CoPilot includes a web vulnerability scanning module powered by Nuclei. It’s designed to give operators/admins a fast way to validate web exposure and identify common web/app misconfigurations across owned/authorized targets.

Why this is a power feature

Web scanning is not required for initial SIEM bring-up, but it’s a high-leverage add-on for reducing attack surface. Use it for:
  • periodic external exposure reviews (what are we accidentally exposing?)
  • validating suspected vulnerabilities during an incident
  • confirming whether a customer-facing app has known weak configurations (TLS, headers, exposed endpoints)

How it works in CoPilot (high level)

  1. You enable the CoPilot Nuclei module
  2. You submit a target host/domain (and any supported scan options)
  3. CoPilot runs Nuclei in the background
  4. Results are stored and displayed as a report
  5. You can drill into each finding for evidence and reproduction detail

Setup checklist

1) Enable the Nuclei module (Docker)

In the video walkthrough, Nuclei is enabled by adding the CoPilot Nuclei module container to your CoPilot docker-compose.yml and then running a compose up. Success checks:
  • the Nuclei module container is running
  • the Web vulnerability assessment entry becomes available in the UI

2) Confirm scanner reachability

The scanner runtime must be able to reach your targets. Confirm:
  • DNS resolution works from the scanner runtime
  • egress is allowed to the target(s)
  • you’re scoping to assets you own/have permission to scan
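A pre-flight helper covering the checks above (scope, DNS, egress) before a target is submitted. This is an added example, not CoPilot's own code or tooling; it assumes a scope file of authorized domain suffixes (one per line, path of your choosing) and that curl is available where the script runs.

```shell
# Pre-flight check for a target before it is submitted to the CoPilot Nuclei module.
# Assumptions (not from the original page): authorized domain suffixes live in a
# scope file, one per line, and curl is available where this runs.
# normalize_host INPUT -> lowercase hostname with scheme, port and path removed,
# so "https://App.Example.com:8443/login" becomes "app.example.com"
normalize_host() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's#^https\{0,1\}://##' -e 's#[/:].*$##'
}
# in_scope TARGET SUFFIX -> 0 if TARGET equals SUFFIX or is a subdomain of it.
# Matching on the label boundary keeps "notexample.com" out of "example.com".
in_scope() {
  target=$(normalize_host "$1")
  suffix=$(normalize_host "$2")
  [ "$target" = "$suffix" ] && return 0
  case "$target" in
    *".$suffix") return 0 ;;
  esac
  return 1
}
# scope_ok TARGET SCOPE_FILE -> 0 if any non-comment line of SCOPE_FILE covers TARGET
scope_ok() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    in_scope "$1" "$line" && return 0
  done < "$2"
  return 1
}
# resolves HOST -> 0 if DNS resolution works from this runtime
resolves() {
  getent hosts "$1" >/dev/null 2>&1 || nslookup "$1" >/dev/null 2>&1
}
# egress_ok HOST -> 0 if an HTTPS request completes with any real status code
# (curl prints 000 when the connection itself fails)
egress_ok() {
  curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "https://$1/" 2>/dev/null \
    | grep -qE '^[1-5][0-9]{2}$'
}
# preflight TARGET SCOPE_FILE -> refuses out-of-scope targets before touching the network
preflight() {
  host=$(normalize_host "$1")
  scope_ok "$host" "$2" || { echo "REFUSE: $host is not covered by $2" >&2; return 2; }
  resolves "$host"      || { echo "FAIL: DNS does not resolve $host" >&2; return 3; }
  egress_ok "$host"     || { echo "FAIL: no HTTPS egress to $host" >&2; return 4; }
  echo "OK: $host is in scope, resolvable and reachable"
}
# Usage: sh preflight.sh app.example.com /etc/copilot/scope.txt (paths are examples)
if [ -n "${1:-}" ]; then preflight "$1" "${2:-scope.txt}"; fi
```

Run it from the same runtime that will execute the scan, since DNS and egress results from the operator workstation do not prove the scanner container can reach the target.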

Running a scan

Typical workflow (from the video):
  1. Open Web vulnerability assessment
  2. Select Create new report (if applicable)
  3. Enter a target host/domain
    • you usually don’t need to include http:// or https:// if the UI accepts a host
  4. Submit
  5. Wait for completion, then refresh the page

Understanding results

Once results are available, you can typically:
  • see a list of findings (grouped by type)
  • open a finding to review details

Per-finding detail often includes:
  • description of what was detected
  • affected URL
  • the HTTP request/response evidence
  • the curl command Nuclei used (useful for reproduction and follow-up testing)

This makes it easy to:
  • validate the finding
  • hand evidence to an app owner
  • reproduce safely in a test environment

Practical operator usage

A good operator loop:
  1. Run a scan against a specific application
  2. Identify quick wins (weak TLS/ciphers, exposed Swagger/OpenAPI, debug endpoints)
  3. Create remediation tasks and validate closure by rescanning

Safety / guardrails

  • Only scan assets you own or have explicit permission to test.
  • Scanning can trigger WAF blocks, rate limits, or availability impact.
    • start with a single target
    • schedule scans during a quiet window
    • avoid aggressive configurations by default

Troubleshooting

  • No results / scan never completes:
    • confirm the Nuclei module container is running
    • confirm the scanner can reach the target host
    • check CoPilot/Nuclei module logs
  • False positives:
    • use the request/response + curl output to validate
    • tune templates/scan scope as needed

Video context

Enablement + walkthrough: