Subdomain Radar — Passive OSINT Enumeration
Pricing
from $1.00 / 1,000 results
Subdomain Radar — Passive OSINT Enumeration
Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.
Pricing
from $1.00 / 1,000 results
Rating
0.0
(0)
Developer
Saregaa
Maintained by CommunityActor stats
0
Bookmarked
3
Total users
1
Monthly active users
18 days ago
Last modified
Categories
Share
Subdomain Enumeration Toolkit | Passive Recon, DNS Validation & Takeover Detection
Discover every subdomain of any target domain — without sending a single packet to the target. This Actor collects subdomains from 5 passive OSINT sources simultaneously, validates them with live DNS resolution, probes HTTP/HTTPS endpoints, and automatically flags subdomains vulnerable to takeover by orphaned cloud services.
Built for bug bounty hunters , penetration testers , and attack surface monitoring teams who need complete subdomain coverage fast.
✅ 100% passive — no direct traffic to the target
✅ 5 OSINT sources queried in parallel (Certspotter, HackerTarget, RapidDNS, OTX, URLScan)
✅ DNS resolution + HTTP/HTTPS probing for every discovered subdomain
✅ Subdomain takeover detection across 30+ cloud services
✅ Export to JSON, CSV, or Excel via Apify datasets
✅ Full API access for automation and CI/CD integration
What Data Gets Extracted?
| Field | Description |
|---|---|
domain | The root domain that was scanned |
subdomain | The discovered subdomain hostname |
sources | Which OSINT sources returned this subdomain |
dns_resolves | Whether the subdomain has a live A record |
dns_ip | Resolved IP address |
http_status | HTTP response code (200, 301, 403, etc.) |
http_title | Page <title>text (first 120 characters) |
http_server | Serverresponse header value |
http_redirect | Final URL if the subdomain redirects |
is_live | True when the HTTP status code is below 500 |
takeover_risk | none,medium, or high |
takeover_service | Name of the cloud service at risk (e.g. "Heroku", "AWS S3") |
scanned_at | ISO 8601 timestamp of when this subdomain was scanned |
A RUN_METADATA summary record is also saved with aggregate counts: total subdomains found, live HTTP endpoints, and takeover risk counts.
Features
- 5 passive OSINT sources — Certspotter (certificate transparency), HackerTarget (passive DNS), RapidDNS (passive DNS), AlienVault OTX (threat intelligence), and URLScan.io (scan archive), all queried in one run
- Parallel DNS resolution — resolves all discovered hostnames concurrently with configurable worker count
- HTTP and HTTPS probing — tries HTTPS first, falls back to HTTP; captures status code, page title, server header, and redirect chain
- Subdomain takeover detection — checks CNAME records against 30+ known-vulnerable cloud providers and validates response bodies for telltale error strings
- Apify Proxy support — optionally routes HTTP probes through Apify's residential proxy network to avoid IP blocks
- Pay-Per-Event billing — you pay only for what you find: $0.05 per run plus $0.001 per subdomain discovered
- Export anywhere — results available as JSON, CSV, or Excel directly from the Apify dataset; integrates with Zapier, Make, and n8n
- Schedule runs — monitor your attack surface over time by running on a daily or weekly schedule
How to Run Your First Subdomain Scan
- Open the Actor in the Apify Store and click Try for free
- Enter your target domain(s) in the
domainsfield — for example,example.com - (Optional) Paste a free AlienVault OTX API key into
otxApiKeyfor significantly more results - Adjust settings if needed — DNS resolve, HTTP probe, and takeover detection are all on by default
- Click Run — results appear in the dataset as the scan progresses
- Download results as JSON, CSV, or Excel from the dataset tab, or access them via the Apify API
Input Example
