← Back to Tools

🌿 Subdomain Finder

Discover subdomains passively via Certificate Transparency logs — no active scanning, no requests sent to the target.

🔒

Results come from crt.sh — a public Certificate Transparency log database. No requests are sent to the target domain. This is entirely passive reconnaissance.

Subdomains are discovered passively via Certificate Transparency logs (crt.sh). No active scanning.

📚 Certificate Transparency & subdomain enumeration

Certificate Transparency (CT) is a Google-led initiative requiring all publicly trusted TLS certificates to be logged in public CT logs. This means every HTTPS certificate ever issued is publicly searchable.

Why security teams use this: CT logs reveal subdomains that may not be in DNS yet, forgotten dev/staging environments, and shadow IT. Finding admin.example.com or old-portal.example.com in CT logs can reveal attack surface that the team didn't know was exposed.

Subdomain takeover: If a subdomain points to an external service (Heroku, S3, GitHub Pages) that's no longer active, an attacker can claim that service and control the subdomain. Monitor your subdomains and remove dangling DNS records.