What are certificate transparency logs?

Certificate transparency (CT) logs are public, append-only records of every SSL/TLS certificate issued by trusted Certificate Authorities. They were created to detect misissued or fraudulent certificates. As a side effect, they contain a complete record of every hostname that has ever had a certificate issued for it.

Will this scan the target domain directly?

No. This tool uses passive reconnaissance only — it queries public CT log databases, not the target's servers. No traffic is sent to the domain you're looking up, making it safe to use without authorization.

Why are some subdomains missing?

CT logs only contain subdomains that have had SSL/TLS certificates issued for them. Internal subdomains using self-signed certificates, subdomains without HTTPS, and very new certificates that haven't been logged yet won't appear. Active techniques like DNS brute-forcing can find additional subdomains.

What does a wildcard entry mean?

A wildcard entry like *.example.com means a single certificate covers all subdomains. This is common for organizations with many subdomains. It means there could be many more subdomains than what CT logs explicitly show — you'd need active enumeration to find them.

How does this compare to a full penetration test?

Subdomain enumeration is just the first step of reconnaissance. A full penetration test from Maced would take these discovered subdomains and actively test each one for vulnerabilities including misconfigurations, exposed admin panels, outdated software, and more.

Free Subdomain Finder

Discover subdomains using certificate transparency logs

Enter any domain to discover its subdomains by querying certificate transparency (CT) logs. CT logs are public records of every SSL/TLS certificate ever issued, making them one of the most reliable sources for passive subdomain enumeration — no scanning or brute-forcing required.

Trusted by teams at

How it works

How Subdomain Finder works

Enter a domain

Type or paste any domain name. We strip protocols and paths automatically so you can paste full URLs too.

Query certificate transparency logs

We query public CT log databases for every SSL/TLS certificate ever issued for your domain, extracting all unique hostnames from the certificate common names and SANs.

Review discovered subdomains

Get a deduplicated, organized list of all subdomains found along with analysis of what the naming patterns suggest about the target's infrastructure.

Features

What Subdomain Finder checks

Passive enumeration via CT logs

Discovers subdomains by querying public certificate transparency logs — no active scanning, brute-forcing, or DNS queries against the target are needed.

Deduplicated and sorted results

Automatically removes duplicate entries and wildcard certificates, giving you a clean list of unique subdomains ready for further investigation.

Infrastructure pattern analysis

Identifies common patterns in subdomain names like staging environments, internal tools, API endpoints, and development servers that may reveal attack surface.

Wildcard certificate detection

Flags wildcard certificates (*.example.com) separately, which indicate the domain may have many more subdomains than those explicitly listed in CT logs.

Use cases

Who should use the free Subdomain Finder

Penetration Testers

Map out the full attack surface of a target during reconnaissance. Discover forgotten staging servers, internal tools, and API endpoints that may have weaker security controls.

Security Teams

Monitor your organization's subdomain footprint to identify shadow IT, unauthorized services, and forgotten assets that expand your attack surface.

Bug Bounty Hunters

Quickly enumerate all known subdomains in a bug bounty scope to find less-tested assets where vulnerabilities are more likely to exist.

More tools

All free security tools

FAQ

Frequently asked questions

Everything you need to know about the free Subdomain Finder.

Go beyond Subdomain Finder

This free Subdomain Finder checks a handful of things. Maced's AI pentest checks thousands.

Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.

Start Pentest

Proof of exploit on every finding · SOC 2 & ISO 27001 compatible

Free Subdomain Finder

Discover subdomains using certificate transparency logs

How Subdomain Finder works

Enter a domain

Query certificate transparency logs

Review discovered subdomains

What Subdomain Finder checks

Passive enumeration via CT logs

Deduplicated and sorted results

Infrastructure pattern analysis

Wildcard certificate detection

Who should use the free Subdomain Finder

Penetration Testers

Security Teams

Bug Bounty Hunters

All free security tools

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questions

This free Subdomain Finder checks a handful of things. Maced's AI pentest checks thousands.

Free Subdomain Finderself.__wrap_n!=1&&self.__wrap_b("_R_138dav5ubtpfl7b_",1)

Discover subdomains using certificate transparency logsself.__wrap_n!=1&&self.__wrap_b("_R_158dav5ubtpfl7b_",1)

How Subdomain Finder worksself.__wrap_n!=1&&self.__wrap_b("_R_l5dav5ubtpfl7b_",1)

Enter a domainself.__wrap_n!=1&&self.__wrap_b("_R_2j9dav5ubtpfl7b_",1)

Query certificate transparency logsself.__wrap_n!=1&&self.__wrap_b("_R_2l9dav5ubtpfl7b_",1)

Review discovered subdomainsself.__wrap_n!=1&&self.__wrap_b("_R_2n9dav5ubtpfl7b_",1)

What Subdomain Finder checksself.__wrap_n!=1&&self.__wrap_b("_R_l5lav5ubtpfl7b_",1)

Passive enumeration via CT logsself.__wrap_n!=1&&self.__wrap_b("_R_339lav5ubtpfl7b_",1)

Deduplicated and sorted resultsself.__wrap_n!=1&&self.__wrap_b("_R_359lav5ubtpfl7b_",1)

Infrastructure pattern analysisself.__wrap_n!=1&&self.__wrap_b("_R_379lav5ubtpfl7b_",1)

Wildcard certificate detectionself.__wrap_n!=1&&self.__wrap_b("_R_399lav5ubtpfl7b_",1)

Who should use the free Subdomain Finderself.__wrap_n!=1&&self.__wrap_b("_R_l5tav5ubtpfl7b_",1)

Penetration Testersself.__wrap_n!=1&&self.__wrap_b("_R_1j9tav5ubtpfl7b_",1)

Security Teamsself.__wrap_n!=1&&self.__wrap_b("_R_1l9tav5ubtpfl7b_",1)

Bug Bounty Huntersself.__wrap_n!=1&&self.__wrap_b("_R_1n9tav5ubtpfl7b_",1)

All free security toolsself.__wrap_n!=1&&self.__wrap_b("_R_l65av5ubtpfl7b_",1)

Scanners

Checkers

Decoders & Generators

Compliance & Assessments

Frequently asked questionsself.__wrap_n!=1&&self.__wrap_b("_R_l6dav5ubtpfl7b_",1)

What are certificate transparency logs?

Will this scan the target domain directly?

Why are some subdomains missing?

What does a wildcard entry mean?

How does this compare to a full penetration test?

This free Subdomain Finder checks a handful of things. Maced's AI pentest checks thousands.self.__wrap_n!=1&&self.__wrap_b("_R_15alav5ubtpfl7b_",1)

Free Subdomain Finder

Discover subdomains using certificate transparency logs

How Subdomain Finder works

Enter a domain

Query certificate transparency logs

Review discovered subdomains

What Subdomain Finder checks

Passive enumeration via CT logs

Deduplicated and sorted results

Infrastructure pattern analysis

Wildcard certificate detection

Who should use the free Subdomain Finder

Penetration Testers

Security Teams

Bug Bounty Hunters

All free security tools

Frequently asked questions

This free Subdomain Finder checks a handful of things. Maced's AI pentest checks thousands.