> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socfortress.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Web vulnerability assessment (Nuclei)

> Run Nuclei-based web vulnerability scans inside CoPilot and review findings with request/response detail.

CoPilot includes a web vulnerability scanning module powered by **Nuclei**.

It’s designed to give operators/admins a fast way to validate web exposure and identify common web/app misconfigurations across owned/authorized targets.

***

## Why this is a power feature

Web scanning is not required for initial SIEM bring-up, but it’s a high-leverage add-on for reducing attack surface.

Use it for:

* periodic external exposure reviews (what are we accidentally exposing?)
* validating suspected vulnerabilities during an incident
* confirming whether a customer-facing app has known weak configurations (TLS, headers, exposed endpoints)

***

## How it works in CoPilot (high level)

1. You enable the CoPilot Nuclei module
2. You submit a target host/domain (and any supported scan options)
3. CoPilot runs Nuclei in the background
4. Results are stored and displayed as a report
5. You can drill into each finding for evidence and reproduction detail

***

## Setup checklist

### 1) Enable the Nuclei module (Docker)

In the video walkthrough, Nuclei is enabled by adding the **CoPilot Nuclei module container** to your CoPilot `docker-compose.yml`, then running a compose up.

Success check:

* the Nuclei module container is running
* the **Web vulnerability assessment** entry becomes available in the UI

### 2) Confirm scanner reachability

The scanner runtime must be able to reach your targets.

Confirm:

* DNS resolution works from the scanner runtime
* egress is allowed to the target(s)
* you’re scoping to assets you own/have permission to scan

***

## Running a scan

Typical workflow (from the video):

1. Open **Web vulnerability assessment**
2. Select **Create new report** (if applicable)
3. Enter a target host/domain
   * you usually don’t need to include `http://` or `https://` if the UI accepts a host
4. Submit
5. Wait for completion, then **refresh** the page

***

## Understanding results

Once results are available, you can typically:

* see a list of findings (grouped by type)
* open a finding to review details

Per-finding detail often includes:

* description of what was detected
* affected URL
* the HTTP request/response evidence
* the **curl command** Nuclei used (useful for reproduction and follow-up testing)

This makes it easy to:

* validate the finding
* hand evidence to an app owner
* reproduce safely in a test environment

***

## Practical operator usage

A good operator loop:

1. Run a scan against a specific application
2. Identify quick wins (weak TLS/ciphers, exposed Swagger/OpenAPI, debug endpoints)
3. Create remediation tasks and validate closure by rescanning

***

## Safety / guardrails

* Only scan assets you **own** or have **explicit permission** to test.
* Scanning can trigger WAF blocks, rate limits, or availability impact.
  * start with a single target
  * schedule scans during a quiet window
  * avoid aggressive configurations by default

***

## Troubleshooting

* No results / scan never completes:
  * confirm the Nuclei module container is running
  * confirm the scanner can reach the target host
  * check CoPilot/Nuclei module logs

* False positives:
  * use the request/response + curl output to validate
  * tune templates/scan scope as needed

***

## Video context

Enablement + walkthrough:

* [https://www.youtube.com/watch?v=-SVHKuQUxlI](https://www.youtube.com/watch?v=-SVHKuQUxlI)
