Overview

Scan Exclusions provide granular control over your vulnerability scanning operations by allowing you to exclude or include specific targets or templates from scans. This feature helps optimize scan performance, reduce noise, and focus scanning efforts on relevant assets and vulnerabilities. The exclusion system operates at the target level and the template level:
  • Scan Target Exclusions: Prevent specific targets from being scanned
  • Scan Target Inclusions: Restrict scans to only matching targets (allowlist mode)
  • Scan Template Exclusions: Prevent specific vulnerability templates from being executed
Inclusion Patterns: Target exclusions also support inclusion (allowlist) mode using a + prefix. When inclusion patterns are present, only targets matching those patterns will be scanned. See Target Inclusion Patterns for details.
Quick Access: Scan Exclusions are managed in Settings → Scan Exclusions, available on the same page as Discovery Target Exclusions.

How It Works

Scan exclusions are applied during the vulnerability scanning process, filtering targets and templates before scan execution. This ensures excluded patterns are never scanned or tested, optimizing scan performance and reducing irrelevant results.

Scan Target Exclusions

Overview

Scan Target Exclusions allow you to exclude specific targets or patterns from vulnerability scanning. These targets will be skipped during all scan operations, including automated scans, manual scans, and scheduled scans.

Subdomains

Exclude specific subdomains from vulnerability scanning

IP Addresses

Exclude individual IP addresses or ranges from scans

Wildcard Patterns

Use wildcard patterns to exclude multiple targets

Configuration

Adding Target Exclusions

  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. In the Scan Target Exclusions section, click + Add Exclusion
  3. Enter your exclusion patterns in the text area (one pattern per line)
  4. Click Add to save your exclusions

Target Exclusion Examples

Basic Target Exclusions
staging.company.com
dev.company.com
test.company.com
Wildcard Patterns
*.staging.company.com
dev-*.company.com
test.*.internal.company.com
IP Address Exclusions
192.168.1.100
10.0.0.0/8
172.16.0.0/12
Production Systems
prod.company.com
api.company.com
*.production.company.com

Target Exclusion Use Cases

Exclude development and testing environments to focus scans on production systems:
*.dev.company.com
*.staging.company.com
*.test.company.com
Exclude internal-only systems that don’t require external vulnerability assessment:
*.internal.company.com
192.168.0.0/16
10.0.0.0/8
Exclude third-party managed services or customer environments:
*.amazonaws.com
*.azure.com
customer-*.company.com

Target Inclusion Patterns

Overview

In addition to excluding targets, you can use inclusion patterns to create an allowlist — restricting scans to only the targets that match your specified patterns. This is done by prefixing patterns with + in the exclusions field when creating a scan via the API.

How Inclusion Works

When inclusion patterns are configured:
  1. Inclusion check first: Each target is checked against all + patterns. If the target does not match any inclusion pattern, it is excluded.
  2. Exclusion check second: Targets that pass the inclusion check are then checked against exclusion patterns (without + prefix). If a target matches an exclusion, it is still excluded.
This allows you to define a broad allowlist and then carve out specific exceptions.
API-Only Feature: Inclusion patterns are configured through the API’s exclusions field when creating a scan (POST /scans) or enumeration. They use the same field as exclusion patterns — the + prefix distinguishes inclusions from exclusions.

Inclusion Pattern Examples

Include Only Production Targets

Only scan production systems, excluding everything else:
+prod-*.company.com
+api.company.com
+*.production.company.com

Include Specific IP Range

Restrict scanning to a specific network segment:
+10.0.1.0/24
+192.168.100.0/24

Combined Inclusion and Exclusion

Include production systems but exclude a specific staging subdomain that matches the pattern:
+prod-*.company.com
+api.company.com
*.staging.company.com
In this example:
  • prod-web.company.com: scanned (matches inclusion +prod-*.company.com)
  • api.company.com: scanned (matches inclusion +api.company.com)
  • prod-web.staging.company.com: excluded (matches inclusion, but also matches exclusion *.staging.company.com)
  • other.company.com: excluded (does not match any inclusion pattern)

Inclusion Use Cases

Restrict scans to production infrastructure when you have a broad target list:
+*.prod.company.com
+api.company.com
+payments.company.com
Scan only specific network segments while excluding everything else:
+10.0.1.0/24
+10.0.2.0/24
Include a broad set of targets but exclude specific subsets:
+*.company.com
*.internal.company.com
*.dev.company.com
This scans all company.com subdomains except internal and dev environments.

Scan Template Exclusions

Overview

Scan Template Exclusions allow you to exclude specific vulnerability templates or CVEs from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.

CVE IDs

Exclude specific CVE vulnerability checks

Template IDs

Exclude specific Nuclei template identifiers
Exact Match Only: Template exclusions require exact template IDs or CVE identifiers. Wildcard patterns are not supported for template exclusions.

Configuration

Adding Template Exclusions

  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. In the Scan Template Exclusions section, click + Add Exclusion
  3. Enter your template exclusion patterns (one pattern per line)
  4. Click Add to save your exclusions

Template Exclusion Examples

CVE Exclusions
CVE-2021-26855
CVE-2016-7981
CVE-2021-1491
Template ID Exclusions
apache-detect
nginx-version
wordpress-detect
exchange-server-rce
drupal-sqli

Template Exclusion Use Cases

Exclude specific templates that consistently produce false positives in your environment:
CVE-2021-26855
exchange-server-rce
specific-template-id
apache-default-page
Exclude specific low-severity or informational checks to focus on critical issues:
apache-detect
nginx-version
server-disclosure
http-title
Exclude specific templates for technologies not present in your environment:
wordpress-detect
drupal-version
joomla-core
sharepoint-detect
Exclude specific older CVEs that are not applicable to your modern infrastructure:
CVE-2010-3972
CVE-2011-3192
CVE-2012-1823
CVE-2013-2251

Pattern Syntax

Target Exclusions - Wildcard Support

Target exclusions support wildcard patterns using the asterisk (*) character:
  • Prefix wildcards: *.staging.company.com
  • Suffix wildcards: test-*.company.com
  • Multiple wildcards: *.staging.*.company.com

Target Inclusions - + Prefix

Target inclusion patterns use the same syntax as exclusions, prefixed with +:
  • Exact match: +api.company.com
  • Wildcard: +prod-*.company.com
  • CIDR range: +10.0.0.0/24
  • IP address: +192.168.1.100
Inclusion and exclusion patterns can be mixed in the same exclusions field. The + prefix is what distinguishes an inclusion from an exclusion.

Template Exclusions - Exact Match Only

Template exclusions require exact identifiers:
  • CVE IDs: Must match exactly (e.g., CVE-2021-26855)
  • Template IDs: Must match the exact template identifier (e.g., apache-detect)
  • No wildcards: Patterns like CVE-2021-* or *-detect are not supported

Pattern Matching Rules

  • Target exclusion patterns are case-insensitive and support wildcards
  • Target inclusion patterns use the + prefix with the same wildcard and CIDR support as exclusions
  • Template patterns are case-sensitive and require exact matches
  • Each line represents a separate pattern
  • When inclusion patterns are present, targets must match at least one inclusion pattern and not match any exclusion pattern
  • Patterns are matched during the scan planning phase
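The two-step evaluation described under How Inclusion Works and the rules listed above (case-insensitive target patterns, * wildcards, CIDR ranges, + prefix), carried through as an added example. This is not ProjectDiscovery's own code: it is a small reference filter that reproduces the documented behaviour so you can check how a given exclusions field will scope a target list before submitting a scan. The function names and the use of fnmatch for wildcards are assumptions made here.

```python
import fnmatch
import ipaddress


def parse_patterns(field):
    """Split a one-pattern-per-line exclusions field into (inclusions, exclusions).

    Lines starting with '+' are inclusion (allowlist) patterns; all others are
    exclusions. Target patterns are case-insensitive, so they are lowercased.
    """
    inclusions, exclusions = [], []
    for line in field.splitlines():
        pattern = line.strip()
        if not pattern:
            continue
        if pattern.startswith("+"):
            inclusions.append(pattern[1:].strip().lower())
        else:
            exclusions.append(pattern.lower())
    return inclusions, exclusions


def matches(target, pattern):
    """True if target matches pattern: CIDR/IP match for addresses, '*' wildcard for hostnames."""
    target = target.lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP: hostname glob, where '*' spans dots ('*.staging.company.com'
        # matches 'prod-web.staging.company.com', as in the page's example).
        return fnmatch.fnmatchcase(target, pattern)
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # pattern is not an IP/CIDR, so it cannot match an address


def is_in_scope(target, inclusions, exclusions):
    """Step 1: with inclusions present, the target must match one. Step 2: no exclusion may match."""
    if inclusions and not any(matches(target, p) for p in inclusions):
        return False
    return not any(matches(target, p) for p in exclusions)


def filter_targets(targets, field):
    """Return the targets that would actually be scanned under the given exclusions field."""
    inclusions, exclusions = parse_patterns(field)
    return [t for t in targets if is_in_scope(t, inclusions, exclusions)]


if __name__ == "__main__":
    # Constructed target list run against the page's combined inclusion/exclusion example.
    field = "+prod-*.company.com\n+api.company.com\n*.staging.company.com"
    for t in ["prod-web.company.com", "api.company.com", "prod-web.staging.company.com", "other.company.com"]:
        print(t, "scanned" if filter_targets([t], field) else "excluded")
```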

Managing Exclusions

Viewing Current Exclusions

All active exclusions are displayed in the respective sections of the Scan Exclusions interface as individual items in a list format. Each exclusion shows:
  • The exact pattern configured
  • A remove button (X icon) for easy deletion

Removing Exclusions

To remove individual exclusions:
  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. Locate the exclusion you want to remove in the appropriate section
  3. Click the X icon next to the exclusion pattern
  4. The exclusion will be immediately removed from your configuration
Removing target exclusions will allow those targets to be scanned in future operations. Removing template exclusions will re-enable those vulnerability checks in upcoming scans.

Best Practices

Focus exclusions on systems that shouldn’t be scanned:
  • Development and staging environments
  • Internal management interfaces
  • Third-party managed services
  • Customer-owned infrastructure
Exclude templates that add noise without value:
  • Known false positives for your environment
  • Informational checks for technologies you don’t use
  • Low-priority vulnerabilities that distract from critical issues
  • Legacy CVEs not applicable to your infrastructure
Periodically review and update exclusions:
  • Remove exclusions for systems that now need scanning
  • Add exclusions for new development environments
  • Re-evaluate template exclusions as your infrastructure evolves
  • Monitor scan results to identify new false positive patterns
Use inclusion patterns when you want to restrict scan scope rather than exclude individual targets:
  • Prefer inclusions over large exclusion lists when you want to scan a small subset of a broad target list
  • Combine inclusions with exclusions to create precise scoping (e.g., include all production but exclude a specific staging subdomain)
  • Start with broader inclusion patterns and add exclusions for specific exceptions

Important Considerations

Security Impact: Target exclusions prevent vulnerability scanning of specified assets. Ensure excluded targets are secured through other means or don’t require scanning.
Template Coverage: Template exclusions disable specific vulnerability checks. Make sure excluded templates aren’t critical for your security posture.
Performance Optimization: Use exclusions strategically to improve scan performance by focusing on relevant assets and vulnerabilities while reducing noise.

Integration with Scanning Workflows

Scan exclusions integrate seamlessly with all scanning operations and are applied globally across the platform:
  • Automated Scans: Exclusions apply to all automated vulnerability scanning processes
  • Manual Scans: User-initiated scans respect both target and template exclusions
  • Scheduled Scans: All scheduled scan operations honor exclusion patterns
  • Retesting: Vulnerability retesting operations also respect exclusion configurations
Global Application: All exclusion patterns apply to every scanning operation across your organization, ensuring consistent filtering regardless of the scan method or who initiates it.

By implementing scan exclusions, you can optimize your vulnerability scanning operations to focus on relevant targets and vulnerabilities while reducing noise and improving scan performance. This targeted approach ensures your security team can concentrate on the most important security issues affecting your infrastructure.