Subdomain Finder - Discover Subdomains via CT Logs
Pricing
from $3.50 / 1,000 results
Subdomain Finder - Discover Subdomains via CT Logs
Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON.
Pricing
from $3.50 / 1,000 results
Rating
0.0
(0)
Developer
Logiover
Maintained by CommunityActor stats
0
Bookmarked
6
Total users
3
Monthly active users
4 days ago
Last modified
Categories
Share
Subdomain Finder — Subdomain Enumeration via Certificate Transparency (crt.sh) (No API / No login)
Discover every known subdomain of any domain through public Certificate Transparency (CT) logs via crt.sh — passive subdomain enumeration that never touches the target's infrastructure. One root domain can return hundreds to thousands of unique subdomains, each as a clean row with the subdomain, root domain, ready-to-use url, a wildcard flag and certificate firstSeen / lastSeen dates. Pure HTTP, no browser, no API key, no login, no third-party account.
🏆 Why this subdomain finder?
8 fields per subdomain · hundreds to thousands of hosts per domain · passive HTTP + JSON over crt.sh (no browser, no scanning) · datacenter-proxy ready · export to JSON / CSV / Excel. The essential attack-surface mapping and subdomain discovery tool for security recon, bug bounty, OSINT and asset inventory — a genuine crt.sh / CT-log API alternative.
✨ What this Actor does / Key features
- 🛰️ Passive subdomain enumeration — pulls hostnames from Certificate Transparency logs; it never scans, probes or brute-forces the target, so there is zero direct contact with the target's infrastructure.
- 📈 High volume — a single root domain can yield hundreds to thousands of unique subdomains in one run, including forgotten shadow, staging and dev hosts.
- 🗂️ Bulk multi-domain — pass a whole list of root domains in
domainsand enumerate them all in a single run, one clean row per unique subdomain. - 🔀 Two-query coverage — for each root domain the Actor runs both
%.<domain>(wildcard) and<domain>(bare) crt.sh queries and merges the result sets for maximum coverage. - 🌿 Wildcard handling — the leading
*.on wildcard certs is always stripped and deduped; optionally keep wildcard-only names withincludeWildcards, flagged asisWildcard: true. - ✅ Optional live filter — enable
onlyResolvableto run a DNS-over-HTTPS A-record lookup on every subdomain and keep only the ones that currently resolve. - 🗓️ First / last seen dates — certificate validity dates (
not_before/not_after) come through asfirstSeenandlastSeen, perfect for spotting fresh or stale assets. - 🧹 Clean de-dup — every hostname is lowercased, wildcard-stripped and merged into a set, keeping the earliest
firstSeenand latestlastSeenper name. - 🛡️ Robust against crt.sh flakiness — long timeout, multiple retries with backoff and a fresh proxy IP per attempt; a domain crt.sh can't serve simply returns 0 rows while the run completes cleanly.
- 🔓 No API key, no browser — crt.sh is an open endpoint; pure HTTP means fast, low-cost runs with export to JSON, CSV or Excel or via the Apify API.
🚀 Quick start (3 steps)
- Configure — enter one or more Root Domains (e.g.
apify.com) with nohttp://and no paths. Optionally toggle wildcard/resolvable filters or cap results per domain. - Run — click Start. The Actor queries crt.sh for each domain, parses and deduplicates every certificate hostname, and streams subdomains into your dataset.
- Get your data — open the Output tab and export to JSON, CSV, Excel or XML, or pull it via the Apify API.
📥 Input
Give the Actor at least one root domain in domains. Everything else is optional.
