Subdomain Radar — Passive OSINT Enumeration avatar

Subdomain Radar — Passive OSINT Enumeration

Pricing

from $1.00 / 1,000 results

Go to Apify Store
Subdomain Radar — Passive OSINT Enumeration

Subdomain Radar — Passive OSINT Enumeration

Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.

Pricing

from $1.00 / 1,000 results

Rating

0.0

(0)

Developer

Saregaa

Saregaa

Maintained by Community

Actor stats

0

Bookmarked

3

Total users

1

Monthly active users

18 days ago

Last modified

Share

Subdomain Enumeration Toolkit | Passive Recon, DNS Validation & Takeover Detection

Discover every subdomain of any target domain — without sending a single packet to the target. This Actor collects subdomains from 5 passive OSINT sources simultaneously, validates them with live DNS resolution, probes HTTP/HTTPS endpoints, and automatically flags subdomains vulnerable to takeover by orphaned cloud services.

Built for bug bounty hunters , penetration testers , and attack surface monitoring teams who need complete subdomain coverage fast.

✅ 100% passive — no direct traffic to the target

✅ 5 OSINT sources queried in parallel (Certspotter, HackerTarget, RapidDNS, OTX, URLScan)

✅ DNS resolution + HTTP/HTTPS probing for every discovered subdomain

✅ Subdomain takeover detection across 30+ cloud services

✅ Export to JSON, CSV, or Excel via Apify datasets

✅ Full API access for automation and CI/CD integration


What Data Gets Extracted?

FieldDescription
domainThe root domain that was scanned
subdomainThe discovered subdomain hostname
sourcesWhich OSINT sources returned this subdomain
dns_resolvesWhether the subdomain has a live A record
dns_ipResolved IP address
http_statusHTTP response code (200, 301, 403, etc.)
http_titlePage <title>text (first 120 characters)
http_serverServerresponse header value
http_redirectFinal URL if the subdomain redirects
is_liveTrue when the HTTP status code is below 500
takeover_risknone,medium, or high
takeover_serviceName of the cloud service at risk (e.g. "Heroku", "AWS S3")
scanned_atISO 8601 timestamp of when this subdomain was scanned

A RUN_METADATA summary record is also saved with aggregate counts: total subdomains found, live HTTP endpoints, and takeover risk counts.


Features

  • 5 passive OSINT sources — Certspotter (certificate transparency), HackerTarget (passive DNS), RapidDNS (passive DNS), AlienVault OTX (threat intelligence), and URLScan.io (scan archive), all queried in one run
  • Parallel DNS resolution — resolves all discovered hostnames concurrently with configurable worker count
  • HTTP and HTTPS probing — tries HTTPS first, falls back to HTTP; captures status code, page title, server header, and redirect chain
  • Subdomain takeover detection — checks CNAME records against 30+ known-vulnerable cloud providers and validates response bodies for telltale error strings
  • Apify Proxy support — optionally routes HTTP probes through Apify's residential proxy network to avoid IP blocks
  • Pay-Per-Event billing — you pay only for what you find: $0.05 per run plus $0.001 per subdomain discovered
  • Export anywhere — results available as JSON, CSV, or Excel directly from the Apify dataset; integrates with Zapier, Make, and n8n
  • Schedule runs — monitor your attack surface over time by running on a daily or weekly schedule

How to Run Your First Subdomain Scan

  1. Open the Actor in the Apify Store and click Try for free
  2. Enter your target domain(s) in the domains field — for example, example.com
  3. (Optional) Paste a free AlienVault OTX API key into otxApiKey for significantly more results
  4. Adjust settings if needed — DNS resolve, HTTP probe, and takeover detection are all on by default
  5. Click Run — results appear in the dataset as the scan progresses
  6. Download results as JSON, CSV, or Excel from the dataset tab, or access them via the Apify API

Input Example

{
"domains": ["example.com", "example.org"],
"otxApiKey": "your_otx_key_here",
"doResolve": true,
"doProbe": true,
"doTakeover": true,
"probeTimeoutSecs": 7,
"maxConcurrency": 30,
"useApifyProxy": false
}