{"domains": ["example.com", "example.org"],"otxApiKey": "your_otx_key_here","doResolve": true,"doProbe": true,"doTakeover": true,"probeTimeoutSecs": 7,"maxConcurrency": 30,"useApifyProxy": false}
Input Fields
| Field | Type | Default | Description |
|---|---|---|---|
domains | string[] | — | **Required.**One or more root domains to scan |
otxApiKey | string | — | AlienVault OTX API key (free, recommended) |
doResolve | boolean | true | Resolve DNS A records |
doProbe | boolean | true | Probe HTTP/HTTPS for each live host |
doTakeover | boolean | true | Check for subdomain takeover risks |
probeTimeoutSecs | integer | 7 | Per-request timeout for HTTP probing |
maxConcurrency | integer | 30 | Parallel workers for DNS and HTTP tasks |
useApifyProxy | boolean | false | Route HTTP probes through Apify residential proxies |
Output Example
{"domain": "tesla.com","subdomain": "api.tesla.com","sources": ["Certspotter", "RapidDNS"],"dns_resolves": true,"dns_ip": "23.62.104.69","http_status": 200,"http_title": "Tesla API","http_server": "nginx","http_redirect": "","is_live": true,"takeover_risk": "none","takeover_service": "","scanned_at": "2026-05-30T12:00:00+00:00"}
Run metadata (saved separately to Key-Value Store as RUN_METADATA):
{"total_domains": 1,"total_subdomains": 308,"live_http": 291,"takeover_high": 2,"takeover_medium": 5,"scanned_at": "2026-05-30T12:00:00+00:00","domains": ["tesla.com"]}
Use Cases
Bug Bounty Reconnaissance
Map the complete external attack surface of a target before starting an engagement. Finding forgotten staging servers, old API endpoints, or misconfigured admin panels often yields the highest-value findings.
Subdomain Takeover Hunting
Automatically detect orphaned subdomains pointing to unclaimed Heroku dynos, deleted S3 buckets, decommissioned GitHub Pages, and 27 other cloud services. High-severity takeovers can be claimed and reported immediately.
Penetration Testing
Discover dev, staging, internal, and legacy subdomains that are often overlooked in scope definitions but are accessible from the internet. These endpoints frequently run older software with known vulnerabilities.
Attack Surface Monitoring
Schedule the Actor to run weekly or monthly on your own domains. Catch newly created subdomains before attackers do, and get alerted when orphaned subdomains appear.
Competitor Infrastructure Intelligence
Understand a company's technology stack and infrastructure layout by mapping their subdomains. Identify cloud providers, CDNs, third-party services, and internal tooling exposed to the internet.
Security Auditing
Verify that decommissioned services have been properly cleaned up. Dangling DNS records are a common finding in security audits and a frequent source of data breaches.
API Access
Access all results programmatically through the Apify API:
# Fetch results from your datasetcurl "https://api.apify.com/v2/datasets/{DATASET_ID}/items?format=json" \-H "Authorization: Bearer {YOUR_API_TOKEN}"
Use the API to:
- Trigger scans automatically from your CI/CD pipeline or security toolchain
- Pull results into your SIEM, vulnerability management platform, or custom dashboard
- Integrate with Zapier, Make (Integromat), or n8n for no-code alerting workflows
- Schedule recurring runs via the Apify scheduler and receive webhooks on completion
Pricing
This Actor uses Pay-Per-Event billing — you pay only for results found.
| Event | Cost |
|---|---|
| Actor start | $0.05 flat per run |
| Per discovered subdomain | $0.001 each |
Typical costs:
| Target | Estimated subdomains | Estimated cost |
|---|---|---|
| Small SaaS product | ~50 subdomains | ~$0.10 |
| Mid-size company | ~150 subdomains | ~$0.20 |
| Large enterprise (e.g. tesla.com) | ~308 subdomains | ~$0.36 |
| Very large domain (500+ subdomains) | ~500 subdomains | ~$0.55 |
Why Use This Instead of Manual Tools or a Custom Script?
