Back to APIs
API Details
Crawland

Subdomain Discovery API

Discover subdomains with DNS, WHOIS, reputation, vendor verdict, and pagination data.

Subdomain DiscoveryAsset VisibilityDomain Intelligence

Overview

Subdomain Discovery API helps you find known and discoverable subdomains for a target domain, making it easier to understand a domain’s external footprint.

Send a registered domain such as example.com and get discovered subdomains together with useful technical and security-related context for each result.

🎯 Subdomain visibility: Discover known and reachable subdomains linked to a target domain. 🌐 Attack surface mapping: Understand the public-facing assets connected to a domain. 🧾 Per-subdomain context: Review FQDNs, DNS records, registrar details, WHOIS data, tags, categories, and timestamps. πŸ›‘οΈ Security insight: Check reputation signals and vendor verdict statistics to identify suspicious or malicious subdomains faster. πŸ“š Easy pagination: Results can be continued using the returned cursor token.

Documentation

What you get

Every successful request returns discovered subdomains with full per-subdomain context, including DNS records, registrar, WHOIS, popularity ranks, vendor reputation stats, tags, and categories, plus an opaque cursor for the next page.

{
  "is_success": true,
  "response_code": 200,
  "message": "Success",
  "data": {
    "search_type": "domain",
    "subdomains": [
      {
        "subdomain": "botmesh-stg.tesla.com",
        "tld": "com",
        "registrar": "MarkMonitor Inc.",
        "dns_records": [{ "type": "A", "value": "209.10.208.20", "ttl": 300, "priority": 0 }],
        "security_vendor_analysis_stats": { "harmless": 0, "malicious": 0, "suspicious": 0, "undetected": 91, "timeout": 0 },
        "popularity_ranks": {},
        "tags": [],
        "categories": {},
        "modification_date": 1779649181,
        "whois": "Domain Name: TESLA.COM\nRegistrar: MarkMonitor Inc.\nCreation Date: 1992-11-04T05:00:00Z\n…"
      }
    ],
    "cursor": "eyJsaW1pdCI6IDEwLCAib2Zmc2V0IjogMTB9"
  }
}

Endpoint

EndpointUse it for
GET /scanDiscover subdomains for a registered domain and continue through results using cursor pagination.

Pagination

  1. First request: GET /scan?query=example.com β†’ returns first 10 subdomains + a cursor.
  2. Subsequent requests: GET /scan?query=example.com&cursor=<cursor> β†’ returns the next 10 + the next cursor.
  3. Stop when the response carries no cursor (or an empty one).

Cursors are tied to the query they were issued for β€” do not mix cursors across different domains.

Status code contract

To keep success-rate metrics meaningful, this API returns HTTP 200 for every authenticated, in-quota request β€” including invalid inputs and "no data found" cases. Always inspect:

  • is_success β€” boolean success flag.
  • response_code β€” 200 (success), 400 (invalid input), or 404 (no data).

4xx / 5xx HTTP status codes are reserved for authentication, rate-limit, and server-error scenarios.

Use cases

  • Attack surface management (ASM) β€” continuously enumerate an organisation's external footprint and flag staging / preproduction / forgotten subdomains.
  • Penetration testing reconnaissance β€” fast pivot from a single domain to the full subdomain inventory.
  • Subdomain takeover detection β€” surface dangling subdomains pointing at unclaimed cloud resources.
  • Brand protection β€” catch lookalike subdomains and verify ownership.
  • Bug bounty scoping β€” quickly understand what targets are in scope.