// Free tool

Subdomain finder

Enter a domain and we will list the subdomains that appear in public Certificate Transparency logs: the forgotten dev, staging, admin and old-project hosts that quietly make up your external attack surface. Runs in your browser from public records. Nothing is stored.

What this shows, and what it does not. These hostnames come from Certificate Transparency logs, the public, append-only record of nearly every TLS certificate ever issued. Anyone can query them, which is exactly why attackers do. A name appearing here means a certificate was issued for it at some point; it may now be inactive, internal, or run by a third party, and it is not a guarantee the host is reachable. Equally, CT will not reveal hosts that never had a public certificate, so this is a floor on your attack surface, not the whole of it. Use it on domains you own or are authorised to test. To turn a list like this into a managed, monitored and reduced external attack surface, talk to us.
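
One way to triage the names a lookup like this returns, as an added example (not this tool's code): it normalises and de-duplicates names from CT records, keeps only hosts under the domain you own, and flags which still have an unexpired certificate. The record shape (`names`, `notAfter`), the function names and the sample data are assumptions constructed for illustration.

```javascript
// Constructed sample records. The field names (names, notAfter) are assumed
// for this example and are not the output format of any specific CT service.
const SAMPLE_RECORDS = [
  { names: "www.example.com\nexample.com", notAfter: "2031-01-15T00:00:00Z" },
  { names: "*.staging.example.com", notAfter: "2019-06-01T00:00:00Z" },
  { names: "STAGING.example.com.", notAfter: "2030-03-01T00:00:00Z" },
  { names: "old-shop.example.com", notAfter: "2018-11-20T00:00:00Z" },
  // One certificate can list names from other domains; these must be dropped.
  { names: "login.notexample.com\nshop.example.com.other.test", notAfter: "2031-01-01T00:00:00Z" },
];

// Lower-case, drop a trailing dot, and split off a leading wildcard label.
function normalizeName(raw) {
  const name = raw.trim().toLowerCase().replace(/\.$/, "");
  const wildcard = name.startsWith("*.");
  return { host: wildcard ? name.slice(2) : name, wildcard };
}

// Match on a label boundary so "notexample.com" is not taken for "example.com".
function inScope(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Build a de-duplicated inventory of in-scope hosts. hasUnexpiredCert only says
// a certificate is still valid at `now`; it does not prove the host is reachable.
function summarizeCtRecords(records, domain, now) {
  const hosts = new Map();
  for (const rec of records) {
    const expiry = Date.parse(rec.notAfter) || 0; // unparsable date counts as expired
    for (const raw of rec.names.split("\n")) {
      const { host, wildcard } = normalizeName(raw);
      if (!host || !inScope(host, domain)) continue;
      const entry = hosts.get(host) || { host, wildcard: false, latestExpiry: 0 };
      entry.wildcard = entry.wildcard || wildcard; // wildcard: unnamed hosts may exist below
      entry.latestExpiry = Math.max(entry.latestExpiry, expiry);
      hosts.set(host, entry);
    }
  }
  return [...hosts.values()]
    .map((e) => ({ host: e.host, wildcard: e.wildcard, hasUnexpiredCert: e.latestExpiry > now }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Fixed reference time so the result is reproducible.
const REFERENCE_TIME = Date.parse("2025-01-01T00:00:00Z");
console.table(summarizeCtRecords(SAMPLE_RECORDS, "example.com", REFERENCE_TIME));
```

Hosts whose certificates have all expired are candidates for retired or forgotten systems and are worth checking against your asset inventory first.
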
// What this means for your business

Every forgotten subdomain is a door someone left open

Old staging sites, abandoned apps and shadow IT all show up in logs like these, and each one is a way in that nobody is watching. Knowing what you expose is the first step; keeping it mapped, patched and monitored is the ongoing job. That is the kind of security work we run for small Canadian businesses, as one team you can actually call.