# Scan Exclusions

> Configure target and template exclusions for vulnerability scanning

## Overview

Scan Exclusions provide granular control over your vulnerability scanning operations by allowing you to exclude specific targets or templates from scans, or to restrict scans to an allowlist of targets. This feature helps optimize scan performance, reduce noise, and focus scanning efforts on relevant assets and vulnerabilities.

The exclusion system operates at two levels, targets and templates, with targets supporting both exclusion and inclusion rules:

* **Scan Target Exclusions**: Prevent specific targets from being scanned
* **Scan Target Inclusions**: Restrict scans to only matching targets (allowlist mode)
* **Scan Template Exclusions**: Prevent specific vulnerability templates from being executed

<Note>
  **Inclusion Patterns**: Target exclusions also support inclusion (allowlist) mode using a `+` prefix. When inclusion patterns are present, only targets matching those patterns will be scanned. See [Target Inclusion Patterns](#target-inclusion-patterns) for details.
</Note>

<Note>
  **Quick Access**: Scan Exclusions are managed in [Settings → Scan Exclusions](https://cloud.projectdiscovery.io/settings/exclusions), available on the same page as Discovery Target Exclusions.
</Note>

## How It Works

Scan exclusions are applied during the vulnerability scanning process, filtering targets and templates before scan execution. This ensures excluded patterns are never scanned or tested, optimizing scan performance and reducing irrelevant results.

<Important>
  **Global Exclusions**: Scan exclusions are applied globally across all vulnerability scanning operations. Once configured, exclusions affect all current and future scans across your organization.
</Important>

## Scan Target Exclusions

### Overview

Scan Target Exclusions allow you to exclude specific targets or patterns from vulnerability scanning. These targets will be skipped during all scan operations, including automated scans, manual scans, and scheduled scans.

<CardGroup cols={3}>
  <Card title="Subdomains" icon="globe">
    Exclude specific subdomains from vulnerability scanning
  </Card>

  <Card title="IP Addresses" icon="network-wired">
    Exclude individual IP addresses or ranges from scans
  </Card>

  <Card title="Wildcard Patterns" icon="asterisk">
    Use wildcard patterns to exclude multiple targets
  </Card>
</CardGroup>

### Configuration

#### Adding Target Exclusions

1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
2. In the **Scan Target Exclusions** section, click **+ Add Exclusion**
3. Enter your exclusion patterns in the text area (one pattern per line)
4. Click **Add** to save your exclusions

#### Target Exclusion Examples

##### Basic Target Exclusions

```
staging.company.com
dev.company.com
test.company.com
```

##### Wildcard Patterns

```
*.staging.company.com
dev-*.company.com
test.*.internal.company.com
```

##### IP Address Exclusions

```
192.168.1.100
10.0.0.0/8
172.16.0.0/12
```

##### Production Systems

```
prod.company.com
api.company.com
*.production.company.com
```

### Target Exclusion Use Cases

<AccordionGroup>
  <Accordion title="Development Environments">
    Exclude development and testing environments to focus scans on production systems:

    ```
    *.dev.company.com
    *.staging.company.com
    *.test.company.com
    ```
  </Accordion>

  <Accordion title="Internal Infrastructure">
    Exclude internal-only systems that don't require external vulnerability assessment:

    ```
    *.internal.company.com
    192.168.0.0/16
    10.0.0.0/8
    ```
  </Accordion>

  <Accordion title="Third-Party Services">
    Exclude third-party managed services or customer environments:

    ```
    *.amazonaws.com
    *.azure.com
    customer-*.company.com
    ```
  </Accordion>
</AccordionGroup>

## Target Inclusion Patterns

### Overview

In addition to excluding targets, you can use **inclusion patterns** to create an allowlist — restricting scans to only the targets that match your specified patterns. This is done by prefixing patterns with `+` in the `exclusions` field when creating a scan via the API.

<Important>
  **Allowlist Behavior**: When any inclusion pattern (prefixed with `+`) is present, the system switches to allowlist mode. Targets that do **not** match at least one inclusion pattern are automatically excluded from the scan — even if they aren't matched by any exclusion pattern.
</Important>

### How Inclusion Works

When inclusion patterns are configured:

1. **Inclusion check first**: Each target is checked against all `+` patterns. If the target does not match any inclusion pattern, it is excluded.
2. **Exclusion check second**: Targets that pass the inclusion check are then checked against exclusion patterns (without `+` prefix). If a target matches an exclusion, it is still excluded.

This allows you to define a broad allowlist and then carve out specific exceptions.

<Note>
  **API-Only Feature**: Inclusion patterns are configured through the API's `exclusions` field when creating a scan (POST /scans) or enumeration. They use the same field as exclusion patterns — the `+` prefix distinguishes inclusions from exclusions.
</Note>

### Inclusion Pattern Examples

#### Include Only Production Targets

Only scan production systems, excluding everything else:

```
+prod-*.company.com
+api.company.com
+*.production.company.com
```

#### Include Specific IP Range

Restrict scanning to a specific network segment:

```
+10.0.1.0/24
+192.168.100.0/24
```

#### Combined Inclusion and Exclusion

Include production systems but exclude a specific staging subdomain that matches the pattern:

```
+prod-*.company.com
+api.company.com
*.staging.company.com
```

In this example:

* `prod-web.company.com` → **scanned** (matches inclusion `+prod-*.company.com`)
* `api.company.com` → **scanned** (matches inclusion `+api.company.com`)
* `prod-web.staging.company.com` → **excluded** (matches inclusion, but also matches exclusion `*.staging.company.com`)
* `other.company.com` → **excluded** (does not match any inclusion pattern)

### Inclusion Use Cases

<AccordionGroup>
  <Accordion title="Scoping to Production Only">
    Restrict scans to production infrastructure when you have a broad target list:

    ```
    +*.prod.company.com
    +api.company.com
    +payments.company.com
    ```
  </Accordion>

  <Accordion title="Network Segment Scanning">
    Scan only specific network segments while excluding everything else:

    ```
    +10.0.1.0/24
    +10.0.2.0/24
    ```
  </Accordion>

  <Accordion title="Combined Scoping">
    Include a broad set of targets but exclude specific subsets:

    ```
    +*.company.com
    *.internal.company.com
    *.dev.company.com
    ```

    This scans all `company.com` subdomains except internal and dev environments.
  </Accordion>
</AccordionGroup>

## Scan Template Exclusions

### Overview

Scan Template Exclusions allow you to exclude specific vulnerability templates or CVEs from being executed during scans. This is useful for avoiding false positives, excluding low-priority vulnerabilities, or skipping checks that are not relevant to your environment.

<CardGroup cols={2}>
  <Card title="CVE IDs" icon="shield-exclamation">
    Exclude specific CVE vulnerability checks
  </Card>

  <Card title="Template IDs" icon="file-code">
    Exclude specific Nuclei template identifiers
  </Card>
</CardGroup>

<Note>
  **Exact Match Only**: Template exclusions require exact template IDs or CVE identifiers. Wildcard patterns are not supported for template exclusions.
</Note>

### Configuration

#### Adding Template Exclusions

1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
2. In the **Scan Template Exclusions** section, click **+ Add Exclusion**
3. Enter your template exclusion patterns (one pattern per line)
4. Click **Add** to save your exclusions

#### Template Exclusion Examples

##### CVE Exclusions

```
CVE-2021-26855
CVE-2016-7981
CVE-2021-1491
```

##### Template ID Exclusions

```
apache-detect
nginx-version
wordpress-detect
exchange-server-rce
drupal-sqli
```

### Template Exclusion Use Cases

<AccordionGroup>
  <Accordion title="False Positive Reduction">
    Exclude specific templates that consistently produce false positives in your environment:

    ```
    CVE-2021-26855
    exchange-server-rce
    specific-template-id
    apache-default-page
    ```
  </Accordion>

  <Accordion title="Low Priority Vulnerabilities">
    Exclude specific low-severity or informational checks to focus on critical issues:

    ```
    apache-detect
    nginx-version
    server-disclosure
    http-title
    ```
  </Accordion>

  <Accordion title="Technology-Specific Exclusions">
    Exclude specific templates for technologies not present in your environment:

    ```
    wordpress-detect
    drupal-version
    joomla-core
    sharepoint-detect
    ```
  </Accordion>

  <Accordion title="Legacy CVE Exclusions">
    Exclude specific older CVEs that are not applicable to your modern infrastructure:

    ```
    CVE-2010-3972
    CVE-2011-3192
    CVE-2012-1823
    CVE-2013-2251
    ```
  </Accordion>
</AccordionGroup>

## Pattern Syntax

### Target Exclusions - Wildcard Support

Target exclusions support wildcard patterns using the asterisk (`*`) character:

* **Prefix wildcards**: `*.staging.company.com`
* **Suffix wildcards**: `test-*.company.com`
* **Multiple wildcards**: `*.staging.*.company.com`

### Target Inclusions - `+` Prefix

Target inclusion patterns use the same syntax as exclusions, prefixed with `+`:

* **Exact match**: `+api.company.com`
* **Wildcard**: `+prod-*.company.com`
* **CIDR range**: `+10.0.0.0/24`
* **IP address**: `+192.168.1.100`

<Note>
  Inclusion and exclusion patterns can be mixed in the same `exclusions` field. The `+` prefix is what distinguishes an inclusion from an exclusion.
</Note>

### Template Exclusions - Exact Match Only

Template exclusions require exact identifiers:

* **CVE IDs**: Must match exactly (e.g., `CVE-2021-26855`)
* **Template IDs**: Must match the exact template identifier (e.g., `apache-detect`)
* **No wildcards**: Patterns like `CVE-2021-*` or `*-detect` are not supported

### Pattern Matching Rules

* **Target exclusion patterns** are case-insensitive and support wildcards
* **Target inclusion patterns** use the `+` prefix with the same wildcard and CIDR support as exclusions
* **Template patterns** are case-sensitive and require exact matches
* Each line represents a separate pattern
* When inclusion patterns are present, targets must match at least one inclusion pattern **and** not match any exclusion pattern
* Patterns are matched during the scan planning phase
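
The two-step evaluation from "How Inclusion Works" and the rules above can be dry-run locally before a pattern list is submitted, to confirm that no asset drops out of scope by accident. The following is an added example, not ProjectDiscovery's implementation: the names `evaluate` and `_matches` are hypothetical, and it assumes `*` matches any run of characters including dots, as the `prod-web.staging.company.com` example on this page implies.

```python
import ipaddress
import re
from typing import List, Tuple


def _matches(pattern: str, target: str) -> bool:
    """True if target matches one pattern (exact, `*` wildcard, IP or CIDR)."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(target) in net
        except ValueError:
            return False  # an IP/CIDR pattern never matches a hostname
    # Assumption: `*` spans dots; target patterns are case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, target, re.IGNORECASE) is not None


def evaluate(target: str, patterns: List[str]) -> Tuple[bool, str]:
    """Return (scanned, reason) for one target against an `exclusions` list."""
    lines = [p.strip() for p in patterns if p.strip()]
    includes = [p[1:] for p in lines if p.startswith("+")]
    excludes = [p for p in lines if not p.startswith("+")]
    # Step 1: allowlist mode is active as soon as any `+` pattern exists.
    if includes and not any(_matches(p, target) for p in includes):
        return False, "no inclusion pattern matched"
    # Step 2: exclusions still apply to targets that passed the allowlist.
    for p in excludes:
        if _matches(p, target):
            return False, f"excluded by {p}"
    return True, "in scope"


# Constructed sample: the combined inclusion/exclusion list from this page.
PATTERNS = ["+prod-*.company.com", "+api.company.com", "*.staging.company.com"]

if __name__ == "__main__":
    for t in ["prod-web.company.com", "api.company.com",
              "prod-web.staging.company.com", "other.company.com"]:
        print(t, evaluate(t, PATTERNS))
```

Running a full asset inventory through `evaluate` and reviewing every target reported as out of scope shows what a new pattern list will leave unscanned.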

## Managing Exclusions

### Viewing Current Exclusions

All active exclusions are displayed in the respective sections of the [Scan Exclusions](https://cloud.projectdiscovery.io/settings/exclusions) interface as individual items in a list format. Each exclusion shows:

* The exact pattern configured
* A remove button (X icon) for easy deletion

### Removing Exclusions

To remove individual exclusions:

1. Navigate to **Settings → Scan Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
2. Locate the exclusion you want to remove in the appropriate section
3. Click the **X** icon next to the exclusion pattern
4. The exclusion will be immediately removed from your configuration

<Note>
  Removing target exclusions will allow those targets to be scanned in future operations. Removing template exclusions will re-enable those vulnerability checks in upcoming scans.
</Note>

## Best Practices

<AccordionGroup>
  <Accordion title="Strategic Target Exclusions">
    Focus exclusions on systems that shouldn't be scanned:

    * Development and staging environments
    * Internal management interfaces
    * Third-party managed services
    * Customer-owned infrastructure
  </Accordion>

  <Accordion title="Template Exclusion Strategy">
    Exclude templates that add noise without value:

    * Known false positives for your environment
    * Informational checks for technologies you don't use
    * Low-priority vulnerabilities that distract from critical issues
    * Legacy CVEs not applicable to your infrastructure
  </Accordion>

  <Accordion title="Regular Review">
    Periodically review and update exclusions:

    * Remove exclusions for systems that now need scanning
    * Add exclusions for new development environments
    * Re-evaluate template exclusions as your infrastructure evolves
    * Monitor scan results to identify new false positive patterns
  </Accordion>

  <Accordion title="Inclusion Pattern Strategy">
    Use inclusion patterns when you want to restrict scan scope rather than exclude individual targets:

    * Prefer inclusions over large exclusion lists when you want to scan a small subset of a broad target list
    * Combine inclusions with exclusions to create precise scoping (e.g., include all production but exclude a specific staging subdomain)
    * Start with broader inclusion patterns and add exclusions for specific exceptions
  </Accordion>
</AccordionGroup>

## Important Considerations

<Warning>
  **Security Impact**: Target exclusions prevent vulnerability scanning of specified assets. Ensure excluded targets are secured through other means or don't require scanning.
</Warning>

<Warning>
  **Template Coverage**: Template exclusions disable specific vulnerability checks. Make sure excluded templates aren't critical for your security posture.
</Warning>

<Tip>
  **Performance Optimization**: Use exclusions strategically to improve scan performance by focusing on relevant assets and vulnerabilities while reducing noise.
</Tip>

## Integration with Scanning Workflows

Scan exclusions integrate seamlessly with all scanning operations and are applied globally across the platform:

* **Automated Scans**: Exclusions apply to all automated vulnerability scanning processes
* **Manual Scans**: User-initiated scans respect both target and template exclusions
* **Scheduled Scans**: All scheduled scan operations honor exclusion patterns
* **Retesting**: Vulnerability retesting operations also respect exclusion configurations

<Note>
  **Global Application**: All exclusion patterns apply to every scanning operation across your organization, ensuring consistent filtering regardless of the scan method or who initiates it.
</Note>

***

By implementing scan exclusions, you can optimize your vulnerability scanning operations to focus on relevant targets and vulnerabilities while reducing noise and improving scan performance. This targeted approach ensures your security team can concentrate on the most important security issues affecting your infrastructure.