Example — enumerate a single domain (defaults)
{"domains": ["apify.com"],"includeWildcards": false,"onlyResolvable": false,"maxResults": 0,"proxyConfiguration": { "useApifyProxy": true }}
Example — bulk recon across several targets
{"domains": ["apify.com", "google.com", "cloudflare.com"],"includeWildcards": true,"maxResults": 5000,"proxyConfiguration": { "useApifyProxy": true }}
Example — only currently-live subdomains
{"domains": ["example.com"],"onlyResolvable": true,"proxyConfiguration": { "useApifyProxy": true }}
| Field | Type | Description |
|---|---|---|
domains | array | Root domains to enumerate (e.g. apify.com, google.com). Do not include http:// or paths. Required. |
includeWildcards | boolean | Keep names that only ever appeared as a wildcard cert (*.x), flagged isWildcard: true. The leading *. is stripped regardless. Default false. |
onlyResolvable | boolean | If true, each subdomain is checked with a DNS-over-HTTPS A-record lookup and only currently-live hosts are kept. Much slower — off by default. |
maxResults | integer | Maximum unique subdomains to return per root domain. 0 = no limit. |
proxyConfiguration | object | Apify Proxy settings used to reach crt.sh. Datacenter proxy is fine (crt.sh is an open endpoint). |
How to enter a domain: use the bare registrable domain only —
apify.com, nothttps://apify.com/orwww.apify.com/blog. Sub-subdomains found under it (e.g.dev.api.apify.com) are still returned automatically.
📤 Output
One row per unique subdomain — 8 fields, exportable to JSON, CSV, Excel or XML. Here is a sample record:
{"subdomain": "affiliate.apify.com","domain": "apify.com","url": "https://affiliate.apify.com","isWildcard": false,"resolvable": null,"firstSeen": "2025-06-03T07:47:43","lastSeen": "2026-09-07T01:14:59","discoveredAt": "2026-07-06T12:00:00.000Z"}
💡 Use cases
- Security recon & penetration testing — map an organization's full external attack surface before an authorized test, without ever probing the target.
- Bug bounty & OSINT — enumerate in-scope assets for a target using passive reconnaissance with zero direct contact, then feed the list into your fuzzing pipeline.
- Attack-surface management — discover forgotten, shadow, staging or dev subdomains your team may have lost track of.
- Asset discovery & inventory — build and enrich a complete subdomain inventory for any domain you own or monitor.
- SEO & site migration — find every subdomain that may host indexable content before or after a redesign or migration.
- Brand & threat monitoring — track which subdomains appear over time via
firstSeenand catch new or unexpected hostnames.
👥 Who uses it
Penetration testers & red teams · bug bounty hunters & OSINT researchers · attack-surface & security operations teams · SRE / infrastructure inventory owners · SEO specialists & site-migration engineers · brand-protection & threat-intel analysts.
💰 Pricing
This Actor runs on a simple pay-per-result model — you pay for the subdomains you extract, with no separate Apify platform fees to calculate. Try it on the free tier first, then scale up. See the Pricing tab on this page for the current rate.
❓ Frequently Asked Questions
Is it legal to enumerate subdomains via Certificate Transparency? The Actor only reads hostnames that organizations already published to public Certificate Transparency logs — no target infrastructure is contacted. You are responsible for using the data in compliance with crt.sh's terms and applicable laws, and for only enumerating domains you own or are authorized to assess.
Does crt.sh have a public API? Is this a CT-log / crt.sh API alternative? crt.sh exposes a lightweight JSON endpoint but no stable, documented, key-authenticated API, and it frequently rate-limits or times out under load. This Actor works as a reliable crt.sh / CT-log API alternative — it queries CT logs, parses and deduplicates every certificate hostname, retries through flakiness, and returns clean structured rows with no API key.
Can I find subdomains without an API key or login? Yes. crt.sh is an open Certificate Transparency endpoint, so this Actor needs no API key, no login and no third-party credentials — only an Apify account. It pulls publicly published hostnames over direct HTTP.
How do I export subdomains to CSV or JSON? Every result is one row in an Apify dataset, so you can export the full subdomain list to CSV, JSON, Excel or XML from the Apify console or via the Apify API — ready to drop into a spreadsheet or recon pipeline.
How much data can I get?
It depends entirely on the target. Small sites may return a handful of names; large organizations return hundreds or thousands of unique subdomains. There's no hard cap unless you set Max Results Per Domain (maxResults).
How is this different from a DNS brute-force tool?
