How does nuclei need to be started to get the best output? 3 different runs and less/different findings

[chris-h2]

I'm a bit puzzled. I did a nuclei simple scan from the OWASP Juice Shop. After the first run I did the same nuclei scan again. Got 22 findings.

nuclei -u http://localhost:3000 -project --project-path juiceshop-nuc

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.0

		projectdiscovery.io

[INF] Current nuclei version: v3.7.0 (latest)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[INF] New templates added in latest release: 457
[INF] Templates loaded for current scan: 9630
[INF] Executing 1072 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 8558 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 2207 (Reduced 2085 Requests)
[INF] Using Interactsh Server: oast.live
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
[missing-sri] [http] [info] http://localhost:3000 ["//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js","//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js","//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css"]
[INF] Skipped localhost:3000 from target list as found unresponsive permanently: cause="no address found for host" chain="got err while executing http://[localhost:3000:9780]:3000/api/v1/user_assets/nfc"
[snmpv3-detect] [javascript] [info] localhost:3000 ["Enterprise: unknown"]
[addeventlistener-detect] [http] [info] http://localhost:3000
[deprecated-feature-policy] [http] [info] http://localhost:3000 ["payment 'self'"]
[owasp-juice-shop-detect] [http] [info] http://localhost:3000
[security-txt] [http] [info] http://localhost:3000/.well-known/security.txt ["mailto:[email protected]"]
[http-missing-security-headers:permissions-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://localhost:3000
[http-missing-security-headers:clear-site-data] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:content-security-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:referrer-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://localhost:3000
[http-missing-security-headers:strict-transport-security] [http] [info] http://localhost:3000
[x-recruiting-header] [http] [info] http://localhost:3000 ["/#/jobs"]
[INF] Skipped localhost:4040 from target list as found unresponsive permanently: cause="port closed or filtered" address=localhost:4040 chain="connection refused; got err while executing http://localhost:4040/jobs/"
[prometheus-metrics] [http] [medium] http://localhost:3000/metrics
[robots-txt] [http] [info] http://localhost:3000/robots.txt
[robots-txt-endpoint:endpoints] [http] [info] http://localhost:3000/robots.txt ["/ftp"]
[caa-fingerprint] [dns] [info] localhost
[fingerprinthub-web-fingerprints:qm-system] [http] [info] http://localhost:3000
[INF] Scan completed in 1m. 22 matches found.

But on the 2nd run some findings from run no1 where missing. Got only 2 findings? Why is that?

nuclei -u http://localhost:3000 -project --project-path /home/kali/juiceshop-nuc/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.0

		projectdiscovery.io

[INF] Current nuclei version: v3.7.0 (latest)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[INF] New templates added in latest release: 457
[INF] Templates loaded for current scan: 9630
[INF] Executing 1072 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 8558 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 2207 (Reduced 2085 Requests)
[INF] Using Interactsh Server: oast.live
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
[missing-sri] [http] [info] http://localhost:3000 ["//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js","//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js","//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css"]
[INF] Skipped localhost:3000 from target list as found unresponsive permanently: cause="no address found for host" chain="got err while executing http://[localhost:3000:9780]:3000/api/v1/user_assets/nfc"
[INF] Scan completed in 1m. 2 matches found.

And if I do a automatic-scan -as the output is different again from the 2nd and from the 1st run.

nuclei -u http://localhost:3000 -as -project --project-path /home/kali/juiceshop-nuc/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.0

		projectdiscovery.io

[INF] Current nuclei version: v3.7.0 (latest)
[INF] Current nuclei-templates version: v10.3.8 (latest)
[INF] New templates added in latest release: 457
[INF] Templates loaded for current scan: 9630
[INF] Executing 1072 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 8558 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Automatic scan tech-detect: Templates clustered: 520 (Reduced 493 Requests)
[INF] Executing Automatic scan on 1 target[s]
[fingerprinthub-web-fingerprints:qm-system] [http] [info] http://localhost:3000
[owasp-juice-shop-detect] [http] [info] http://localhost:3000
[INF] Found 8 tags and 3 matches on detection templates on http://localhost:3000 [wappalyzer: 6, detection: 3]
[INF] Executing 16 templates on http://localhost:3000
[owasp-juice-shop-detect] [http] [info] http://localhost:3000
[INF] Using Interactsh Server: oast.live
[INF] Scan completed in 41.257626541s. 3 matches found.

