
Subdomain Enumeration + Attack-Surface Monitoring: Finding the Forgotten Subdomain That Kills You


Pentestas Team

Security Analyst

4/21/2026

2026-04-21 · Pentestas Features

Old subdomains never die. They just wait for a takeover. Here's how Pentestas finds every subdomain you've ever published + catches takeovers before attackers do.

Discovered subdomains (anonymised sample):

| Subdomain | Response | Verdict |
| --- | --- | --- |
| www.acme.com | 200, nginx | live · expected |
| api.acme.com | 200, Envoy | live · expected |
| beta2019.acme.com | 404 | forgotten |
| blog.acme.com | CNAME acme.github.io | TAKEOVER (GitHub Pages gone) |
| internal-admin.acme.com | 200 | should not be public! |
| staging.api.acme.com | 200 | test data · scope? |
| dev-sandbox-old.acme.com | DNS timeout | dead |

The live + the dead + the forgotten. All three are attack-surface signals.

Pentestas's subdomain enumeration module continuously discovers every subdomain under your verified domains, enriches each with live-status + WAF fingerprint + open-port data, and flags the subdomain-takeover cases that turn abandoned DNS into attacker-controlled content under your brand.


The discovery sources

Pentestas queries and merges:

  • **Certificate transparency** — every TLS certificate ever issued for a subdomain under your domain is visible in public CT logs (crt.sh, Cert Spotter). This is the single densest source of historical subdomain data.
  • **Passive DNS** — SecurityTrails, VirusTotal, RiskIQ PassiveTotal aggregate years of DNS resolution observations.
  • **Active brute-force** — a ~120,000-entry wordlist of common subdomain labels (api, admin, staging, legacy, v1, v2, internal, vpn, mail, …) run against your DNS.
  • **Wayback Machine** — historical URLs the Internet Archive crawled. Often contains references to subdomains that have since been decommissioned but whose DNS remains.
  • **Google / Bing dorks** — site:acme.com SERP extraction pulls subdomains mentioned in indexed content.
  • **ASN sweep** — PTR records across IP ranges your org owns (Enterprise).

Sources are deduped + scored. Each finding carries the list of sources that confirmed it so you know how high-confidence the discovery is.
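To make the dedupe-and-score step concrete, here is an added example (not Pentestas code) of the merge: raw hits from several sources are normalised to bare lowercase hostnames, look-alike domains outside the apex are dropped, and each surviving name carries the list of sources that confirmed it. The source labels and the per-source hit lists are constructed sample data.

```python
# Added example (not Pentestas code): merge subdomain candidates from several
# discovery sources, normalise them, dedupe, and score each name by how many
# independent sources confirmed it. All inputs below are constructed samples.
from collections import defaultdict
from typing import Optional

# Constructed sample output, one list per source (source labels are assumptions).
SOURCE_RESULTS = {
    "ct_logs": ["www.acme.com", "API.acme.com", "*.beta2019.acme.com",
                "blog.acme.com", "www.acme.com."],
    "passive_dns": ["api.acme.com", "blog.acme.com", "dev-sandbox-old.acme.com"],
    "bruteforce": ["api.acme.com", "internal-admin.acme.com", "mail.acme.com"],
    "wayback": ["http://blog.acme.com/2019/post", "https://beta2019.acme.com/"],
    "dorks": ["staging.api.acme.com", "notacme.com", "acme.com.evil.example"],
}

def normalise(candidate: str, apex: str) -> Optional[str]:
    """Reduce a raw hit to a bare lowercase hostname under `apex`, or None."""
    name = candidate.strip().lower()
    # Wayback and dork hits are often full URLs: strip scheme and path.
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0]
    name = name.rstrip(".")            # drop the trailing dot of an FQDN
    # CT logs carry wildcard certificates; the wildcard label is not a host.
    if name.startswith("*."):
        name = name[2:]
    # Accept only the apex itself or names ending in ".<apex>", so that
    # look-alikes such as acme.com.evil.example cannot slip into the inventory.
    if name == apex or name.endswith("." + apex):
        return name
    return None

def merge_sources(results: dict, apex: str) -> list:
    """Dedupe across sources; each finding lists the sources that confirmed it."""
    seen = defaultdict(set)
    for source, hits in results.items():
        for hit in hits:
            name = normalise(hit, apex)
            if name is not None:
                seen[name].add(source)
    findings = [
        {"subdomain": name, "sources": sorted(srcs), "confidence": len(srcs)}
        for name, srcs in seen.items()
    ]
    # Highest-confidence findings first, then alphabetical for stable output.
    findings.sort(key=lambda f: (-f["confidence"], f["subdomain"]))
    return findings

if __name__ == "__main__":
    for f in merge_sources(SOURCE_RESULTS, "acme.com"):
        print(f"{f['confidence']}  {f['subdomain']:32} {','.join(f['sources'])}")
```

Note that two hits from the same source (www.acme.com with and without the trailing dot) still count as one confirming source; confidence measures independent corroboration, not raw hit count.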


Per-subdomain enrichment

For every discovered subdomain, Pentestas then:

  • **DNS resolves** — A and AAAA records.
  • **Live-checks** — HTTP(S) probe with a realistic User-Agent; records status code, server header and title.
  • **Port-scans** — common ports (22, 80, 443, 3000, 8080, 8443) by default; full scan on request.
  • **Fingerprints WAF** — Cloudflare, Akamai, AWS WAF, Imperva, F5, Sucuri.
  • **Checks takeover** — does the DNS point at a deprovisioned SaaS (Heroku, S3, GitHub Pages, Azure, Netlify, Shopify, Tumblr, Fastly, Unbounce)?

The takeover check is the single most valuable signal. A dedicated rule matches each SaaS provider's "not found" fingerprint (GitHub Pages' "There isn't a GitHub Pages site here." for example) and flags the subdomain as CRITICAL if the DNS still points at that provider.
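The rule described above, as an added example (not Pentestas code): follow the subdomain's CNAME chain, check whether it terminates at a known provider, and raise CRITICAL only when the provider's "site gone" fingerprint appears in the served body. It goes one step beyond the text by also flagging a CNAME whose target no longer resolves at all (a dangling record with no provider fingerprint) as HIGH. DNS and HTTP are replaced by constructed in-memory data so it runs offline; the GitHub Pages fingerprint is the one quoted above, NoSuchBucket is the error code S3 returns for a missing bucket, and the zone names, IPs and bodies are constructed.

```python
# Added example (not Pentestas code): decide whether a subdomain is a takeover
# candidate from its CNAME chain and the body the target serves. DNS and HTTP
# are replaced by constructed in-memory data so the example runs offline.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Provider:
    name: str
    cname_suffix: str   # CNAME target suffix that identifies the provider
    fingerprint: str    # text the provider serves once the site is gone

# The GitHub Pages string is the one quoted in the text; NoSuchBucket is the
# error code S3 returns for a bucket that does not exist. Extend per provider.
PROVIDERS = (
    Provider("GitHub Pages", ".github.io", "There isn't a GitHub Pages site here."),
    Provider("AWS S3", ".amazonaws.com", "NoSuchBucket"),
)

# Constructed zone data: name -> ("CNAME", target) or ("A", ip); absent = NXDOMAIN.
ZONE = {
    "blog.acme.com": ("CNAME", "acme.github.io"),
    "acme.github.io": ("A", "192.0.2.10"),
    "docs.acme.com": ("CNAME", "acme-docs.github.io"),
    "acme-docs.github.io": ("A", "192.0.2.10"),
    "assets.acme.com": ("CNAME", "acme-assets.s3.amazonaws.com"),
    "acme-assets.s3.amazonaws.com": ("A", "192.0.2.20"),
    "old.acme.com": ("CNAME", "old-acme.hosting.example"),  # target no longer exists
    "www.acme.com": ("A", "192.0.2.30"),
}

# Constructed HTTP bodies, as an HTTP probe of each subdomain would observe them.
BODIES = {
    "blog.acme.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "docs.acme.com": "<h1>Acme Docs</h1>",
    "assets.acme.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "old.acme.com": "",
    "www.acme.com": "<h1>Acme</h1>",
}

def resolve_chain(name: str, zone: dict, max_hops: int = 8):
    """Follow CNAMEs from `name`. Returns (chain, terminal record); a terminal of
    None means the last name in the chain does not resolve (dangling)."""
    chain, current = [name], name
    for _ in range(max_hops):
        record = zone.get(current)
        if record is None:
            return chain, None
        rtype, value = record
        if rtype != "CNAME":
            return chain, record
        chain.append(value)
        current = value
    return chain, None  # CNAME loop or excessive depth: treat as unresolved

def classify(name: str, zone: dict, bodies: dict) -> dict:
    """Return a finding with severity CRITICAL / HIGH / INFO for one subdomain."""
    chain, terminal = resolve_chain(name, zone)
    provider: Optional[Provider] = next(
        (p for p in PROVIDERS if any(h.endswith(p.cname_suffix) for h in chain[1:])),
        None,
    )
    body = bodies.get(name, "")
    finding = {"subdomain": name, "chain": chain,
               "provider": provider.name if provider else None}
    if provider and provider.fingerprint in body:
        # DNS still points at the provider, and the provider says the site is gone.
        finding.update(severity="CRITICAL", fingerprint=provider.fingerprint,
                       reason=f"{provider.name} site deprovisioned; DNS still points there")
    elif len(chain) > 1 and terminal is None:
        # No fingerprint match, but the CNAME target itself no longer resolves.
        finding.update(severity="HIGH", fingerprint=None,
                       reason=f"dangling CNAME: {chain[-1]} does not resolve")
    else:
        finding.update(severity="INFO", fingerprint=None, reason="no takeover signal")
    return finding

def scan(zone: dict, bodies: dict, apex: str) -> list:
    """Classify every name in the zone under `apex`, most severe first."""
    order = {"CRITICAL": 0, "HIGH": 1, "INFO": 2}
    findings = [classify(n, zone, bodies) for n in zone if n.endswith("." + apex)]
    findings.sort(key=lambda f: (order[f["severity"]], f["subdomain"]))
    return findings

if __name__ == "__main__":
    for f in scan(ZONE, BODIES, "acme.com"):
        print(f"{f['severity']:8} {f['subdomain']:24} {f['reason']}")
```

docs.acme.com shows why the body check matters: it also points at GitHub Pages, but the site is still there, so it is a normal hosted subdomain rather than a finding. In a real probe the body comes from an HTTP request to the subdomain and the chain from a resolver; only those two inputs change.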


Why subdomain takeover is catastrophic

When your DNS points at a deprovisioned SaaS site, anyone can claim the name on that SaaS and serve arbitrary content under your domain. Consequences:

  1. Phishing at your brand. login.acme.com serving attacker HTML that looks identical to your real login. The browser's URL bar says "acme.com"; the TLS cert is valid (Let's Encrypt on the SaaS's side auto-provisions); your users sign in and leak creds.
  2. Cookie theft via domain-scoped cookies. Cookies scoped to .acme.com are sent to login.acme.com as well (cookie scope is by domain, not origin). If the cookies lack the HttpOnly flag, attacker-controlled JavaScript at login.acme.com reads them.
  3. SEO manipulation. Attackers place spammy / illegal content at blog.acme.com; search engines index it under your brand.
  4. Business-email-compromise vector. Attackers send mail From: <legit-name>@acme.com claiming the takeover subdomain as a reply-to. Inbound replies land in the attacker's SaaS account.

Every takeover finding is CRITICAL. Every takeover finding ships with the SaaS provider name + the specific fingerprint string matched + the step-by-step reclaim instructions for that provider.


Typical results

For a mid-size company (~100 engineers, a decade of web presence):

  • 100–2,000 subdomains discovered in a single run.
  • ~70% live (200-responding or reachable via DNS+TCP).
  • ~20% forgotten (404 / DNS timeout / default-landing).
  • ~5% internal-leak (should not be public; DNS points at an internal-only host).
  • ~2% takeover-candidate (DNS points at a deprovisioned SaaS).
  • ~3% "interesting" — staging., test., dev., beta. variants that expose pre-production environments with less security than production.

The takeover rate is the headline. A single takeover is usually a 2-hour reclaim + DNS cleanup. An unreclaimed takeover that an attacker uses is a board-level incident. Pentestas catches these typically within 24 hours of the SaaS deprovisioning.


Continuous monitoring

Run once → you have a snapshot. Schedule a weekly or daily run → you have a monitor. Drift signals:

  • New subdomain appeared that you didn't know about → your engineering team stood up a service without telling security.
  • Existing subdomain flipped from 200 to 404 → someone deprovisioned something that was live yesterday. Start the takeover-watch clock.
  • Existing subdomain flipped from 200 to takeover-candidate → the SaaS behind it just deprovisioned the site; reclaim the DNS immediately.

Settings → Scans → Schedule → daily subdomain enumeration against your verified domains. Slack alert on any new takeover-candidate. Total cost: minutes per week of human attention.


Industry fit

Fintech

Fintech orgs grow by M&A. Every acquired company brings a historical web footprint, often with forgotten subdomains. "SomeDefunctStartup.acme-payments.com" → decade-old blog → GitHub Pages takeover → attacker publishes "partnership announcement" claiming a fake brand. Pentestas's CT-log-driven discovery catches these in the first post-acquisition scan.

Medtech

Medtech platforms often publish patient-education or practitioner-resource subdomains on third-party CMSes. Content lifecycle is measured in years; takeovers happen when the CMS contract ends and nobody updates DNS. Continuous subdomain monitoring catches these before reputational / compliance incidents.

Legaltech

Legal firms often have per-client subdomains that linger past engagement end. clientA.legalfirm.com pointing at a deprovisioned client-specific SaaS is a brand-damaging takeover waiting to happen. Pentestas's weekly discovery + takeover check treats these as first-class findings.

Banks + insurance

Large institutions have hundreds of subdomains accumulated over decades. Takeovers here are regulator-reportable events under most breach-notification regimes (the subdomain is considered "data about the institution"). Continuous monitoring is a meaningful portion of the organisation's operational resilience programme under DORA Article 24.

SaaS companies generally

SaaS orgs that publish per-customer subdomains (customer-name.acme.com) or per-feature experiments (ai-beta.acme.com) have by-design high subdomain churn. Continuous monitoring is the only way to keep attack-surface posture current.


API access

```bash
# Authenticated scan — goes into your tenant's history
curl -X POST "https://app.pentestas.com/api/subdomain-scan" \
     -H "X-API-Key: aa_..." \
     -d '{"domain": "acme.com"}'

# Anonymous quick-recon — rate-limited, no history
curl "https://app.pentestas.com/api/public/subdomain?domain=acme.com"
```

Returns a list of `{subdomain, ip, alive, status, source, open_ports, takeover_candidate}` records.
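Here is an added example (not Pentestas code) that ties the API output to the continuous-monitoring section above: two enumeration snapshots in the record shape just described are diffed, and the three drift signals listed there (new subdomain, 200 → 404, 200 → takeover-candidate) are emitted as severity-ranked alerts, with a fourth, lower-priority signal for names that vanished between runs. The two snapshots, the severity levels and the `alert_lines` rendering are constructed assumptions, not part of the API.

```python
# Added example (not Pentestas code): diff two enumeration snapshots, in the
# record shape the API returns, and emit the drift signals a monitor should
# alert on. Both snapshots below are constructed sample data.

YESTERDAY = [
    {"subdomain": "www.acme.com", "ip": "203.0.113.10", "alive": True, "status": 200,
     "source": "ct_logs", "open_ports": [80, 443], "takeover_candidate": False},
    {"subdomain": "beta2019.acme.com", "ip": "203.0.113.11", "alive": True, "status": 200,
     "source": "ct_logs", "open_ports": [443], "takeover_candidate": False},
    {"subdomain": "blog.acme.com", "ip": "203.0.113.12", "alive": True, "status": 200,
     "source": "passive_dns", "open_ports": [80, 443], "takeover_candidate": False},
    {"subdomain": "dev-sandbox-old.acme.com", "ip": None, "alive": False, "status": None,
     "source": "wayback", "open_ports": [], "takeover_candidate": False},
]

TODAY = [
    YESTERDAY[0],                                                 # unchanged
    {**YESTERDAY[1], "status": 404},                              # deprovisioned overnight
    {**YESTERDAY[2], "status": 404, "takeover_candidate": True},  # SaaS site behind it is gone
    YESTERDAY[3],                                                 # still dead
    {"subdomain": "ml-experiments.acme.com", "ip": "203.0.113.40", "alive": True,
     "status": 200, "source": "ct_logs", "open_ports": [443], "takeover_candidate": False},
]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def drift(previous: list, current: list) -> list:
    """Compare two snapshots keyed by subdomain and return drift signals,
    most severe first. NEW, DEPROVISIONED and TAKEOVER_CANDIDATE are the
    signals described in the text; DISAPPEARED is an extra one added here."""
    prev = {r["subdomain"]: r for r in previous}
    cur = {r["subdomain"]: r for r in current}
    signals = []
    for name, rec in cur.items():
        old = prev.get(name)
        if old is None:
            signals.append({"subdomain": name, "signal": "NEW", "severity": "MEDIUM",
                            "detail": f"unknown subdomain appeared (status {rec['status']})"})
        elif rec["takeover_candidate"] and not old["takeover_candidate"]:
            # Checked before the status flip so a takeover is never downgraded to a 404.
            signals.append({"subdomain": name, "signal": "TAKEOVER_CANDIDATE",
                            "severity": "CRITICAL",
                            "detail": "SaaS behind it deprovisioned; reclaim DNS immediately"})
        elif old["status"] == 200 and rec["status"] != 200:
            signals.append({"subdomain": name, "signal": "DEPROVISIONED", "severity": "HIGH",
                            "detail": f"status 200 -> {rec['status']}; start takeover watch"})
    for name in sorted(prev.keys() - cur.keys()):
        signals.append({"subdomain": name, "signal": "DISAPPEARED", "severity": "LOW",
                        "detail": "no longer discovered; confirm DNS was removed on purpose"})
    signals.sort(key=lambda s: (SEVERITY_ORDER[s["severity"]], s["subdomain"]))
    return signals

def alert_lines(signals: list, min_severity: str = "HIGH") -> list:
    """Render the signals at or above `min_severity` as one-line chat alerts."""
    threshold = SEVERITY_ORDER[min_severity]
    return [f"[{s['severity']}] {s['subdomain']}: {s['signal']} - {s['detail']}"
            for s in signals if SEVERITY_ORDER[s["severity"]] <= threshold]

if __name__ == "__main__":
    for line in alert_lines(drift(YESTERDAY, TODAY), min_severity="LOW"):
        print(line)
```

Running it with the constructed snapshots yields a CRITICAL for blog.acme.com, a HIGH for beta2019.acme.com and a MEDIUM for the new ml-experiments.acme.com; the default `alert_lines` threshold forwards only the first two, which is the "Slack alert on any new takeover-candidate" behaviour with the 200 → 404 flip added as a heads-up.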


Complementary coverage

Subdomain enumeration is the discovery layer. After discovery, the interesting subdomains typically get their own full AI pentest:

  1. Discovery run flags 200 subdomains.
  2. Triage filter: live + authenticated + not known-to-you = 15 subdomains.
  3. Full pentest against those 15, one scan per, scheduled nightly.

Discovery gets you the attack-surface map. Pentest gets you the per-surface exploitability. Both pieces are needed; Pentestas runs both from the same platform.

Discover every subdomain under your verified domain

Free tier covers one subdomain scan per day. Anonymous probe available — no sign-up.


Alexander Sverdlov

Founder of Pentestas. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.