| Feature | This Actor | Manual tools (subfinder, amass, etc.) |
|---|---|---|
| Setup time | Zero — runs in browser | Requires local install and config |
| OSINT sources | 5 sources in one run | Varies by tool; usually requires multiple |
| Cloud infrastructure | Runs on Apify, no local resources | Uses your own CPU and network |
| Scheduling | Built-in scheduler | Requires cron + own server |
| Export formats | JSON, CSV, Excel via API | Manual file handling |
| Integrations | Zapier, Make, n8n, Apify API | Custom scripting required |
| Proxy support | One-click Apify residential proxies | Manual proxy configuration |
| Takeover detection | Included, 30+ services | Separate tool (nuclei, subjack) |
| Billing | Pay only for results found | Free but requires your own infrastructure |
Subdomain Takeover Detection: Covered Services
The Actor checks CNAME records and HTTP response bodies for signs of unclaimed resources across 30+ providers:
GitHub Pages · Heroku · AWS S3 · AWS S3 Website · AWS CloudFront · Azure Web Apps · Azure API · Azure Blob · Azure Traffic Manager · Shopify · Fastly · Unbounce · WP Engine · Zendesk · Freshdesk · HelpScout · Ghost · Webflow · Netlify · Surge · Bitbucket · GitBook · ReadMe · LaunchRock · Cargo · FeedPress · Tumblr · Strikingly
FAQ
Is subdomain enumeration legal? Use this tool only on domains you own or have explicit written permission to test. Passive OSINT collection is generally legal, but laws vary by jurisdiction. Always obtain written authorization before scanning any domain you don't control.
Does this Actor send traffic to the target domain?
No. All subdomain collection is done through third-party OSINT sources (Certspotter, HackerTarget, RapidDNS, OTX, URLScan). DNS resolution and HTTP probing contact the subdomains directly, not the target's web servers. The doResolve and doProbe options can be disabled for a fully passive run.
Do I need an OTX API key? No, but it's strongly recommended. OTX (AlienVault) significantly increases subdomain coverage — in testing it added 100+ unique results on top of the other four sources. The key is free at otx.alienvault.com.
Can I scan multiple domains in one run?
Yes. Pass a list of domains in the domains input field and the Actor scans each one sequentially.
Can I schedule scans to run automatically? Yes. Use the Apify scheduler to run the Actor on any recurring interval and configure webhooks to notify you when new subdomains or takeover risks are found.
Can I export results to CSV or Excel? Yes. The Apify dataset viewer lets you download results as JSON, CSV, XML, or Excel with one click. You can also fetch any format via the API.
How many subdomains can this find? Coverage depends on the target domain and how many sources have indexed it. For large, well-known domains, expect 100–500+ subdomains. For smaller or newer domains, coverage will be lower. Adding an OTX API key maximizes results.
How do takeover risk levels work?
high means the subdomain has a CNAME pointing to a cloud provider with no IP address — the resource is likely unclaimed and takeable. medium means the subdomain resolves to an IP but its CNAME still points to a cloud service — lower risk but worth investigating. none means no takeover indicators were found.
What memory should I allocate? 512 MB is sufficient for most single-domain scans. Use 1024 MB for 10+ domains or very large domains with 500+ expected subdomains.
Does it work through a proxy?
Yes. Enable useApifyProxy to route all HTTP probes through Apify's residential proxy network. This is useful if target subdomains block datacenter IPs or if you want to avoid exposing the Apify IP range during probing.
How long does a scan take?
A typical single-domain scan with DNS resolve, HTTP probing, and takeover detection completes in 2–10 minutes depending on subdomain count and the maxConcurrency setting.
How to Get an OTX API Key
- Register for free at otx.alienvault.com
- Go to Settings → API Key
- Copy the key and paste it into the
otxApiKeyinput field
Free tier allows 10,000 requests per hour.
Local Testing
# Install dependenciespip install -r requirements.txt# Create inputmkdir -p storage/key_value_stores/defaultcat > storage/key_value_stores/default/INPUT.json << 'JSON'{"domains": ["example.com"],"otxApiKey": "your_key_here","doProbe": true,"doTakeover": true}JSON# Runpython src/main.py
Results are saved to storage/datasets/default/.
Support
If you run into issues or have questions, open a discussion on the Actor's Apify Store page. Include the run ID from your failed run and a description of the input you used — this helps diagnose problems quickly.
For feature requests (new OSINT sources, additional takeover signatures, output format changes), use the issue tracker or reach out via the store page.