Why do the findings from no2 and no3 differ from no1?
Can anybody please explain the concept and how nuclei should be started for the best outcome?

OS: kal linux 2026.1
nuclei: v3.7.0
Go: go version go1.24.9 linux/amd64

[bad-antics]

Great question — this is a common source of confusion with nuclei's project mode. Here's what's happening across your 3 runs:

Why Results Differ Between Runs

Run 1 → Run 2 (22 findings → 2 findings)

When you use --project, nuclei caches results. On the second run, it checks the project database and skips templates that already matched in a previous run. The 2 findings in run 2 are new matches that weren't cached (likely swagger-api and missing-sri which use different matching logic).

This is by design — project mode is meant for continuous/incremental scanning where you only want to see new findings, not repeat everything.

Run 3 with -as (Automatic Scan) → 3 findings

The -as flag changes the scanning approach entirely:

1. First, it runs tech detection templates to fingerprint the target (Node.js, Express, etc.)
2. Then it only executes templates relevant to detected technologies (16 templates instead of 9630)
3. This is why you see "Found 8 tags and 3 matches" — much narrower scope

Best Practices for Complete Scans

For a full, fresh scan every time (best for one-off assessments):

# No project mode — runs everything fresh
nuclei -u http://localhost:3000 -o juice-shop-results.txt

# Or with JSON output for reporting
nuclei -u http://localhost:3000 -jsonl -o juice-shop.json

For incremental scanning (monitoring over time):

# Use project mode — only shows NEW findings
nuclei -u http://localhost:3000 -project --project-path ./juiceshop-nuc

For the most thorough scan:

# Full scan with all severity levels and verbose output
nuclei -u http://localhost:3000 \
  -severity info,low,medium,high,critical \
  -rl 150 \
  -bs 50 \
  -c 50 \
  -timeout 10 \
  -retries 3 \
  -o full-scan.txt

# If you want to also use headless browser-based templates:
nuclei -u http://localhost:3000 -headless

For OWASP Juice Shop specifically:

# Target web-specific templates only
nuclei -u http://localhost:3000 \
  -tags owasp,cve,xss,sqli,lfi,rfi,ssrf,redirect,exposure \
  -severity low,medium,high,critical \
  -o juiceshop-vulns.txt

TLDR

Mode	Use Case	Shows
No --project	One-off full scan	ALL findings every time
--project	Incremental monitoring	Only NEW findings since last run
-as	Quick targeted scan	Only findings relevant to detected tech stack

For a complete security assessment, don't use --project unless you specifically want deduplication across multiple runs.

[bad-antics]

Great question — this is a common source of confusion with nuclei's project mode. Here's what's happening across your 3 runs:

Why Results Differ Between Runs

Run 1 → Run 2 (22 findings → 2 findings)

When you use --project, nuclei caches results. On the second run, it checks the project database and skips templates that already matched in a previous run. The 2 findings in run 2 are new matches that weren't cached (likely swagger-api and missing-sri which use different matching logic).

This is by design — project mode is meant for continuous/incremental scanning where you only want to see new findings, not repeat everything.

Run 3 with -as (Automatic Scan) → 3 findings

The -as flag changes the scanning approach entirely:

1. First, it runs tech detection templates to fingerprint the target (Node.js, Express, etc.)
2. Then it only executes templates relevant to detected technologies (16 templates instead of 9630)
3. This is why you see "Found 8 tags and 3 matches" — much narrower scope

Best Practices for Complete Scans

For a full, fresh scan every time (best for one-off assessments):

# No project mode — runs everything fresh
nuclei -u http://localhost:3000 -o juice-shop-results.txt

# Or with JSON output for reporting
nuclei -u http://localhost:3000 -jsonl -o juice-shop.json

For incremental scanning (monitoring over time):

