go binary path is in your system PATH:
# Add to your ~/.zshrc or ~/.bashrc
export PATH="$PATH:$(go env GOPATH)/bin"
Reload your shell:
source ~/.zshrc
Verify:
nuclei -version
---
Method 3: Direct Binary Download (No Dependencies)
Don't have Go or Homebrew? Download the pre-built binary directly:
macOS (Apple Silicon):
curl -L https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_darwin_arm64.zip -o nuclei.zip
unzip nuclei.zip
sudo mv nuclei /usr/local/bin/
rm nuclei.zip
macOS (Intel):
curl -L https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_darwin_amd64.zip -o nuclei.zip
unzip nuclei.zip
sudo mv nuclei /usr/local/bin/
rm nuclei.zip
Linux (amd64):
curl -L https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_linux_amd64.zip -o nuclei.zip
unzip nuclei.zip
sudo mv nuclei /usr/local/bin/
rm nuclei.zip
Windows (PowerShell):
Invoke-WebRequest -Uri "https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_windows_amd64.zip" -OutFile nuclei.zip
Expand-Archive nuclei.zip -DestinationPath .
Move-Item nuclei.exe C:\Windows\System32\
Remove-Item nuclei.zip
---
Method 4: Docker (Isolated Environment)
If you prefer containerized tools:
docker pull projectdiscovery/nuclei:latest
# Run a scan
docker run --rm projectdiscovery/nuclei -u https://your-target.com
---
First Run — Downloading Templates
The first time you run Nuclei, it automatically downloads the template library:
nuclei -u https://your-target.com
You'll see output like:
[INF] Nuclei Templates are not installed, installing…
[INF] Successfully downloaded nuclei-templates (v10.4.3)
[INF] Total templates: 40000+
To manually update templates anytime:
nuclei -update-templates
Templates are stored at ~/nuclei-templates/ by default.
---
Basic Usage — Your First Scan
Scan a single target:
nuclei -u https://example.com
Scan with specific severity:
nuclei -u https://example.com -severity critical,high
Scan for CISA KEV (actively exploited vulnerabilities):
nuclei -u https://example.com -tags kev
Scan for AI/LLM attack surface (new templates):
nuclei -u https://example.com -tags ai,llm
Scan a list of targets:
nuclei -l targets.txt -severity critical,high -o results.txt
Scan with rate limiting (be nice to targets):
nuclei -u https://example.com -rate-limit 50 -bulk-size 10
---
Useful Flags to Know
| Flag | Purpose |
|---|---|
| -u | Single target URL |
| -l | File containing list of targets |
| -t | Specific template or template directory |
| -tags | Filter templates by tag (e.g., cve, kev, ai, misconfig) |
| -severity | Filter by severity (info, low, medium, high, critical) |
| -o | Output file for results |
| -rate-limit | Max requests per second |
| -silent | Show only results, no banner |
| -json | Output in JSON format |
| -update-templates | Update template library |
---
The AI Template Editor — Generate Templates Without Writing YAML
This is where it gets interesting. ProjectDiscovery offers an AI-powered template editor at:
https://cloud.projectdiscovery.io
What it does:
- Give it a CVE ID, vulnerability writeup, or description in plain English
- It generates a working Nuclei template with built-in validation
- Iterative testing reduces false positives
- It can reference NIST NVD, CVE databases, and external writeups for context
Free tier is available — no credit card required.
---
Template Categories Worth Exploring
| Category | Tag | What It Detects |
|---|---|---|
| CISA KEV | kev | Actively exploited vulns from CISA's catalog |
| AI/LLM | ai, llm | Exposed model endpoints, prompt injection surfaces |
| CVEs | cve | Known CVEs with working detection |
| Misconfigurations | misconfig | Cloud, web server, and app misconfigs |
| Exposed Panels | panel | Admin panels, dashboards, login pages |
| Default Credentials | default-login | Services with factory credentials |
| Takeovers | takeover | Subdomain and service takeover vectors |
---
Automating Scans (Cron Job)
Run Nuclei on a schedule to continuously monitor your attack surface:
# Add to crontab (runs daily at 2 AM)
crontab -e
# Add this line:
0 2 * * * /usr/local/bin/nuclei -l /path/to/targets.txt -severity critical,high -tags kev -o /path/to/daily-scan-$(date +\%F).txt
---
Integrating with Your Security Stack
Nuclei plays well with other tools:
- Pipe from Subfinder (subdomain discovery):
subfinder -d target.com | nuclei -severity critical,high
- Pipe from httpx (live host detection):
cat subdomains.txt | httpx | nuclei -tags cve,kev
- Export to SIEM (JSON format):
nuclei -l targets.txt -json -o results.json
# Ingest results.json into Splunk/ELK
---
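A follow-up to the daily cron scan and the JSON export step above, as an added example that is not part of the original article or of Nuclei itself: it compares two days of JSON results and keeps only findings that are new, so the SIEM alerts on change rather than on every repeat. It assumes one JSON object per line with template-id, info.severity, host and matched-at fields; the sample records and template IDs are constructed.

```python
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample records (template IDs and hosts are made up for this example).
YESTERDAY = """
{"template-id": "demo-exposed-panel", "info": {"severity": "high"}, "host": "https://app.example.com", "matched-at": "https://app.example.com/admin"}
"""
TODAY = """
{"template-id": "demo-exposed-panel", "info": {"severity": "high"}, "host": "https://app.example.com", "matched-at": "https://app.example.com/admin"}
{"template-id": "demo-kev-check", "info": {"severity": "critical"}, "host": "https://api.example.com", "matched-at": "https://api.example.com/v1"}
{"template-id": "demo-kev-check", "info": {"severity": "critical"}, "host": "https://api.example.com", "matched-at": "https://api.example.com/v1"}
{"template-id": "demo-tech-detect", "info": {"severity": "info"}, "host": "https://app.example.com", "matched-at": "https://app.example.com/"}
{"template-id": "demo-trunc
"""

def load_findings(lines):
    """Parse JSON Lines output into {(template-id, matched-at): record}, deduplicated."""
    findings = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line, or a last line cut off by an interrupted scan
        if isinstance(rec, dict) and "template-id" in rec:
            key = (rec["template-id"], rec.get("matched-at") or rec.get("host", ""))
            findings[key] = rec
    return findings

def new_findings(previous, current, min_severity="high"):
    """Return findings present today but not yesterday, at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    fresh = []
    for (template_id, matched_at), rec in current.items():
        info = rec.get("info") if isinstance(rec.get("info"), dict) else {}
        severity = str(info.get("severity", "info")).lower()
        rank = SEVERITY_RANK.get(severity, 0)  # unknown severities rank lowest
        if (template_id, matched_at) not in previous and rank >= floor:
            fresh.append({"template_id": template_id, "matched_at": matched_at,
                          "severity": severity, "rank": rank})
    return sorted(fresh, key=lambda f: (-f["rank"], f["template_id"], f["matched_at"]))

if __name__ == "__main__":
    before = load_findings(YESTERDAY.splitlines())
    after = load_findings(TODAY.splitlines())
    for finding in new_findings(before, after):
        print(json.dumps(finding))  # one JSON object per line, ready for SIEM ingestion
```

In a real run, replace the two sample strings with the lines of yesterday's and today's result files.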
What Makes Nuclei Different
| Feature | Nuclei (Free) | Traditional Scanners ($$$) |
|---|---|---|
| Cost | $0 | $50K–$200K/year |
| Template updates | Weekly (community-driven) | Monthly/quarterly |
| AI/LLM coverage | Yes (as of April 2026) | Limited or none |
| CISA KEV coverage | Yes | Varies |
| Custom detections | YAML (minutes to write) | Vendor-locked, complex |
| False positive rate | Low (template validation) | Often high |
| Community | 40K+ templates, open source | Closed |
---
Final Thoughts
Nuclei isn't a replacement for your entire vulnerability management program. But it's quickly becoming the tool that fills the gaps commercial scanners miss — especially for:
- New CVEs that haven't made it into commercial feeds yet
- AI/LLM infrastructure that traditional tools don't understand
- CISA KEV priorities that need immediate validation
- Custom detection logic specific to your environment
The barrier to entry is literally one command. Give it a try.
---
Resources:
- GitHub: github.com/projectdiscovery/nuclei
- Templates: github.com/projectdiscovery/nuclei-templates
- Documentation: docs.projectdiscovery.io
- AI Template Editor: cloud.projectdiscovery.io
---
If this helped, share it with someone who's still paying six figures for the same detections a YAML file can give them for free.