Pricing

Pay per event

🔍 Subdomain Finder

Discover subdomains for any domain using Certificate Transparency logs (crt.sh). Find hidden subdomains for security audits, penetration testing, asset inventory. No API key needed.

Pricing

Pay per event

Rating

0.0

(0)

Developer

太郎山田

Actor stats

Bookmarked

Total users

Monthly active users

2 days ago

Last modified

Store Quickstart

Start with the Quickstart template (single domain). For large asset inventories, use Enterprise Audit with up to 50 domains.

Key Features

🔍 Certificate Transparency logs — Uses crt.sh — the authoritative CT log database
📊 Full subdomain history — Active AND expired certificates both discoverable
🏷️ Issuer tracking — See which CA issued each certificate
📅 Validity dates — validFrom / validTo per certificate
🎯 Deduplication — Unique subdomains only, no duplicates
🔑 No API key needed — Free public CT log database

Use Cases

Who	Why
Penetration testers	Discover forgotten subdomains as attack surface
Asset inventory teams	Full catalog of company-wide subdomains
Bug bounty hunters	Find in-scope targets via CT logs
M&A due diligence	Audit acquired company's public infrastructure
DNS auditors	Cross-reference CT logs with DNS records to find orphaned subdomains

Input

Field	Type	Default	Description
domains	string[]	(required)	Domains to scan (max 50)
includeExpired	boolean	false	Include expired certificates
dedup	boolean	true	Deduplicate subdomain names

Input Example

{
  "domains": ["example.com", "target.org"],
  "includeExpired": false,
  "dedup": true
}

Output Example

{
  "domain": "example.com",
  "subdomains": [
    {"name": "api.example.com", "issuer": "Let's Encrypt", "validFrom": "2026-01-01", "validTo": "2026-04-01"},
    {"name": "mail.example.com", "issuer": "DigiCert", "validFrom": "2025-06-01", "validTo": "2026-06-01"}
  ],
  "totalFound": 42
}

FAQ

Will I find ALL subdomains?

Only those with valid HTTPS certificates. HTTP-only subdomains and those using wildcard certs are missed.

What about wildcard certificates?

Wildcard certs (*.example.com) appear as a single entry. Individual subdomains under them may not be listed.

Is crt.sh reliable?

Yes — it aggregates all public CT logs required by browser vendors. Very comprehensive.

Can I scan a competitor's domain?

Publicly — yes, CT logs are public by design. Always comply with your jurisdiction's laws.

DevOps & Tech Intel cluster — explore related Apify tools:

🌐 DNS Propagation Checker — Check DNS propagation across 8 global resolvers (Google, Cloudflare, Quad9, OpenDNS).
🧹 CSV Data Cleaner — Clean CSV data: trim whitespace, remove empty rows, deduplicate by columns, sort.
📦 NPM Package Analyzer — Analyze npm packages: download stats, dependencies, licenses, deprecation status.
📊 SEC EDGAR Monitor — Monitor SEC EDGAR filings for US public companies by ticker or CIK.

Cost

Pay Per Event:

actor-start: $0.01 (flat fee per run)
dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.

🌐 DNS Propagation Checker

taroyamada/dns-propagation-checker

Check DNS propagation across 8 global resolvers (Google, Cloudflare, Quad9, OpenDNS). Supports A, AAAA, MX, TXT, CNAME, NS, SOA records. Detect inconsistencies after DNS changes.

太郎山田

Free Linkedin Company Finder - LinkedIn address From Any Site

s-r/free-linkedin-company-finder---linkedin-address-from-any-site

Find LinkedIn company pages for any domain name. This powerful actor searches and extracts LinkedIn company URLs for domains, supporting international LinkedIn subdomains and bulk processing. Perfect for sales teams, recruiters, and data enrichment.

687

5.0

(1)

Website Key Pages Finder

yummy_gelato/website-key-pages-finder

Find key pages (pricing, docs, status, security, privacy, terms) on any website. Crawls start URLs and returns structured URLs with confidence scores and evidence. Great for competitor analysis, lead enrichment, and audits.

Howard

Bulk Email MX Verifier

automation-lab/email-mx-verifier

Bulk verify email addresses via DNS MX lookup, syntax validation, and disposable domain detection. No external API — pure DNS. 99% margin, $0.0008/email. Returns risk level, MX records, provider, typo suggestions.

Stas Persiianenko

TikTok Shop Data Scraper

devcake/tiktok-shop-data-scraper

Extract TikTok Shop product data instantly - prices, reviews, seller info, and categories. The essential TikTok shop scraper for e-commerce sellers and dropshippers.

devcake

Subdomain Finder & Reverse IP

canadesk/subdomain-finder-reverse-ip

Enumerate Subdomains and Reverse IPs with RapidDNS, Anubis, AlienVault and crt.sh! It's fast and costs little.

Canadesk Support

193

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

Subdomain Finder & Recon Tool

andok/subdomain-finder

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Andok

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. No API keys required.

One Scales

5.0

(2)

Subdomain Finder

automation-lab/subdomain-finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

Stas Persiianenko