Subdomain Discovery

What it does

• Certificate Transparency (crt.sh) — pulls every hostname ever issued a TLS certificate under the domain.
• Threat-intel feeds (AlienVault OTX) — adds hosts seen in passive DNS and indicators.
• Certificate databases (CertSpotter) — catches recently issued certs CT may have missed.
• Shodan — surfaces hosts indexed by internet-wide scanning.
• De-duplication & normalization — collapses wildcards and duplicates into a clean, sorted set.
• Export — copy or download the full list as text/CSV for piping into your next tool.

Where it fits in your workflow

• →Map an organization’s footprint before choosing where to dig deeper.
• →Feed the results into HTTP ProbeMaster to find which hosts are live.
• →Cross-check against the Subdomain Takeover Scanner for dangling CNAMEs.

Run it from your dashboard.

At a glance