
Subdomain discovery

If you've got an attack surface that can't be mapped, this is the feature for you.


What can it do?

Discover subdomains of existing apex domains that have been added to the portal. For example, if you have added example.com, we might return portal.example.com or api.example.com.

How does it work?

Once a week, we will run an automatic scan on all your targets to check for any subdomains that have not yet been added to the tool.

Should we find any, we'll send you an email.

We'll also list them on your Targets page, on the Discovery page.

How can I manage them?

Excluding apex domains permanently

Some apex domains identified during discovery may not be relevant to your organisation, or you may not want to track them. In these cases, you can now permanently exclude an apex domain.

When you permanently exclude an apex domain:

  • All of its currently discovered subdomains are excluded immediately.

  • Future discovery scans will no longer return that apex domain or any associated subdomains.

  • Any subdomains you have already added as targets remain in your Targets list. Only future discovery of new subdomains beneath that apex domain stops; nothing previously added as a target will be removed.

To permanently exclude an apex domain, expand the domain group in the Subdomain Detection view and select Exclude apex domain.


Excluding individual subdomains

If you want to keep the apex domain active but remove only certain discovered subdomains, you can use the bulk‑select checkboxes and the Exclude action. This removes only the selected subdomains. Future discoveries beneath that apex domain will continue to appear.


Managing discovered subdomains

If you click on the 'subdomain detection' item, you'll be taken through to the Subdomain detection page, where you can sort by Most subdomains, Least subdomains, Newest subdomains, or Oldest subdomains.

Clicking on them will open the list of associated subdomains:

  • Some detected targets have already been added, which means they are now included in the target list and will be subject to scanning (pending license availability).

  • Other targets are yet to be added.

  • To exclude a target, check the box on the left and hit the red Exclude button.

  • To undo, click Undo exclude.

If we have detected targets that appear to be hosted on a cloud provider such as Google Cloud, AWS or Azure, we'll also flag this on the Discovery page. If you'd like, you can then integrate with the cloud platform by clicking the 'Add Integration' button.

And finally, if you believe a subdomain is missing from the list, let us know. Click Missing subdomain.

Add the name of the missing target and some details in the box (the more details the better, as this will help our team improve the results over time), then hit Submit or Submit and add target.

If you hit Submit and add target, your comment will be submitted, and you have the option to add the missing subdomain from this modal.

Where do I manage the emails?

You can manage them from Settings > Email notifications.


FAQs

Can it find 'associated' domains?

No, unfortunately, the subdomain discovery feature itself doesn't.

However, we do have a Related Domain Discovery feature, which will enable you to find domains related to existing apex domains that have been added to the portal. For example, if you have added exampletest.com, we might return exampletester.com or exampletest.co.uk.

Are the discovered subdomains automatically added to the portal?

No, we don't automatically add them – we leave that up to you, the user.

Do we show existing targets on the Discovery page?

Yes, if a target has already been added, it will have 'Added target' shown next to it, which means it is already included in the target list.

This feature is only available on our Enterprise and Vanguard plans (and will only be visible to admin users).
