Subdomain Finder
Discover subdomains for any domain using Certificate Transparency logs. Uncover hidden attack surface and forgotten assets.
What is subdomain enumeration?
Subdomain enumeration is the process of discovering valid subdomains for a target domain. Subdomains often host staging environments, admin panels, APIs, or legacy applications that may have weaker security controls than the main site.
What are Certificate Transparency logs?
Certificate Transparency (CT) is a framework that requires Certificate Authorities to publicly log every SSL/TLS certificate they issue. By searching these logs, security researchers can discover subdomains that have had certificates issued for them, revealing otherwise hidden infrastructure.
Why does subdomain discovery matter?
Forgotten or unmonitored subdomains are a leading cause of data breaches. Attackers look for staging servers, old APIs, and test environments that may run outdated software or lack proper access controls. Regular subdomain audits help organizations reduce their attack surface.
How to secure your subdomains
Maintain an inventory of all active subdomains and decommission unused ones. Apply the same security standards (SSL, headers, patching) to subdomains as your main domain. Use wildcard monitoring to detect unauthorized subdomain creation.
FAQ
Frequently asked questions
How does this subdomain finder work?+
This tool queries Certificate Transparency logs to find SSL/TLS certificates that have been issued for subdomains of your target domain. Any subdomain that has ever had a certificate issued will appear in the results.
Is subdomain discovery legal?+
Yes. Certificate Transparency logs are public records maintained for internet security. Querying them is legal and is standard practice in security assessments. However, always ensure you have authorization before performing any further testing on discovered subdomains.
Why is this a Pro feature?+
Subdomain discovery queries external Certificate Transparency log databases and can return large result sets. Pro subscriptions help us cover the infrastructure costs of providing this service reliably.
How many subdomains can be found?+
Results are capped at 200 unique subdomains per query. Large organizations may have thousands of subdomains in CT logs. The results are sorted alphabetically and deduplicated.
Are wildcard subdomains included?+
Wildcard entries (e.g., *.example.com) from certificates are included in the results. These indicate the domain uses wildcard certificates, which cover any subdomain under that pattern.
Subdomain Finder is just the start.
CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.
Free full scan — no signup →