Pricing

$1.00 / 1,000 domain scans

Subdomain Finder & Recon Tool

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Pricing

$1.00 / 1,000 domain scans

Rating

0.0

(0)

Developer

Andok

Actor stats

Bookmarked

Total users

Monthly active users

a day ago

Last modified

Categories

Business

Developer tools

Domains

domains

Optional

Root domains to scan for subdomains (e.g. example.com). Each domain is checked against certificate transparency logs and optionally brute-forced via DNS.

Type:array

Default:

[
  "example.com"
]

Single domain

domain

Optional

Single domain to scan. Use the 'Domains' field above for bulk scanning — this field exists for backwards compatibility.

Type:string

Use certificate transparency (crt.sh)

useCertificateTransparency

Optional

Query crt.sh certificate transparency logs to discover subdomains that appear in publicly issued TLS certificates.

Type:boolean

Default:true

Use DNS bruteforce (common subdomains)

useDnsBruteforce

Optional

Check a wordlist of common subdomain names (www, api, mail, staging, etc.) by resolving DNS. Enable alongside CT for broader coverage.

Type:boolean

Default:false

Bruteforce words

bruteforceWords

Optional

Custom wordlist for DNS brute-force discovery. Only used when DNS bruteforce is enabled. The default list covers common names like www, api, mail, staging, and admin.

Type:array

Default:

[
  "www",
  "mail",
  "api",
  "dev",
  "staging",
  "test",
  "blog",
  "app",
  "portal",
  "admin",
  "cdn",
  "static",
  "m",
  "beta"
]

Timeout (seconds)

timeoutSeconds

Optional

Maximum time in seconds to wait for each DNS or crt.sh request to respond.

Type:integer

Minimum:1

Maximum:120

Default:15

Concurrency

concurrency

Optional

Number of domains to process in parallel. Higher values speed up bulk scans but increase memory usage.

Type:integer

Minimum:1

Maximum:25

Default:5

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

Subdomain Finder

automation-lab/subdomain-finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

Stas Persiianenko

Bug Bounty Recon Scanner

iamuendo/Bug-Bounty-Recon-Scanner

Find exposed admin panels, missing/weak security headers, sensitive file leaks, and HTTPS misconfigurations across target domains. Export prioritised risk scores and JSON reports. Run via API, schedule scans, or integrate with bug bounty tools.

Isaac Muendo

Holehe Email Osint

anshumanatrey/holehe-email-osint

Check if an email is registered on 120+ platforms (Instagram, Twitter, GitHub, Discord, etc.) without alerting the target. Perfect for OSINT investigations, security research, and email verification.

Anshuman Atrey

412

5.0

OSINT Scraper

epctex/osint-scraper

Harness the power of OSINT data with our advanced OSINT Scraper. Discover keywords and leaked information from platforms like Ideone, Dumpz, Github Gist, Pastebin, Pasteorg and Textbin. You can specify search terms, customize and retrieve OSINT data out of the box.

epctex

947

5.0

Organization Registered Domain & Subdomain Scraper

lofomachines/organization-registered-domain-subdomain-scraper

Discover all domains registered by any organization by company domain. Find related domains, subdomains, registration dates, expiration dates, and registrar information. Perfect for brand protection, competitive analysis, M&A due diligence, and security research.

Lofomachines

5.0

Threat Profiler

peachstudio/threat-profiler

Generate AI-powered cyber threat intelligence reports in minutes. Get threat actor profiles with MITRE ATT&CK mappings, attack surface analysis, and security recommendations. Perfect for security assessments, M&A due diligence, and vendor risk management, but also to know your target in cyber sales.