Skip to main content

Overview

Scan Exclusions provide granular control over your vulnerability scanning operations by allowing you to exclude specific targets or templates from scans. This feature helps optimize scan performance, reduce noise, and focus scanning efforts on relevant assets and vulnerabilities. The exclusion system operates at two levels:
  • Scan Target Exclusions: Prevent specific targets from being scanned
  • Scan Template Exclusions: Prevent specific vulnerability templates from being executed
Quick Access: Scan Exclusions are managed in Settings → Scan Exclusions, available on the same page as Discovery Target Exclusions.

How It Works

Scan exclusions are applied during the vulnerability scanning process, filtering targets and templates before scan execution. This ensures excluded patterns are never scanned or tested, optimizing scan performance and reducing irrelevant results.

Scan Target Exclusions

Overview

Scan Target Exclusions allow you to exclude specific targets or patterns from vulnerability scanning. These targets will be skipped during all scan operations, including automated scans, manual scans, and scheduled scans.

Subdomains

Exclude specific subdomains from vulnerability scanning

IP Addresses

Exclude individual IP addresses or ranges from scans

Wildcard Patterns

Use wildcard patterns to exclude multiple targets

Configuration

Adding Target Exclusions

  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. In the Scan Target Exclusions section, click + Add Exclusion
  3. Enter your exclusion patterns in the text area (one pattern per line)
  4. Click Add to save your exclusions

Target Exclusion Examples

Basic Target Exclusions
staging.company.com
dev.company.com
test.company.com
Wildcard Patterns
*.staging.company.com
dev-*.company.com
test.*.internal.company.com
IP Address Exclusions
192.168.1.100
10.0.0.0/8
172.16.0.0/12
Production Systems
prod.company.com
api.company.com
*.production.company.com

Target Exclusion Use Cases

Exclude development and testing environments to focus scans on production systems:
*.dev.company.com
*.staging.company.com
*.test.company.com
Exclude internal-only systems that don’t require external vulnerability assessment:
*.internal.company.com
192.168.0.0/16
10.0.0.0/8
Exclude third-party managed services or customer environments:
*.amazonaws.com
*.azure.com
customer-*.company.com

Scan Template Exclusions

Overview

Scan Template Exclusions allow you to exclude specific vulnerability templates or CVEs from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.

CVE IDs

Exclude specific CVE vulnerability checks

Template IDs

Exclude specific Nuclei template identifiers
Exact Match Only: Template exclusions require exact template IDs or CVE identifiers. Wildcard patterns are not supported for template exclusions.

Configuration

Adding Template Exclusions

  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. In the Scan Template Exclusions section, click + Add Exclusion
  3. Enter your template exclusion patterns (one pattern per line)
  4. Click Add to save your exclusions

Template Exclusion Examples

CVE Exclusions
CVE-2021-26855
CVE-2016-7981
CVE-2021-1491
Template ID Exclusions
apache-detect
nginx-version
wordpress-detect
exchange-server-rce
drupal-sqli

Template Exclusion Use Cases

Exclude specific templates that consistently produce false positives in your environment:
CVE-2021-26855
exchange-server-rce
specific-template-id
apache-default-page
Exclude specific low-severity or informational checks to focus on critical issues:
apache-detect
nginx-version
server-disclosure
http-title
Exclude specific templates for technologies not present in your environment:
wordpress-detect
drupal-version
joomla-core
sharepoint-detect
Exclude specific older CVEs that are not applicable to your modern infrastructure:
CVE-2010-3972
CVE-2011-3192
CVE-2012-1823
CVE-2013-2251

Pattern Syntax

Target Exclusions - Wildcard Support

Target exclusions support wildcard patterns using the asterisk (*) character:
  • Prefix wildcards: *.staging.company.com
  • Suffix wildcards: test-*.company.com
  • Multiple wildcards: *.staging.*.company.com

Template Exclusions - Exact Match Only

Template exclusions require exact identifiers:
  • CVE IDs: Must match exactly (e.g., CVE-2021-26855)
  • Template IDs: Must match the exact template identifier (e.g., apache-detect)
  • No wildcards: Patterns like CVE-2021-* or *-detect are not supported

Pattern Matching Rules

  • Target patterns are case-insensitive and support wildcards
  • Template patterns are case-sensitive and require exact matches
  • Each line represents a separate exclusion pattern
  • Patterns are matched during the scan planning phase
  • Once excluded, targets/templates will not be included in any scan operations

Managing Exclusions

Viewing Current Exclusions

All active exclusions are displayed in the respective sections of the Scan Exclusions interface as individual items in a list format. Each exclusion shows:
  • The exact pattern configured
  • A remove button (X icon) for easy deletion

Removing Exclusions

To remove individual exclusions:
  1. Navigate to Settings → Scan Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
  2. Locate the exclusion you want to remove in the appropriate section
  3. Click the X icon next to the exclusion pattern
  4. The exclusion will be immediately removed from your configuration
Removing target exclusions will allow those targets to be scanned in future operations. Removing template exclusions will re-enable those vulnerability checks in upcoming scans.

Best Practices

Focus exclusions on systems that shouldn’t be scanned:
  • Development and staging environments
  • Internal management interfaces
  • Third-party managed services
  • Customer-owned infrastructure
Exclude templates that add noise without value:
  • Known false positives for your environment
  • Informational checks for technologies you don’t use
  • Low-priority vulnerabilities that distract from critical issues
  • Legacy CVEs not applicable to your infrastructure
Periodically review and update exclusions:
  • Remove exclusions for systems that now need scanning
  • Add exclusions for new development environments
  • Re-evaluate template exclusions as your infrastructure evolves
  • Monitor scan results to identify new false positive patterns

Important Considerations

Security Impact: Target exclusions prevent vulnerability scanning of specified assets. Ensure excluded targets are secured through other means or don’t require scanning.
Template Coverage: Template exclusions disable specific vulnerability checks. Make sure excluded templates aren’t critical for your security posture.
Performance Optimization: Use exclusions strategically to improve scan performance by focusing on relevant assets and vulnerabilities while reducing noise.

Integration with Scanning Workflows

Scan exclusions integrate seamlessly with all scanning operations and are applied globally across the platform:
  • Automated Scans: Exclusions apply to all automated vulnerability scanning processes
  • Manual Scans: User-initiated scans respect both target and template exclusions
  • Scheduled Scans: All scheduled scan operations honor exclusion patterns
  • Retesting: Vulnerability retesting operations also respect exclusion configurations
Global Application: All exclusion patterns apply to every scanning operation across your organization, ensuring consistent filtering regardless of the scan method or who initiates it.
By implementing scan exclusions, you can optimize your vulnerability scanning operations to focus on relevant targets and vulnerabilities while reducing noise and improving scan performance. This targeted approach ensures your security team can concentrate on the most important security issues affecting your infrastructure.