Subdomain Finder
Discover subdomains for any domain from public Certificate Transparency logs - including forgotten staging, dev, admin and API hosts. Free, no signup.
CT-log discovery
Pulls every hostname ever issued a certificate from public transparency logs.
SAN extraction
Expands Subject Alternative Names and wildcards into the full host list.
Risk flags
Highlights suspicious or unexpected subdomains and unusual issuing CAs.
Passive & safe
Uses public logs only - no brute-forcing or traffic to your servers.
FAQ
How does Certificate Transparency find subdomains?
Every TLS certificate issued by a public CA is logged to append-only Certificate Transparency logs. Because certificates name the hosts they cover, those logs reveal subdomains - even ones not linked anywhere public.
Will this find every subdomain?
It finds every subdomain that was ever issued a publicly-trusted certificate. Hosts behind internal CAs or with no certificate won't appear - but CT logs catch the vast majority of internet-facing subdomains.
Why do forgotten subdomains matter?
Stale staging., dev. or old. hosts often run outdated software or point at de-provisioned cloud resources, making them prime targets for takeover. Discovering them is the first step to securing them.
That's Just the Beginning
FREEThis Subdomain Finder scan caught some issues. Run a Full Security Scan to uncover hidden threats like exposed secrets, malicious scripts, and supply chain attacks this quick check missed.