Free Subdomain Finder

Yes — fully free, no signup, no rate limits we control. Every search runs in your browser via the public crt.sh Certificate Transparency log API. We don't see what you queried and don't log anything. crt.sh itself is run by Sectigo as a free public service and is the same data source security professionals use daily.

Every TLS certificate issued by a public CA (Let's Encrypt, DigiCert, Sectigo, etc.) is logged in append-only Certificate Transparency logs. The Subject Alternative Names on the certificate — including subdomains — are public the moment the cert is issued. This tool searches CT logs via crt.sh and returns every unique hostname found in a certificate for the domain. No DNS guessing, no dictionary attacks, no port scans.

Yes — that's exactly the point. Anyone with internet access can run the same query in 5 seconds. If you have a forgotten staging server at staging-old.yourdomain.com that issued a Let's Encrypt cert two years ago, every penetration tester and bug bounty hunter can find it. CT logs are not a leak; they're a deliberate, by-design transparency mechanism. Your job is to know what's in there before attackers do.

Same starting point — CT logs are a primary data source for all of them — but those tools also combine search engine scraping, DNS brute-forcing, and other techniques to find subdomains beyond CT. This browser tool is CT-only, which is the highest-confidence data source (every subdomain returned definitely existed at one point because someone issued a real certificate for it). For the full picture, combine this tool with active DNS enumeration. For continuous monitoring of new subdomains as certificates are issued, use FortWatch.

Each certificate renewal creates a new CT log entry. A domain on Let's Encrypt with quarterly auto-renewal will produce 4+ entries per year per subdomain. This tool deduplicates so you see each unique hostname once. The 'cert entries' count in the summary shows how many raw CT records were found (one per cert), and the unique subdomain count shows how many distinct hostnames they cover.

CT logs only include hostnames that have ever appeared on a publicly-issued TLS certificate. Subdomains that exist but never had a cert (HTTP-only services, internal-only DNS, certs from a private CA) won't appear. For those you need active DNS enumeration — DNS brute-forcing or zone transfer attempts. CT-based discovery is one piece of the puzzle, not the whole picture.

When you stop using a third-party service (Heroku app, Shopify store, AWS bucket, GitHub Pages site) but leave the CNAME pointing at it, an attacker can claim the now-orphaned hostname on the platform and serve content under your subdomain. Listing every subdomain you've ever used is step one for finding these. For each result, check whether the hostname still resolves and whether the target service is still under your control.

Subdomains appear in CT logs the moment a certificate is issued — usually within minutes. FortWatch monitors CT logs continuously for every domain you own and alerts you when a new subdomain shows up, so unauthorized cert issuance (a real signal of a compromised CI/CD pipeline or registrar account) gets caught immediately. Combine that with continuous DNS monitoring for full attack surface coverage.