subfinder

Subfinder is a command-line tool that discovers subdomains of a website by querying public internet sources rather than actively probing or scanning the target. For example, if you give it "example.com", it searches certificate transparency logs, DNS datasets, and other public records to build a list of subdomains like "api.example.com" or "mail.example.com" that actually exist. Because it works passively and does not send requests directly to the target, it is fast and leaves no footprint on the system being researched.

The tool is built for two main groups: security testers assessing a target with permission, and bug bounty hunters mapping the attack surface of a program they are authorized to research. Finding subdomains is typically one of the first steps in both cases, because each subdomain can be a separate service with its own vulnerabilities.

Subfinder pulls data from many different online sources at once. Some of those sources are free and need no configuration; others require an API key that you obtain yourself from third-party services and add to a config file. More sources generally means more complete results, but the tool works out of the box without any API keys for the free sources.

Results can be printed to the terminal, written to a file, or formatted as JSON, making it straightforward to feed the output into other tools in a security testing workflow. The project also ships as a Go library, so developers can call subfinder from their own programs without running it as a separate process.

The project is maintained by ProjectDiscovery and is open source. A usage disclaimer is included in the repository noting that the tool should only be used on systems you are authorized to test.