Pricing

from $0.70 / 1,000 results

Subdomain Finder - Discover Every Subdomain Of A Domain

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.

Pricing

from $0.70 / 1,000 results

Rating

0.0

(0)

Developer

Thirdwatch

Actor stats

Bookmarked

Total users

Monthly active users

7 days ago

Last modified

Subdomain Finder

Find every subdomain of any domain. The actor merges four independent discovery sources, deduplicates the results, and verifies each candidate with DNS resolution and a live HTTP/HTTPS probe. Each result tells you which sources found it, whether it resolves, what IPs it points to, and the HTTP status + page title behind it.

What you can do with it

Attack-surface monitoring for your own apex domains.
Pre-engagement recon for security audits and bug bounty work.
Competitive intelligence — see which services and vendors a domain exposes.
Asset inventory automation across acquired or merged companies.

How discovery works

Four sources run in parallel; one failing (quota, transient HTTP error) does not kill the run:

Certificate transparency logs — the gold standard; catches anything that has ever been issued a TLS cert.
Public hostsearch API — passive DNS data, free tier.
Passive DNS aggregator — long-tail historical resolutions.
DNS bruteforcing — built-in wordlists (small ~100 names, medium ~1000) tried against the apex domain. Catches infrastructure subdomains (k8s, vault, gitlab, metrics, etc.) that never appear in passive sources.

Each result lists exactly which sources saw it, so you can confidence-grade discoveries and spot source drift over time.

Input

{
  "domains": ["thirdwatch.dev"],
  "sources": ["crtsh", "hackertarget", "rapiddns", "dnsbruteforce"],
  "bruteforceWordlist": "small",
  "verifyAlive": true,
  "httpProbe": true,
  "timeoutMinutes": 5
}

Field	Type	Default	Description
`domains`	string[]	—	Apex domains, no scheme/subdomain.
`sources`	string[]	all 4	Subset of `crtsh`, `hackertarget`, `rapiddns`, `dnsbruteforce`.
`bruteforceWordlist`	enum	`small`	`none`, `small` (~100), `medium` (~1000).
`verifyAlive`	boolean	`true`	DNS-resolve every candidate.
`httpProbe`	boolean	`true`	HTTP+HTTPS GET to capture status + title.
`timeoutMinutes`	integer	`5`	Per-domain budget.
`proxyConfiguration`	object	none	Optional Apify proxy.

Output (one item per subdomain)

{
  "apex_domain": "thirdwatch.dev",
  "subdomain": "mcp.thirdwatch.dev",
  "dns_resolves": true,
  "ip_addresses": ["104.21.10.5"],
  "sources": ["crtsh", "hackertarget"],
  "http_status": 301,
  "https_status": 200,
  "http_title": null,
  "https_title": "Thirdwatch MCP",
  "is_alive": true,
  "discovered_at": "2026-05-04T10:00:00+00:00"
}

Please only enumerate domains you own or have authorization to test.

Limitations

Coverage depends on what each source has indexed; freshly-issued subdomains may not appear in certificate transparency logs for hours.
The HackerTarget source has a free quota (~50 queries/day per IP); when exhausted, that source returns nothing for that day and the run continues with the others.
DNS bruteforcing uses our built-in wordlists. Highly custom internal naming (e.g. project codenames) won't be found by brute alone — it will surface only through certificate transparency or passive DNS.
The HTTP probe times out after 5 seconds per host; very slow hosts may show as null status even when alive.

Last verified

2026-05

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. No API keys required.

One Scales

5.0

Subdomain Finder

automation-lab/subdomain-finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

Stas Persiianenko

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

Subdomain Finder & Reverse IP

canadesk/subdomain-finder-reverse-ip

Enumerate Subdomains and Reverse IPs with RapidDNS, Anubis, AlienVault and crt.sh! It's fast and costs little.

Canadesk Support

214

SSL Certificate Transparency Search

ryanclinton/crt-sh-search

Search Certificate Transparency (CT) logs via crt.sh to discover every SSL/TLS certificate ever issued for any domain. Enumerate subdomains, audit certificate histories, and monitor for unauthorized certificate issuance -- all through a clean JSON API on Apify with no infrastructure to manage.

Ryan Clinton

Domain WHOIS & DNS Lookup â€” Registration, DNS Records & Tech

sovereigntaylor/domain-whois-scraper

Look up WHOIS data, DNS records, SSL certificates, and tech stack for any domain. Bulk domain research for lead generation, SEO audits, domain investing, and competitive intelligence. Uses RDAP, DNS-over-HTTPS, Certificate Transparency, and web WHOIS providers.