AcuityScan

Subdomain Finder

Discover subdomains for any domain using Certificate Transparency logs and DNS brute-forcing. Uncover forgotten assets, development servers, and the full scope of a domain's attack surface.

Certificate TransparencyDNS brute force80+ prefixesIP resolution

Searches Certificate Transparency logs (crt.sh) and brute-forces 80+ common subdomain prefixes. May take 15-30 seconds.

What you get

Here's a sample of what a subdomain scan returns for a typical domain.

Sample: example.com — 14 subdomains found
SubdomainIPSource
www.example.com93.184.216.34CT + DNS
mail.example.com93.184.216.35DNS
api.example.com93.184.216.40CT log
staging.example.com10.0.1.50CT log
dev.example.com10.0.1.51DNS
cdn.example.com104.16.132.229CT + DNS
app.example.com93.184.216.42CT log
blog.example.com76.76.21.21CT log

How it works

Certificate Transparency Logs

Queries crt.sh — a public database of every SSL certificate ever issued. When a certificate is created for staging.example.com, it gets logged permanently. We find those entries and extract every subdomain.

DNS Brute Force

Tests 80+ common subdomain prefixes (www, mail, api, dev, staging, admin, etc.) by resolving DNS records. If the subdomain resolves to an IP, it exists.

IP Resolution

Every discovered subdomain gets its A record resolved so you can see exactly which IP address it points to — useful for identifying shared hosting, CDNs, and internal servers.

Source Deduplication

Results from both methods are merged and deduplicated. Subdomains found by both CT logs and DNS brute force are tagged 'CT + DNS' so you can see which method found what.

Wildcard Detection

Filters out wildcard DNS responses that would otherwise flood results with false positives. Only genuine, individually-configured subdomains are returned.

Comprehensive Coverage

CT logs catch subdomains that DNS brute force misses (unique names like jira.example.com) and brute force catches subdomains with no SSL certificate. Together they provide the most complete picture.

Who uses subdomain discovery

Security teams

Map your full attack surface before an attacker does. Forgotten staging servers, old dev environments, and shadow IT subdomains are prime targets. If it resolves, it can be attacked.

Penetration testers

Subdomain enumeration is step one of any external assessment. CT logs reveal subdomains that aren't linked from the main site — internal tools, admin panels, and staging environments.

IT administrators

Audit your DNS footprint. Find subdomains created by other teams, identify stale records pointing to decommissioned servers, and catch DNS entries that should have been cleaned up.

Competitive researchers

See what infrastructure a competitor is running — what tools they use (jira.company.com, grafana.company.com), where they host (IP analysis), and how their infrastructure is organized.

Better than the alternatives

FeatureAcuityScancrt.shSublist3r
CT log search✓ Core feature✓ (via APIs)
DNS brute force✓ 80+ prefixes✓ (local only)
IP resolution✓ Automatic
No install needed✓ Browser-based✗ Requires Python
Wildcard filtering✗ Shows raw results
Source labeling✓ CT / DNS / BothCT onlySource listed
Full site audit✓ Part of 350+ check ✗ Certs only✗ CLI tool only
All scansFree, unlimitedFreeFree (open source)

Common questions

What are Certificate Transparency logs?
Certificate Transparency (CT) is a public framework where every SSL/TLS certificate issued by a Certificate Authority gets logged in a public, append-only database. When someone gets an SSL certificate for staging.example.com, that subdomain is recorded permanently — even if it's never linked from the main website. We query crt.sh, the largest CT log aggregator, to find these entries.
How does DNS brute force work?
We test 80+ common subdomain prefixes (www, mail, api, dev, staging, admin, app, blog, shop, portal, etc.) by making DNS queries for each one. If a query returns an IP address, the subdomain exists. This catches subdomains that don't have SSL certificates — like internal DNS entries or services behind a VPN.
Why does it take 15-30 seconds?
We're making two types of queries: a search against the crt.sh database (which can be slow under load) and 80+ DNS resolution queries. Both run in parallel, but the CT log query depends on crt.sh's response time.
Will this find ALL subdomains?
No tool can guarantee 100% coverage. CT logs only capture subdomains with SSL certificates, and brute force only tests known common prefixes. Custom or random subdomain names (like abc123.example.com) won't be found unless they have a certificate. For more thorough enumeration, combine multiple tools and techniques.
Is this legal to use?
Yes. Certificate Transparency logs are public by design — they exist specifically to be queried. DNS lookups are standard internet operations. Both data sources are freely accessible and querying them is not unauthorized access. However, always follow your organization's policies and applicable laws when conducting security assessments.
Do I need an account?
No account required. For unlimited scans, monitoring, white-label reports, and the full Site+ Scan, see our Pro and Agency plans starting at $29/month.

Related tools

DNS LookupReverse IP LookupWHOIS LookupPort Scanner

Want the full picture?

The checks DNS plus 7 other categories — email, SSL, performance, SEO, accessibility, privacy, and mobile.

Run