Subdomain Finder

Scan type
  • Light scan

Find the subdomains of an internet domain and determine the attack surface of an organization.

This subdomain scanner combines multiple discovery methods and returns only valid results to help you perform extensive reconnaissance.

Discover more subdomains and maximize your chances of finding critical vulnerabilities with the built-in discovery methods available through paid plans These also give you access to 20+ security testing tools and features.

Create free account

No credit card required

Subdomain Finder

About our Subdomain Finder

3rd most popular free tool

This tool combines passive and active discovery methods to help you research the subdomains of your target domain for all types of security testing engagements.

Each scan delivers a list of subdomains that is validated, so you don’t have to waste time with old or invalid subdomains. Scan results also include helpful recon information such as IP address, WHOIS details, location (country), OS and server information, the technology running on the server, web platform, and page title. You can even use it to find out if any of the subdomains are sitting behind firewalls (e.g. Cloudflare, Sucuri, etc.).

Especially helpful for wide scope engagements, subdomain enumeration is crucial in the reconnaissance phase. This preconfigured Subdomain Finder helps you bring to light hidden entry points that are worth pursuing and prioritizing for vulnerability scanning and ethical exploitation.

Free subdomain searches employ the Light scan version, which focuses on extracting subdomains from DNS records (NS, MX, TXT, AXFR) and Enumeration using a built-in wordlist. The Deep scan provides access to all the options of our subdomain scanner and produces a list of easy to filter results with rich details. What’s more, you can calibrate Deep scans to match your needs.

A ready-to-use subdomains search engine like this removes the need for custom scripts, maintenance, and sifting through duplicate results. Offload repetitive work to our Subdomain Finder and free up your time to apply and develop your strongest penetration testing skills.

Want to see the full specifications?


Sample Subdomain Finder report

Here is a sample report from our Subdomain Finder that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Includes discovered subdomains and their IP addresses

  • Delivers WHOIS information – netname and country

  • Discloses web server software and the web platform on it (where applicable)

  • Includes page title for each subdomain (where applicable)

  • Subdomain name includes a direct link to the HTTP server (where applicable)

Subdomain Finder Report Sample

Better vulnerability discovery.Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting. offers faster pentest reporting and better vulnerability discovery.

Use cases

How security pros use the Subdomain Finder

Get all subdomains of a domain with a tool built by and for penetration testers. Map the attack surface of your target domain and find exposed, outdated, and forgotten systems an adversary would leverage in their attack.

  • Extensive Reconnaissance

    Subdomain enumeration is an essential part of the reconnaissance phase, enabling penetration testers and other security and IT professionals to understand how far the attack surface spreads. Subdomain tools like this one ensure the process is both fast and comprehensive.

  • Attack Surface Mapping and Monitoring

    Discover subdomains used for development, testing, and backup that make easy targets for attackers. Combine these potential entry points in a clear attack surface view to prioritize follow-up vulnerability and exploitation tests. This subdomain enumerator also helps you check clean-up and remmediation during re-tests. through a ready-to-use VPN and start your work in minutes.

  • Critical Vulnerability Discovery

    A subdomain is a potential goldmine for penetration testers because it can host applications with unpatched, critical vulnerabilities, such as Log4Shell. Since the same high-risk vulnerability can often be present on multiple domains, subdomains, and applications, a meticulous subdomain scan can help you get to these valuable findings much faster.

  • Asset Inventory

    Our subdomain finder online is a helpful tool for independent asset inventory. Use it to check if the known list of systems exposed to the Internet matches reality. The subdomain list in the report makes it easy to update internal documentation and to decommission or upgrade legacy systems.

  • Real-Time Subdomain Discovery

    Our Subdomain Finder does not use a caching mechanism, so it always gives you real-time results and up-to-date findings. The tool also performs the DNS resolution of subdomains instantaneously and you only see valid results.

  • Automated Follow-Up Scans

    Speed through various recon tasks with the built-in scheduler that lets you repeat scans periodically. Combine it with our notification system and get results automatically via email, Slack, or webhooks. Also, pentest robots and scan templates help you automate deep port scanning and service discovery after a subdomain scan and findings automatically populate the unified Attack Surface view.

Try a free scan now!

The Subdomain Finder dialog in the logged in area of

Worth it!

Pentest-Tools helped me scan my home servers to identify security concerns with my deployments. Their continued development and growth has been great to watch.

They have an entire suite of tools to test my home environment. Some of my most used features were their Website and Network scanners, Sniper: Auto Exploiter, various login page tests, and their Subdomain finder to help me with subdomains I had forgotten about.

Subdomain Finder

Technical details

What is a Subdomain Finder?

A Subdomain Finder is a subdomain enumeration tool that helps you discover subdomain hosts (aka subdomain FQDNs) which serve specific functions for your target (e.g. hosting public websites, private subdomains for testing web apps, URLs where you can find backups, etc.).

Manual methods involve a lot of time and effort to retrieve subdomain information, taking away precious resources from completing your time-limited engagements.

Since finding subdomains is an important step in the information gathering stage of a penetration test, we built a Subdomain Finder to maximize your chances of finding vulnerabilities worth pursuing.

For an ethical hacker, subdomains are interesting because they point to various (less-known) applications and indicate various external network ranges the target company uses.

For instance, a subdomain finder report might show you that points to IP and points to IP Now you know two different IP addresses your target organization might own and you can extend the attack surface while still operating in the scope of the engagement.

