Nuclei scanner user agent
Nuclei is a fast, template-based vulnerability scanner widely used in security testing and, by attackers, for mass probing. Its requests can carry a Nuclei user agent, though it is frequently configured to hide or randomise it. Seeing Nuclei means template-driven vulnerability scanning is hitting the site.
What this means
Nuclei runs community and custom templates that each test for a specific vulnerability or exposure, sending targeted requests and matching responses. It is popular in legitimate security testing and is also used by attackers to scan many hosts quickly for known weaknesses.
Its traffic is probe-like: many distinct, specific requests aimed at known vulnerable paths or parameters, not normal browsing. Intent depends on whether the scan is authorised.
How Nuclei identifies itself
Nuclei requests can carry a user agent containing a Nuclei token, which makes authorised scans recognisable. But Nuclei is commonly configured to randomise or replace its user agent, so absence of the token is common in hostile scanning.
Match on the Nuclei token substring where present, and otherwise rely on the template-probe behaviour pattern. The Nuclei project documents the scanner and its options.
- Requests can carry a Nuclei user-agent token
- User agent is often randomised or hidden in hostile use
- Template-probe behaviour is the durable signal
Authorised vs opportunistic scans
If Nuclei is your own scanner, allowlist its source and exclude it from human analytics. If a Nuclei scan comes from an unknown source, treat it as opportunistic probing: log it, apply rate limiting or blocking per policy, and check whether it found anything reachable.
Keep scanner traffic out of human metrics so it neither distorts engagement nor hides the security signal you want to act on.
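The triage order described above (allowlist first, then the user-agent token, then probe behaviour), as an added example that is not WebmasterID's or the Nuclei project's code. It assumes Combined Log Format; the addresses, user-agent strings, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
ALLOWLIST = {"10.0.0.5"}  # assumption: source address of your own scanner
MIN_PATHS = 5             # assumption: distinct paths needed before behaviour is judged
MISS_RATIO = 0.8          # assumption: share of 4xx responses that marks probing

def classify(lines):
    """Return {source_ip: label} for every source that looks like a scanner."""
    stats = defaultdict(lambda: {"paths": set(), "hits": 0, "miss": 0, "token": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status, ua = m.groups()
        s = stats[ip]
        s["paths"].add(path.split("?", 1)[0])  # compare paths without query strings
        s["hits"] += 1
        s["miss"] += status.startswith("4")    # probes for absent paths return 4xx
        s["token"] |= "nuclei" in ua.lower()   # substring match on the token
    out = {}
    for ip, s in stats.items():
        probing = len(s["paths"]) >= MIN_PATHS and s["miss"] / s["hits"] >= MISS_RATIO
        if not (s["token"] or probing):
            continue  # ordinary browsing stays in human analytics
        if ip in ALLOWLIST:
            out[ip] = "authorised-scan"
        elif s["token"]:
            out[ip] = "unsolicited-scan (user-agent token)"
        else:
            out[ip] = "unsolicited-scan (probe behaviour)"
    return out

def make_line(ip, path, status, ua):
    return f'{ip} - - [24/Jun/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'

# Constructed sample log: own scanner, tokened stranger, hidden-UA prober, human visitor
PROBES = ["/.env", "/.git/config", "/server-status", "/backup.zip", "/phpinfo.php", "/old/admin.php"]
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
SAMPLE = (
    [make_line("10.0.0.5", p, 404, "Nuclei (constructed token)") for p in PROBES]
    + [make_line("203.0.113.7", p, 404, "Nuclei (constructed token)") for p in PROBES[:2]]
    + [make_line("198.51.100.9", p, 404, BROWSER) for p in PROBES]
    + [make_line("192.0.2.44", p, 200, BROWSER) for p in ["/", "/pricing", "/blog/"]]
)
if __name__ == "__main__":
    print(classify(SAMPLE))
```

The third source is flagged with a browser user agent, which is the case the token match alone would miss.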
How it appears in analytics and logs
A request carrying a Nuclei user agent is a template-based vulnerability scan. From your own pipeline it is expected; from an unknown source it is opportunistic probing — often mass-scanning for known vulnerabilities — and is a security event, not analytics.
Diagnostic use case
Recognise Nuclei scanning in logs, separate authorised testing from opportunistic probing, and treat unsolicited scans as a security signal.
What WebmasterID can help detect
WebmasterID classifies Nuclei-style scanner traffic server-side as automation/security probing and surfaces it on the bot-intelligence view, so scans are visible and never counted as human visits.
Common mistakes
- Counting vulnerability-scanner requests as human visits.
- Assuming Nuclei always carries its token — it is often randomised.
- Dismissing repeated template probes instead of treating them as a security signal.
Privacy and accuracy notes
Nuclei detection uses only the user agent and request behaviour. No human identity is profiled. WebmasterID records scanner traffic as a bot/security event, separate from human analytics.
Frequently asked questions
- Why am I seeing Nuclei requests for paths I do not have?
Nuclei templates test for many known vulnerabilities across common paths, so it probes URLs whether or not they exist. From an unknown source, that is opportunistic scanning to treat as a security event.
Related pages
- OWASP ZAP scanner user agent
OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner used in penetration testing and CI security checks. Its requests can carry a ZAP user agent, though it can be configured to spoof a browser. Seeing ZAP means a security scan is hitting the site — ideally an authorised one.
- Security scanner user agents
The public web receives constant probing from security scanners — vulnerability tools, research crawlers, and internet-wide scanners. Some identify themselves clearly in the user agent; others mimic browsers. This page explains why probing is expected background noise and why reacting with blanket blocks can do more harm than good.
- masscan and port scanner traffic
masscan is a high-speed network port scanner. It and similar tools probe IP ranges to find open ports and services; when they touch a web port they typically send minimal or no HTTP user agent. Recognising this scanning is about request shape and network behaviour more than the user-agent string.
- Bot intelligence
Surface vulnerability-scanning traffic, separate from humans.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.