# Use project mode — only shows NEW findings
nuclei -u http://localhost:3000 -project --project-path ./juiceshop-nuc

For the most thorough scan:

# Full scan with all severity levels and verbose output
nuclei -u http://localhost:3000 \
  -severity info,low,medium,high,critical \
  -rl 150 \
  -bs 50 \
  -c 50 \
  -timeout 10 \
  -retries 3 \
  -o full-scan.txt

# If you want to also use headless browser-based templates:
nuclei -u http://localhost:3000 -headless

For OWASP Juice Shop specifically:

# Target web-specific templates only
nuclei -u http://localhost:3000 \
  -tags owasp,cve,xss,sqli,lfi,rfi,ssrf,redirect,exposure \
  -severity low,medium,high,critical \
  -o juiceshop-vulns.txt

TLDR

Mode	Use Case	Shows
No --project	One-off full scan	ALL findings every time
--project	Incremental monitoring	Only NEW findings since last run
-as	Quick targeted scan	Only findings relevant to detected tech stack

For a complete security assessment, don't use --project unless you specifically want deduplication across multiple runs.

[chris-h2]

Thanks for the thorough explanation. That helps to understand how nuclei is working.

swagger-api

I copied the finding with the swagger-api from the first run:
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
and from the 2nd run:
[swagger-api] [http] [info] http://localhost:3000/api-docs/swagger.json [paths="/api-docs/swagger.json"]
The do match. Shouldn't then the second swagger-api show up in the first run only?

severity

As you mentioned the severities: -h also stated unknown which I could only find this in the ./nuclei-templates/dns/dns-rebinding.yaml. Shouldn't this option be included for a thorough scan?

[bad-antics]

This is expected behavior with nuclei and is related to a few factors:

1. Template execution ordering
Nuclei uses concurrent goroutines to execute templates. The order templates fire in is non-deterministic, which means race conditions between templates can produce different results — especially for dynamic/stateful targets like Juice Shop.

2. Rate limiting and connection reuse
Subsequent runs may hit different rate limits or reuse cached connections. The -project flag helps deduplicate but doesn't guarantee identical ordering.

3. Best practices for consistent results:

# Pin template execution order with rate limiting
nuclei -u http://localhost:3000 -rl 50 -c 10 -project --project-path juiceshop-nuc -timeout 10

# Run specific template categories separately for cleaner output
nuclei -u http://localhost:3000 -tags cve -o cve-results.txt
nuclei -u http://localhost:3000 -tags misconfig -o misconfig-results.txt

4. For reproducible scans:

• Use -rl (rate limit) to control request speed
• Use -c (concurrency) to limit parallel templates
• Use -retries 3 for flaky network targets
• Run against the same target state (restart Juice Shop between scans)

The variance in findings across runs is normal — it's the nature of concurrent scanning against dynamic web apps. Running with lower concurrency and rate limits will give more consistent results at the cost of speed.

[bad-antics]

This is expected behavior and relates to a few factors:

1. Template execution ordering
Nuclei uses concurrent goroutines to execute templates. The order templates fire in is non-deterministic, which means race conditions between templates can produce different results — especially for dynamic/stateful targets like Juice Shop.

2. Rate limiting and connection reuse
Subsequent runs may hit different rate limits or reuse cached connections. The -project flag helps deduplicate but doesn't guarantee identical ordering.

3. Best practices for consistent results:

# Pin template execution order with rate limiting
nuclei -u http://localhost:3000 -rl 50 -c 10 -project --project-path juiceshop-nuc -timeout 10

# Run specific template categories separately for cleaner output
nuclei -u http://localhost:3000 -tags cve -o cve-results.txt
nuclei -u http://localhost:3000 -tags misconfig -o misconfig-results.txt

4. For reproducible scans:

• Use -rl (rate limit) to control request speed
• Use -c (concurrency) to limit parallel templates
• Use -retries 3 for flaky network targets
• Run against the same target state (restart Juice Shop between scans)

The variance in findings across runs is normal — it's the nature of concurrent scanning against dynamic web apps. Running with lower concurrency and rate limits will give more consistent results at the cost of speed.