Subdomains sometimes host applications for internal use (e.g. test, development, backup, restricted) that are usually less secure than public/official applications, which makes them attractive targets for cybercriminals.

Our automatic subdomain enumeration helps you retrieve not just subdomains, but also their IP address, WHOIS information (netname and country), OS, server and its technology, plus the web platform running on them and the page title – all in scope of the security assessment you’re tasked with performing.

What makes our Subdomain Finder different

The effectiveness of any pentesting tool depends on the ecosystem it’s part of. Because we know much work it takes to connect different tools and ensure you can follow your workflow without interruptions, we built with this in mind.

Instead of offering a Subdomain Scanner as a standalone tool, we chose to offer the ability to chain the results with our other tools from the start. As a result, our platform provides an entire ecosystem of tools and features you can even combine into automated testing sequences.

To make it easy for you to find all subdomains and identify low hanging fruit as well as less obvious potential entry points, we combined almost a dozen search methods with various enumeration wordlist options, and even the ability to include unresolved subdomains.

On top of the ability to use your own wordlists for enumeration and fuzzing, you can also use our Subdomain Finder to get extra information about the subdomains it finds, including IP address, WHOIS, and web server and web technologies information built-in (if applicable). Plus, you can easily filter results to surface the most useful findings you need to move forward.

How our Subdomain Finder works

If you’re looking for domain checker tools that are free to use, you can try our Subdomain Finder for free with the Light scan version. This searches DNS records (NS, MX, TXT, AXFR) and performs subdomain enumeration using a built-in wordlist.

The Deep scan version delivers speed, accuracy and extensiveness, all together, along with access to all the pentesting tools and features on the platform. The Deep scan uses multiple techniques to find subdomains fast and effectively:

  • DNS records (NS, MX, TXT, AXFR)
  • Enumeration using built-in wordlists, plus the option to use your own
  • External APIs search
  • Public search engine queries (Google search, Bing)
  • Word mutation techniques
  • Searching in SSL certificates
  • Parsing HTML links
  • Reverse DNS on target IP ranges
  • Generates permutations and alterations of the subdomain names found so far in the scan
  • Searching in CNAME records

On top of the subdomains list, you can customize the output to include:

  • Unresolved domains
  • IP addresses of the found subdomains
  • WHOIS information
  • Operating system information
  • Web server and web technologies.
Customize the output of the Subdomain Finder

Subdomain Finder is a comprehensive tool, so scan duration varies depending on the target. For an average domain, a subdomain scan takes just a few minutes. For instance, it can return up to 500 results in under 10 minutes.

For domains with thousands or tens of thousands of subdomains, such as websites in the government, educational, medical, etc. sectors, subdomain scans can take up to a few hours. To slightly increase scanning speed, deactivate the “Detect web technologies” option.

Scanning parameters for paying customers

When you choose a paid plan and log into your account, you get eight additional detections methods and can select and combine the following subdomain scanning parameters to customize the output:

Include IP informationCheck this to instruct the tool to do WHOIS queries in order to determine the network owners and country for each IP address.
Detect web technologies Use this option to have the tool try to find more details about each extracted subdomain, such as: OS, Server, Technology, Web Platform and Page Title.
Include unresolved subdomainsGives you the option of keeping unresolved subdomains in the list of results, but without an IP address.

What to do next

Besides the Subdomain Finder, you have other domain checker tools on, along with a full arsenal of vulnerability scanners and exploitation tools.

Our solution for finding domains, our free Google Hacking tool, and Find Virtual Hosts provide breadth by extending your attack surface. Enhance your reconnaissance work with complementary tools such as the Port Scanner, the UDP Port Scanner, and the Website Recon tool which provide you with in-depth information about a specific target.

Our Subdomain Finder is also closely connected to all other tools on the platform, which allows you to get much more information about subdomains and act on it with precision and speed.

Web vulnerability scanners, web CMS scanners, and network vulnerability scanners are all available from your online account, along with powerful offensive tools (e.g. URL Fuzzer, Subdomain Takeover, Sniper Auto-Exploiter, and more).

We make it easy to access the one that is relevant to your next steps from the list of subdomain results to remove as much repetitive work from your day as possible.

Scan with other tools when viewing discovered subdomains

Automation features also help you expedite entire testing sequences. For instance, Recon Robot, one of our pentest robots, automatically discovers all subdomains of any given domain, does full port scanning and service discovery, and gathers technologies and takes screenshots for each web port it finds. It also delivers all the data it aggregates in the unified Attack Surface view. All without you having to wait for scans to finish to start follow-up scans with different tools and other work that disrupts your flow.

Use this Subdomain Finder with other features in our cloud platform to further boost its capabilities:

Plus, the entire arsenal on gets updates on a regular basis, consistently growing stronger with new features.

Tools to use after running the Subdomain Finder

Great Tool!

I tested and used a lot of features from the beginning when was launched.

I used a lot the Subdomain Scanner, Website Recon and the SSL/TLS scanner - helped me find juicy information for my work. I used them as a security engineer- freelancer - and they helped me a lot.


Common questions about the Subdomain Finder

A website subdomain is a domain subordinated to another domain. If you are pentesting websites, it’s important to know which subdomains are exposed to potential malicious hackers through vulnerabilities, misconfigurations, and business logic security issues.

Knowing which specific needs subdomains serve helps you prioritize business-critical assets for further investigation.