Wordlists for passwords, exposed subdomains, forgotten backups, & shadow APIs

Lean, tested wordlists that surface real risks – not noise. 

Most security pros know the classic wordlists: rockyou.txt is now a household name, and GitHub repositories like SecLists have become a go-to resource for many teams. However, community lists like these are often bloated, outdated, or too broad to be truly effective.

A Pentest-Tools.com wordlist leaves out the junk and keeps only the entries that matter, including weak credentials, exposed subdomains, forgotten backups, and shadow APIs.

Why generic wordlists slow you down and miss real risks

Wordlists are an essential tool in any penetration tester’s kit. 

These structured sets of potential values – including usernames, passwords, directories, or API endpoints – tell a tool exactly what to test. They help testers, for example, check hidden folders, brute-force logins, or probe APIs. 

But without the right wordlist, teams waste time on junk guesses and miss real risks.

Pentest-Tools.com’s wordlists are different: precise, relevant, and always actionable.

Junk guesses waste analyst time

Community lists like rockyou.txt and GitHub repositories like SecLists are overly broad, outdated, and often packed with useless entries. They waste cycles and leave real exposures unchecked. Pentest-Tools.com wordlists are field tested, trimmed to reduce useless noise, and constantly updated to reflect real naming trends and attack patterns.

Missed weak points leave the door open for attackers

Hidden APIs, stale subdomains, forgotten backups, and weak credentials often slip through generic scans. Those blind spots are exactly what attackers look for. We’ve purpose-built our wordlists to surface hidden weak points before someone else does.

How Pentest-Tools.com wordlists cut noise and reveal real risks

We provide ready-to-use wordlists built for your everyday penetration testing needs.

Subdomain wordlists

Pinpoint assets other scanners miss. Our curated subdomain wordlists surface forgotten dev sites, staging environments, and unlisted subdomains that quietly expand your attack surface.

We vet every wordlist subdomain entry in live testing, validate against real attack surface scans, and update them as naming trends shift. We even cut stale entries to ensure the list you run today reflects how companies name and expose their assets right now – not five years ago. Use our subdomain wordlists to ensure every scan gives you answers you can act on.

Password wordlists

Stop guessing and validate credentials with purpose. Our Password Auditor works with focused password wordlists packed with the patterns attackers try first, plus vendor defaults. You prove password policy compliance quickly, find weak spots before attacks do, and harden your authentication layer – one of the most targeted entry points in any environment.

Directory and file discovery wordlists

Uncover what scanners overlook. The URL Fuzzer works with targeted lists that call out backup files, misconfigured directories, old login pages, and sensitive file types. 

Combined with our ML Classifier, you get hits that matter and cut away the junk. 

Every plan includes these curated, ready-to-use wordlists. But for custom uploads, API wordlists, or automation at scale, you’ll need to upgrade to a paid plan.

Customizable wordlists for your workflow

Every environment is unique. That's why we make it easy to adapt wordlists to your needs.

Upload your own

Drop in any custom wordlist and use it instantly across the Password Auditor, URL Fuzzer, and more.

Build targeted wordlists

Build lists that mirror your apps, projects, and naming conventions. Create API endpoint wordlists to test login flows and cover versioned routes.

Automate with our API

Use it all through our REST API. Fetch available wordlists and their content, or delete them. These wordlist API endpoints let you plug wordlists into CI/CD pipelines, SIEM tools, or Pentest Robots so your workflows always run with the right inputs.

  • API wordlists for testing your targets

    Use API wordlists with the URL Fuzzer to map hidden routes and uncover exposed API paths. Combine these with endpoint wordlists to hit versioned routes, and fuzzing wordlists to probe parameters and input handling. This workflow helps you reveal the hidden APIs attackers look for - before they do.

    Numeric payloads for hidden resources

    Define your own ranges to generate number-based wordlists on the fly. The URL Fuzzer creates requests so you can uncover IDORs, exposed records, or unprotected API objects.

From bloated lists to faster, actionable scans

Cut the filler, cut the dead weight. Use lean, tested wordlists forged in the field and primed to punch holes in real targets.

Noise-free wordlists

Trimmed to only what works in real attacks.

Faster scans

No wasted cycles, just high-value results.

Seamless integrations

Directly connected to scanners and APIs.

Custom targeting

Build lists to zero in on your exact needs.

Lean, flexible wordlists for discovery, fuzzing, and password audits

Password audits at scale

Stop guessing passwords.

Use the Password Auditor with built-in or custom wordlists to hammer logins with weak patterns and vendor defaults. Instantly prove which accounts break your password policy. It even outperformed Hydra in a test across 26 web applications. All plans include curated lists. Upgrade to get support for custom wordlists and advanced reporting so you can enforce password policies at scale.

Hidden directories and files

Shine a light where admins forgot to clean up.

Using a URL fuzzing wordlist, our URL Fuzzer exposes old backups, outdated login pages, and hidden admin areas. Our ML Classifier filters out false positives, so you only get real, useful results. With our more comprehensive pricing plans, you can expand this with custom URL fuzzing wordlists and automate scans via our REST API.

API mapping and fuzzing

Say goodbye to shadow APIs.

Use API wordlists to discover hidden routes, API endpoint wordlists to check version paths, and API fuzzing wordlists to test how inputs are handled. Add numeric sequences to reveal predictable IDs. 

Upgrade to run these workflows programmatically and plug them directly into CI/CD pipelines.

Subdomain discovery

Expand your view of the attack surface.

Curated subdomain wordlists help you uncover development servers, staging sites, and other assets that aren’t obvious. We test and update each wordlist subdomain entry so you don’t waste time chasing dead ends. 

Paid plans also let you share wordlists across teams, keeping consultants and internal teams aligned.

Ready to cut the noise and run smarter scans?

Compare plans to see which tier unlocks the wordlists and integrations you need.

Wordlists FAQs

What is a wordlist?

A wordlist is just a text file with entries like usernames, passwords, directories, common subdomain names, or API routes. Tools use it to know what to test.

What is an API wordlist and how do I use it?

An API wordlist is a list of possible API routes or parameters. Use it with the URL Fuzzer or with our REST API to automatically test for hidden endpoints or weak inputs.

How do subdomain wordlists help in penetration testing?

They reveal subdomains that aren’t obvious, like forgotten dev or staging sites. This expands your view of the attack surface.

Can I upload a custom wordlist?

Yes. You can upload any text-based wordlist of up to 50000 words, each up to 200 characters long. Just make sure the total file size is less than 16 MB.
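A pre-flight check for a custom wordlist against the upload limits stated in this answer, as an added example that is not Pentest-Tools.com code: it trims blank and duplicate entries before counting (that trimming, and reading 16 MB as 16 * 1024 * 1024 bytes, are assumptions made here) and reports anything over the entry, length and size limits.

```python
"""Pre-flight check for a custom wordlist against the FAQ upload limits
(up to 50000 entries, each up to 200 characters, file under 16 MB).
Added example, not Pentest-Tools.com code; MB is assumed to be binary."""
from dataclasses import dataclass, field

MAX_WORDS = 50_000            # from the FAQ
MAX_WORD_LEN = 200            # from the FAQ
MAX_BYTES = 16 * 1024 * 1024  # "less than 16 MB"; binary MB assumed

@dataclass
class Report:
    kept: list = field(default_factory=list)       # entries that pass
    dropped_blank: int = 0                         # empty/whitespace lines
    dropped_dupes: int = 0                         # repeated entries
    too_long: list = field(default_factory=list)   # over MAX_WORD_LEN
    errors: list = field(default_factory=list)     # whole-file limit failures

    @property
    def ok(self) -> bool:
        return not self.errors and not self.too_long

def check_wordlist(text: str) -> Report:
    """Trim a wordlist (blanks, duplicates) and check it against the limits."""
    rep, seen = Report(), set()
    for raw in text.splitlines():
        word = raw.strip()
        if not word:
            rep.dropped_blank += 1
            continue
        if word in seen:
            rep.dropped_dupes += 1
            continue
        seen.add(word)
        if len(word) > MAX_WORD_LEN:
            rep.too_long.append(word)
            continue
        rep.kept.append(word)
    if len(rep.kept) > MAX_WORDS:
        rep.errors.append(f"{len(rep.kept)} entries exceed the limit of {MAX_WORDS}")
    size = len("\n".join(rep.kept).encode("utf-8"))
    if size >= MAX_BYTES:
        rep.errors.append(f"{size} bytes is not under the {MAX_BYTES}-byte limit")
    return rep

# Constructed sample: a blank line, a duplicate, and one over-length entry.
SAMPLE = "admin\n\nbackup.zip\nadmin\n  staging \n" + "a" * 201 + "\n"

if __name__ == "__main__":
    r = check_wordlist(SAMPLE)
    print(len(r.kept), "kept;", r.dropped_blank, "blank;", r.dropped_dupes, "dupes; ok =", r.ok)
```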

Can I manage wordlists through the API?

Yes. Our REST API lets you fetch and delete wordlists so teams can work from the same up-to-date inputs.