Diagnostic suite · live

Subdomain Finder

Enumerate subdomains via public Certificate Transparency logs.

About the Subdomain Finder

The Subdomain Finder discovers subdomains for any public domain by querying Certificate Transparency (CT) logs. Every time an SSL/TLS certificate is issued for a hostname, it's recorded in public CT logs that anyone can search. This makes it possible to enumerate a domain's attack surface — including internal-sounding subdomains like `staging`, `admin`, `internal`, `vpn` or `backup` — without ever sending a packet to the target's infrastructure.

Security researchers, bug bounty hunters, penetration testers, red teams and asset-management engineers use subdomain enumeration to build a complete inventory of a target's public assets. Even blue teams run these searches against their own domain regularly, to catch shadow IT and forgotten certificates issued by former vendors. Because CT queries are passive, this technique is safe for authorized reconnaissance and doesn't tip off the target.

Not every subdomain in CT logs is still live — certificates from years ago may reference systems that were retired long ago. Combine this tool with our DNS Lookup and Domain to IP tools to verify which subdomains actually resolve today, and with SSL Checker to confirm the current certificate posture of each host.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Passive discovery via Certificate Transparency logs
  • No packets sent to the target — safe for reconnaissance
  • Surfaces staging, admin, VPN and forgotten hosts
  • Ideal for attack-surface management and bug bounty
Related searches: subdomain finder · subdomain enumeration · subdomain lookup · certificate transparency search · crt.sh alternative · asset discovery

Frequently asked questions

Certificate Transparency (CT) is a public, append-only log of every SSL/TLS certificate issued by public certificate authorities. Browsers require CAs to log every certificate they issue, which makes it possible to search for all certificates ever issued for a domain.