Uncover Every Subdomain Hiding in Your Attack Surface
Forgotten staging servers, orphaned dev environments, and shadow IT subdomains are where breaches begin. Our Subdomain Finder combines certificate transparency logs, passive DNS intelligence, and targeted brute-forcing to map your full external footprint - so you can secure what you did not know existed.
How It Works
From target input to actionable findings in three straightforward steps.
Enter a Root Domain
Provide the target domain (e.g., example.com). The scanner accepts apex domains and will recursively discover subdomains across all depth levels.
Multi-Source Enumeration
The engine queries certificate transparency logs, passive DNS databases, search engine caches, and common wordlists simultaneously. Results are deduplicated and validated with live DNS resolution.
Review and Export Results
Browse discovered subdomains with their IP addresses, HTTP status codes, and server headers. Export the full inventory as CSV or JSON for integration with your asset management workflow.
Key Capabilities
Purpose-built scanning backed by real penetration testing expertise.
Certificate Transparency Mining
Extracts subdomains from publicly logged TLS certificates, catching domains that never appear in DNS brute-force wordlists.
Passive DNS Correlation
Queries historical DNS resolution databases to surface subdomains that were active in the past but may still resolve today.
Smart Wordlist Brute-Force
Runs a curated wordlist augmented with permutations based on discovered naming patterns, significantly increasing hit rates.
Live Validation
Every discovered subdomain is resolved in real time. Dead records are flagged separately so you can focus on live assets.
HTTP Probing
Automatically checks discovered hosts for running web servers and captures response codes, titles, and technology fingerprints.
Wildcard Detection
Identifies wildcard DNS configurations to prevent false positives from polluting your results.
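The deduplication, live validation and wildcard check described above can be sketched as follows. This is an added example, not Pentestas code: the function names, the `fake_resolve` stand-in resolver and the zone data are all constructed for illustration.

```python
import secrets

# Constructed zone data standing in for live DNS (documentation IP ranges).
RECORDS = {
    "www.example.com": {"192.0.2.10"},
    "api.dev.example.com": {"192.0.2.20"},   # explicit record beside a wildcard
}
WILDCARDS = {"dev.example.com": {"198.51.100.7"}}  # *.dev.example.com


def fake_resolve(name):
    """Stand-in resolver: explicit record first, then the closest wildcard."""
    if name in RECORDS:
        return set(RECORDS[name])
    parent = name.partition(".")[2]
    while parent:
        if parent in WILDCARDS:
            return set(WILDCARDS[parent])
        parent = parent.partition(".")[2]
    return set()


def wildcard_answers(parent, resolve, probes=3):
    """Resolve random labels under parent; answers to all probes mean a wildcard."""
    seen = set()
    for _ in range(probes):
        answer = resolve(f"{secrets.token_hex(8)}.{parent}")
        if not answer:
            return set()          # a random name failed, so no wildcard here
        seen |= answer
    return seen


def classify(candidates, resolve, probes=3):
    """Deduplicate candidates and label each one live, dead or wildcard."""
    cache, result = {}, {}
    for name in sorted({c.strip().rstrip(".").lower() for c in candidates}):
        answer = resolve(name)
        parent = name.partition(".")[2]
        if parent not in cache:
            cache[parent] = wildcard_answers(parent, resolve, probes)
        if not answer:
            result[name] = "dead"
        elif cache[parent] and answer <= cache[parent]:
            result[name] = "wildcard"   # indistinguishable from a random name
        else:
            result[name] = "live"
    return result
```

A name with its own record under a wildcard parent stays `live` because its answer differs from what random labels return, which is the case a naive "parent is wildcard, drop everything" filter gets wrong.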
Common Use Cases
Why Use Pentestas
Security tools built by penetration testers, not just developers.
Enterprise-Grade Accuracy
Our scanning engine is built on the same methodologies our penetration testers use in manual engagements, tuned to minimize false positives and surface genuine risk.
Fast, Actionable Results
Get findings in minutes rather than days. Every result includes severity ratings, technical evidence, and clear remediation steps your team can act on immediately.
Continuous Monitoring
Schedule recurring scans from the Pentestas platform to catch regressions before they reach production. Stay ahead of new CVEs and configuration drift.
Privacy First
Your scan data is encrypted at rest and in transit. You own your data, with full control over retention and export.
Detailed Reporting
Export findings as PDF, CSV, or JSON. Feed results directly into your SIEM, ticketing system, or CI/CD pipeline through our REST API.
Instant Setup
Run scans directly from your browser. Enter a target, click scan, and receive results. Ready in under a minute.
Start scanning with Subdomain Finder today
Create a free account and run your first scan in under a minute. Full platform access during your 14-day trial.