Skip to main content
Subdomain discovery

If you've got an attack surface that can't be mapped, this is the feature for you.

Updated over 2 weeks ago

What can it do?

Discover subdomains of existing apex domains that have been added to the portal. ie. if you have added example.com, we might return portal.example.com or api.example.com.

How does it work?

Once a week, we will run an automatic scan on all your targets to check for any subdomains that have not yet been added to the tool.

Should we find any, we'll send you an email:

and list them on your Targets page, under the discovery tab.

How can I manage them?

If you click on the 'subdomain detection' area above, you'll be taken through to the Subdomain detection page, where you can sort by: Most subdomains; Least subdomains; Newest subdomains and Oldest subdomains.

Clicking on them, will open out the list of associated subdomains:

  • As you can see above, some detected targets have already been added, which means they are now included in the target list and will be subject to scanning (pending license availability):

  • Other targets are yet to be added:

  • And one has already been excluded – though this can be undone if you want to – simply hit Undo exclude.
    (To exclude a target, all you need to do is select the target(s) using the checkbox on the left and hit the red Exclude button at the top).

If we have detected targets that appear to be hosted on a cloud provider such as GCP, AWS or Azure, we'll also flag this on the Discovery tab to allow you to integrate with the cloud platform by clicking the 'Add Integration' button, if you'd like:

And finally, if you believe a subdomain is missing from the list – let us know. Click Missing subdomain:

Add the name of the missing target and some details in the box (the more details the better as this will help our team improve the results over time) > hit Submit or Submit and add target:

If you hit Submit and add target, your comment will be submitted and you have the option to add the missing subdomain from this modal:

Where do I manage the *emails?

You can manage them from Settings > Email notifications


FAQs

Can it find 'associated' domains?

No, unfortunately, the subdomain discovery feature itself doesn't.

However, we do have a Related Domain Discovery feature which will enable you to find domains related to existing apex domains that have been added to the portal. ie. If you have added exampletest.com, we might return exampletester.com or exampletest.co.uk.

Are the discovered subdomains automatically added to the portal?

No, we don't automatically add them – we leave that up to you, the user.

Do we show existing targets on the Discovery Tab?

Yes, if a target has already been added then this will have 'Added target' shown next to it - this means they are already included in the target list:

This feature is only available on Premium and Vanguard (and will only be visible to admin users).

Did this answer your question?