Every subdomain is a separate entry point to a website's infrastructure. Security researchers enumerate subdomains to find forgotten staging environments, exposed internal tools and unpatched legacy services. SEO professionals map subdomains to understand a competitor's infrastructure. DevOps teams audit subdomains to maintain visibility over their own assets.
Our free Subdomain Finder does all of this in seconds using Certificate Transparency logs — no installation, no API key, no command line required.
The Fastest Free Method: Certificate Transparency Logs
Certificate Transparency (CT) logs are public, append-only records of the SSL/TLS certificates issued by trusted Certificate Authorities. They are specified in RFC 6962 and required by browser security policies: a certificate must be logged before browsers will trust it.
Since HTTPS is now near-universal, CT logs capture 90–95% of all active subdomains. Querying crt.sh (the largest public CT log aggregator) gives you a comprehensive list of every subdomain that has ever had an SSL certificate issued for it — including the date ranges when certificates were active.
The query is simple: https://crt.sh/?q=%.example.com&output=json returns all certificates matching that wildcard domain in JSON format. Our tool does this automatically and deduplicates the results.
What the Results Tell You
Active subdomains: names that still resolve in DNS are live services. These are current infrastructure: APIs, portals, staging environments, CDN endpoints.
Inactive subdomains: names with certificates in CT logs but no current DNS record are historical. These reveal what used to exist: old apps, former product names, decommissioned services. Historically, many major security vulnerabilities have been found on forgotten subdomains.
First and last seen dates: the certificate validity dates show when a subdomain was first deployed and most recently renewed. A subdomain last seen years ago is likely abandoned.
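An added example, not the Subdomain Finder's own code: deduplicating crt.sh JSON rows for a domain you audit, deriving first/last seen from the certificate validity dates, and splitting names by current DNS resolution. The sample rows are constructed, and the function names summarize, resolves and classify are assumptions of this example.

```python
import json
import socket
from datetime import datetime

# Constructed sample in the shape of crt.sh's output=json rows (not real data).
SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2023-05-30T23:59:59"},
    {"name_value": "*.example.com\nexample.com",
     "not_before": "2022-11-01T00:00:00", "not_after": "2023-01-30T23:59:59"},
    {"name_value": "WWW.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"name_value": "old-portal.example.com",
     "not_before": "2019-06-01T00:00:00", "not_after": "2019-08-30T23:59:59"},
    {"name_value": "api.example.org",  # unrelated SAN on a shared certificate
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])

def summarize(raw_json, domain):
    """Deduplicate names; return {name: (first_seen, last_seen)}."""
    domain = domain.lower()
    seen = {}
    for cert in json.loads(raw_json):
        start = datetime.fromisoformat(cert["not_before"])
        end = datetime.fromisoformat(cert["not_after"])
        # name_value can hold several names separated by newlines.
        for name in cert["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard names no host; keep its parent
            if name != domain and not name.endswith("." + domain):
                continue  # out-of-scope name, skip it
            first, last = seen.get(name, (start, end))
            seen[name] = (min(first, start), max(last, end))
    return seen

def resolves(name):
    """True if the name currently resolves in DNS."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def classify(seen, resolver=resolves):
    """Split names into active (resolve now) and inactive (CT history only)."""
    report = {"active": [], "inactive": []}
    for name in sorted(seen):
        report["active" if resolver(name) else "inactive"].append(name)
    return report
```

Names that land in the inactive list with an old last-seen date are the ones to review for leftover DNS records or decommissioning. Pass a stub as resolver to run the classification without touching the network.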
What CT Logs Miss
Subdomains that have never had an SSL certificate will not appear in CT logs. This includes HTTP-only subdomains (increasingly rare) and internal services using self-signed certificates. For comprehensive enumeration, combine CT log results with DNS brute-forcing — trying common subdomain names (www, mail, api, dev, staging, admin) against the domain's DNS.
Use Cases
Security auditing: Find every externally-facing entry point to your infrastructure. Forgotten subdomains pointing to decommissioned services are a primary source of subdomain takeover vulnerabilities.
Bug bounty hunting: CT log enumeration is standard practice in the recon phase. Discovering subdomains not in scope documentation often reveals high-value targets.
Competitive research: Understanding a competitor's subdomain structure reveals product lines, infrastructure choices, geographic deployments and third-party services.
Try It Now
Our free Subdomain Finder queries CT logs directly from your browser, checks live DNS resolution for each result, and shows first/last seen dates — all with copy buttons and CSV export. No signup required.


