Subdomain Finder
Pricing
Pay per event
This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.
Developer
Stas Persiianenko
Discover subdomains via certificate transparency logs. Find all SSL certificates issued for a domain.
What does Subdomain Finder do?
Subdomain Finder discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names and counting wildcard entries separately. This passive reconnaissance technique requires no direct scanning of the target -- it only queries public certificate logs.
Use it for security assessments, asset inventory, domain monitoring, competitive intelligence, or certificate auditing. The results include a deduplicated list of all subdomains found, the total count, and wildcard certificate count for each root domain.
Who is it for?
- 🛡️ Penetration testers — discovering subdomains to map an organization's attack surface
- 🔒 Security teams — identifying forgotten or exposed subdomains that pose risks
- 🔧 System administrators — inventorying all subdomains across managed domains
- 📋 IT auditors — documenting complete subdomain structures for compliance reviews
- 🌐 DevOps engineers — tracking subdomain sprawl and identifying unused infrastructure
Use cases
- Security engineers discovering the full attack surface of a domain before a penetration test or bug bounty engagement
- IT asset managers building an inventory of all subdomains across the organization to identify shadow IT
- DevOps teams detecting unauthorized or forgotten subdomains that may pose a security risk
- Competitive analysts mapping a competitor's web infrastructure to understand their technology stack and services
- Compliance auditors reviewing SSL certificate issuance history to ensure proper certificate management
- Brand monitoring teams tracking whether third parties have obtained SSL certificates for subdomains of a protected brand domain
Why use Subdomain Finder?
- Passive reconnaissance — no direct scanning of the target; only public certificate transparency logs are queried
- Comprehensive discovery — finds subdomains from every SSL/TLS certificate ever issued, including expired ones
- Wildcard detection — identifies wildcard certificates and counts them separately
- Batch processing — scan multiple root domains in a single run
- Fast results — leverages crt.sh API for rapid certificate log queries
- Pay-per-event pricing — costs scale with actual usage, just $0.002 per domain scanned
- Structured JSON output — deduplicated subdomain lists and counts ready for integration with security tools and dashboards
Input parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| domains | string[] | Yes | — | List of root domains to discover subdomains for (e.g., example.com). |
Example input
```json
{
    "domains": ["example.com", "github.com"]
}
```
Output example
Each domain produces one result object with the list of discovered subdomains, counts, data source, and any errors.
| Field | Description |
|---|---|
| domain | The root domain that was scanned |
| subdomains | Array of unique subdomain names found |
| subdomainCount | Total number of unique subdomains |
| wildcardCount | Number of wildcard certificate entries |
| source | Data source used (crt.sh) |
| error | Error message if scan failed |
| checkedAt | ISO timestamp of the scan |
```json
{
    "domain": "example.com",
    "subdomains": ["example.com", "m.example.com", "www.example.com"],
    "subdomainCount": 3,
    "wildcardCount": 0,
    "source": "crt.sh",
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}
```
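How certificate transparency records reduce to a result object of this shape, as an added example (not the actor's own code): it parses a constructed sample shaped like crt.sh's JSON output, where `name_value` can hold several newline-separated names. Counting unique wildcard names and dropping names outside the root domain are assumptions about how such a reducer would behave.

```python
import json

# Constructed sample shaped like crt.sh's JSON output (?q=%.example.com&output=json).
# A real response carries more fields per record; only name_value is used here.
SAMPLE_CRTSH = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "M.Example.com", "name_value": "M.Example.com."},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com"},
    {"common_name": "admin", "name_value": "admin@example.com"},      # e-mail identity, not a host
    {"common_name": "x", "name_value": "www.example.com.evil.test"},  # look-alike outside the root
])


def summarize(root, crtsh_json):
    """Reduce crt.sh-style records to unique host names and a separate wildcard count."""
    root = root.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(crtsh_json):
        # name_value holds one or more names separated by newlines.
        for raw in record.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name or "@" in name:
                continue
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # Compare on a label boundary so look-alike names are dropped (assumption).
            if base != root and not base.endswith("." + root):
                continue
            (wildcards if is_wildcard else hosts).add(name)
    return {
        "domain": root,
        "subdomains": sorted(hosts),
        "subdomainCount": len(hosts),
        "wildcardCount": len(wildcards),  # unique wildcard names (assumption)
        "source": "crt.sh",
    }
```
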
How to find subdomains for a domain
- Go to Subdomain Finder on Apify Store
- Enter one or more root domains in the `domains` field (e.g., `example.com`, `github.com`)
- Click Start to run the scan
- Wait for results -- each domain is scanned via certificate transparency logs
- Review the output for discovered subdomains, counts, and wildcard certificates
- Download results as JSON, CSV, or Excel, or connect via API
How much does it cost to find subdomains?
Subdomain Finder uses Apify's pay-per-event pricing:
| Event | Price | Description |
|---|---|---|
| Start | $0.035 | One-time per run |
| Domain scanned | $0.002 | Per domain scanned |
Examples:
- 1 domain: $0.035 + 1 x $0.002 = $0.037
- 10 domains: $0.035 + 10 x $0.002 = $0.055
- 100 domains: $0.035 + 100 x $0.002 = $0.235
Using the Apify API
The Apify API lets you control Subdomain Finder programmatically. Schedule runs, read datasets, manage webhooks, and more. See the Apify API reference for details.
Node.js
```javascript
import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: '<YOUR_API_TOKEN>' });
const run = await client.actor('automation-lab/subdomain-finder').call({
    domains: ['example.com', 'github.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);
```
Python
```python
from apify_client import ApifyClient

client = ApifyClient('<YOUR_API_TOKEN>')
run = client.actor('automation-lab/subdomain-finder').call(run_input={
    'domains': ['example.com', 'github.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)
```
cURL
```bash
curl -X POST "https://api.apify.com/v2/acts/automation-lab~subdomain-finder/runs?token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"domains": ["example.com", "github.com"]}'
```
Use with Claude AI (MCP)
This actor is available as a tool in Claude AI through the Model Context Protocol (MCP). Add it to Claude Desktop, Cursor, Windsurf, or any MCP-compatible client.
Setup for Claude Code
```bash
claude mcp add --transport http apify "https://mcp.apify.com?tools=automation-lab/subdomain-finder"
```
Setup for Claude Desktop, Cursor, or VS Code
Add this to your MCP config file:
```json
{
    "mcpServers": {
        "apify": {
            "url": "https://mcp.apify.com?tools=automation-lab/subdomain-finder"
        }
    }
}
```
Example prompts
- "Find all subdomains of example.com"
- "Discover subdomains for these competitor domains: stripe.com, shopify.com"
- "How many subdomains does github.com have?"
Learn more in the Apify MCP documentation.
Integrations
Connect Subdomain Finder with other apps and services using Apify integrations. You can integrate with Make, Zapier, Slack, Google Sheets, Google Drive, n8n, and many more. Set up a webhook to receive Slack alerts when new subdomains are discovered, or push results to Google Sheets to maintain a living asset inventory for your security team.
Tips and best practices
- Schedule regular scans — run weekly or monthly to detect newly issued certificates and discover subdomains as they appear
- Combine with DNS Lookup — after discovering subdomains, use DNS Lookup to resolve their IP addresses and check what infrastructure they point to
- Check for stale subdomains — subdomains pointing to decommissioned services (dangling DNS) are a common subdomain takeover risk
- Export and filter — download results as JSON or CSV and filter by patterns (e.g., `dev.*`, `staging.*`) to focus on interesting findings
- Large domains return many results — popular domains like `github.com` may have thousands of subdomains; this is expected and the actor handles it efficiently
- Use wildcardCount for context — a high wildcard count indicates the domain uses wildcard certificates, meaning the actual number of active subdomains may differ from the subdomain list
- Verify results are still active — certificate transparency logs include historical data; confirm discovered subdomains are still resolving by running DNS Lookup on the findings
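The inventory comparison, activity check and pattern filter from these tips combined into one triage pass, as an added example (not part of the actor): `triage`, `resolves` and the sample data are hypothetical names and constructed values, and the offline demo replaces live DNS with a fixed set.

```python
import fnmatch
import socket

# Constructed sample: one result object in the actor's output shape, an asset
# inventory to compare against, and a stand-in for live DNS so this runs offline.
RESULT = {"domain": "example.com", "subdomains": [
    "dev.example.com", "example.com", "old-shop.example.com",
    "staging.api.example.com", "www.example.com"]}
INVENTORY = ["example.com", "www.example.com", "dev.example.com"]
LIVE = {"example.com", "www.example.com", "dev.example.com", "staging.api.example.com"}


def resolves(name):
    """Real check for production use: does the name resolve right now?"""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def triage(result, inventory, patterns=("dev.*", "staging.*"), resolver=resolves):
    """Sort discovered names into unknown, inactive and pattern-matched."""
    known = {n.lower() for n in inventory}
    report = {"new": [], "inactive": [], "flagged": []}
    for name in (n.lower() for n in result["subdomains"]):
        if name not in known:
            report["new"].append(name)        # has a certificate, missing from inventory
        if not resolver(name):
            report["inactive"].append(name)   # historical CT entry that no longer resolves
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            report["flagged"].append(name)    # matches a pattern worth a closer look
    return report


def offline_demo():
    """Run the triage against the constructed data without touching DNS."""
    return triage(RESULT, INVENTORY, resolver=lambda n: n in LIVE)
```
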
Legality
This tool analyzes publicly accessible web content. Automated analysis of public web resources is standard practice in SEO and web development. Always respect robots.txt directives and rate limits when analyzing third-party websites. For personal data processing, ensure compliance with applicable privacy regulations.
FAQ
Does this actor scan the target domain directly?
No. Subdomain Finder uses only public certificate transparency logs via crt.sh. It does not send any requests to the target domain itself, making it a fully passive reconnaissance tool.
Will it find subdomains without SSL certificates?
No. It only discovers subdomains that have had an SSL/TLS certificate issued for them. Subdomains that have never used HTTPS will not appear in certificate transparency logs.
How current are the results?
Certificate transparency logs are updated in near real-time as new certificates are issued. However, the results may include subdomains from expired certificates that are no longer active.
What is the difference between subdomainCount and wildcardCount?
subdomainCount is the total number of unique, specific subdomain names found (e.g., mail.example.com). wildcardCount is the number of wildcard certificate entries (e.g., *.example.com). Wildcard certificates cover any subdomain at that level and are counted separately.
Can I discover subdomains for many domains at once?
Yes. Pass multiple root domains in the domains array and each one will be scanned independently. Results are returned as separate objects in the output dataset, one per root domain.
The actor returns an error or zero subdomains. What went wrong?
The actor queries crt.sh (certificate transparency logs). If crt.sh is temporarily down or rate-limiting, the scan may fail. Retry after a few minutes. Also, domains that have never had an SSL certificate issued will return zero results -- this is expected behavior, not an error.
I see subdomains in the results that no longer exist. Is this normal?
Yes. Certificate transparency logs are historical records. They include every subdomain that ever had an SSL certificate issued, even if the certificate or subdomain is now expired or decommissioned. Use a DNS lookup tool to verify which discovered subdomains are still active.
Other SEO and domain tools
- Domain Availability Checker -- Check if domain names are available for registration
- Domain Age Checker -- Check domain registration age
- WHOIS Lookup -- Domain registration and ownership data
- SSL Certificate Checker -- Check SSL/TLS certificate validity and expiry
- DNS Lookup -- General DNS record lookup
- Structured Data Extractor -- Extract JSON-LD, Microdata, and RDFa from web pages
- OG Meta Extractor -- Extract Open Graph meta tags from web pages