Free Subdomain Scanner

Find subdomains for any domain using certificate transparency logs and DNS enumeration. See what's exposed — free, no sign-up required. First 10 results shown instantly.

Uses certificate transparency logs + DNS probing. This reveals what's publicly visible to attackers.

Why attackers scan your subdomains first

When an attacker targets your organisation, subdomain enumeration is often their first step. They're looking for:

dev.company.com: Development environments with weaker auth, debug modes enabled, or internal tools exposed to the internet.

staging.company.com: Staging servers often run older software versions, have default credentials, or skip security hardening.

admin.company.com: Admin panels exposed to the public internet instead of being restricted to VPN or IP allowlist.

old.company.com: Forgotten legacy apps with unpatched vulnerabilities, still reachable and still in DNS.

api2.company.com: Old API versions that are no longer maintained but still accept requests and return live data.

jenkins.company.com: CI/CD tools like Jenkins, GitLab, or TeamCity exposed publicly, often with weak credentials or unpatched CVEs.

What are certificate transparency logs?

Certificate transparency (CT) is a public framework that logs every TLS certificate issued by trusted certificate authorities. Because each certificate lists the hostnames it covers, CT logs reveal the existence of subdomains, even ones that were never publicly announced or linked to from the main site.

Tools like Shodan and Censys, as well as security researchers, routinely query CT logs. Attackers do too. This scanner uses the same data source so you can see exactly what's visible before attackers do.

What is a subdomain takeover?

A subdomain takeover occurs when a DNS record (usually a CNAME) still points to an external service that no longer exists or has expired: a "dangling DNS record." An attacker can claim the abandoned resource and serve content from your subdomain.

The resulting content passes browser origin checks, appears as your domain in the address bar, and can steal session cookies, serve phishing, or host malware attributed to your organization.

Frequently asked questions

What is subdomain enumeration?
Subdomain enumeration is the process of discovering all subdomains associated with a root domain. Security teams use it to map their own attack surface. Attackers use the same techniques to find forgotten, unprotected, or vulnerable entry points that aren't visible from the main website.
How do you find subdomains using certificate transparency?
Every time a TLS certificate is issued for a domain or subdomain, it's logged in public Certificate Transparency logs. By querying these logs (e.g., via crt.sh), you can see every subdomain that has ever had a certificate issued — even ones that are no longer actively used but may still be in DNS.
What is a subdomain takeover attack?
A subdomain takeover happens when a DNS record points to an external service (S3 bucket, GitHub Pages, Heroku app, etc.) that the owner has since deleted. An attacker can claim the deleted service, and the DNS record will now point to attacker-controlled content — served from your subdomain, bypassing browser security checks.
How do I prevent subdomain takeovers?
Audit your DNS regularly and delete records pointing to decommissioned services. When you remove an external service (a Heroku app, S3 bucket, GitHub Pages site, etc.), immediately remove the corresponding DNS record. Pulse Pro monitors your subdomains weekly and flags dangling CNAME records before attackers can exploit them.
Why does the scanner only show 10 results?
The first 10 subdomains are shown free to give you a clear picture of your exposure. For a complete list, plus weekly monitoring that alerts you to new subdomains as they appear, Pulse Pro includes full subdomain enumeration and continuous monitoring.
Is it legal to scan subdomains of a domain I don't own?
Querying publicly available certificate transparency logs is legal — the data is intentionally public. This scanner uses the same data source that security researchers, Shodan, and Censys use. If you're scanning a domain you don't own, use the information only for defensive research, responsible disclosure, or educational purposes.
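
The DNS audit recommended under "How do I prevent subdomain takeovers?", sketched as an added example (not this scanner's or Pulse Pro's code). It reads a BIND-style zone export of your own domain and flags CNAME records whose target no longer resolves, plus records pointing at the hosting services named above; the suffix list, sample zone and sample resolver data are constructed assumptions.

```python
import socket

# Assumption: hosting suffixes for the services this page names; extend for your estate.
EXTERNAL_SUFFIXES = (".herokuapp.com", ".github.io", ".s3.amazonaws.com")

# Constructed sample zone export (BIND-style) and constructed set of names that resolve.
SAMPLE_ZONE = """\
; example.com zone export (constructed)
www     300 IN CNAME example-site.github.io.
shop    300 IN CNAME old-shop.herokuapp.com.
assets  300 IN CNAME cdn.example.com.
mail    300 IN A     192.0.2.10
"""
SAMPLE_RESOLVABLE = {"example-site.github.io", "cdn.example.com"}


def parse_cnames(zone_text):
    """Yield (name, target) for every CNAME record, ignoring comments and other types."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "CNAME" in fields[1:-1]:
            i = fields.index("CNAME", 1)
            yield fields[0].rstrip(".").lower(), fields[i + 1].rstrip(".").lower()


def resolves(host):
    """Live check used outside the demo: does the CNAME target resolve at all?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit(zone_text, resolver=resolves):
    """Return (name, target, status) for CNAMEs that need attention."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if not resolver(target):
            # Target is gone: delete the record.
            findings.append((name, target, "DANGLING"))
        elif target.endswith(EXTERNAL_SUFFIXES):
            # A shared platform can resolve even after the app or bucket is deleted,
            # so confirm in the provider account that the resource still exists.
            findings.append((name, target, "REVIEW"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, resolver=SAMPLE_RESOLVABLE.__contains__):
        print(*finding)
```

Call audit(zone_text) without the resolver argument to check targets against live DNS; a REVIEW result means the record is only safe once the resource is confirmed in the provider account.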

Monitor your full subdomain exposure automatically

Pulse Pro scans your complete subdomain footprint every week — including new subdomains that appear, dangling CNAME records, and exposed services — and emails you when anything changes.

Start with Pulse Pro — $19/mo →