
Subdomain Finder

Discover every subdomain for any domain using Certificate Transparency logs. Find staging servers, API endpoints, and forgotten services.

Certificate Transparency Discovery

Every SSL/TLS certificate issued by a trusted CA gets logged in public Certificate Transparency logs. We query these logs to find every subdomain that has ever had a certificate.

  • Queries crt.sh public CT log database
  • Passive reconnaissance — no traffic sent to target
  • Finds subdomains that brute-forcing misses
  • Certificate history with first/last seen dates

  • CT Log Query: Search certificate transparency logs
  • SAN Extraction: Parse Subject Alternative Names
  • Deduplication: Unique subdomains with cert counts
  • Timeline Tracking: First seen and last seen dates

Attack Surface Mapping

Forgotten subdomains are one of the most common attack vectors. Staging servers, old API versions, and internal tools left exposed create openings for attackers.

  • Discover forgotten staging and dev environments
  • Find internal services exposed to the internet
  • Identify old API endpoints and legacy services
  • Map your complete external footprint
Example Discovery
$ subdomain-finder example.com

47 subdomains found

api.example.com
app.example.com
auth.example.com
blog.example.com
cdn.example.com
dashboard.example.com
dev.example.com
docs.example.com
mail.example.com
staging.example.com
test.example.com
internal.example.com
...

Export & Analysis

Copy the full subdomain list to your clipboard or export as CSV for further analysis. Filter and search through results to find exactly what you need.

  • One-click copy all subdomains
  • Export results as CSV with full metadata
  • Filter by subdomain name in real time
  • Sort by name, date, or certificate count
Export Formats
  • Copy to Clipboard: One per line
  • CSV Export: Full metadata
  • Search & Filter: Real-time
  • Column Sorting: Name / Date / Certs

What Is Subdomain Enumeration?

Subdomain enumeration is the process of finding all subdomains that belong to a domain. Every subdomain — staging.example.com, api-v2.example.com, jenkins.internal.example.com — is a potential entry point. Attackers use subdomain discovery as the first step of reconnaissance because forgotten or misconfigured subdomains are one of the easiest things to exploit.

A free online subdomain finder automates this process. Instead of guessing subdomain names, it queries public data sources that already know which subdomains exist. The most reliable source is Certificate Transparency logs — public records of every SSL/TLS certificate issued by trusted Certificate Authorities.

How Certificate Transparency Subdomain Discovery Works

Since 2018, every certificate issued by a publicly trusted CA must be logged to at least two CT logs before browsers accept it (RFC 9162). This creates a complete, searchable record of every subdomain that has ever had a certificate.

When you enter a domain into this subdomain finder, it queries the crt.sh database — which aggregates logs from Google Argon, Cloudflare Nimbus, DigiCert Yeti, and others. For each certificate, it extracts the Subject Alternative Names (SANs) — the actual subdomain entries. After deduplication, you get a clean list of every subdomain with certificate history.

This is passive reconnaissance. No traffic is sent to the target domain. The data is entirely public. That's why CT-based enumeration is the standard first step in both authorized penetration testing and bug bounty programs.
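The SAN extraction and deduplication steps described above, as an added example (not this tool's own code) for auditing a domain you operate. It assumes the `id`, `name_value` and `not_before` fields of crt.sh JSON output, uses `not_before` as the seen date, and runs on a constructed sample rather than live log data; `summarize` is a hypothetical helper name.

```python
import json
from collections import defaultdict

# Constructed sample shaped like crt.sh JSON output (?q=%25.example.com&output=json).
SAMPLE = json.dumps([
    {"id": 1, "name_value": "example.com\nwww.example.com", "not_before": "2021-03-01T00:00:00"},
    {"id": 2, "name_value": "*.example.com\nAPI.example.com", "not_before": "2022-06-10T00:00:00"},
    {"id": 3, "name_value": "staging.example.com", "not_before": "2019-01-15T00:00:00"},
    {"id": 4, "name_value": "api.example.com\nadmin@example.com", "not_before": "2024-02-20T00:00:00"},
    {"id": 5, "name_value": "api.example.com.", "not_before": "2024-02-20T00:00:00"},
    {"id": 6, "name_value": "notexample.com", "not_before": "2023-01-01T00:00:00"},
])

def summarize(raw_json, domain):
    """Return (hosts, wildcards) for names at or under `domain`."""
    domain = domain.lower().rstrip(".")
    cert_ids, dates, wildcards = defaultdict(set), defaultdict(list), set()
    for entry in json.loads(raw_json):
        # name_value holds one or more names separated by newlines.
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:      # skip blanks and email-style entries
                continue
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Compare on a label boundary so notexample.com is not matched.
            if base != domain and not base.endswith("." + domain):
                continue
            if is_wildcard:
                wildcards.add(name)          # hosts behind it are not listed in CT
                continue
            cert_ids[name].add(entry["id"])  # set: one certificate counted once
            dates[name].append(entry["not_before"])
    hosts = {n: {"certs": len(cert_ids[n]),
                 "first_seen": min(dates[n]),
                 "last_seen": max(dates[n])} for n in sorted(cert_ids)}
    return hosts, wildcards

if __name__ == "__main__":
    hosts, wildcards = summarize(SAMPLE, "example.com")
    for name, info in hosts.items():
        print(name, info)
    print("wildcards:", sorted(wildcards))
```

A wildcard entry is reported separately because the hosts it covers never appear by name in the logs, so the host list alone understates the footprint.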

5 Methods for Finding Subdomains

CT log queries are the most reliable method, but security professionals combine multiple techniques:

Method | How It Works | Pros | Cons
CT Log Query | Searches public certificate records | Passive, finds real subdomains | Misses HTTP-only services
DNS Brute Force | Tries common names (admin, staging, dev) | Finds non-HTTPS subdomains | Noisy, limited by wordlist
Search Engine Dorking | site:*.example.com in Google | Finds indexed pages | Incomplete, rate-limited
DNS Zone Transfer | Requests full zone file from nameserver | Gets everything if allowed | Rarely works (properly configured servers block it)
Web Archives | Checks Wayback Machine for historical subdomains | Finds deleted subdomains | Historical data, may be stale

This tool uses the CT log method. For deeper enumeration, tools like subfinder and Sublist3r combine multiple data sources in a single scan.

Using Subdomain Findings for Bug Bounty

Subdomain discovery is the most common first step in bug bounty recon. Here's what to look for once you have a subdomain list:

  • Subdomain takeover: A subdomain points to a service (Heroku, S3, Azure) that's been deprovisioned. If you can claim that service, you control the subdomain. Check for CNAME records pointing to unclaimed resources.
  • Exposed admin panels: Subdomains like admin.*, jenkins.*, grafana.*, or kibana.* often have weaker access controls than the main application.
  • Staging and development servers: staging.*, dev.*, test.* environments frequently run with debug mode enabled, default credentials, or outdated software.
  • API endpoints: api-v1.*, api-internal.* may expose deprecated or undocumented API versions without proper authentication.
  • Forgotten services: Subdomains with old "Last Seen" dates in CT logs may be running unpatched software that nobody monitors.

Always ensure you have explicit authorization before testing discovered subdomains. CT log data is public, but interacting with the services requires permission.

What Is Subdomain Takeover?

Subdomain takeover happens when a subdomain's DNS record (usually a CNAME) points to an external service that no longer exists. If an attacker registers that service, they control the subdomain.

Common takeover targets include AWS S3 buckets, GitHub Pages, Heroku apps, Azure Blob Storage, and Shopify stores. The subdomain blog.example.com might CNAME to example.herokuapp.com — if that Heroku app was deleted but the DNS record wasn't removed, anyone can create a new Heroku app with that name and serve content under blog.example.com.

After running a subdomain scan, check each discovered subdomain's DNS records for dangling CNAMEs. Tools like subjack and can-i-take-over-xyz automate this check.
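One way to run the dangling-CNAME check on your own zone, as an added example that is not code from this tool or from the tools named above: it reconciles a zone export against an inventory of hosted resources you still own. The zone lines, the inventory, the suffix list and the function names are all constructed for illustration, and the suffix list is not exhaustive.

```python
# Suffixes for the hosted services named above (assumed, not exhaustive).
PROVIDER_SUFFIXES = {
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "AWS S3",
    "github.io": "GitHub Pages",
    "blob.core.windows.net": "Azure Blob Storage",
    "myshopify.com": "Shopify",
}

# Constructed zone export in "name TTL IN TYPE target" form.
ZONE = """\
blog.example.com.    300 IN CNAME example.herokuapp.com.
docs.example.com.    300 IN CNAME example-docs.github.io.
assets.example.com.  300 IN CNAME example-assets.s3.amazonaws.com.
www.example.com.     300 IN A     192.0.2.10
mail.example.com.    300 IN CNAME mail.example.net.
"""

# Constructed inventory of hosted resources the organisation still owns.
ACTIVE = {"example-docs.github.io", "example-assets.s3.amazonaws.com"}

def provider_for(target):
    """Return the provider name if target sits under a known service suffix."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None

def find_dangling(zone_text, active_resources):
    """List (name, target, provider) for CNAMEs to resources not in inventory."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3].upper() != "CNAME":
            continue                      # only CNAME records can dangle this way
        name = fields[0].rstrip(".").lower()
        target = fields[4].rstrip(".").lower()
        provider = provider_for(target)
        if provider and target not in active_resources:
            findings.append((name, target, provider))
    return findings

if __name__ == "__main__":
    for name, target, provider in find_dangling(ZONE, ACTIVE):
        print(f"{name} -> {target} ({provider}): not in inventory, remove or re-provision")
```

Each finding is a record to delete or a resource to re-provision; CNAMEs to targets outside the suffix list, such as mail.example.net here, still need a separate ownership review.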

Check Your Other Security Layers Too

Subdomain discovery is one step. Check your SSL/TLS certificates, DNS security configuration, and HTTP security headers for a complete security picture.