PatchDay Alert

Scanner · Tool review

Nuclei: the answer to 'is this CVE actually on our perimeter?'

A fast, YAML-templated vulnerability scanner with 12,000+ community-maintained templates covering CVEs, misconfigurations, and exposed services. Closes the gap between 'this CVE is bad' and 'do we have it.'

Reviewed by The Field Notes Desk · May 24, 2026 · 4 min read

Vendor: ProjectDiscovery
Pricing: Free, MIT licensed
License: MIT



Every morning a CVE lands in your inbox with a CVSS 9.8 and a vendor advisory that reads like a hostage note. The next forty minutes are the same forty minutes you spent yesterday: opening the asset spreadsheet someone last updated in Q3, grepping ticket history for the product name, asking in chat whether the edge appliance was ever actually decommissioned. The advisory says the bug is bad. Nobody can tell you, in the next ten minutes, whether you have it.

Nuclei is the tool that answers that question for anything on your external surface. You take the CVE ID from the morning digest, grab the matching template from the public repo, point the scanner at the hosts you care about, and you get a yes or a no. Not a maturity score, not a dashboard, not a sales call. A yes or a no.

What it actually is

Nuclei is a CLI scanner written in Go, open-sourced by ProjectDiscovery under MIT. The engine is a few thousand lines; the value lives in the templates. Templates are YAML files that describe a detection: what request to send, what response pattern to match, what tag to file it under. The public template repo holds 12,000+ of them, contributed by the community and reviewed by the ProjectDiscovery team, covering CVEs, misconfigurations, exposed services, default credentials, and the long tail of “this should not be reachable from the internet.”

The shape of a real-world run is unromantic. Pull the templates repo. Filter by -tags cve-2026-xxxxx or by severity. Feed it a list of hosts. Wait. Read the output. Two flags worth knowing on day one: -rate-limit so you don’t melt your own load balancer, and -severity critical,high when you want signal first and noise later.

What April 2026 shipped

The template repo moves quickly enough that “what’s new” is a real category. The April 2026 release added 226 new templates covering 123 CVEs. That’s roughly four new CVE detections per day for a single month, which is the cadence you want if your prioritization rule routes through KEV and EPSS and you need verification to keep up. It also means a template you ran against your perimeter in January is not the same template by May. Pin versions in production. Update deliberately, not automatically.

The workflow that earns its keep

The pattern that pays for itself looks like this:

The answer is allowed to be “no, we don’t run that.” That’s still operationally useful. It moves a CVE from your “investigate” pile to your “logged and dismissed” pile, which is the only way a small team gets through a Patch Tuesday without skipping items.

The honest limits

Nuclei is an external-surface tool. It sends network requests and matches on responses. It does not log into your Windows hosts and check DLL versions, it does not parse your package manager state, it does not know whether the patched build is actually installed on the box behind the load balancer. If the bug only manifests post-authentication, or only on an internal host, or only in a code path that requires a specific config the scanner can’t reach, Nuclei will tell you nothing useful. Authenticated host scanning is a different category of product, and Nuclei is not pretending to be one.

Template quality is a real variable. Most are good. Some are noisy. A few will false-positive on a banner that looks like the vulnerable version but isn’t. Read the template before you run it against anything that matters. The YAML is short and legible; this is a thirty-second exercise, not a research project.

And the part everyone learns once: do not scan things you do not own. Nuclei is loud by design. Running it against a third-party SaaS, a partner network, or “that domain that resolves to our IP for some reason” is the fastest way to get a stern email from an upstream provider or a worse one from legal. Scope your target list deliberately. Use the rate limit. Keep the logs.

Where it sits in the stack

Nuclei is not a vulnerability management program. It’s the verification step inside one. KEV and EPSS tell you which CVEs are worth caring about this week. Your asset inventory tells you what you might own. Nuclei is what closes the loop between the advisory and the actual machine. Without it, “we patched it” is a claim. With it, “we scanned and we don’t see it” is evidence.

Get it

GitHub: https://github.com/projectdiscovery/nuclei. Templates: https://github.com/projectdiscovery/nuclei-templates. Both repos, no signup, no email gate. The CLI is the product; the cloud platform is the upsell you can ignore until you actually need orchestration.

The reason this tool keeps showing up in PatchDay Alert reading lists is simple: the digest names the bug, and Nuclei is what gets you from naming it to knowing whether it’s yours.

#scanner #perimeter #cve-validation #open-source

Sources

This is an editorial review. PatchDay Alert was not paid by ProjectDiscovery to write it. Sponsored content, when we run it, is labeled Sponsored and kept visually distinct from editorial reviews.
