Pricing

Pay per event

Subdomain Finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

Pricing

Pay per event

Rating

0.0

(0)

Developer

Stas Persiianenko

Actor stats

Bookmarked

Total users

Monthly active users

7 days ago

Last modified

What does Subdomain Finder do?

Subdomain Finder discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names and counting wildcard entries separately. This passive reconnaissance technique requires no direct scanning of the target -- it only queries public certificate logs.

Use it for security assessments, asset inventory, domain monitoring, competitive intelligence, or certificate auditing. The results include a deduplicated list of all subdomains found, the total count, and wildcard certificate count for each root domain.

Use cases

Security engineers discovering the full attack surface of a domain before a penetration test or bug bounty engagement
IT asset managers building an inventory of all subdomains across the organization to identify shadow IT
DevOps teams detecting unauthorized or forgotten subdomains that may pose a security risk
Competitive analysts mapping a competitor's web infrastructure to understand their technology stack and services
Compliance auditors reviewing SSL certificate issuance history to ensure proper certificate management
Brand monitoring teams tracking whether third parties have obtained SSL certificates for subdomains of a protected brand domain

Why use Subdomain Finder?

Passive reconnaissance — no direct scanning of the target; only public certificate transparency logs are queried
Comprehensive discovery — finds subdomains from every SSL/TLS certificate ever issued, including expired ones
Wildcard detection — identifies wildcard certificates and counts them separately
Batch processing — scan multiple root domains in a single run
Fast results — leverages crt.sh API for rapid certificate log queries
Pay-per-event pricing — costs scale with actual usage, just $0.002 per domain scanned
Structured JSON output — deduplicated subdomain lists and counts ready for integration with security tools and dashboards

Input parameters

Parameter	Type	Required	Default	Description
`domains`	string[]	Yes	—	List of root domains to discover subdomains for (e.g., `example.com`).

Example input

{
    "domains": [
        "example.com",
        "github.com"
    ]
}

Output example

Each domain produces one result object with the list of discovered subdomains, counts, data source, and any errors.

Field	Description
`domain`	The root domain that was scanned
`subdomains`	Array of unique subdomain names found
`subdomainCount`	Total number of unique subdomains
`wildcardCount`	Number of wildcard certificate entries
`source`	Data source used (crt.sh)
`error`	Error message if scan failed
`checkedAt`	ISO timestamp of the scan

{
    "domain": "example.com",
    "subdomains": [
        "example.com",
        "m.example.com",
        "www.example.com"
    ],
    "subdomainCount": 3,
    "wildcardCount": 0,
    "source": "crt.sh",
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

How much does it cost?

Subdomain Finder uses Apify's pay-per-event pricing:

Event	Price	Description
Start	$0.035	One-time per run
Domain scanned	$0.002	Per domain scanned

Examples:

1 domain: $0.035 + 1 x $0.002 = $0.037
10 domains: $0.035 + 10 x $0.002 = $0.055
100 domains: $0.035 + 100 x $0.002 = $0.235

Using the Apify API

The Apify API lets you control Subdomain Finder programmatically. Schedule runs, read datasets, manage webhooks, and more. See the Apify API reference for details.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: '<YOUR_API_TOKEN>' });
const run = await client.actor('automation-lab/subdomain-finder').call({
    domains: ['example.com', 'github.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('<YOUR_API_TOKEN>')
run = client.actor('automation-lab/subdomain-finder').call(run_input={
    'domains': ['example.com', 'github.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect Subdomain Finder with other apps and services using Apify integrations. You can integrate with Make, Zapier, Slack, Google Sheets, Google Drive, n8n, and many more. Set up a webhook to receive Slack alerts when new subdomains are discovered, or push results to Google Sheets to maintain a living asset inventory for your security team.

Tips and best practices

Schedule regular scans — run weekly or monthly to detect newly issued certificates and discover subdomains as they appear
Combine with DNS Lookup — after discovering subdomains, use DNS Lookup to resolve their IP addresses and check what infrastructure they point to
Check for stale subdomains — subdomains pointing to decommissioned services (dangling DNS) are a common subdomain takeover risk
Export and filter — download results as JSON or CSV and filter by patterns (e.g., dev.*, staging.*) to focus on interesting findings
Large domains return many results — popular domains like github.com may have thousands of subdomains; this is expected and the actor handles it efficiently
Use wildcardCount for context — a high wildcard count indicates the domain uses wildcard certificates, meaning the actual number of active subdomains may differ from the subdomain list
Verify results are still active — certificate transparency logs include historical data; confirm discovered subdomains are still resolving by running DNS Lookup on the findings

FAQ

Does this actor scan the target domain directly? No. Subdomain Finder uses only public certificate transparency logs via crt.sh. It does not send any requests to the target domain itself, making it a fully passive reconnaissance tool.

Will it find subdomains without SSL certificates? No. It only discovers subdomains that have had an SSL/TLS certificate issued for them. Subdomains that have never used HTTPS will not appear in certificate transparency logs.

How current are the results? Certificate transparency logs are updated in near real-time as new certificates are issued. However, the results may include subdomains from expired certificates that are no longer active.

What is the difference between subdomainCount and wildcardCount? subdomainCount is the total number of unique, specific subdomain names found (e.g., mail.example.com). wildcardCount is the number of wildcard certificate entries (e.g., *.example.com). Wildcard certificates cover any subdomain at that level and are counted separately.

Can I discover subdomains for many domains at once? Yes. Pass multiple root domains in the domains array and each one will be scanned independently. Results are returned as separate objects in the output dataset, one per root domain.

SSL Certificate Transparency Search

ryanclinton/crt-sh-search

Search Certificate Transparency logs via crt.sh for SSL/TLS certificates. Discover subdomains, monitor cert issuance, and detect unauthorized certificates. Returns unique subdomains with first/last seen dates or individual cert records.

ryan clinton

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

Subdomain Finder & Reverse IP

canadesk/subdomain-finder-reverse-ip

Enumerate Subdomains and Reverse IPs with RapidDNS, Anubis, AlienVault and crt.sh! It's fast and costs little.

Canadesk Support

186

SSL Certificate Checker

nexgendata/ssl-certificate-checker

Check SSL/TLS certificates for any domain — expiration dates, issuer, protocol versions, and security grade. Monitor certificate health across your infrastructure.

Stephan Corbeil

SSL Certificate Checker

automation-lab/ssl-certificate-checker

SSL Certificate Checker connects to domains over TLS and inspects their SSL certificates. It returns structured data about certificate validity, expiry, issuer chain, TLS protocol version, cipher suite, and a security grade from A+ to F.

Stas Persiianenko

Subdomain Finder & Recon Tool

andok/subdomain-finder

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Andok

SSL Certificate Expiry Monitor

andok/ssl-certificate-monitor

Monitor SSL/TLS certificate validity and expiration dates across thousands of domains to prevent costly outages.

Andok

SSL Certificate Checker

scrappy_garden/ssl-certificate-checker

Check SSL/TLS certificates for any website: expiration date, issuer, subject, hostname match (SNI), chain/authorization status, and common HTTPS misconfigurations. Useful for SEO audits, security checks, and uptime monitoring.

Bikram Adhikari

Organization Registered Domain & Subdomain Scraper

lofomachines/organization-registered-domain-subdomain-scraper

Discover all domains registered by any organization by company domain. Find related domains, subdomains, registration dates, expiration dates, and registrar information. Perfect for brand protection, competitive analysis, M&A due diligence, and security research.