From Bug Report to Security Test in 60 Seconds: Inside Nuclei AI's Template Generation Pipeline
Hook

A security researcher disclosed a critical SSRF vulnerability on HackerOne. Within 60 seconds, an AI-powered browser extension converted that 2,000-word report into a working Nuclei template, ready to scan for the same flaw across thousands of targets.

Context

Nuclei, ProjectDiscovery's vulnerability scanner, has become the de facto standard for security automation. With over 5,000 community-contributed templates, it can detect everything from misconfigurations to critical exploits. But there's a temporal gap problem: when a new vulnerability drops on HackerOne, ExploitDB, or GitHub Security Advisories, someone needs to manually translate that prose description into Nuclei's YAML-based template language. This process requires understanding both the vulnerability mechanics and Nuclei's DSL (Domain Specific Language), which includes matchers, extractors, and request chaining logic.

The Nuclei AI Extension attempts to collapse this timeline from hours or days down to seconds. Rather than having security engineers manually parse HTTP requests from disclosure reports and hand-craft YAML templates, the extension intercepts vulnerability content directly in your browser, ships it to ProjectDiscovery's cloud AI service, and returns a functional template. It's part of a broader trend toward "security-as-code" automation, where the barrier between discovering a vulnerability pattern and testing for it system-wide becomes nearly invisible. The architecture choice here is particularly interesting: instead of bundling an LLM into the extension or requiring local API keys, ProjectDiscovery created a tightly integrated cloud service that handles the AI heavy lifting.

Technical Insight

The extension's architecture reveals several smart design decisions about when to process data client-side versus server-side. At its core, the extension uses Chrome's content script injection to monitor specific vulnerability disclosure platforms. When you navigate to a HackerOne report or ExploitDB entry, platform-specific extractors scrape structured data from the DOM. For HackerOne, it targets elements like .report-title, .vulnerability-description, and embedded HTTP request/response pairs. For ExploitDB, it focuses on exploit code blocks and CVE metadata.

Here's a simplified view of how the extraction layer works for HackerOne reports:

function extractHackerOneReport() {
  const report = {
    title: document.querySelector('.spec-report-header h1')?.textContent,
    severity: document.querySelector('.severity-rating')?.textContent,
    weaknessType: document.querySelector('.weakness-type')?.textContent,
    description: '',
    requests: []
  };

  // Extract HTTP requests from code blocks
  document.querySelectorAll('pre.http-request').forEach(block => {
    const requestText = block.textContent;
    report.requests.push({
      method: requestText.match(/^(GET|POST|PUT|DELETE)/)?.[1],
      url: requestText.match(/\s(\/[^\s]+)/)?.[1],
      headers: extractHeaders(requestText),
      body: extractBody(requestText)
    });
  });

  return report;
}

// The two helpers below were not shown in the original snippet; they are
// filled in here so the extractor runs as written.

// Header block of a raw HTTP request -> { name: value }. Stops at the first
// blank line, which separates headers from the body.
function extractHeaders(requestText) {
  const headers = {};
  const lines = requestText.split(/\r?\n/);
  for (const line of lines.slice(1)) {        // skip the request line
    if (line.trim() === '') break;
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Everything after the first blank line is the body; empty string if none.
function extractBody(requestText) {
  const m = requestText.match(/\r?\n\r?\n([\s\S]*)$/);
  return m ? m[1] : '';
}

This structured extraction is crucial. Instead of dumping raw HTML or the entire page text to the AI, the extension provides context-rich JSON that includes vulnerability classification, actual HTTP traffic, and severity metadata. The AI service receives a pre-processed payload that distinguishes between vulnerability description (used for template metadata) and technical proof-of-concept (used for request generation).

Authentication happens through ProjectDiscovery's cloud platform using OAuth-style token exchange. When you first install the extension, it opens a browser tab to cloud.projectdiscovery.io/auth where you authenticate. The platform generates a time-limited JWT token that the extension stores in Chrome's secure storage API. Every subsequent API request includes this token in the Authorization header:

const generateTemplate = async (extractedData) => {
  // Note: chrome.storage.sync is replicated through the user's Google account;
  // chrome.storage.local would keep the token on this device only.
  const token = await chrome.storage.sync.get('pdToken');

  const response = await fetch('https://cloud.projectdiscovery.io/api/v1/nuclei/generate', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${token.pdToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      source: 'hackerone',
      vulnerability: extractedData,
      preferences: {
        severity: 'auto',
        includeMatchers: true,
        chainRequests: false
      }
    })
  });

  // An expired token or a server-side failure comes back as a non-2xx status;
  // surface it instead of trying to parse an error page as a template.
  if (!response.ok) {
    throw new Error(`Template generation failed: HTTP ${response.status}`);
  }

  return await response.json();
};
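Because the token is time-limited, a client that attaches it blindly will start failing with authorization errors once it expires. The following is an added example, not the extension's code: it decodes the JWT payload and checks the standard `exp` claim before the request is sent. It assumes the token is an ordinary three-segment JWT (the page does not show its format) and does not verify the signature; that remains the server's job. The check simply avoids sending a token known to be dead. `makeSampleToken` builds a constructed token for demonstration with a placeholder signature.

```javascript
// Added example: pre-flight check on a stored bearer token before calling the API.
// Assumes a standard JWT (three base64url segments) carrying an `exp` claim in
// seconds since the epoch. The signature is NOT verified here; only the server
// can do that. We only refuse to send a token we already know has expired.

function base64UrlDecode(segment) {
  const padLen = (4 - (segment.length % 4)) % 4;
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns { usable, reason, expiresIn }. `skewSeconds` treats a token that is
// about to expire as already expired, so a slow request does not race the clock.
function checkToken(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  if (typeof token !== 'string') return { usable: false, reason: 'missing', expiresIn: null };
  const parts = token.split('.');
  if (parts.length !== 3) return { usable: false, reason: 'malformed', expiresIn: null };
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return { usable: false, reason: 'malformed', expiresIn: null };
  }
  if (typeof claims.exp !== 'number') return { usable: false, reason: 'no-exp', expiresIn: null };
  const expiresIn = claims.exp - nowSeconds;
  if (expiresIn <= skewSeconds) return { usable: false, reason: 'expired', expiresIn };
  return { usable: true, reason: 'ok', expiresIn };
}

// Constructed sample token: header and payload are real base64url JSON, the
// signature is a placeholder that would never verify anywhere.
function makeSampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'demo-user', exp })}.sig-placeholder`;
}

// Wrapper around the article's fetch: refuse to call the API with a dead token
// and tell the caller to re-authenticate instead of retrying in a loop.
async function authorizedFetch(url, token, init = {}) {
  const check = checkToken(token);
  if (!check.usable) throw new Error(`token not usable (${check.reason}); re-authenticate`);
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  return fetch(url, { ...init, headers });
}
```

The useful property is the `reason` field: `expired` means open the auth tab again, while `malformed` or `no-exp` means the stored value is not what the extension expects and should be discarded rather than retried.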

The cloud API returns a complete Nuclei template in YAML format, which the extension displays in an overlay editor. This is where the keyboard shortcut (Ctrl+Shift+O) comes in—it toggles a modal that shows the generated template with syntax highlighting. You can edit it directly before saving to your ProjectDiscovery account or copying to your local template directory.

One architectural choice that stands out is the automatic archival system. Every generated template is stored server-side in your ProjectDiscovery account with metadata about the source (which HackerOne report, timestamp, original URL). This creates an audit trail and personal template library without requiring local file management. The trade-off is clear: convenience and cross-device sync in exchange for vendor dependency and potential data privacy concerns about what vulnerability information passes through their infrastructure.

The context menu integration is worth examining too. The extension registers a listener that adds a "Generate Nuclei Template" option when you right-click on selected text. This allows for quick template generation from arbitrary content—blog posts, GitHub issues, or custom vulnerability notes:

chrome.contextMenus.create({
  id: 'nuclei-ai-generate',
  title: 'Generate Nuclei Template',
  contexts: ['selection']
});

chrome.contextMenus.onClicked.addListener((info, tab) => {
  if (info.menuItemId === 'nuclei-ai-generate') {
    const selectedText = info.selectionText;
    // Send to content script for processing
    chrome.tabs.sendMessage(tab.id, {
      action: 'generateFromText',
      text: selectedText
    });
  }
});

This flexibility transforms the extension from a platform-specific tool into a general-purpose vulnerability-to-template converter. The AI service attempts to identify vulnerability patterns even in unstructured text, though success rates vary significantly based on how clearly the technical details are described.

Gotcha

The cloud dependency is both the extension's strength and its Achilles' heel. Because all AI processing happens on ProjectDiscovery's infrastructure, you're sending vulnerability details—potentially sensitive, potentially from private bug bounty programs—to a third-party service. The documentation doesn't specify data retention policies or whether submitted vulnerability reports are used to train future models. For security teams working under NDA or compliance frameworks like HIPAA or FedRAMP, this could be a dealbreaker. There's no offline mode or option to point the extension at a self-hosted API endpoint.
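Given that the extracted report leaves the browser as soon as the request fires, the control a practitioner would want in front of that call is a scrub step that removes credentials and internal hostnames before serialisation. The following is an added example, not part of the extension: it operates on the `{ title, severity, weaknessType, description, requests }` shape produced by the extractor shown earlier, and the header list, regexes and `[REDACTED_*]` markers are this example's own choices. The sample report is constructed for the demonstration and contains no real tokens or hosts.

```javascript
// Added example: scrub secrets from the extracted report before it leaves the browser.
// Works on the { title, severity, weaknessType, description, requests: [...] } shape
// from the extractor snippet. Header names and patterns are this example's choices,
// not anything the extension defines.

const SENSITIVE_HEADERS = new Set([
  'authorization', 'cookie', 'set-cookie', 'x-api-key', 'x-auth-token', 'proxy-authorization',
]);

// Inline secrets that commonly appear in PoC text: JWTs, bearer tokens written in
// prose, and AWS-style access key IDs. Each entry is [regex, replacement].
const INLINE_SECRET_PATTERNS = [
  [/\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g, '[REDACTED_JWT]'],
  [/\b(Bearer\s+)[A-Za-z0-9._~+/=-]{16,}/gi, '$1[REDACTED_TOKEN]'],
  [/\bAKIA[0-9A-Z]{16}\b/g, '[REDACTED_AWS_KEY]'],
];

// Hosts that should not reach a third party: RFC 1918 addresses plus a few
// conventional internal suffixes. Extend for your own naming scheme.
const INTERNAL_HOST_PATTERN =
  /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|[A-Za-z0-9.-]+\.(?:internal|local|corp))\b/g;

function scrubText(text) {
  if (typeof text !== 'string') return text;
  let out = text;
  for (const [re, repl] of INLINE_SECRET_PATTERNS) out = out.replace(re, repl);
  return out.replace(INTERNAL_HOST_PATTERN, '[REDACTED_HOST]');
}

// Sensitive headers are dropped wholesale; other header values still get the text scrub.
function scrubHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : scrubText(value);
  }
  return out;
}

// Returns a new report; the original stays intact so the user still sees it locally.
function scrubReport(report) {
  return {
    ...report,
    title: scrubText(report.title),
    description: scrubText(report.description),
    requests: (report.requests || []).map((req) => ({
      ...req,
      url: scrubText(req.url),
      headers: scrubHeaders(req.headers),
      body: scrubText(req.body),
    })),
  };
}

// Constructed sample in the extractor's output shape (not a real report).
const SAMPLE_REPORT = {
  title: 'SSRF in image fetcher reaches 10.0.4.12 metadata proxy',
  severity: 'Critical',
  weaknessType: 'SSRF',
  description: 'Replayed with Bearer abcdefghijklmnopqrstuvwxyz012345 against build.corp',
  requests: [{
    method: 'POST',
    url: '/api/fetch?target=http://169.254.169.254/',
    headers: { Host: 'app.example.com', Cookie: 'session=deadbeef', 'Content-Type': 'application/json' },
    body: '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlLXNhbXBsZQ"}',
  }],
};
```

Note what is deliberately left alone: the SSRF target in the URL is the proof of concept itself, and removing it would leave the AI nothing to build a matcher from. The scrub targets what identifies your session and your network, not what describes the bug.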

Template quality is another significant limitation that the project openly acknowledges. Complex vulnerabilities involving multi-step authentication flows, race conditions, or stateful exploitation often produce templates that need substantial manual refinement. The AI excels at straightforward cases—SQL injection with clear payloads, SSRF with obvious markers, XSS with predictable patterns. But for nuanced vulnerabilities involving business logic flaws or time-sensitive conditions, the generated templates are starting points rather than production-ready artifacts. You'll frequently need to adjust matchers, add extractors for dynamic tokens, or restructure request chains. The extension currently lacks a feedback mechanism to improve the AI based on your manual corrections, though this would be a logical next feature.
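A concrete way to act on that caveat is a pre-flight review of the generated template before it goes anywhere near a scan. The following added example is neither the extension's nor Nuclei's code: it takes a template that has already been parsed from YAML into a plain object (any YAML loader will do) and flags the three refinement needs the paragraph names: matchers that only check a status code, several matchers with no explicit combination rule, and `{{variables}}` with no extractor behind them. The keys follow Nuclei's template schema; the finding labels are this example's own. Both sample templates are constructed for the demonstration.

```javascript
// Added example: lint a generated Nuclei template for the usual refinement needs.
// Input is the template already parsed from YAML into an object. Keys follow the
// Nuclei template schema (info, http[].matchers, http[].extractors, ...). The
// findings and their labels are this example's own, not Nuclei's validation.

// Variables Nuclei fills in itself; anything else in {{...}} must come from an
// extractor on an earlier request or from the template's `variables:` block.
const BUILTIN_VARS = new Set([
  'BaseURL', 'RootURL', 'Hostname', 'Host', 'Port', 'Path', 'File', 'Scheme', 'interactsh-url',
]);

// Pull {{name}} references out of a string; DSL calls such as {{rand_int(1, 9)}} are skipped.
function templateVars(str) {
  const found = new Set();
  for (const m of String(str).matchAll(/\{\{\s*([A-Za-z_][A-Za-z0-9_-]*)\s*\}\}/g)) found.add(m[1]);
  return found;
}

function reviewTemplate(tpl) {
  const findings = [];
  const requests = Array.isArray(tpl.http) ? tpl.http : [];
  const declared = new Set(Object.keys(tpl.variables || {}));
  const extractedNames = new Set();   // names produced by extractors seen so far

  requests.forEach((req, i) => {
    const where = `http[${i}]`;
    const matchers = req.matchers || [];

    // 1. Status-only matchers: a 200 on an arbitrary path proves nothing about the bug.
    if (matchers.length === 0) {
      findings.push({ where, level: 'high', msg: 'no matchers; nothing constrains what counts as a finding' });
    } else if (matchers.every((m) => m.type === 'status')) {
      findings.push({ where, level: 'high', msg: 'only status matchers; add a word/regex/dsl matcher on the response' });
    }

    // 2. Several matchers with no combination rule. Nuclei defaults to `or`, which is
    //    rarely what a generated status + word pair intends.
    if (matchers.length > 1 && !req['matchers-condition']) {
      findings.push({ where, level: 'medium', msg: 'multiple matchers without matchers-condition (defaults to or); set and/or explicitly' });
    }

    // 3. Every variable this request uses must be built-in, declared, or extracted earlier.
    const used = new Set();
    const fields = [...(req.path || []), ...(req.raw || []), ...Object.values(req.headers || {}), req.body || ''];
    for (const s of fields) templateVars(s).forEach((v) => used.add(v));
    for (const v of used) {
      if (BUILTIN_VARS.has(v) || declared.has(v) || extractedNames.has(v)) continue;
      findings.push({ where, level: 'high', msg: `variable {{${v}}} has no extractor or variables entry` });
    }
    (req.extractors || []).forEach((e) => { if (e.name) extractedNames.add(e.name); });
  });
  return findings;
}

// Constructed sample of a "generated" template with the gaps the text describes.
const SAMPLE_TEMPLATE = {
  id: 'example-generated-ssrf',
  info: { name: 'Example SSRF (constructed)', author: 'example', severity: 'high' },
  http: [
    { method: 'POST', path: ['{{BaseURL}}/api/fetch'],
      headers: { 'Content-Type': 'application/json' },
      body: '{"url":"http://{{interactsh-url}}"}',
      matchers: [{ type: 'status', status: [200] }] },
    { method: 'GET', path: ['{{BaseURL}}/api/jobs/{{job_id}}'],
      matchers: [{ type: 'status', status: [200] }, { type: 'word', words: ['"state":"done"'] }] },
  ],
};

// The same template after the manual refinement the article describes: a content
// matcher, explicit `and`, and an internal extractor feeding the second request.
const REFINED_TEMPLATE = {
  ...SAMPLE_TEMPLATE,
  http: [
    { ...SAMPLE_TEMPLATE.http[0],
      'matchers-condition': 'and',
      matchers: [{ type: 'status', status: [202] }, { type: 'word', part: 'body', words: ['"job_id"'] }],
      extractors: [{ type: 'regex', name: 'job_id', internal: true, part: 'body', group: 1,
                     regex: ['"job_id":"([a-f0-9-]+)"'] }] },
    { ...SAMPLE_TEMPLATE.http[1], 'matchers-condition': 'and' },
  ],
};
```

Running `reviewTemplate` over the generated version yields three findings (status-only matcher on the first request, missing `matchers-condition` and an unbacked `{{job_id}}` on the second); the refined version yields none. The check is deliberately structural: it cannot tell you whether the matcher is *right*, only whether the template has the parts a reviewer would expect before trusting it.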

Verdict

Use if you're already embedded in the ProjectDiscovery ecosystem (running Nuclei scans regularly, comfortable with their cloud platform) and you frequently encounter vulnerability disclosures that need rapid operationalization. This extension is particularly valuable for bug bounty hunters who monitor HackerOne/Bugcrowd for new patterns, red teams building custom test suites, and security researchers maintaining private template collections. The time savings on straightforward vulnerabilities are substantial—what took 20-30 minutes of manual YAML crafting now happens in seconds. Skip if you operate in air-gapped environments, have strict data sovereignty requirements that prohibit sending vulnerability details to third-party APIs, or need guaranteed template accuracy without manual review. Also skip if you're not a Nuclei user—the extension only makes sense within that workflow context. Teams using Burp Suite, ZAP, or custom scanning infrastructure won't find value here, and privacy-conscious researchers should consider the data exposure implications carefully before sending sensitive vulnerability information through ProjectDiscovery's cloud.