Discover subdomains associated with any domain using Certificate Transparency logs. Identify shadow IT, forgotten services, and unintended exposure.
Why Subdomain Discovery Matters for Security
Every subdomain is a potential attack surface. Organizations often lose track of subdomains over time — forgotten staging servers, deprecated API endpoints, old marketing microsites, and internal tools that were never properly decommissioned. These forgotten subdomains become easy targets.
Subdomain takeover is one of the most common web security vulnerabilities. When a subdomain points to a third-party service (like Heroku, GitHub Pages, or AWS S3) that has been deprovisioned, an attacker can claim that service and serve content on your domain. This lets them bypass same-origin policies, steal cookies, and impersonate your brand.
Certificate Transparency (CT) logs provide a passive, non-intrusive way to discover subdomains. Every SSL certificate issued is logged publicly, creating a comprehensive record of subdomains that have had certificates issued for them. This method doesn't require any DNS brute-forcing or network scanning.
Frequently Asked Questions
Why does subdomain discovery matter for security?
Subdomains often host forgotten services, staging environments, or internal tools that may have weaker security than your main domain. Attackers routinely enumerate subdomains to find vulnerable entry points. Knowing all your subdomains is the first step to securing them.
How does subdomain discovery work?
GuardHound discovers subdomains by querying Certificate Transparency (CT) logs — public records of every SSL certificate ever issued. When a certificate is issued for a subdomain, it appears in CT logs. This method is passive and non-intrusive, requiring no access to your DNS infrastructure.
What should I do if I find unexpected subdomains?
Investigate each unexpected subdomain: check what service it runs, whether it has proper SSL, and whether it should still be active. Decommission any subdomains that are no longer needed. For those that must stay, ensure they have the same security standards as your main domain.
Can attackers use subdomains against me?
Yes. Subdomain takeover is a common attack where an attacker claims a dangling subdomain (one pointing to a deprovisioned service like a deleted Heroku app or S3 bucket). They can then serve malicious content on your domain, bypass same-origin protections, and impersonate your brand.
Monitor your subdomains for changes
GuardHound continuously watches for new subdomains and alerts you when unexpected ones appear.
Start Free Monitoring →
Explore More Security Tools
Learn More