Subdomain Finder

Discover the subdomains of any domain from public Certificate Transparency logs. Every TLS certificate ever issued is logged publicly, so this surfaces the hosts — including forgotten dev, staging, and admin subdomains — that make up your real attack surface.

About this check

Your attack surface is bigger than your homepage. Every subdomain — the staging environment, the old marketing microsite, the internal admin panel someone exposed 'just for a demo' — is another host an attacker can find and probe. And they don't have to guess: when you (or a CDN, or a SaaS integration) request a TLS certificate, the certificate is published to public Certificate Transparency logs along with the hostname it covers. Our subdomain finder reads those logs and gives you the list in seconds.

Certificate Transparency is a public, append-only record of essentially every certificate issued by a trusted CA since 2018. Because browsers now require CT logging, almost any subdomain that has ever been served over HTTPS shows up. That makes it one of the fastest, most reliable passive-recon sources there is — no port scanning, no DNS brute-forcing, no touching the target at all. Attackers use exactly this technique to map an organisation before they probe it; running it on yourself shows you what they'd see.

We don't just dump a list — we flag the subdomains whose names suggest a softer target: dev, staging, test, qa, demo, beta, sandbox (non-production environments that are often less hardened) and admin, internal, vpn, git, jenkins, grafana, db, backup (internal or sensitive surfaces that frequently shouldn't be public at all). A forgotten `staging.yourapp.com` with debug mode on, or an `admin.` panel reachable from the internet, is a classic breach entry point.
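One way to apply the name flagging described above to hostnames already collected from CT logs, as an added example (not SteelSuit's code). It matches the keywords against whole name tokens rather than substrings, so `feedback` is not flagged as `db`; the function name `triage`, the digit-stripping rule and the sample hostnames are assumptions constructed for illustration.

```python
import re

# Keyword lists taken from the paragraph above.
NON_PROD = {"dev", "staging", "test", "qa", "demo", "beta", "sandbox"}
SENSITIVE = {"admin", "internal", "vpn", "git", "jenkins", "grafana", "db", "backup"}

def triage(names, apex):
    """Group certificate names under `apex` by what their labels suggest."""
    apex = apex.lower().rstrip(".")
    report = {"non_production": [], "sensitive": [], "wildcard": [], "other": []}
    seen = set()
    for raw in names:
        host = raw.strip().lower().rstrip(".")
        in_scope = host == apex or host.endswith("." + apex)
        if host in seen or not in_scope:
            continue  # duplicate log entry, or a look-alike outside the domain
        seen.add(host)
        if host.startswith("*."):
            # A wildcard SAN hides the concrete hosts it covers; list it apart.
            report["wildcard"].append(host)
            continue
        sub = host[: -len(apex)].rstrip(".")
        # Split on '.', '-' and '_' and drop trailing digits: db01 -> db, dev2 -> dev.
        tokens = {re.sub(r"\d+$", "", t) for t in re.split(r"[.\-_]", sub)}
        flagged = False
        if tokens & NON_PROD:
            report["non_production"].append(host)
            flagged = True
        if tokens & SENSITIVE:
            report["sensitive"].append(host)
            flagged = True
        if not flagged:
            report["other"].append(host)
    return report

# Constructed sample input, in the shape of names read from certificates.
SAMPLE = [
    "www.example.com", "staging.example.com", "STAGING.example.com.",
    "db01.eu.example.com", "feedback.example.com", "latest.example.com",
    "admin-dev2.example.com", "*.apps.example.com", "example.com.other.test",
]

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE, "example.com").items():
        print(f"{group}: {hosts}")
```

A host can land in both flagged groups, as `admin-dev2.example.com` does here.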

One honest limitation: CT logs only show hosts that obtained a TLS certificate. Subdomains that are served over plain HTTP, sit behind a wildcard cert with no distinct SAN, or were never issued a cert won't appear here. A full SteelSuit scan goes further: it runs active subdomain enumeration across 30+ passive sources plus DNS resolution and live-host probing, and then checks each live host for subdomain takeover and other issues. This free tool is the fast first look; the full scan is the complete map.