Find Subdomains
Searching...
Subdomains Found
0 foundDiscover All Subdomains of Any Website
Use certificate transparency logs to find subdomains for security research, SEO analysis, and reconnaissance
Subdomain enumeration is a critical step in security assessments and SEO audits. Our tool queries certificate transparency logs (crt.sh) to discover subdomains that have been issued SSL certificates. This reveals both active and historical subdomains.
Features
CT Log Search
Searches certificate transparency databases for issued certificates.
Comprehensive Results
Finds subdomains including staging, dev, API, and internal endpoints.
Deduplicated
Removes duplicate entries and sorts results alphabetically.
Fast Search
Returns results quickly by querying the crt.sh database.
Use Cases
- Security audits — discover your complete attack surface.
- SEO analysis — find all indexed subdomains of competitors.
- Migration planning — identify all active subdomains before DNS changes.
- DNS cleanup — find abandoned subdomains that should be removed.
- Bug bounty — scope reconnaissance for security testing.
Frequently Asked Questions
How does this work?
We query certificate transparency logs via crt.sh. When SSL certificates are issued, they are logged publicly. This lets us find all subdomains that have ever had an SSL certificate.
Will it find all subdomains?
It finds subdomains that have SSL certificates. Subdomains without certificates (HTTP-only, internal) may not appear. Other techniques like DNS brute-forcing can find more.
Is this legal?
Yes, querying certificate transparency logs is completely legal and is by design a public service. The data is publicly accessible.