Subdomain Finder
Every publicly-trusted certificate is logged in Certificate Transparency, so CT is a passive, reliable way to map a domain’s subdomains — and to catch forgotten dev, staging or admin hosts you may not realise are discoverable.
Why it matters
Attackers enumerate subdomains first — CT logs hand them a free map. Anything you can see here, they can too. Make sure every non-public host is behind authentication or a VPN, and decommission old ones. Certificates for internal names leak your architecture.
Passive & polite
This reads public CT logs only — we never scan or brute-force the target. Results include hosts that once had a certificate, so some may no longer resolve.
Related
Frequently asked questions
▸ ▾ How does subdomain discovery work?
It reads public Certificate Transparency logs (crt.sh), where every publicly-trusted certificate is recorded — a passive way to map subdomains without scanning the target.
▸ ▾ Why are some subdomains flagged?
Names like dev, staging, admin or internal hint at non-public systems. CT logs are public, so make sure each is meant to be reachable and is behind authentication.