Automated tools such as Nuclei, Burp Suite’s Intruder, and Ffuf tend to send a very large number of requests per second. Some companies running a bug bounty program may require you to rate-limit your outgoing requests to put less stress on the web server.

Watch this quick video on the importance of rate-limiting (or read the individual instructions below):

Rate-limit Nuclei:

Add the parameter -rate-limit to throttle your requests (e.g. -rate-limit 1 to send one request per second).

For more information read: https://nuclei.projectdiscovery.io/nuclei/get-started/#rate-limits

Rate-limit Burp Suite’s Intruder:

In the “Intruder” tab, go to “Resource Pool” and click on “Create new resource pool”. Set “Maximum concurrent requests” to 1 and “Delay between requests” to 1000 milliseconds.

For more information read: https://portswigger.net/burp/documentation/desktop/tools/intruder/intruder-resource-pool

Rate-limit Ffuf:

Add the parameter -rate to throttle your requests (e.g. -rate 1 to send one request per second).

For more information read: https://github.com/ffuf/ffuf#usage

Rate-limit other tools:

If you are running other tools that send a large number of requests per second (e.g., brute-forcing tools), make sure to read the manual, README, or help page to find out how to apply rate-limiting.
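For your own scripts that have no rate-limit option, here is one way to enforce a requests-per-second cap. This is an added example, not part of the original article: Throttle and run_throttled are hypothetical names, and each task stands in for whatever call sends a single request.

```python
import time


class Throttle:
    """Keeps request starts at least 1/max_per_second seconds apart."""

    def __init__(self, max_per_second, clock=time.monotonic, sleep=time.sleep):
        if max_per_second <= 0:
            raise ValueError("max_per_second must be positive")
        self.interval = 1.0 / max_per_second
        self._clock = clock
        self._sleep = sleep
        self._next_start = None  # earliest time the next request may start

    def wait(self):
        """Block until the next request is allowed; return seconds slept."""
        now = self._clock()
        delay = 0.0
        if self._next_start is not None and now < self._next_start:
            delay = self._next_start - now
            self._sleep(delay)
            now = max(self._clock(), self._next_start)
        # Schedule from the actual start time, so a slow response or a pause
        # never lets the following requests burst to "catch up".
        self._next_start = now + self.interval
        return delay


def run_throttled(tasks, max_per_second, clock=time.monotonic, sleep=time.sleep):
    """Call each task in order, one at a time, under the given rate limit."""
    throttle = Throttle(max_per_second, clock, sleep)
    results = []
    for task in tasks:
        throttle.wait()
        results.append(task())
    return results


if __name__ == "__main__":
    # Constructed stand-ins for requests: each task only reports when it started.
    t0 = time.monotonic()
    offsets = run_throttled([lambda: round(time.monotonic() - t0, 1)] * 3, 2)
    print(offsets)
```

Running tasks one at a time with a one-second interval matches the Burp Suite resource pool settings above (1 concurrent request, 1000 ms delay).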


Please always read the bug bounty brief carefully and check if the program needs you to rate-limit the number of requests you are allowed to send. Otherwise, you risk getting suspended!

Also, keep in mind that ignoring rate limits will reduce your chances of receiving invites to private and new programs.
