XowiaScan

Subdomain Takeover Scanner

Web Security

Fingerprint dangling CNAMEs that point at unclaimed third-party services for takeover.

What is Subdomain Takeover Scanner?

Subdomain Takeover Scanner checks whether a hostname’s CNAME points to a third-party service (S3, GitHub Pages, Heroku, and many more) that is no longer claimed — a condition that can let an attacker host content on the victim’s subdomain.

It matches responses against a library of service fingerprints and tells you whether a takeover is likely possible, with the evidence behind the verdict.

What it does

  • CNAME analysis — identifies the third-party service a host delegates to.
  • Fingerprint matching — compares responses against known takeover signatures.
  • Verdict + evidence — likely-vulnerable / not-vulnerable with the matched indicator.
  • Wide service coverage — S3, GitHub, Heroku, Azure, Fastly and many more.
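
The CNAME-then-fingerprint flow in the list above, as an added Python example; it is not XowiaScan's code. The fingerprint table is a small illustrative subset of publicly documented error strings, the helper names are hypothetical, and the CNAME targets and response bodies are constructed samples, so it runs offline. A "likely-vulnerable" result is a lead to confirm against the service's claim process, not a confirmed takeover.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative subset: CNAME suffix -> (service, marker shown for an unclaimed resource).
FINGERPRINTS = {
    ".s3.amazonaws.com": ("Amazon S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here."),
    ".herokuapp.com": ("Heroku", "No such app"),
}

@dataclass
class Verdict:
    host: str
    service: Optional[str]    # third-party service the host delegates to, if known
    status: str               # "likely-vulnerable" or "not-vulnerable"
    evidence: Optional[str]   # matched indicator backing the verdict

def classify(host: str, cname: str, body: str) -> Verdict:
    """Hypothetical helper: cname and body come from your own DNS/HTTP collection."""
    target = cname.rstrip(".").lower()  # normalise trailing dot and case
    for suffix, (service, marker) in FINGERPRINTS.items():
        if target.endswith(suffix):
            if marker in body:
                return Verdict(host, service, "likely-vulnerable", marker)
            return Verdict(host, service, "not-vulnerable", None)
    # CNAME does not delegate to a service in the fingerprint library
    return Verdict(host, None, "not-vulnerable", None)

def sweep(records):
    """Classify an enumerated list of (host, cname, body) tuples."""
    return [classify(*record) for record in records]

# Constructed sample data (example.com hosts, made-up resource names).
SAMPLES = [
    ("assets.example.com", "example-assets.s3.amazonaws.com.",
     "<Error><Code>NoSuchBucket</Code></Error>"),
    ("docs.example.com", "example-org.github.io.", "<html><title>Docs</title></html>"),
    ("shop.example.com", "shop.example.net.", "<html>ok</html>"),
    ("old.example.com", "Old-App.herokuapp.com", "<html>No such app</html>"),
]

if __name__ == "__main__":
    for v in sweep(SAMPLES):
        print(f"{v.host:20} {v.service or '-':13} {v.status:18} {v.evidence or ''}")
```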

Where it fits in your workflow

  • Turn dangling-CNAME findings from DNS recon into confirmed takeovers.
  • Sweep an enumerated subdomain list for high-impact, easy wins.

Use Subdomain Takeover Scanner

Run it from your dashboard.

At a glance

Category: Web Security
Runs: Server-side
Token cost: 5 / run (free tier)
Access: Pro
Status: ● Live

Frequently asked questions

A host matched a fingerprint — is it definitely takeover-able?

A match is a strong lead, but always confirm by checking the service’s claim process. Some fingerprints overlap with not-yet-provisioned but owned resources.
