Nuclei + ProjectDiscovery OSS → Detectify

Nuclei + ProjectDiscovery ↔ Detectify: integration to migration path.

Detectify is your production-of-record scanner, so we never cut over on a single day. The Nuclei + ProjectDiscovery chain stands up alongside Detectify first, runs in shadow against the same assets, and only after it proves recall does it take over vulnerability probing in waves, putting per-template control, zero-day template velocity and your own data residency in your hands. No flag day, no finding-history blackout, and every wave rolls back in minutes.

The honest exception: Detectify Surface Monitoring's continuous asset discovery and the Crowdsource feed have no OSS parity at the same SLA. Our recommended exit keeps Surface Monitoring; we only cancel both SKUs once discovery parity is proven.

The idea

Shadow to prove recall. Promote to blocking last.

The topology that makes this low-risk is shadow-first reconciliation: Nuclei runs on a dedicated worker against Detectify's discovered asset list, both feeds are normalised to SARIF (Nuclei exports it natively; Detectify's webhook JSON goes through a converter, since it has no native SARIF) and land in DefectDojo, and a weekly join on host, CWE, CVE and path measures exactly what Nuclei catches, misses or flags earlier than Detectify. Detectify keeps owning asset discovery, Crowdsource and authenticated app scanning while findings are compared on real assets. Only once recall on Critical and High findings clears the threshold do we promote Nuclei to blocking, net-new services first, existing assets in waves, and then cut Detectify Application Scanning while retaining Surface Monitoring. Each step is independent and each is reversible.

The phases

Seven steps. Each one reversible.

Phase 0: Baseline & inventory

We export Detectify's full asset list, per-asset scan cadence, open findings by severity and CWE, enabled Crowdsource modules, Application Scanner auth configs and existing Jira / Slack integrations to a frozen S3 snapshot. We cross-reference your CMDB to find assets Detectify isn't discovering — those are arguments for Detectify, not against it. Read-only.

Users see: No user impact.

Rollback: N/A

Phase 1: Stand up Nuclei + ProjectDiscovery in shadow

Nuclei, subfinder, httpx and naabu run on a dedicated Fargate or EC2 worker, seeded from Detectify's asset export, with the nuclei-templates checkout pinned to a commit SHA and automatic template updates disabled so every run is reproducible. Findings post to DefectDojo only. Detectify stays system of record and nothing fails a build.

Users see: None — Nuclei findings live in DefectDojo, not Jira.

Rollback: Decommission the worker — no production system depends on it.

Phase 2: Side-by-side finding comparison

A weekly reconciliation job joins Detectify findings and Nuclei findings on host, CWE, CVE and path, writing a sheet AppSec reviews each release cycle. Every Critical or High finding is marked as caught, missed or flagged earlier; gaps become tickets to author a private template or tune Detectify.

Users see: None.

Rollback: Stop reconciliation; Nuclei continues as shadow.
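The weekly join described in Phase 2, as an added example rather than the page's own tooling or anything shipped by ProjectDiscovery. The Nuclei side reads the JSONL that `nuclei -jsonl` writes, using its real field names (matched-at, host, timestamp, info.severity, info.classification.cwe-id / cve-id); the Detectify side is assumed to have been normalised upstream into the same record shape, because Detectify's API schema is not reproduced here. The sample findings are constructed. It classifies every Critical or High Detectify finding as caught, flagged earlier or missed and checks recall against the page's 95% bar.

```python
"""Weekly Detectify-vs-Nuclei reconciliation (added example; not the page's or ProjectDiscovery's code)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

GATE_SEVERITIES = {"critical", "high"}
RECALL_THRESHOLD = 0.95  # the page's promotion bar for Critical/High recall


@dataclass(frozen=True)
class Finding:
    source: str            # "nuclei" or "detectify"
    host: str
    path: str
    severity: str          # lowercase, nuclei-style: info/low/medium/high/critical
    cwe: Optional[str]     # e.g. "CWE-79"
    cve: Optional[str]     # e.g. "CVE-2021-44228"
    first_seen: datetime


def parse_ts(s: str) -> datetime:
    """RFC 3339 as Go/Nuclei emits it: accept 'Z' and trim >6 fractional digits for fromisoformat."""
    s = s.replace("Z", "+00:00")
    m = re.match(r"^(.*T\d\d:\d\d:\d\d)(\.\d+)?(.*)$", s)
    if m and m.group(2):
        s = m.group(1) + m.group(2)[:7] + m.group(3)
    return datetime.fromisoformat(s)


def nuclei_jsonl_to_findings(jsonl: str) -> list[Finding]:
    """Map `nuclei -jsonl` lines onto Finding records (first CWE / CVE of the classification block)."""
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        url = urlparse(r["matched-at"])
        cls = r["info"].get("classification") or {}
        cwes, cves = cls.get("cwe-id") or [], cls.get("cve-id") or []
        out.append(Finding("nuclei", url.hostname or r["host"], url.path or "/",
                           r["info"]["severity"].lower(),
                           cwes[0].upper() if cwes else None,
                           cves[0].upper() if cves else None,
                           parse_ts(r["timestamp"])))
    return out


def match_key(f: Finding) -> tuple:
    """Join rule: a CVE matches regardless of path; otherwise CWE plus normalised path."""
    host = f.host.lower()
    if f.cve:
        return (host, "cve", f.cve)
    return (host, "cwe", f.cwe, f.path.rstrip("/") or "/")


def reconcile(detectify: list[Finding], nuclei: list[Finding]) -> dict:
    """Classify each Critical/High Detectify finding as caught / earlier / missed and compute recall."""
    earliest = {}  # match key -> earliest Nuclei sighting of that key
    for n in nuclei:
        k = match_key(n)
        if k not in earliest or n.first_seen < earliest[k].first_seen:
            earliest[k] = n
    rows = []
    for d in detectify:
        if d.severity not in GATE_SEVERITIES:
            continue
        n = earliest.get(match_key(d))
        status = "missed" if n is None else ("earlier" if n.first_seen < d.first_seen else "caught")
        rows.append({"host": d.host, "path": d.path, "cwe": d.cwe, "cve": d.cve,
                     "severity": d.severity, "status": status})
    hit = sum(r["status"] != "missed" for r in rows)
    recall = hit / len(rows) if rows else 0.0
    # No gated Detectify findings means no evidence, not a pass.
    return {"rows": rows, "recall": recall, "promote": bool(rows) and recall >= RECALL_THRESHOLD}


# Constructed sample inputs; not real scan output.
NUCLEI_JSONL = "\n".join(json.dumps(r) for r in [
    {"template-id": "CVE-2021-44228", "host": "https://shop.example.com",
     "matched-at": "https://shop.example.com/api/search", "timestamp": "2024-03-01T02:00:00.123456789Z",
     "info": {"severity": "critical",
              "classification": {"cve-id": ["CVE-2021-44228"], "cwe-id": ["CWE-917"]}}},
    {"template-id": "reflected-xss", "host": "https://shop.example.com",
     "matched-at": "https://shop.example.com/search/", "timestamp": "2024-03-03T02:00:00Z",
     "info": {"severity": "high", "classification": {"cwe-id": ["CWE-79"]}}},
])
DETECTIFY = [  # assumed upstream-normalised Detectify records
    Finding("detectify", "shop.example.com", "/api/search", "critical", "CWE-917", "CVE-2021-44228", parse_ts("2024-03-02T09:00:00Z")),
    Finding("detectify", "shop.example.com", "/search", "high", "CWE-79", None, parse_ts("2024-02-20T09:00:00Z")),
    Finding("detectify", "shop.example.com", "/account/export", "high", "CWE-639", None, parse_ts("2024-02-25T09:00:00Z")),
    Finding("detectify", "shop.example.com", "/", "medium", "CWE-1021", None, parse_ts("2024-02-25T09:00:00Z")),
]


def weekly_report() -> dict:
    return reconcile(DETECTIFY, nuclei_jsonl_to_findings(NUCLEI_JSONL))


if __name__ == "__main__":
    rep = weekly_report()
    for r in rep["rows"]:
        print(f"{r['status']:<8} {r['severity']:<8} {r['host']}{r['path']}  {r['cve'] or r['cwe']}")
    print(f"recall={rep['recall']:.1%} promote={rep['promote']}")
```

Two design points worth carrying into a real job: a CVE-keyed match deliberately ignores the path, because the two scanners rarely agree on which URL "owns" a CVE, whereas a CWE-only match must keep the path or every reflected-XSS finding on a host collapses into one. And a week with no gated Detectify findings returns promote=False, not a vacuous 100%.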

Phase 3: Promote Nuclei to blocking on net-new assets

For services that didn't exist at Phase 0, High and Critical Nuclei findings start blocking deploys through a baseline-then-diff gate, so only net-new findings fail. Gates run in warn mode for at least two sprints before flipping to block. Existing services still gate on Detectify.

Users see: New services occasionally fail builds on Nuclei findings — expected, that's the point.

Rollback: Per service: flip fail-on-vulnerabilities back to false; the finding is still recorded in DefectDojo. Under 15 minutes via PR revert.

Phase 4: Move existing assets to Nuclei-blocking

Previously-Detectify-monitored assets become Nuclei-blocking in waves (low to high blast radius). Per wave we import Detectify's open findings so the diff doesn't re-fire on known issues, triage net-new findings within seven days, and tune the private overlay until false positives fall below 5%.

Users see: None directly — same findings, same queues; Nuclei findings start appearing in Jira alongside Detectify's.

Rollback: Per wave: flip the wave's Nuclei stage to advisory; Detectify still gating. Under 15 minutes.
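The baseline-then-diff gate that Phases 3 and 4 describe, as an added example rather than the page's own pipeline code. It consumes already-normalised finding rows (host, path, severity, CWE, CVE; Detectify's export schema is not reproduced and the sample rows are constructed), builds the wave baseline from imported Detectify open findings plus the last accepted Nuclei run, and honours the fail-on-vulnerabilities setting named in the rollback above, reading it strictly from a string so a typo in a pipeline variable cannot silently change the gate. The FAIL_ON_VULNERABILITIES environment variable name is this example's assumption.

```python
"""Baseline-then-diff deploy gate for one service's Nuclei stage.

Added example, not the page's CI code. Input rows are already-normalised
{host, path, severity, cwe, cve} dicts; these field names are an assumption
of this example, not Detectify's or Nuclei's schema.
"""
from __future__ import annotations

import json
import os
import sys

GATE_SEVERITIES = {"critical", "high"}


def finding_key(rec: dict) -> tuple:
    """Same join rule as the weekly reconciliation: CVE if present, else CWE plus normalised path."""
    host = rec["host"].lower()
    if rec.get("cve"):
        return (host, "cve", rec["cve"].upper())
    path = (rec.get("path") or "/").rstrip("/") or "/"
    return (host, "cwe", (rec.get("cwe") or "").upper(), path)


def parse_flag(value: str) -> bool:
    """Pipeline variables arrive as strings; only 'true'/'false' are accepted so a
    typo ('advisory', 'yes', 'fales') can't silently disable or enable the gate."""
    v = value.strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"fail-on-vulnerabilities must be 'true' or 'false', got {value!r}")
    return v == "true"


def build_baseline(detectify_open: list[dict], previous_nuclei: list[dict]) -> set[tuple]:
    """Phase 4 wave import: Detectify's open findings plus the last accepted Nuclei run.
    Anything in the baseline may re-fire without failing the deploy."""
    return {finding_key(r) for r in detectify_open} | {finding_key(r) for r in previous_nuclei}


def evaluate_gate(baseline: set[tuple], current: list[dict], fail_on_vulnerabilities: bool) -> dict:
    """Only net-new Critical/High findings can fail. With the flag false (warn mode / advisory)
    they are still reported but the exit code stays 0, which is the sub-15-minute rollback."""
    known, net_new = [], []
    for r in current:
        (known if finding_key(r) in baseline else net_new).append(r)
    gating = [r for r in net_new if r["severity"].lower() in GATE_SEVERITIES]
    fail = fail_on_vulnerabilities and bool(gating)
    return {
        "known": len(known),
        "net_new": len(net_new),
        "gating": [(r["host"], r.get("path"), r.get("cve") or r.get("cwe"), r["severity"]) for r in gating],
        "exit_code": 1 if fail else 0,
    }


# Constructed sample rows; not real scan output.
DETECTIFY_OPEN = [
    {"host": "shop.example.com", "path": "/api/search", "severity": "critical", "cwe": "CWE-917", "cve": "CVE-2021-44228"},
    {"host": "shop.example.com", "path": "/search", "severity": "high", "cwe": "CWE-79"},
]
PREVIOUS_NUCLEI = [
    {"host": "shop.example.com", "path": "/.git/config", "severity": "medium", "cwe": "CWE-538"},
]
CURRENT_NUCLEI = [
    {"host": "shop.example.com", "path": "/api/search", "severity": "critical", "cwe": "CWE-917", "cve": "CVE-2021-44228"},  # known via Detectify import
    {"host": "SHOP.example.com", "path": "/search/", "severity": "high", "cwe": "CWE-79"},          # known; case and trailing slash normalised
    {"host": "shop.example.com", "path": "/.git/config", "severity": "medium", "cwe": "CWE-538"},   # known via previous run
    {"host": "shop.example.com", "path": "/actuator/env", "severity": "high", "cwe": "CWE-200"},    # net-new: gates
    {"host": "shop.example.com", "path": "/robots.txt", "severity": "info", "cwe": "CWE-200"},      # net-new: below the bar
]


def run(fail_on_vulnerabilities: str) -> dict:
    baseline = build_baseline(DETECTIFY_OPEN, PREVIOUS_NUCLEI)
    return evaluate_gate(baseline, CURRENT_NUCLEI, parse_flag(fail_on_vulnerabilities))


if __name__ == "__main__":
    # FAIL_ON_VULNERABILITIES is this example's name for the per-service gate variable.
    result = run(os.environ.get("FAIL_ON_VULNERABILITIES", "false"))
    print(json.dumps(result, indent=2))
    sys.exit(result["exit_code"])
```

The baseline is a set of join keys, not a set of raw findings, so a re-fire with a different case or trailing slash is still recognised as known; that normalisation is what keeps imported Detectify issues from failing the first Nuclei-blocking run of a wave.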

Phase 5: Cut Detectify Application Scanning; keep Surface Monitoring

Application Scanning is cancelled and Nuclei owns all vulnerability probing. Detectify Surface Monitoring is retained as the EASM signal — the SaaS-only feature with no honest OSS parity at the same SLA. A final export goes to S3 cold storage for at least a year.

Users see: Detectify app-scanning views go away; AppSec moves entirely into DefectDojo. Communicated at least 30 days ahead.

Rollback: During the 30-day read-only window the SKU can be reactivated. Past that, rollback means a fresh procurement cycle.

Phase 6: Retire Surface Monitoring (option B only)

Only if the org chose full cancellation: after at least 90 further days of proven OSS-chain discovery parity, Surface Monitoring is cancelled and the Detectify tenant is deactivated entirely. Option A keeps Surface Monitoring permanently and skips this phase.

Users see: Asset-discovery alerting moves fully onto the OSS chain's Slack / PagerDuty feed.

Rollback: Re-procurement only — there is no sub-15-minute path once the tenant is deactivated.

Feature parity

Where the Nuclei chain matches Detectify, and where it doesn't.

Capability | Nuclei + ProjectDiscovery OSS | Detectify | Parity
--- | --- | --- | ---
Scan type (EASM discovery) | subfinder + assetfinder + amass + crt.sh poll + cron-diff state | Surface Monitoring (managed SLA plus alerting) | Partial
Scan type (vuln probing) | Nuclei templates over httpx-confirmed hosts | Application Scanning | At parity
Authenticated app scan | katana headless crawl plus Nuclei auth-replay (tuning-heavy) | Application Scanning authenticated crawl | Partial
Crowdsourced check feed | Public nuclei-templates PR cadence | Crowdsource researcher feed | Partial
Finding format (SARIF) | Nuclei sarif-export / json / jsonl | API / webhook JSON; no native SARIF | Partial
Rule authoring | YAML templates (matchers, extractors, payloads) plus private overlay | Vendor black-box checks; no customer-supplied checks | OSS only
CVE / exploit prioritisation | EPSS plus CISA KEV wired into DefectDojo | Vendor internal exploit-in-the-wild model | Partial
Severity / CWE mapping | info.classification cwe-id / cvss-metrics / cve-id native | Findings carry CVSS plus CWE (vendor mapping) | At parity
Dashboards / reporting | DefectDojo | Detectify UI plus auditor PDF / CSV pack | Partial
SPA / JS coverage | katana headless crawl (Chromium); most Nuclei templates are raw HTTP and execute no JavaScript | Vendor browser-based scan | Partial
Deployment model | Self-hosted worker fleet (Fargate / EC2 plus Postgres state) | SaaS, vendor-hosted | OSS only
Cost model | Compute plus cron plus DefectDojo ops | Per-domain / per-asset SaaS | OSS only
Compliance / data residency | Scan data stays in your region | Vendor cloud; region options | Partial
Vendor support | Community plus your team | 24/7 vendor support SLA | SaaS only

What we're honest about

The caveats most vendors leave out.

Detectify Surface Monitoring's continuous discovery has no OSS parity at SLA

The OSS chain (subfinder, assetfinder, amass and a crt.sh poller) enumerates well, but the state machine, net-new-asset alerting and the SLA around continuous discovery are a real part of the SaaS lift. Our recommended exit keeps Surface Monitoring; we only cancel both SKUs after Phase 6's soak has proven discovery parity for at least 90 further days.
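What that "state machine and net-new-asset alerting" amounts to if you own it, as an added example that is neither the page's nor ProjectDiscovery's code: a nightly fold of the enumerators' hostname output (one name per line, as subfinder, assetfinder and amass print it) into a persisted state keyed by hostname, with a grace window before an absent host is marked gone rather than deleted. The grace period, the state shape and the sample hostnames are assumptions constructed for the example.

```python
"""Discovery state machine behind a cron-diff (added example; not the page's or ProjectDiscovery's code)."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=7)  # assumption: how long a host may be absent before it is marked gone


def normalise(line: str) -> str | None:
    """One hostname per line as the enumerators print it; drop blanks, comments and CT wildcard entries."""
    h = line.strip().lower().rstrip(".")
    if not h or h.startswith("#") or "*" in h:
        return None
    return h


def fold(state: dict, enumerated: list[str], now: datetime) -> tuple[dict, dict]:
    """Merge one run into the persisted state.

    state: hostname -> {"first_seen", "last_seen", "status"}; returns (new_state, events) with
    events = {"new": [...], "gone": [...], "returned": [...]} for the Slack / PagerDuty feed.
    A host is never deleted: 'gone' keeps its history so a flapping resolver cannot erase it.
    """
    seen = {h for h in map(normalise, enumerated) if h}
    ts = now.isoformat()
    events = {"new": [], "gone": [], "returned": []}
    new_state = dict(state)
    for h in seen:
        cur = new_state.get(h)
        if cur is None:
            new_state[h] = {"first_seen": ts, "last_seen": ts, "status": "active"}
            events["new"].append(h)
        else:
            if cur["status"] == "gone":
                events["returned"].append(h)
            new_state[h] = {**cur, "last_seen": ts, "status": "active"}
    for h, cur in new_state.items():
        if h in seen or cur["status"] == "gone":
            continue
        if now - datetime.fromisoformat(cur["last_seen"]) > GRACE:
            new_state[h] = {**cur, "status": "gone"}
            events["gone"].append(h)
    for k in events:
        events[k].sort()
    return new_state, events


# Constructed sample state and enumerator output; not real data.
NOW = datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc)
PREVIOUS_STATE = {
    "www.example.com": {"first_seen": "2024-01-01T03:00:00+00:00", "last_seen": "2024-03-09T03:00:00+00:00", "status": "active"},
    "old-vpn.example.com": {"first_seen": "2024-01-01T03:00:00+00:00", "last_seen": "2024-02-20T03:00:00+00:00", "status": "active"},
    "staging.example.com": {"first_seen": "2024-01-01T03:00:00+00:00", "last_seen": "2024-03-09T03:00:00+00:00", "status": "active"},
}
ENUMERATED = [
    "www.example.com", "WWW.example.com.",   # duplicate after normalisation
    "*.example.com",                          # CT wildcard entry, dropped
    "staging.example.com",
    "grafana-test.example.com",               # net-new host: this is the alert
    "",
]


def nightly() -> tuple[dict, dict]:
    return fold(PREVIOUS_STATE, ENUMERATED, NOW)


if __name__ == "__main__":
    state, events = nightly()
    print(json.dumps(events, indent=2))
    # In a real worker, `state` is written back (e.g. to Postgres or S3) and `events["new"]`
    # is what pages the on-call; the persistence layer is out of scope here.
```

The alerting logic itself is a few lines; the SLA lift the page refers to is everything around it: running the enumerators reliably every night, de-duplicating flapping records, and someone owning the "new" queue when it fires at 03:00.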

Crowdsource has no OSS parity at SLA

Detectify's Crowdsource feed is a continuous, vendor-curated stream of community-researcher checks. The public nuclei-templates repo is genuinely good, but the research effort behind the two is not symmetric. We retain Application Scanning and Crowdsource through Phase 4 and only cancel once Nuclei plus a private overlay has reproduced at least 95% of Crowdsource-attributable findings across two release cycles.

Authenticated and SPA coverage is a tuning-heavy gap

Detectify Application Scanning logs into the app and probes authenticated routes. The bulk of the Nuclei template corpus is raw HTTP and executes no JavaScript; Nuclei does have a headless (browser) protocol, but it covers a small slice of templates. katana in headless mode crawls SPAs through a real browser and Nuclei can replay the captured session, but the login replay and session refresh are work you own. Where authenticated coverage matters, typically the flagship app, we keep Detectify longer or pair with ZAP, and document the gap rather than fake it.

Self-hosting means you own discovery cost, ranking and reports

You inherit CT-log polling and active-scan compute, EPSS plus CISA KEV instead of Detectify's internal exploit-in-the-wild model, and DefectDojo report packs instead of vendor-templated auditor PDFs. There is no 24/7 number to call when a CVE is missed. That is why we run it with pinned templates, code-reviewed overlays, an on-call path and an audit cycle of overlap before any SKU is cancelled.

Why this beats a flag day

Reversible per wave, soaked before you cancel.

Every promotion to blocking rolls back in under 15 minutes by flipping the wave's Nuclei stage to advisory while Detectify still gates, so a noisy template is a config-only PR, not an incident. And we never cancel a Detectify SKU on a hunch: Nuclei must hold at least 95% recall on Critical and High findings across two release cycles, then run at least 30 consecutive days at sub-5% false positives, with Detectify held read-only for a 30-day evidence window before Application Scanning is cancelled. Surface Monitoring stays until discovery parity is proven. You are never betting your attack surface on one big cutover.

See whether the Nuclei chain reproduces what Detectify catches.

A call with a senior offensive-security engineer. We inventory your assets and authenticated-scan scope, separate the vulnerability probing Nuclei reproduces from the discovery and Crowdsource signal that stays on Detectify, and tell you honestly whether this is full retirement or a SKU reduction.

Map my migration →