How does the subdomain finder work?

It searches public Certificate Transparency (CT) logs via crt.sh for certificates issued to the domain, then extracts and de-duplicates every hostname under it — a passive method that never touches the target.

Will this find every subdomain?

It finds subdomains that have appeared in a public TLS certificate. Internal hosts that never received a public certificate will not show up, so treat the list as a strong starting point rather than an exhaustive map.

Does Certificate Transparency cover every subdomain?

It covers subdomains that have appeared in a publicly trusted certificate, which is most internet-facing services. Hosts that never received a public certificate will not appear, so pair it with DNS techniques for full coverage.

Does the tool scan or attack the domain?

No. It only reads public Certificate Transparency logs, so no traffic is ever sent to the domain you enter — it is completely passive.

Why do some results include wildcard entries?

Certificates can cover *.example.com. The wildcard prefix is stripped so you see the base domain, indicating a wildcard certificate exists for that level.

Can I enumerate subdomains of any domain?

Yes, because CT logs are public. Only run follow-up active testing against domains you own or are authorized to assess.

Subdomain Finder

Enter a domain to enumerate its subdomains from Certificate Transparency logs.

Updated June 2026

Domain

Passive lookup from public Certificate Transparency logs — no scanning of the target.

How to use Subdomain Finder

The Subdomain Finder enumerates the subdomains of any domain by searching public Certificate Transparency logs. Every time a website obtains a TLS certificate, the certificate authority publishes it to append-only CT logs that anyone can search — and those certificates list the exact hostnames they cover. By querying these logs for a domain, the tool reveals subdomains like api., staging., mail., and vpn. that have appeared in a certificate, without ever sending a packet to the target. This passive approach is fast, safe, and remarkably thorough, making it a staple of reconnaissance, security audits, and attack-surface mapping.

Enter the root domain you want to enumerate, like example.com.
Click Find to search Certificate Transparency logs.
Review the de-duplicated list of discovered subdomains.
Note the total count to size the public footprint.
Feed interesting hosts into DNS or TLS checks for more detail.

How Certificate Transparency reveals subdomains

Certificate Transparency (CT) is a public auditing system: certificate authorities must log every certificate they issue to tamper-evident logs that anyone can query. Because each certificate lists the hostnames it secures in the Subject and Subject Alternative Name fields, searching the logs for a domain returns the subdomains that have ever been certified — including wildcards and short-lived hosts. This makes CT one of the richest passive sources for subdomain discovery, and unlike brute forcing it produces no traffic to the target.

What CT logs will and won’t find

CT-based enumeration finds any subdomain that has appeared in a publicly trusted TLS certificate, which today covers the vast majority of internet-facing services. It will not reveal hosts that have never been issued a public certificate — for example internal services behind a VPN, or sites using only self-signed certificates. For that reason CT discovery is best combined with DNS enumeration and other techniques when you need an exhaustive map, but as a fast first pass it is hard to beat.

Subdomain discovery methods
Method	Traffic to target	Coverage
Certificate Transparency	None (passive)	Anything ever certified
DNS brute force	High (active)	Only guessed names
Zone transfer	Active	Everything, if misconfigured

Glossary

Subdomain: A host under a domain, such as api.example.com beneath example.com.
Certificate Transparency: Public logs that record every TLS certificate a CA issues.
SAN: Subject Alternative Name — the certificate field listing covered hostnames.
Attack surface: The set of exposed hosts and services an attacker could target.
Wildcard certificate: A certificate covering all first-level subdomains, like *.example.com.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use Subdomain Finder?

Discover subdomains passively from public certificate logs
Map an organization’s public attack surface in seconds
Surface forgotten staging, dev, and admin hosts that may be exposed
Avoid noisy active scanning that can trip security alerts

Common use cases

Build a subdomain inventory before a penetration test or security audit
Find development and staging hosts that were never meant to be public
Track new subdomains an organization exposes over time
Check your own domain for forgotten hosts that widen your attack surface
Gather targets for further DNS, SSL, and HTTP investigation

Related Network & DNS

DNS Lookup Tool

Look up DNS records for any domain — A, AAAA, MX, NS, TXT, CNAME, SOA, and CAA records. Free, instant results pulled from authoritative nameservers.

SSL Certificate Checker

Free SSL checker — verify any site's SSL/TLS certificate validity, issuer, chain, and expiry date with days remaining. Catch expiring certs early.

DNS Propagation Checker

Check if your DNS changes have propagated worldwide. Test A, MX, and NS records across 8 global DNS servers to confirm updates are live everywhere.

What Is My IP Address?

Instantly find your public IP address. Shows your IPv4 address as seen by websites and servers, plus quick details about your connection.

HTTP Headers Checker

View HTTP response headers for any URL. Check status codes, security headers, caching, redirects, and server details instantly. Free and private.

Website Up or Down Checker

Check if a website is down for everyone or just you. Instantly test whether any URL is reachable and see its HTTP status code in real time.

Explore all Network & DNS.