A brute-force tool guesses subdomain names against a wordlist and actively queries the target's DNS. This Actor is passive: it reads hostnames organizations already published to public CT logs, so it never touches the target's infrastructure — and it often surfaces names no wordlist would guess. For complete coverage, pair passive CT enumeration with an active tool.
Does it find sub-subdomains and wildcard domains?
Yes. Any depth of hostname that appears in a certificate (e.g. dev.api.example.com) is returned. Wildcard certs (*.example.com) always have the leading *. stripped; enable Include Wildcard Entries (includeWildcards) to also keep names that only ever appeared as a wildcard, flagged with isWildcard: true.
Why are some subdomains not live?
CT logs are historical — a certificate may have been issued for a host that no longer resolves. Enable Only Resolvable (onlyResolvable) to run a DNS-over-HTTPS A-record check and keep only subdomains that currently resolve, reported in the resolvable field.
How do I enumerate subdomains for a bug bounty target?
Enter the in-scope root domain and the Actor pulls every hostname from Certificate Transparency logs passively, giving you an asset list without touching the target. Then feed the url column into a status checker or tech-stack detector to prioritize live hosts.
🔗 More security & recon scrapers by logiover
Building a full recon and attack-surface pipeline? Pair Subdomain Finder with the rest of the logiover security & website-intelligence suite:
| Tool | What it does |
|---|---|
| Certificate Transparency Monitor | Track newly issued TLS certificates for a domain over time |
| Bulk DNS Records Lookup | Resolve A, AAAA, MX, TXT, NS and more for any list of domains |
| Bulk WHOIS / RDAP Lookup | Pull WHOIS/RDAP registration data for domains in bulk |
| Bulk SSL Certificate Checker | Inspect SSL/TLS certs, issuers and expiry for many hosts |
| Bulk HTTP Security Headers | Audit HSTS, CSP and other security headers across URLs |
| Bulk URL Status Checker | Check HTTP status codes and redirects for any list of URLs |
| Website Tech Stack Detector | Detect frameworks, CMS, analytics and servers a site runs on |
| Broken Link Checker | Crawl a site and flag every dead internal and external link |
| Website Link Graph Crawler | Map the internal link graph and structure of a website |
| Sitemap to URL Crawler | Expand sitemaps into a full, deduplicated list of page URLs |
| Wayback Machine URL Extractor | Pull historical URLs for a domain from the Internet Archive |
| Website SEO Audit Crawler | Crawl a site and surface on-page SEO and technical issues |
👉 Browse all logiover scrapers on Apify Store — 180+ actors across real estate, jobs, crypto, social media & B2B data.
⏰ Scheduling & integration
Schedule this Actor on Apify to re-enumerate your domains daily or weekly and catch new subdomains as certificates are issued. Export results to JSON, CSV or Excel, sync to Google Sheets, or push to your database, BI tools and webhooks through the Apify API. Connect it to Make, n8n or Zapier to feed fresh subdomain inventories straight into your recon or asset-management workflows.
⭐ Support & feedback
Found a bug or need an extra field? Open an issue on the Issues tab — response is usually fast. If this Actor saves you time, a ★★★★★ review on the Store page genuinely helps and is hugely appreciated. 🙏
⚖️ Legal
This Actor extracts only publicly available Certificate Transparency data and is intended for legitimate security research, asset inventory and authorized reconnaissance. You are responsible for complying with crt.sh's terms of service, applicable local laws, and for only enumerating domains you own or are authorized to assess.
📝 Changelog
2026-07-06
- ✨ README overhaul: richer output sample, ready-to-run example scenarios, cross-suite links, and clearer quick-start.
2026-07-01
- Maintenance pass: re-verified end-to-end on live data and confirmed successful runs within the 5-minute quality window on the default input.
- Sharpened Store metadata (SEO title & description) and expanded the FAQ with high-intent, long-tail questions for easier discovery in Google and Apify Store search.
- Added ready-to-run example tasks that cover common real-world use cases.
2026-06-15
- Initial release — subdomain discovery via Certificate Transparency logs, CSV/JSON export, no API key.