Infrastructure 12 min read

Find Subdomains

Subdomain discovery identifies hosts under your domain that may be forgotten, misconfigured, or vulnerable. Mapping your attack surface helps prioritize security work and reduce risk from orphaned or overlooked assets.

Run Free Scan

What Is Subdomain Discovery?

Subdomain enumeration finds hosts like mail.example.com, api.example.com, dev.example.com, or staging.example.com. Each subdomain may run different applications, use different frameworks, or have weaker security than the main site. Attackers use subdomain discovery to expand their attack surface and find forgotten or misconfigured hosts. Defenders use it to build an asset inventory and prioritize hardening.

Orphaned subdomains are a common problem. A dev or staging environment created years ago may still resolve but run outdated software. Mergers and acquisitions leave behind legacy subdomains. Marketing campaigns spin up temporary subdomains that are never retired. Each of these can become an entry point if not discovered and secured.

That is the real value behind queries like `find subdomains` and `subdomain discovery`. The goal is not just to produce a long list. It is to discover which hosts still resolve, which are owned by your team, and which might represent outdated or unmanaged internet exposure. A mature subdomain enumeration process treats discovery as the front door to asset governance, not just reconnaissance.

Why It Matters

  • Attack surface: More subdomains mean more potential entry points for attackers
  • Orphaned hosts: Forgotten subdomains may be unpatched and unmonitored
  • Asset inventory: Know what you have before securing it
  • Compliance: Asset discovery supports security audits and risk assessments

Passive vs Active Discovery

Passive subdomain discovery uses public data sources: certificate transparency logs, DNS archives, search engine indices, and threat intelligence feeds. It does not send traffic to your domain and is safe for any target. Vulnify's passive subdomain discovery tool runs low-noise enumeration using these sources. Passive discovery may miss subdomains that have never appeared in public data.

Active discovery uses DNS bruteforce with wordlists (e.g. subdomains.txt, SecLists) to query common subdomain names. It generates DNS traffic to your domain and should only be used on domains you own or have permission to test. Active methods can find subdomains that passive sources miss but may trigger rate limits or monitoring alerts.

Use both methods strategically. Passive enumeration is ideal for initial inventory and low-noise monitoring. Active subdomain discovery is better when you need confidence that staging, legacy, or pattern-based names are not being missed. The important thing is to keep the outputs separate so teams understand which hosts were confirmed through public evidence and which were found through direct probing.

How to Find Subdomains

Start with passive discovery. Use Vulnify's passive subdomain discovery tool to get a baseline without generating traffic. Review certificate transparency for your domain; every TLS certificate issuance is logged and often reveals subdomains. Check DNS for common names like www, mail, api, dev, staging, admin, and test.

Document discovered assets: which team owns each, whether it is still in use, and what software it runs. Decommission or secure orphaned subdomains. For active discovery on your own domains, use wordlists and DNS enumeration tools; ensure you have authorization.

As you find subdomains, enrich the inventory immediately. Capture whether each host resolves, what service it presents, whether it is public-facing, and whether it maps to a production, staging, or abandoned workflow. This turns subdomain enumeration into something operationally useful. Without that enrichment, teams end up with long CSV exports and no clear remediation queue.

Discovery Checklist

  • Run passive subdomain discovery
  • Review certificate transparency for your domain
  • Check DNS for common subdomain names
  • Document and secure discovered assets
  • Decommission or harden orphaned hosts

What to Do After Discovery

Triage discovered subdomains: identify owners, determine if still in use, and assess risk. Orphaned subdomains should be decommissioned or locked down. Active subdomains need the same security posture as the main site: HTTPS, security headers, and regular vulnerability scanning. Use the fix orphaned subdomains guide for remediation guidance.

Prioritize internet-facing and business-critical hosts first. API, login, admin, and customer-support subdomains deserve faster review than a retired campaign microsite with no active service behind it. If a discovered host is tied to a third-party provider or legacy acquisition, verify ownership immediately. Dangling DNS and abandoned service mappings can create takeover opportunities long after the original project is forgotten.

Remediation Priority

  • Orphaned: Decommission or restrict access
  • Dev/Staging: Restrict to VPN or IP allowlist
  • Production: Apply same security as main site

Turn Subdomain Discovery Into Continuous Monitoring

One-off subdomain discovery is useful, but the strongest results come from making it repeatable. Certificates are issued, preview environments appear, vendors create new hostnames, and campaign infrastructure changes frequently. If you only run subdomain enumeration during a quarterly review, important hosts can stay unowned or unmonitored for far too long.

Use recurring passive subdomain discovery as an asset-governance control. Compare new results against the approved inventory, flag anything without an owner, and route public-facing hosts into the same scanning and hardening workflow as the main application. That is how a `find subdomains` task becomes a durable security practice rather than a one-time reconnaissance exercise.

Monitoring Workflow

  • Run passive discovery on a recurring schedule
  • Diff new results against the last approved inventory
  • Assign an owner to every newly discovered host
  • Queue internet-facing hosts for security review and scanning

Where Subdomain Discovery Data Comes From

A mature subdomain discovery workflow pulls from multiple evidence sources. Certificate transparency reveals names that have requested TLS certificates. Historical DNS datasets show older records that may still matter. Search engines, threat-intelligence feeds, and passive DNS providers expose public references to infrastructure your team may have forgotten. Each source tells you something different about the life cycle of a host.

