Subfinder
Live · Real-time passive enumeration

One domain. Every subdomain it exposes.

Subfinder is the free online subdomain discovery tool: enter a domain for passive subdomain enumeration across 40+ sources, in one report.

  • Sign in to scan
  • Private & passive

Every subdomain a domain exposes, one consolidated report.

Wherever a subdomain has been seen in public records, stitched into one report.

  1. SOURCE / 01

    Certificate transparency logs

  2. SOURCE / 02

    Passive DNS aggregators

  3. SOURCE / 03

    Search engines & web archives

  4. SOURCE / 04

    Threat-intelligence feeds

  5. SOURCE / 05

    Other passive sources

$ only subdomains that already appear in public passive sources. No brute force, no scanning of the target's servers.

Subfinder online: the free subdomain discovery and enumeration tool

Subfinder is a free subdomain discovery tool that runs entirely online, no install, no API key, no command line. Paste any domain and Subfinder performs live passive subdomain enumeration across 40+ sources, then returns one report of every subdomain the domain exposes. It is the browser version of the open-source Subfinder project from ProjectDiscovery on GitHub, rebuilt as an online recon tool you can run from any device.

Whether you need subdomain discovery, attack-surface mapping, bug-bounty recon or a quick way to list the subdomains of a domain, it is the same engine in one place. Every query reads only public passive sources, so Subfinder can enumerate a domain's subdomains without ever touching its servers.

  • Subdomain finder

    Run subdomain discovery from a single domain and find every subdomain attached to it, the modern subdomain finder security teams actually use.

  • Passive enumeration

    A full passive subdomain enumeration in your browser: query a domain across 40+ sources and read a report broken down by source, with zero traffic to the target.

  • Attack-surface mapping

    Map an attack surface in seconds. Subfinder is a free subdomain lookup that surfaces the hosts attached to a domain across the sources that matter.

  • DNS reconnaissance

    Use Subfinder for DNS reconnaissance: enumerate a domain or any organization to see which subdomains are exposed and which currently resolve.

  • Search by domain

    Search by domain to map a digital footprint, an asset-discovery primitive that returns hosts, not paywalls. See where a domain's infrastructure leads next.

  • Enumerate without scanning

    Enumerate subdomains without scanning the target. Subfinder only reads public passive sources, so the lookup stays silent and the owner is never alerted.

Explore more subdomain discovery and recon guides

Subfinder sits at the centre of a full set of online recon tools. Dive deeper into each technique:

From domain to subdomain map in three steps.

Nothing to install, no setup. Drop a domain and see every subdomain it exposes.

  1. STEP / 01

    Drop a domain

    input

    Paste any root domain. The engine knows which 40+ passive sources to query, no configuration required.

  2. STEP / 02

    Query every source

    process

    Subfinder asks each supported passive source which subdomains it has seen and stitches the responses into one consolidated report.

  3. STEP / 03

    Read the result

    output

    Every result is broken down into clear sections: which subdomains were found, which are live, and which source each one came from.

Built for people who already know what they're looking for.

Three audiences keep coming back. Different goals, same primitive: a domain in, a map of every subdomain it exposes out.

  • 01

    Red teams & pentesters

    Map the external attack surface of a target in seconds. See which subdomains resolve, then pivot to forgotten hosts, staging environments and exposed panels.

    • Map the attack surface
    • Spot staging & dev hosts
    • Pre-engagement recon
  • 02

    Bug bounty hunters

    Expand a program's scope fast: enumerate every subdomain of an in-scope domain to find the assets other hunters miss and get to a bug first.

    • Scope expansion
    • Asset discovery
    • Continuous monitoring
  • 03

    Security & asset teams

    Keep an inventory of your own exposed subdomains: catch shadow IT, expiring hosts and takeover-prone records before an attacker does.

    • Attack-surface inventory
    • Shadow-IT discovery
    • Takeover prevention

Why Subfinder

A single console for the kind of recon that usually requires juggling half a dozen scripts and API keys.

40+ sources in one pass
A single domain is queried against 40+ passive sources across certificate transparency, passive DNS, search engines and threat-intel feeds. See every subdomain without leaving the console.
Passive by design
Every query only reads public passive sources. No brute force, no port scanning, and no traffic sent to the target's own infrastructure.
Credits, not subscriptions
Pay only for what you run: each scan spends credits from your wallet, with no monthly plan. Top up once and enumerate whenever you need.
For authorized use
Pentests, bug bounty, attack-surface management. Reading these results implies you accept the responsibility that goes with them.

Frequently asked questions

What the recon community asks most often before paying attention.