Under maintenance

Pricing

Pay per usage

Try for free

Go to Apify Store

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

Under maintenance

Try for free

Map a domain's external attack surface. Passive subdomain enumeration with subfinder, HTTP fingerprint with httpx: status, title, server, technology stack, TLS issuer and IP. One dataset row per responding host. For recon, asset discovery and security audits.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Sevastian Z

Actor stats

Bookmarked

Total users

Monthly active users

3 days ago

Last modified

What it does

Passive subdomain enumeration with subfinder. Queries public sources (Certificate Transparency, CommonCrawl, DNS dumps, search engines). No DNS brute force, no scraping of the target.
HTTP fingerprint with httpx. For each discovered host, follow redirects and capture: status code, page title, Server header, detected technologies (Wappalyzer-style), TLS certificate issuer and validity, IP.
One row per responding host in the dataset. Easy to filter, export or feed into a vulnerability scanner.

Input

Field	Type	Description
`domain`	string, required	Registrable domain, e.g. `example.com`

{ "domain": "example.com" }

Output

Field	Description
`host`	discovered hostname
`url`	final URL after redirects
`status_code`	HTTP status
`title`	HTML title element
`webserver`	Server response header
`tech`	detected technology stack (Wappalyzer signatures)
`ip`	resolved IP
`tls_issuer`	TLS certificate issuer organization
`tls_subject_cn`	TLS certificate subject CN
`tls_not_after`	TLS certificate expiry
`content_length`	response body length

Pricing

Free. You pay only the standard Apify platform usage (compute) for your own runs.

Use cases

External asset discovery and inventory.
Pre-engagement recon for pentesting and bug bounty.
Continuous attack-surface monitoring (run on a schedule).
Mergers / acquisitions due diligence on a target's exposed surface.

This actor maps your own surface. Attackers also register lookalike and typosquatted domains to impersonate brands. To detect those, scan with Lookalike / Typosquat Domain Scan and use the free Certificate Transparency Subdomain Search.

Notes

Probing is HTTP/S only, with rate limiting. No port scanning, no exploitation. Run against domains you are authorized to test.

Subdomain Finder & Recon Tool

andok/subdomain-finder

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Andok

Certificate Transparency Subdomain Search (crt.sh alternative)

advx/ct-domain-lookup

Find subdomains and TLS certificates for any domain from Certificate Transparency logs. A fast, working crt.sh alternative for subdomain enumeration, recon and attack-surface mapping. Returns unique hostnames with first/last seen and issuers, or raw certificates.

Sevastian Z

Cyber Attack Surface — DNS, SSL & CVE Exposure

ryanclinton/cyber-attack-surface-report

Comprehensive external attack surface report that maps any domain's infrastructure, vulnerabilities, and exposure using 11 sub-actors in parallel.

Ryan Clinton

Subdomain Discovery API

crawland/subdomain-discovery-api

Paginated subdomain enumeration for any registered domain — DNS records, registrar, WHOIS, vendor reputation, and category labels per subdomain, served from the Crawland threat-intelligence backend.

Crawland

Entity Attack Surface MCP Server

ryanclinton/entity-attack-surface-mcp

Corporate cyber exposure intelligence via the Model Context Protocol. This MCP server orchestrates 11 data sources to discover and score an organization's digital attack surface -- from DNS and SSL infrastructure to technology vulnerabilities and CISA Known Exploited Vulnerabilities.

Ryan Clinton

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

One Scales

5.0

Subdomain Finder - Discover Every Subdomain Of A Domain

thirdwatch/subdomain-finder

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.

Thirdwatch

LinkedIn Scraper

sabania/linkedin-scraper

All-in-one LinkedIn scraper: profiles, jobs, posts, and companies. No cookies, no login required. Rich data: experience, skills, job descriptions, salary, reactions. Chrome TLS fingerprint + residential proxy. Lightweight HTTP-only, 256MB.

Arben Sabani

BuiltIn.com Tech Companies & Tech Stack Scraper

haketa/builtin-tech-companies-scraper

Scrape Built In company profiles — name, industry, location, recent jobs, full tech stack with category labels (LANGUAGES / FRAMEWORKS / DATABASES / etc.). Unique technology-fingerprint data for B2B SaaS prospecting, recruiter intel and competitive analysis. HTTP-only.