Input Fields

FieldTypeDefaultDescription
domainsstring[]**Required.**One or more root domains to scan
otxApiKeystringAlienVault OTX API key (free, recommended)
doResolvebooleantrueResolve DNS A records
doProbebooleantrueProbe HTTP/HTTPS for each live host
doTakeoverbooleantrueCheck for subdomain takeover risks
probeTimeoutSecsinteger7Per-request timeout for HTTP probing
maxConcurrencyinteger30Parallel workers for DNS and HTTP tasks
useApifyProxybooleanfalseRoute HTTP probes through Apify residential proxies

Output Example

{
"domain": "tesla.com",
"subdomain": "api.tesla.com",
"sources": ["Certspotter", "RapidDNS"],
"dns_resolves": true,
"dns_ip": "23.62.104.69",
"http_status": 200,
"http_title": "Tesla API",
"http_server": "nginx",
"http_redirect": "",
"is_live": true,
"takeover_risk": "none",
"takeover_service": "",
"scanned_at": "2026-05-30T12:00:00+00:00"
}

Run metadata (saved separately to Key-Value Store as RUN_METADATA):

{
"total_domains": 1,
"total_subdomains": 308,
"live_http": 291,
"takeover_high": 2,
"takeover_medium": 5,
"scanned_at": "2026-05-30T12:00:00+00:00",
"domains": ["tesla.com"]
}

Use Cases

Bug Bounty Reconnaissance

Map the complete external attack surface of a target before starting an engagement. Finding forgotten staging servers, old API endpoints, or misconfigured admin panels often yields the highest-value findings.

Subdomain Takeover Hunting

Automatically detect orphaned subdomains pointing to unclaimed Heroku dynos, deleted S3 buckets, decommissioned GitHub Pages, and 27 other cloud services. High-severity takeovers can be claimed and reported immediately.

Penetration Testing

Discover dev, staging, internal, and legacy subdomains that are often overlooked in scope definitions but are accessible from the internet. These endpoints frequently run older software with known vulnerabilities.

Attack Surface Monitoring

Schedule the Actor to run weekly or monthly on your own domains. Catch newly created subdomains before attackers do, and get alerted when orphaned subdomains appear.

Competitor Infrastructure Intelligence

Understand a company's technology stack and infrastructure layout by mapping their subdomains. Identify cloud providers, CDNs, third-party services, and internal tooling exposed to the internet.

Security Auditing

Verify that decommissioned services have been properly cleaned up. Dangling DNS records are a common finding in security audits and a frequent source of data breaches.


API Access

Access all results programmatically through the Apify API:

# Fetch results from your dataset
curl "https://api.apify.com/v2/datasets/{DATASET_ID}/items?format=json" \
-H "Authorization: Bearer {YOUR_API_TOKEN}"

Use the API to:

  • Trigger scans automatically from your CI/CD pipeline or security toolchain
  • Pull results into your SIEM, vulnerability management platform, or custom dashboard
  • Integrate with Zapier, Make (Integromat), or n8n for no-code alerting workflows
  • Schedule recurring runs via the Apify scheduler and receive webhooks on completion

Pricing

This Actor uses Pay-Per-Event billing — you pay only for results found.

EventCost
Actor start$0.05 flat per run
Per discovered subdomain$0.001 each

Typical costs:

TargetEstimated subdomainsEstimated cost
Small SaaS product~50 subdomains~$0.10
Mid-size company~150 subdomains~$0.20
Large enterprise (e.g. tesla.com)~308 subdomains~$0.36
Very large domain (500+ subdomains)~500 subdomains~$0.55

Why Use This Instead of Manual Tools or a Custom Script?

