Pricing

from $1.00 / 1,000 results

Subdomain Radar — Passive OSINT Enumeration

Discover subdomains silently. No brute-force — pure OSINT from 5 passive sources with DNS resolve, HTTP probing & takeover detection.

Pricing

from $1.00 / 1,000 results

Rating

0.0

(0)

Developer

Saregaa

Actor stats

Bookmarked

Total users

Monthly active users

13 days ago

Last modified

🔍 Subdomain Enumeration Toolkit

Passive subdomain discovery with DNS validation, HTTP probing, and takeover detection.

Built for security researchers, bug bounty hunters, and penetration testers who need fast, reliable subdomain enumeration without noisy brute-force traffic.

✨ What it does

For each target domain the Actor:

Collects subdomains from 5 passive OSINT sources simultaneously
Resolves DNS — finds the live IP address for each subdomain
Probes HTTP/HTTPS — checks status code, page title, server header, and redirects
Detects takeover risks — flags subdomains pointing to unclaimed cloud services

🗂️ Sources

Source	Type	API key needed
Certspotter	Certificate Transparency logs	No
HackerTarget	Passive DNS archive	No
RapidDNS	Passive DNS archive	No
AlienVault OTX	Threat intelligence	Free (optional)
URLScan.io	Internet scan archive	No

All sources are passive — no direct scanning, no brute-force, no traffic to the target.

🛡️ Takeover detection

Automatically checks 30+ services for dangling CNAME records:

GitHub Pages · Heroku · AWS S3 · AWS CloudFront · Azure Web Apps · Azure Blob · Netlify · Webflow · Shopify · Fastly · Zendesk · Ghost · GitBook · WP Engine · Surge · Bitbucket · Tumblr · and more.

Each finding is labeled as high (dangling — no IP) or medium (resolves but CNAME points to a cloud service).

⚙️ Input

Field	Type	Default	Description
`domains`	string[]	—	Required. Target domains, e.g. `example.com`
`otxApiKey`	string	—	OTX API key for extra results.Get free key →
`doResolve`	boolean	`true`	Resolve DNS A records
`doProbe`	boolean	`true`	HTTP/HTTPS probe per live host
`doTakeover`	boolean	`true`	Subdomain takeover detection
`probeTimeoutSecs`	integer	`7`	Timeout per HTTP probe request
`maxConcurrency`	integer	`30`	Parallel DNS/HTTP workers
`useApifyProxy`	boolean	`false`	Route probes through Apify residential proxies

📦 Output

Each subdomain is saved as one row in the dataset:

{
  "domain": "tesla.com",
  "subdomain": "api.tesla.com",
  "sources": ["Certspotter", "RapidDNS"],
  "dns_resolves": true,
  "dns_ip": "23.62.104.69",
  "http_status": 200,
  "http_title": "Tesla API",
  "http_server": "nginx",
  "http_redirect": "",
  "is_live": true,
  "takeover_risk": "none",
  "takeover_service": "",
  "scanned_at": "2026-05-30T12:00:00+00:00"
}

takeover_risk values: none / medium / high

A RUN_METADATA record is also saved to the Key-Value Store:

{
  "total_domains": 1,
  "total_subdomains": 308,
  "live_http": 291,
  "takeover_high": 2,
  "takeover_medium": 5,
  "scanned_at": "2026-05-30T12:00:00+00:00"
}

💡 Example use cases

Bug bounty recon — map the full attack surface before starting an engagement
Penetration testing — discover forgotten staging, dev, and internal subdomains
Takeover hunting — find orphaned subdomains pointing to unclaimed Heroku apps, S3 buckets, GitHub Pages
Competitor intelligence — understand a company's infrastructure layout
Attack surface monitoring — run on a schedule to catch newly created subdomains

💰 Pricing

This Actor uses Pay-Per-Event billing:

Event	Cost
Actor start	$0.05 flat per run
Per discovered subdomain	$0.001 per subdomain

Example: scanning tesla.com and finding 308 subdomains costs $0.05 + 308 × $0.001 = $0.358.

🔑 OTX API key (recommended)

AlienVault OTX significantly increases subdomain coverage — in tests it added 100+ unique subdomains on top of other sources.

Register free at otx.alienvault.com
Go to Settings → API Key
Paste the key into the otxApiKey input field

Free tier: 10,000 requests/hour.

🖥️ Local testing

# Install dependencies
pip install -r requirements.txt

# Create input
mkdir -p storage/key_value_stores/default
cat > storage/key_value_stores/default/INPUT.json << 'JSON'
{
  "domains": ["example.com"],
  "otxApiKey": "your_key_here",
  "doProbe": true,
  "doTakeover": true
}
JSON

# Run
python src/main.py

Results are saved to storage/datasets/default/.

📋 Memory requirements

512 MB — sufficient for most single-domain runs
1024 MB — recommended for 10+ domains or large domains with 500+ subdomains

⚠️ Legal notice

Use only on domains you own or have explicit written permission to test. The author is not responsible for misuse. This tool performs passive reconnaissance only — it does not send any traffic directly to the target.

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

One Scales

5.0

Subdomain Finder & Recon Tool

andok/subdomain-finder

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Andok

theHarvester Cloud - Email + Subdomain OSINT | 54 Sources Bulk

anshumanatrey/theharvester-osint

Cloud-hosted theHarvester OSINT tool. Harvest emails, subdomains, IPs, URLs and ASNs from 54+ public sources (Shodan, Censys, crt.sh, VirusTotal, SecurityTrails, GitHub, hunter.io). Full CLI feature parity — DNS brute force, subdomain takeover, screenshots. $0.003 per record harvested.

Anshuman Atrey

Subdomain Intelligence OSINT Scanner & Monitor

thescrapelab/subdomain-intelligence-osint

Subdomain finder and OSINT exposure monitor for authorized domains. Discover subdomains, validate DNS, classify live/auth-gated/DNS-only assets, detect technologies and providers, monitor changes, and generate reports.

Inus Grobler

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

OSINT Scraper

epctex/osint-scraper

Harness the power of OSINT data with our advanced OSINT Scraper. Discover keywords and leaked information from platforms like Ideone, Dumpz, Github Gist, Pastebin, Pasteorg and Textbin. You can specify search terms, customize and retrieve OSINT data out of the box.

epctex

1.1K

5.0

Subdomains Finder API - Realtime DNS Subdomain Scanner

dev00/subdomains-finder-api-realtime-dns-subdomain-scanner

High-performance subdomain scanner that retrieves all registered subdomains, IP addresses, and Cloudflare protection status for any given domain.

dev00

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

advx/attack-surface-recon

Map a domain's external attack surface. Passive subdomain enumeration with subfinder, HTTP fingerprint with httpx: status, title, server, technology stack, TLS issuer and IP. One dataset row per responding host. For recon, asset discovery and security audits.

Sevastian Z

Subdomain Discovery API

crawland/subdomain-discovery-api

Paginated subdomain enumeration for any registered domain — DNS records, registrar, WHOIS, vendor reputation, and category labels per subdomain, served from the Crawland threat-intelligence backend.

Crawland

Subdomain Finder - Discover Every Subdomain Of A Domain

thirdwatch/subdomain-finder

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.