🔍 Subdomain Finder & CT Log Scraper
Pricing
Pay per event
Map website architectures by extracting subdomains from public Certificate Transparency logs to find unlinked staging sites.
Developer
太郎 山田
Maintained by Community
Last modified: 3 days ago
🔍 Subdomain Finder
Uncover the full technical footprint of any website by extracting subdomains directly from public Certificate Transparency (CT) logs. This automated scraper queries the crt.sh database to map out complex website architectures, revealing hidden development environments, forgotten staging servers, and unlinked corporate web pages. Technical SEO specialists, system administrators, and digital marketers use this subdomain finder to build a comprehensive inventory of a domain network without needing internal server access, proprietary API credentials, or active crawling.
Running this subdomain scraper on a weekly schedule helps organizations maintain tight control over their web presence and eliminate duplicate content. By scraping certificate issuances and validity dates, you can easily identify unauthorized deployments or shadow IT that might be exposing vulnerable endpoints or diluting your crawl budget. It provides a purely passive reconnaissance method, ensuring that your data collection is both stealthy and exhaustive.
Whether you are conducting a rigorous technical SEO audit, tracking competitor brand expansions, or mapping digital assets across multiple websites, mining CT logs gives you an unfiltered view of a company's architecture. The extracted data includes exact subdomain URLs, certificate issuer records, creation timestamps, and expiration dates, giving you the exact details needed to secure and optimize your complete web infrastructure.
Store Quickstart
Start with the Quickstart template (single domain). For large asset inventories, use Enterprise Audit with up to 50 domains.
Key Features
- 🔍 Certificate Transparency logs — Uses crt.sh — the authoritative CT log database
- 📊 Full subdomain history — Active AND expired certificates both discoverable
- 🏷️ Issuer tracking — See which CA issued each certificate
- 📅 Validity dates — validFrom / validTo per certificate
- 🎯 Deduplication — Unique subdomains only, no duplicates
- 🔑 No API key needed — Free public CT log database
Use Cases
| Who | Why |
|---|---|
| Penetration testers | Discover forgotten subdomains as attack surface |
| Asset inventory teams | Full catalog of company-wide subdomains |
| Bug bounty hunters | Find in-scope targets via CT logs |
| M&A due diligence | Audit acquired company's public infrastructure |
| DNS auditors | Cross-reference CT logs with DNS records to find orphaned subdomains |
Input
| Field | Type | Default | Description |
|---|---|---|---|
| domains | string[] | (required) | Domains to scan (max 50) |
| includeExpired | boolean | false | Include expired certificates |
| dedup | boolean | true | Deduplicate subdomain names |
Input Example
{"domains": ["example.com", "target.org"],"includeExpired": false,"dedup": true}
Input Examples
Example: Single domain enumeration

```json
{
  "domains": ["example.com"]
}
```

Example: Multi-domain audit

```json
{
  "domains": ["example.com", "example.org"],
  "expandWildcards": true
}
```

Example: Recently-issued only

```json
{
  "domains": ["example.com"],
  "sinceDays": 90,
  "includeIssuer": true
}
```
Output
| Field | Type | Description |
|---|---|---|
| subdomain | string | Discovered subdomain |
| domain | string | Root domain queried |
| source | string | Where it was found (crtsh, hackertarget, etc.) |
| ip | string | Resolved IP address (if resolveIPs enabled) |
| firstSeen | string | ISO date when first observed (if available) |
Output Example
{"domain": "example.com","subdomains": [{"name": "api.example.com", "issuer": "Let's Encrypt", "validFrom": "2026-01-01", "validTo": "2026-04-01"},{"name": "mail.example.com", "issuer": "DigiCert", "validFrom": "2025-06-01", "validTo": "2026-06-01"}],"totalFound": 42}
API Usage
Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.
cURL
curl -X POST "https://api.apify.com/v2/acts/taroyamada~subdomain-finder/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \-H "Content-Type: application/json" \-d '{ "domains": ["example.com", "target.org"], "includeExpired": false, "dedup": true }'
Python
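```python
from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish.
# Note the Python booleans (False/True), not JSON's false/true.
run = client.actor("taroyamada/subdomain-finder").call(run_input={
    "domains": ["example.com", "target.org"],
    "includeExpired": False,
    "dedup": True,
})

# Read the results from the run's default dataset.
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)
```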
JavaScript / Node.js
```javascript
import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });

const run = await client.actor('taroyamada/subdomain-finder').call({
    "domains": ["example.com", "target.org"],
    "includeExpired": false,
    "dedup": true
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);
```
Tips & Limitations
- Use the `crtsh` source for the most comprehensive results; it queries Certificate Transparency logs.
- Enable `resolveIPs: true` to identify shared infrastructure across subdomains.
- Run monthly to catch new subdomains your team may have spun up without security review.
- Combine with DNS Propagation Checker to verify which subdomains are still live.
See also (Link analysis cluster)
- Short URL Resolver & Scraper — Resolve obfuscated short URLs that surface during subdomain / CT log enumeration.
FAQ
Will I find ALL subdomains?
Only those with valid HTTPS certificates. HTTP-only subdomains and those using wildcard certs are missed.
What about wildcard certificates?
Wildcard certs (*.example.com) appear as a single entry. Individual subdomains under them may not be listed.
Is crt.sh reliable?
Yes — it aggregates all public CT logs required by browser vendors. Very comprehensive.
Can I scan a competitor's domain?
Publicly — yes, CT logs are public by design. Always comply with your jurisdiction's laws.
Is this passive or active enumeration?
Passive only — it queries public OSINT sources (CT logs, DNS aggregators). No port scanning or brute-forcing.
Will it find subdomains behind WAFs?
Yes, as long as the subdomain has been issued an SSL cert (which CT logs index).
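
The behaviour described in the FAQ and feature list (deduplication, expired-certificate filtering, wildcard entries appearing as a single name) can be seen by reducing CT rows to an inventory yourself. This is an added example, not the actor's own code: the field names `name_value`, `issuer_name`, `not_before` and `not_after` are assumed from crt.sh's JSON output, and the sample rows and the `inventory` function are constructed for illustration.

```python
from datetime import datetime

# Constructed rows in the shape of crt.sh JSON output; not real certificate data.
SAMPLE_ROWS = [
    {"name_value": "api.example.com\nwww.example.com",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2026-01-01T00:00:00", "not_after": "2026-04-01T00:00:00"},
    {"name_value": "*.example.com\nexample.com",
     "issuer_name": "C=US, O=DigiCert Inc, CN=Example CA",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
    {"name_value": "API.example.com\nold-staging.example.com",  # expired cert
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-04-01T00:00:00"},
    {"name_value": "cdn.example.net",  # SAN outside the queried root
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2026-01-01T00:00:00", "not_after": "2026-04-01T00:00:00"},
]

def inventory(rows, root, now, include_expired=False):
    """Return (hosts, wildcards). hosts maps each unique in-scope name to the
    certificate with the latest expiry; wildcards are reported separately
    because they hide the individual hostnames they cover."""
    root = root.lower()
    hosts, wildcards = {}, set()
    for row in rows:
        not_after = datetime.fromisoformat(row["not_after"])
        if not include_expired and not_after < now:
            continue                      # same effect as includeExpired: false
        for raw in row["name_value"].splitlines():
            name = raw.strip().lower().rstrip(".")   # DNS names are case-insensitive
            base = name[2:] if name.startswith("*.") else name
            if base != root and not base.endswith("." + root):
                continue                  # drop names that belong to another domain
            if name.startswith("*."):
                wildcards.add(name)
                continue
            prev = hosts.get(name)
            if prev is None or not_after > prev["validTo"]:
                hosts[name] = {"issuer": row["issuer_name"],
                               "validFrom": datetime.fromisoformat(row["not_before"]),
                               "validTo": not_after}
    return hosts, wildcards

if __name__ == "__main__":
    hosts, wildcards = inventory(SAMPLE_ROWS, "example.com", datetime(2026, 2, 1))
    for name in sorted(hosts):
        print(name, hosts[name]["validTo"].date())
    print("wildcards (contents unknown from CT alone):", sorted(wildcards))
```

A name that only shows up with `include_expired=True`, such as `old-staging.example.com` here, is a candidate for the DNS cross-check mentioned under Use Cases: if it still resolves, it is a forgotten host rather than a retired one.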
Related Actors
DevOps & Tech Intel cluster — explore related Apify tools:
- 🌐 DNS Propagation Checker — Check DNS propagation across 8 global resolvers (Google, Cloudflare, Quad9, OpenDNS).
- 🧹 CSV Data Cleaner — Clean CSV data: trim whitespace, remove empty rows, deduplicate by columns, sort.
- 📦 NPM Package Analyzer — Analyze npm packages: download stats, dependencies, licenses, deprecation status.
- 💬 Reddit Scraper — Scrape Reddit posts and comments from any subreddit via official JSON API.
- GitHub Release & Changelog Monitor API — Track GitHub releases, tags, release notes, and changelog drift over time with one summary-first repository row per repo.
- Docs & Changelog Drift Monitor API — Monitor release notes, changelog pages, migration guides, and key docs pages with one summary-first target row per monitored repo, SDK, or product.
- Tech Events Calendar API | Conferences + CFP — Aggregate tech conferences and CFPs across multiple sources into a deduplicated event calendar for DevRel and recruiting workflows.
- 🔒 OSS Vulnerability Monitor — Monitor open-source packages for known security vulnerabilities using OSV and GitHub Security Advisories.
Cost
Pay Per Event:
- actor-start: $0.01 (flat fee per run)
- dataset-item: $0.003 per output item
Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01
No subscription required — you only pay for what you use.
Bug report or feature request? Open an issue on the Issues tab of this actor.