Free Subdomain Finder (Certificate Transparency)
Discover a domain’s subdomains from public Certificate Transparency logs — a passive, non-intrusive way to map your attack surface. Potentially sensitive names like admin, dev, staging, vpn and git are highlighted.
By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.
What this subdomain finder checks
How it works
Read-only · fully passive — never touches the target
1. We query public Certificate Transparency logs (crt.sh) for certificates issued to the domain.
2. We extract the unique subdomains and highlight sensitive names (admin, dev, staging, vpn, git).
3. Because the data comes from CT logs, we send no traffic to your infrastructure at all.
What it doesn’t do: CT logs are historical, so some discovered names may no longer resolve — they still map past/forgotten surface worth reviewing.
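The extraction and highlighting steps above, as an added example for reviewing your own domain's CT footprint (not this tool's own code): it parses a constructed crt.sh-style JSON response offline, deduplicates the names, and flags the sensitive labels listed on this page. The function names and sample records are assumptions; the `name_value` and `common_name` fields follow crt.sh's JSON output.

```python
import json

# Labels this page says are highlighted as potentially sensitive.
SENSITIVE = {"admin", "dev", "staging", "vpn", "git"}

# Constructed sample shaped like crt.sh JSON output (name_value can hold
# several newline-separated names); these are not real log entries.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "VPN.example.com", "name_value": "VPN.example.com"},
    {"common_name": "git-old.example.com", "name_value": "git-old.example.com"},
    {"common_name": "cdn.example.net", "name_value": "cdn.example.net\nstaging.example.com."},
    {"common_name": "admin@example.com", "name_value": "admin@example.com"},
])

def extract_subdomains(crtsh_json, domain):
    """Return sorted unique names under `domain` from crt.sh-style entries."""
    domain = domain.lower().rstrip(".")
    names = set()
    for entry in json.loads(crtsh_json):
        raw = entry.get("name_value", "") + "\n" + entry.get("common_name", "")
        for name in raw.splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # wildcard cert: keep the parent name
            if not name or "@" in name or " " in name:
                continue                 # skip e-mail and free-text entries
            if name == domain or name.endswith("." + domain):
                names.add(name)          # drop names outside the domain
    return sorted(names)

def sensitive_labels(name, domain):
    """Return sensitive tokens found in the labels left of `domain`."""
    prefix = name[: -len(domain)].rstrip(".")
    hits = set()
    for label in prefix.split("."):
        for token in label.replace("_", "-").split("-"):
            if token in SENSITIVE:
                hits.add(token)
    return sorted(hits)

def report(crtsh_json, domain):
    """Map each discovered name to the sensitive tokens it contains."""
    return {n: sensitive_labels(n, domain) for n in extract_subdomains(crtsh_json, domain)}

if __name__ == "__main__":
    for name, hits in report(SAMPLE, "example.com").items():
        print(name, "<- review: " + ",".join(hits) if hits else "")
```

Names that appear here may no longer resolve, so treat the output as a review list to reconcile against your current DNS inventory.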
Why it matters
Forgotten dev, staging and admin subdomains are a classic way in — they are often less hardened than production yet just as exposed. Certificate Transparency makes them discoverable to anyone, so you should map them before an attacker does.
Frequently asked questions
Is the subdomain finder free?
Yes — no sign-up. It queries public Certificate Transparency logs, so it never sends traffic to the target itself.
Are all discovered subdomains live?
Not necessarily. CT logs are historical records of issued certificates, so some names may no longer resolve. They still reveal infrastructure that existed and is worth reviewing.
How do I reduce subdomain exposure?
Decommission unused hosts, keep non-production environments behind authentication or a VPN, and avoid issuing public certificates for internal-only names.