Crawlsonar

Subdomain Finder

Every publicly-trusted certificate is logged in Certificate Transparency, so CT is a passive, reliable way to map a domain’s subdomains — and to catch forgotten dev, staging or admin hosts you may not realise are discoverable.

Why it matters

Attackers enumerate subdomains first — CT logs hand them a free map. Anything you can see here, they can too. Make sure every non-public host is behind authentication or a VPN, and decommission old ones. Certificates for internal names leak your architecture.

Passive & polite

This reads public CT logs only — we never scan or brute-force the target. Results include hosts that once had a certificate, so some may no longer resolve.

Related

Frequently asked questions

How does subdomain discovery work?

It reads public Certificate Transparency logs (crt.sh), where every publicly-trusted certificate is recorded — a passive way to map subdomains without scanning the target.

Why are some subdomains flagged?

Names like dev, staging, admin or internal hint at non-public systems. CT logs are public, so make sure each is meant to be reachable and is behind authentication.