LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  SUBDOMAIN FINDER

Subdomain Finder

Passive enumeration via certificate transparency logs (crt.sh). No port scanning, no DNS brute-force — only public certificate data. Safe to run against any third-party domain.

    What it does

    Certificate transparency logs are public records of every SSL/TLS certificate issued by a CA. Because most subdomains end up with a certificate at some point, querying these logs reveals subdomains that traditional reconnaissance (DNS brute-force, port scanning) might miss — and does so without sending a single packet to the target. Our finder queries crt.sh, deduplicates the results, and returns the full unique list. Safe to run against any target domain because nothing reaches the target itself.

    How to use it

    1. Enter a domain (e.g. example.com) — apex only, no protocol.
    2. Click "Find subdomains" — crt.sh queries take 10–25 seconds depending on result count.
    3. Browse the list — sorted alphabetically.
    4. Click "Copy all to clipboard" for bulk export.
    5. Cross-reference results with our HTTP Headers Checker or SSL Inspector to deep-dive specific subdomains.

    Common use cases

    Attack-surface mapping For authorized pentests, certificate transparency reveals subdomains that aren’t in DNS wordlists (custom internal names, dev environments).
    Bug-bounty recon Most modern bug-bounty methodologies start with passive enum — crt.sh is the canonical source.
    Vendor third-party risk See what subdomains a vendor has — sometimes reveals related products or internal codenames.
    Acquisition due-diligence Pre-acquisition, mapping an acquiree’s subdomain footprint reveals tech-stack details and forgotten infrastructure.

    Frequently asked questions

    Is this legal against any domain? +
    Yes — certificate transparency logs are public records. You’re not scanning the target; you’re reading a public ledger that crt.sh aggregates.
    Will I miss subdomains that never had a cert? +
    Yes. Some subdomains never get issued an HTTPS cert (internal-only, HTTP-only). Combine with DNS brute-force tools like amass for full coverage.
    Are wildcards expanded? +
    No. *.example.com appears as a single entry meaning “a wildcard cert exists,” not the discovery of every subdomain it covers.
    Why does the query take 25 seconds sometimes? +
    crt.sh queries large TLDs and large CT log volumes. They have rate limits and occasional slow database responses. Retry if it times out.
    How fresh are results? +
    Within minutes of CA issuance — every CA logs to multiple CT logs in near real-time per the browser-vendor requirements.

    Related tools

    Related coverage on Ciphers Security

    Free for everyone, no signup required. Tool runs at /tools/subdomain-finder/ — bookmark or share.

    Scroll to Top