This matters because no single source will find everything. Passive subdomain discovery is excellent for low-noise coverage, but it can miss new or intentionally obscure hosts. Active subdomain enumeration can discover pattern-based names, but only on domains you control or are authorized to test. The best approach is to combine sources and then normalize the results into one owner-aware inventory.

Discovery Sources Checklist

  • Review certificate transparency for newly issued hostnames
  • Use passive DNS or threat-intelligence history where available
  • Compare public-source discoveries with your internal asset inventory
  • Use active enumeration only on authorized domains you control

How to Prioritize Newly Discovered Subdomains

Once subdomain enumeration produces a list, the next challenge is deciding what matters first. Not every discovered host needs the same urgency. Login, API, admin, and customer-facing hosts usually deserve priority because they are more likely to expose sensitive workflows. Legacy marketing or preview hosts may still matter, but they often fall behind routes tied directly to identity, payments, or internal tooling.

That is why a strong subdomain discovery process sorts hosts by exposure, ownership, and business function before handing them to engineering. If you simply export the list and move on, the riskiest hosts can disappear into the same queue as harmless leftovers. Prioritization turns `find subdomains` from a data-collection task into a real attack-surface reduction workflow.

This prioritization step also helps when a domain has grown across multiple teams or acquisitions. Subdomain discovery findings are much easier to remediate when every host is tagged with an owner, business purpose, and exposure level. Without that metadata, even an accurate subdomain enumeration result can stall because nobody knows who should act first.

Prioritization Checklist

  • Rank public login, API, and admin hosts ahead of lower-risk microsites
  • Check whether the host belongs to an active team or legacy project
  • Queue high-exposure hosts for HTTPS, header, and vulnerability review
  • Retire or restrict hosts that no longer serve a business purpose

Turn Subdomain Discovery Into an Ownership Record

The most useful outcome of subdomain discovery is not the raw hostname list by itself. It is the ownership record you build from it. Every discovered host should be tied to a team, business purpose, lifecycle status, and expected security posture. Without that context, a subdomain enumeration report becomes a spreadsheet that is easy to export and hard to act on once the initial review is over.

This becomes critical in organizations with acquisitions, multiple product lines, or vendor-managed services. One team may assume a hostname belongs to another, and abandoned systems survive because no owner is willing to claim them. Turning `find subdomains` into an ownership exercise makes remediation faster because risky hosts are routed immediately to the team that can retire, restrict, or harden them.

Ownership Mapping Checklist

  • Assign every discovered host to an accountable team or service owner
  • Record business purpose, environment type, and exposure level
  • Flag hosts with no owner for urgent review or retirement
  • Keep inventory updates in the same workflow as vulnerability and change management

When Discovery Points to a Takeover Risk

Subdomain discovery sometimes uncovers more than stale assets. It can also reveal dangling DNS records or third-party mappings that create takeover opportunities. If a hostname still points to a deprovisioned SaaS app, abandoned cloud resource, or expired vendor integration, an attacker may be able to claim that destination and serve content from a trusted subdomain.

That is why remediation should include checking whether important hosts still resolve to infrastructure you actively control. A subdomain discovery workflow that stops at hostname enumeration may miss the most dangerous case: a host that looks inactive internally but is still delegated publicly. Ownership review, DNS validation, and service verification together make the discovery process much more valuable than a passive list alone.

Takeover Review Checklist

  • Check whether discovered hosts still point to active services you control
  • Review third-party SaaS and cloud mappings for abandoned configurations
  • Remove or repoint dangling DNS records quickly
  • Escalate public-facing orphaned hosts for takeover-risk validation

Set a Simple Review Rhythm for New Hosts

Subdomain discovery becomes more valuable when new hosts are reviewed on a predictable rhythm instead of waiting for the next incident or quarterly audit. A lightweight weekly or monthly review helps teams catch risky additions while ownership is still clear and remediation is still cheap.

Review Rhythm Checklist

  • Review newly discovered hosts on a recurring schedule
  • Tag public-facing additions for faster triage
  • Close out ownerless hosts before they become permanent drift
  • Re-scan important new hosts after they are classified

Note Which Hosts Need Immediate Escalation

A short escalation note beside each risky hostname makes subdomain discovery far easier to act on. If a host is public, unowned, sensitive, or possibly dangling, record that clearly so the next review starts with the right priorities.

Escalation Checklist

  • Mark public-facing and ownerless hosts clearly
  • Flag possible takeover candidates immediately
  • Keep remediation priority tied to the inventory record

Keep New Host Reviews Lightweight and Frequent

Even a small recurring review of newly discovered hosts can prevent subdomain sprawl from turning into permanent inventory debt.

Frequently Asked Questions

How do I find subdomains?

Use Vulnify's passive subdomain discovery tool. It uses certificate transparency and other passive sources without sending traffic to your domain.

Is passive discovery safe for any domain?

Yes. Passive discovery only queries public data sources. It does not send requests to your servers.

What is an orphaned subdomain?

A subdomain that still resolves but is no longer actively used or maintained. Often from old projects, dev environments, or acquisitions.

Curated Security Tools

SecurityTrails

Web

DNS and subdomain intelligence. Historical data and API.

Passive discovery

Amass

CLI

In-depth subdomain enumeration. Passive and active modes.

Comprehensive discovery