👁 Subdomain Finder - Discover Every Subdomain Of A Domain avatar

Subdomain Finder - Discover Every Subdomain Of A Domain

Pricing

from $0.70 / 1,000 results

👁 Subdomain Finder - Discover Every Subdomain Of A Domain

Subdomain Finder - Discover Every Subdomain Of A Domain

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.

Pricing

from $0.70 / 1,000 results

Rating

0.0

(0)

Developer

👁 Thirdwatch

Thirdwatch

Maintained by Community

Actor stats

Bookmarked

Total users

Monthly active users

17 days ago

Last modified

Subdomain Finder

Find every subdomain of any domain. The actor merges four independent discovery sources, deduplicates the results, and verifies each candidate with DNS resolution and a live HTTP/HTTPS probe. Each result tells you which sources found it, whether it resolves, what IPs it points to, and the HTTP status + page title behind it.

What you can do with it

Attack-surface monitoring for your own apex domains.
Pre-engagement recon for security audits and bug bounty work.
Competitive intelligence — see which services and vendors a domain exposes.
Asset inventory automation across acquired or merged companies.

How discovery works

Four sources run in parallel; one failing (quota, transient HTTP error) does not kill the run:

Certificate transparency logs — the gold standard; catches anything that has ever been issued a TLS cert.
Public hostsearch API — passive DNS data, free tier.
Passive DNS aggregator — long-tail historical resolutions.
DNS bruteforcing — built-in wordlists (small ~100 names, medium ~1000) tried against the apex domain. Catches infrastructure subdomains (k8s, vault, gitlab, metrics, etc.) that never appear in passive sources.

Each result lists exactly which sources saw it, so you can confidence-grade discoveries and spot source drift over time.

Input

{
"domains":["thirdwatch.dev"],
"sources":["crtsh","hackertarget","rapiddns","dnsbruteforce"],
"bruteforceWordlist":"small",
"verifyAlive":true,
"httpProbe":true,
"timeoutMinutes":5
}

Field	Type	Default	Description
`domains`	string[]	—	Apex domains, no scheme/subdomain.
`sources`	string[]	all 4	Subset of `crtsh`, `hackertarget`, `rapiddns`, `dnsbruteforce`.
`bruteforceWordlist`	enum	`small`	`none`, `small` (~100), `medium` (~1000).
`verifyAlive`	boolean	`true`	DNS-resolve every candidate.
`httpProbe`	boolean	`true`	HTTP+HTTPS GET to capture status + title.
`timeoutMinutes`	integer	`5`	Per-domain budget.
`proxyConfiguration`	object	none	Optional Apify proxy.

Output (one item per subdomain)

{
"apex_domain":"thirdwatch.dev",
"subdomain":"mcp.thirdwatch.dev",
"dns_resolves":true,
"ip_addresses":["104.21.10.5"],
"sources":["crtsh","hackertarget"],
"http_status":301,
"https_status":200,
"http_title":null,
"https_title":"Thirdwatch MCP",
"is_alive":true,
"discovered_at":"2026-05-04T10:00:00+00:00"
}

Please only enumerate domains you own or have authorization to test.

Limitations

Coverage depends on what each source has indexed; freshly-issued subdomains may not appear in certificate transparency logs for hours.
The HackerTarget source has a free quota (~50 queries/day per IP); when exhausted, that source returns nothing for that day and the run continues with the others.
DNS bruteforcing uses our built-in wordlists. Highly custom internal naming (e.g. project codenames) won't be found by brute alone — it will surface only through certificate transparency or passive DNS.
The HTTP probe times out after 5 seconds per host; very slow hosts may show as null status even when alive.

Last verified

2026-05

👁 Real Subdomain Finder avatar

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

👁 User avatar

One Scales

5.0

👁 Subdomain Finder - Discover Subdomains via CT Logs avatar

Subdomain Finder - Discover Subdomains via CT Logs

logiover/subdomain-finder

Discover every subdomain of any domain using Certificate Transparency logs (crt.sh). Fast bulk subdomain enumeration for security recon, attack-surface mapping, asset discovery and SEO. No API key — export to CSV or JSON.

