Discover subdomains using DNS enumeration, certificate transparency logs (crt.sh), and HTTP probing.
Enumerating subdomains for ...
Daily scan limit reached
Sign up free to get 10 scans/day — or upgrade for unlimited access.
Redirecting to report...
A subdomain finder is a tool that discovers the subdomains of a domain — such as mail.example.com or staging.example.com — by combining DNS enumeration, Certificate Transparency logs, and HTTP probing. Secably's subdomain finder is free, requires no signup, and returns results in seconds.
A subdomain finder discovers the hostnames that live under a domain — like mail.example.com, staging.example.com, or vpn.example.com — without you needing a list in advance. Instead of guessing, it enumerates candidate names from public sources, then confirms which ones actually resolve and respond.
Most organizations run far more subdomains than anyone keeps track of: marketing microsites, old staging servers, admin panels, forgotten cloud instances, and third-party tools bolted onto a subdomain. Each one is a separate entry point into your infrastructure.
The subdomains you've forgotten about are exactly the ones attackers find first. An unpatched staging server, an admin panel exposed on a subdomain, or a subdomain still pointing at a de-provisioned cloud service (a dangling DNS record) can hand over access your main site never would.
Mapping every subdomain is the first step of any real attack-surface review — and the first thing a penetration tester does during reconnaissance. You can't secure a host you don't know exists.
The problem keeps growing: the average organization exposes more than 300 new internet-facing services every month, and roughly 32% of those additions become new high- or critical-severity exposures (Palo Alto Unit 42, 2024). Enumerating your subdomains once isn't enough — the list changes faster than most teams review it.
Secably combines three independent discovery methods and cross-checks the results, so you catch subdomains that any single technique would miss.
Tests thousands of common subdomain names against the domain's DNS and keeps the ones that resolve. Fast, and reliable for predictable names like dev, vpn, git, mail.
Every TLS certificate issued for a subdomain is logged publicly. Searching Certificate Transparency logs surfaces subdomains that were never meant to be public but received a certificate — including internal and staging hosts.
For each candidate, Secably checks whether it actually serves a website and how it responds — so your results are live hosts, not stale DNS entries.
Wildcard DNS — where every possible subdomain resolves — is detected and filtered automatically, so you aren't flooded with false positives.
Type the root domain, for example example.com. No http:// and no path needed.
Keep Certificate Transparency and HTTP probing enabled for the most complete results, or narrow the scan down to what you need.
Each discovered subdomain is listed with its resolution status. Save or export the full list with a free account.