Subdomain Finder

Pricing: Pay per usage

Subdomain Finder. Search and discover data across multiple sources with structured output. Fast, reliable, and cost-effective.

Developer: Donny Nguyen (maintained by Community)

What does Subdomain Finder do?

Subdomain Finder discovers subdomains for any root domain by querying certificate transparency logs via crt.sh. It returns a list of all known subdomains along with the parent domain, data source, and first-seen timestamps. This actor is essential for security researchers, penetration testers, and IT administrators who need to map the full attack surface or infrastructure footprint of a domain.

Why use Subdomain Finder?

  • Comprehensive discovery -- Leverages certificate transparency logs to uncover subdomains that may not be visible through standard DNS queries.
  • Security reconnaissance -- Identify forgotten, staging, or internal subdomains that could represent security risks.
  • Bulk domain support -- Enumerate subdomains for multiple root domains in a single run for efficient portfolio auditing.
  • Clean structured output -- Results are delivered in JSON format, ready for import into security tools, spreadsheets, or databases.
  • Full automation -- Schedule and trigger discovery runs via the Apify API and integrate with your security monitoring pipeline using Apify Proxy infrastructure.

How to use Subdomain Finder

  1. Navigate to the Apify Store and search for Subdomain Finder.
  2. Click Try for free to open the actor in the Apify Console.
  3. Enter one or more root domains in the Domains field (e.g., anthropic.com, example.com).
  4. Click Start to begin the subdomain enumeration.
  5. When the run completes, download results from the Dataset tab in JSON, CSV, or Excel format.
  6. Review the discovered subdomains and investigate any unexpected or unrecognized entries.

Input configuration

| Field | Type | Description | Default |
|---|---|---|---|
| domains | Array of strings | Root domains to find subdomains for | ["anthropic.com"] |

Output data

Each discovered subdomain is stored as a separate record. Below is an example output:

{
  "subdomain": "api.anthropic.com",
  "domain": "anthropic.com",
  "source": "crt.sh",
  "firstSeen": "2024-03-15T00:00:00Z"
}

A single root domain can yield dozens to hundreds of subdomain records depending on the size and history of the organization's certificate issuance.

Cost of usage

Subdomain Finder uses Pay-Per-Event (PPE) pricing at the Mid tier:

| Tier | Cost per 1,000 events | Free tier (approx.) |
|---|---|---|
| Mid | $0.75 | ~6,600 events/month |

One event corresponds to one subdomain discovered. Enumerating a domain with 50 subdomains would cost approximately $0.038. The free tier covers roughly 6,600 subdomain records per month, which is sufficient for regular security audits of multiple domains.

Tips and advanced usage

  • Continuous monitoring -- Set up scheduled runs to detect newly issued certificates and subdomains weekly, alerting you to unauthorized or unexpected infrastructure changes.
  • Attack surface mapping -- Combine with DNS Record Lookup to resolve discovered subdomains and build a complete map of live infrastructure.
  • Shadow IT detection -- Identify subdomains created by teams outside your central IT governance for better organizational visibility.
  • Pre-engagement reconnaissance -- Use this actor as a first step in authorized penetration testing to enumerate the target's web-facing assets.
  • Historical analysis -- The firstSeen field helps you understand when subdomains first appeared, useful for tracking infrastructure growth over time.
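The continuous-monitoring and shadow IT tips above come down to comparing each run's records against the assets you already know about. The following is an added example, not code from the actor or its developer: it triages records in the output format shown earlier against a hypothetical approved inventory (`APPROVED`). The sample records are constructed, and it is an assumption that names may arrive with wildcard prefixes, mixed case, or trailing dots, as certificate transparency data often does.

```python
from datetime import datetime, timezone

# Constructed sample records in the page's output format (not real results).
SAMPLE_RUN = [
    {"subdomain": "api.example.com", "domain": "example.com",
     "source": "crt.sh", "firstSeen": "2024-03-15T00:00:00Z"},
    {"subdomain": "API.example.com.", "domain": "example.com",
     "source": "crt.sh", "firstSeen": "2024-03-15T00:00:00Z"},
    {"subdomain": "*.dev.example.com", "domain": "example.com",
     "source": "crt.sh", "firstSeen": "2025-01-10T00:00:00Z"},
    {"subdomain": "staging-old.example.com", "domain": "example.com",
     "source": "crt.sh", "firstSeen": "2023-06-01T00:00:00Z"},
    {"subdomain": "shop.notexample.com", "domain": "example.com",
     "source": "crt.sh", "firstSeen": "2025-02-01T00:00:00Z"},
]
APPROVED = {"api.example.com", "www.example.com"}  # hypothetical asset inventory


def normalize(name):
    """Lower-case, drop a trailing dot; return (hostname, is_wildcard)."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    return (name[2:] if wildcard else name), wildcard


def in_scope(host, root):
    """Match on a label boundary so notexample.com never passes for example.com."""
    root = root.lower().rstrip(".")
    return host == root or host.endswith("." + root)


def triage(records, approved, since):
    """Return unapproved in-scope names, flagged if wildcard or first seen >= since."""
    findings = {}
    for rec in records:
        host, wildcard = normalize(rec["subdomain"])
        if not in_scope(host, rec["domain"]):
            continue  # name belongs to another zone
        if host in approved and not wildcard:
            continue  # known asset, nothing to review
        seen = datetime.fromisoformat(rec["firstSeen"].replace("Z", "+00:00"))
        f = findings.setdefault(host, {"host": host, "wildcard": False, "new": False})
        f["wildcard"] |= wildcard
        f["new"] |= seen >= since
    return sorted(findings.values(), key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, APPROVED, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(finding)
```

A wildcard finding means the certificate covers names that certificate transparency cannot list individually, so those zones need DNS-side review as well.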

Built with Crawlee and Apify SDK.