👁 User avatar

Logiover

👁 Subdomain Discovery API avatar

Subdomain Discovery API

crawland/subdomain-discovery-api

Paginated subdomain enumeration for any registered domain — DNS records, registrar, WHOIS, vendor reputation, and category labels per subdomain, served from the Crawland threat-intelligence backend.

👁 User avatar

Crawland

Certificate Transparency Subdomain Search (crt.sh alternative)

advx/ct-domain-lookup

Find subdomains and TLS certificates for any domain from Certificate Transparency logs. A fast, working crt.sh alternative for subdomain enumeration, recon and attack-surface mapping. Returns unique hostnames with first/last seen and issuers, or raw certificates.

👁 User avatar

Sevastian Z

👁 Subdomain Intelligence OSINT Scanner & Monitor avatar

Subdomain Intelligence OSINT Scanner & Monitor

thescrapelab/subdomain-intelligence-osint

Subdomain finder and OSINT exposure monitor for authorized domains. Discover subdomains, validate DNS, classify live/auth-gated/DNS-only assets, detect technologies and providers, monitor changes, and generate reports.

👁 User avatar

Inus Grobler

👁 Subdomain Finder avatar

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

👁 User avatar

HappiTap

👁 Subdomains Finder API - Realtime DNS Subdomain Scanner avatar

Subdomains Finder API - Realtime DNS Subdomain Scanner

dev00/subdomains-finder-api-realtime-dns-subdomain-scanner

High-performance subdomain scanner that retrieves all registered subdomains, IP addresses, and Cloudflare protection status for any given domain.

dev00

Domain Intelligence Scanner: WHOIS, DNS, SSL & Subdomains

ntriqpro/domain-intelligence-scanner

Run a full due-diligence scan on any domain in one call: WHOIS registration, DNS records, SSL certificate, subdomain discovery (crt.sh), and technology fingerprint. Built for OSINT, security recon, M&A due diligence, and lead research.

👁 User avatar

daehwan kim

👁 Domain Intelligence Scraper | $10/1K | WHOIS+DNS+SSL avatar

Domain Intelligence Scraper | $10/1K | WHOIS+DNS+SSL

apivault_labs/domain-intelligence-scraper

WHOIS + DNS + SSL + subdomain lookup for any domain. Perfect for OSINT, security audits, SEO research, lead generation.

👁 User avatar

Apivault Labs

👁 crt.sh Certificate Transparency Scraper avatar

crt.sh Certificate Transparency Scraper

parseforge/crtsh-certificate-transparency-scraper

Search the crt.sh certificate transparency logs for any domain you control and surface the hosts behind it. Each record carries the common name, every subject alternative name, the issuing authority, serial number, and validity window. Built for attack surface mapping and asset inventory.

👁 User avatar

ParseForge

URL: https://apify.com/thirdwatch/subdomain-finder

⇱ Subdomain Finder - Discover Every Subdomain Of A Domain · Apify

Subdomain Finder - Discover Every Subdomain Of A Domain

Subdomain Finder

What you can do with it

How discovery works

Input

Output (one item per subdomain)

Limitations

Last verified

You might also like

Real Subdomain Finder

Subdomain Finder - Discover Subdomains via CT Logs

Subdomain Discovery API

Certificate Transparency Subdomain Search (crt.sh alternative)

Subdomain Intelligence OSINT Scanner & Monitor

Subdomain Finder

Subdomains Finder API - Realtime DNS Subdomain Scanner

Domain Intelligence Scanner: WHOIS, DNS, SSL & Subdomains

Domain Intelligence Scraper | $10/1K | WHOIS+DNS+SSL

crt.sh Certificate Transparency Scraper