🔍 Subdomain Finder

Discover subdomains for any domain using Certificate Transparency logs (crt.sh). Essential for security audits, penetration testing, asset inventory.

Store Quickstart

Start with the Quickstart template (single domain). For large asset inventories, use Enterprise Audit with up to 50 domains.

Key Features

• 🔍 Certificate Transparency logs — Uses crt.sh — the authoritative CT log database
• 📊 Full subdomain history — Active AND expired certificates both discoverable
• 🏷️ Issuer tracking — See which CA issued each certificate
• 📅 Validity dates — validFrom / validTo per certificate
• 🎯 Deduplication — Unique subdomains only, no duplicates
• 🔑 No API key needed — Free public CT log database

Use Cases

Who	Why
Penetration testers	Discover forgotten subdomains as attack surface
Asset inventory teams	Full catalog of company-wide subdomains
Bug bounty hunters	Find in-scope targets via CT logs
M&A due diligence	Audit acquired company's public infrastructure
DNS auditors	Cross-reference CT logs with DNS records to find orphaned subdomains

Input

Field	Type	Default	Description
domains	string[]	(required)	Domains to scan (max 50)
includeExpired	boolean	false	Include expired certificates
dedup	boolean	true	Deduplicate subdomain names

Input Example

{
  "domains": ["example.com", "target.org"],
  "includeExpired": false,
  "dedup": true
}

Output

Field	Type	Description
subdomain	string	Discovered subdomain
domain	string	Root domain queried
source	string	Where it was found (crtsh, hackertarget, etc.)
ip	string	Resolved IP address (if resolveIPs enabled)
firstSeen	string	ISO date when first observed (if available)

Output Example

{
  "domain": "example.com",
  "subdomains": [
    {"name": "api.example.com", "issuer": "Let's Encrypt", "validFrom": "2026-01-01", "validTo": "2026-04-01"},
    {"name": "mail.example.com", "issuer": "DigiCert", "validFrom": "2025-06-01", "validTo": "2026-06-01"}
  ],
  "totalFound": 42
}

API Usage

Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~subdomain-finder/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "domains": ["example.com", "target.org"], "includeExpired": false, "dedup": true }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")
run = client.actor("taroyamada/subdomain-finder").call(run_input={
  "domains": ["example.com", "target.org"],
  "includeExpired": false,
  "dedup": true
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });
const run = await client.actor('taroyamada/subdomain-finder').call({
  "domains": ["example.com", "target.org"],
  "includeExpired": false,
  "dedup": true
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

• Use crtsh source for the most comprehensive results — it queries Certificate Transparency logs.
• Enable resolveIPs: true to identify shared infrastructure across subdomains.
• Run monthly to catch new subdomains your team may have spun up without security review.
• Combine with DNS Propagation Checker to verify which subdomains are still live.

FAQ

Will I find ALL subdomains?

Only those with valid HTTPS certificates. HTTP-only subdomains and those using wildcard certs are missed.

What about wildcard certificates?

Wildcard certs (*.example.com) appear as a single entry. Individual subdomains under them may not be listed.

Is crt.sh reliable?

Yes — it aggregates all public CT logs required by browser vendors. Very comprehensive.

Can I scan a competitor's domain?

Publicly — yes, CT logs are public by design. Always comply with your jurisdiction's laws.

Is this passive or active enumeration?

Passive only — it queries public OSINT sources (CT logs, DNS aggregators). No port scanning or brute-forcing.

Will it find subdomains behind WAFs?

Yes, as long as the subdomain has been issued an SSL cert (which CT logs index).

Related Actors

DevOps & Tech Intel cluster — explore related Apify tools:

• 🌐 DNS Propagation Checker — Check DNS propagation across 8 global resolvers (Google, Cloudflare, Quad9, OpenDNS).
• 🧹 CSV Data Cleaner — Clean CSV data: trim whitespace, remove empty rows, deduplicate by columns, sort.
• 📦 NPM Package Analyzer — Analyze npm packages: download stats, dependencies, licenses, deprecation status.
• 💬 Reddit Scraper — Scrape Reddit posts and comments from any subreddit via official JSON API.
• GitHub Release & Changelog Monitor API — Track GitHub releases, tags, release notes, and changelog drift over time with one summary-first repository row per repo.
• Docs & Changelog Drift Monitor API — Monitor release notes, changelog pages, migration guides, and key docs pages with one summary-first target row per monitored repo, SDK, or product.
• Tech Events Calendar API | Conferences + CFP — Aggregate tech conferences and CFPs across multiple sources into a deduplicated event calendar for DevRel and recruiting workflows.
• 🔒 OSS Vulnerability Monitor — Monitor open-source packages for known security vulnerabilities using OSV and GitHub Security Advisories.

Cost

Pay Per Event:

• actor-start: $0.01 (flat fee per run)
• dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.