FeatureThis ActorManual tools (subfinder, amass, etc.)
Setup timeZero — runs in browserRequires local install and config
OSINT sources5 sources in one runVaries by tool; usually requires multiple
Cloud infrastructureRuns on Apify, no local resourcesUses your own CPU and network
SchedulingBuilt-in schedulerRequires cron + own server
Export formatsJSON, CSV, Excel via APIManual file handling
IntegrationsZapier, Make, n8n, Apify APICustom scripting required
Proxy supportOne-click Apify residential proxiesManual proxy configuration
Takeover detectionIncluded, 30+ servicesSeparate tool (nuclei, subjack)
BillingPay only for results foundFree but requires your own infrastructure

Subdomain Takeover Detection: Covered Services

The Actor checks CNAME records and HTTP response bodies for signs of unclaimed resources across 30+ providers:

GitHub Pages · Heroku · AWS S3 · AWS S3 Website · AWS CloudFront · Azure Web Apps · Azure API · Azure Blob · Azure Traffic Manager · Shopify · Fastly · Unbounce · WP Engine · Zendesk · Freshdesk · HelpScout · Ghost · Webflow · Netlify · Surge · Bitbucket · GitBook · ReadMe · LaunchRock · Cargo · FeedPress · Tumblr · Strikingly


FAQ

Is subdomain enumeration legal? Use this tool only on domains you own or have explicit written permission to test. Passive OSINT collection is generally legal, but laws vary by jurisdiction. Always obtain written authorization before scanning any domain you don't control.

Does this Actor send traffic to the target domain? No. All subdomain collection is done through third-party OSINT sources (Certspotter, HackerTarget, RapidDNS, OTX, URLScan). DNS resolution and HTTP probing contact the subdomains directly, not the target's web servers. The doResolve and doProbe options can be disabled for a fully passive run.

Do I need an OTX API key? No, but it's strongly recommended. OTX (AlienVault) significantly increases subdomain coverage — in testing it added 100+ unique results on top of the other four sources. The key is free at otx.alienvault.com.

Can I scan multiple domains in one run? Yes. Pass a list of domains in the domains input field and the Actor scans each one sequentially.

Can I schedule scans to run automatically? Yes. Use the Apify scheduler to run the Actor on any recurring interval and configure webhooks to notify you when new subdomains or takeover risks are found.

Can I export results to CSV or Excel? Yes. The Apify dataset viewer lets you download results as JSON, CSV, XML, or Excel with one click. You can also fetch any format via the API.

How many subdomains can this find? Coverage depends on the target domain and how many sources have indexed it. For large, well-known domains, expect 100–500+ subdomains. For smaller or newer domains, coverage will be lower. Adding an OTX API key maximizes results.

How do takeover risk levels work? high means the subdomain has a CNAME pointing to a cloud provider with no IP address — the resource is likely unclaimed and takeable. medium means the subdomain resolves to an IP but its CNAME still points to a cloud service — lower risk but worth investigating. none means no takeover indicators were found.

What memory should I allocate? 512 MB is sufficient for most single-domain scans. Use 1024 MB for 10+ domains or very large domains with 500+ expected subdomains.

Does it work through a proxy? Yes. Enable useApifyProxy to route all HTTP probes through Apify's residential proxy network. This is useful if target subdomains block datacenter IPs or if you want to avoid exposing the Apify IP range during probing.

How long does a scan take? A typical single-domain scan with DNS resolve, HTTP probing, and takeover detection completes in 2–10 minutes depending on subdomain count and the maxConcurrency setting.


How to Get an OTX API Key

  1. Register for free at otx.alienvault.com
  2. Go to Settings → API Key
  3. Copy the key and paste it into the otxApiKey input field

Free tier allows 10,000 requests per hour.


Local Testing

# Install dependencies
pip install -r requirements.txt
# Create input
mkdir -p storage/key_value_stores/default
cat > storage/key_value_stores/default/INPUT.json << 'JSON'
{
"domains": ["example.com"],
"otxApiKey": "your_key_here",
"doProbe": true,
"doTakeover": true
}
JSON
# Run
python src/main.py

Results are saved to storage/datasets/default/.


Support

If you run into issues or have questions, open a discussion on the Actor's Apify Store page. Include the run ID from your failed run and a description of the input you used — this helps diagnose problems quickly.

For feature requests (new OSINT sources, additional takeover signatures, output format changes), use the issue tracker or reach out via the store page.