Subdomain Finder
Enumerate subdomains via public Certificate Transparency logs.
About the Subdomain Finder
The Subdomain Finder discovers subdomains for any public domain by querying Certificate Transparency (CT) logs. Every time an SSL/TLS certificate is issued for a hostname, it's recorded in public CT logs that anyone can search. This makes it possible to enumerate a domain's attack surface — including internal-sounding subdomains like `staging`, `admin`, `internal`, `vpn` or `backup` — without ever sending a packet to the target's infrastructure.
Security researchers, bug bounty hunters, penetration testers, red teams and asset-management engineers use subdomain enumeration to build a complete inventory of a target's public assets. Even blue teams run these searches against their own domain regularly, to catch shadow IT and forgotten certificates issued by former vendors. Because CT queries are passive, this technique is safe for authorized reconnaissance and doesn't tip off the target.
Not every subdomain in CT logs is still live — certificates from years ago may reference systems that were retired long ago. Combine this tool with our DNS Lookup and Domain to IP tools to verify which subdomains actually resolve today, and with SSL Checker to confirm the current certificate posture of each host.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- Passive discovery via Certificate Transparency logs
- No packets sent to the target — safe for reconnaissance
- Surfaces staging, admin, VPN and forgotten hosts
- Ideal for attack-surface management and bug bounty