Skip to content
NEW: auto-exploit Apache Arbitrary File Read & gain RCE with SNIPER

Find Domains Owned by a Company

Discover the domain names owned by a company and map its attack surface.

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our Find Domains Owned by a Company! Compare pricing plans and discover more tools and features.

Sample Report

Here is a Find Domains Owned by a Company sample report:

  • Contains the domain names associated with the target domain
  • Includes additional information such as: company name, contact email addresses
  • Each result has a certainty value which indicates its correctness

Download Sample Report

Sample report

Find Domains Owned by a Company - Use Cases

Allows you to discover domains associated with a target domain and to determine the attack surface of a target organization. Find systems which are less protected and more vulnerable to attacks.

Discover Attack Surface

The domain names owned by an organization are the starting point for discovering its attack surface. Development, test, backup or less-known applications are usually hosted on different domain names of the organization and they can be easy targets for attackers

Asset Inventory

This tool can help you to perform an inventory of your domain names, including the resources that you have currently exposed to the Internet. Such an inventory could help you decomission unused resources and decrease your workload.

Real-Time Discovery

The results of Find Domains are obtained in real-time and no caching mechanism is used. Even though this is a slower approach, the results are very accurate and up to date.

Technical Details


Domain names are Internet resources assigned to various companies around the world. A company can own multiple domain names which can be used for various purposes of the business (ex. for the main website, for clients portal, for supplier applications, etc).

Finding all the domain names owned by a company is an important step in the information gathering phase of a penetration test or during bug bounty activities. This is because these associated domains could expose resources of the company which are less secure than the ones sitting on the main domain.

For example, some of the associated domains for are:
As a result, exploring the attack surface from the additional domains could be a fruitful path during pentesting or bug bounty.


Parameter Description
Domain Name Is the target domain name (ex.,, etc) that will be searched for associated domains
SSL Certificates Searches Certificate Transparency Logs for certificates having the target domain as alt name
BuiltWith Searches BuiltWith relationships (e.g. Google Analytics Tags) for potentially related domains
Reverse Whois Finds the company and contact email of the target domain with a Whois lookup and then does a reverse lookup on them
Include zero weight results Also show the results with very low weight (e.g. domains found only in expired certificates)

How it works

The tool assigns a certain weight to each result to validate its correctness. The validation is performed using these factors:
  • The organization name found in the SSL certificate, as well and the number of certificates linking the two compared domains
  • The number of BuiltWith relationships and duration of those relationships
  • Matching Whois records (companies, emails)
  • Domain name similarity (e.g.
  • Redirect history: checks if the found domain redirects to the base domain or vice versa (e.g. ->