
Subdomain Discovery API
Discover subdomains with DNS, WHOIS, reputation, vendor verdict, and pagination data.
Overview
Subdomain Discovery API helps you find known and discoverable subdomains for a target domain, making it easier to understand a domainβs external footprint.
Send a registered domain such as example.com and get discovered subdomains together with useful technical and security-related context for each result.
π― Subdomain visibility: Discover known and reachable subdomains linked to a target domain. π Attack surface mapping: Understand the public-facing assets connected to a domain. π§Ύ Per-subdomain context: Review FQDNs, DNS records, registrar details, WHOIS data, tags, categories, and timestamps. π‘οΈ Security insight: Check reputation signals and vendor verdict statistics to identify suspicious or malicious subdomains faster. π Easy pagination: Results can be continued using the returned cursor token.
Documentation
What you get
Every successful request returns discovered subdomains with full per-subdomain context, including DNS records, registrar, WHOIS, popularity ranks, vendor reputation stats, tags, and categories, plus an opaque cursor for the next page.
{
"is_success": true,
"response_code": 200,
"message": "Success",
"data": {
"search_type": "domain",
"subdomains": [
{
"subdomain": "botmesh-stg.tesla.com",
"tld": "com",
"registrar": "MarkMonitor Inc.",
"dns_records": [{ "type": "A", "value": "209.10.208.20", "ttl": 300, "priority": 0 }],
"security_vendor_analysis_stats": { "harmless": 0, "malicious": 0, "suspicious": 0, "undetected": 91, "timeout": 0 },
"popularity_ranks": {},
"tags": [],
"categories": {},
"modification_date": 1779649181,
"whois": "Domain Name: TESLA.COM\nRegistrar: MarkMonitor Inc.\nCreation Date: 1992-11-04T05:00:00Z\nβ¦"
}
],
"cursor": "eyJsaW1pdCI6IDEwLCAib2Zmc2V0IjogMTB9"
}
}Endpoint
| Endpoint | Use it for |
|---|---|
GET /scan | Discover subdomains for a registered domain and continue through results using cursor pagination. |
Pagination
- First request:
GET /scan?query=example.comβ returns first 10 subdomains + acursor. - Subsequent requests:
GET /scan?query=example.com&cursor=<cursor>β returns the next 10 + the next cursor. - Stop when the response carries no
cursor(or an empty one).
Cursors are tied to the query they were issued for β do not mix cursors across different domains.
Status code contract
To keep success-rate metrics meaningful, this API returns HTTP 200 for every authenticated, in-quota request β including invalid inputs and "no data found" cases. Always inspect:
is_successβ boolean success flag.response_codeβ200(success),400(invalid input), or404(no data).
4xx / 5xx HTTP status codes are reserved for authentication, rate-limit, and server-error scenarios.
Use cases
- Attack surface management (ASM) β continuously enumerate an organisation's external footprint and flag staging / preproduction / forgotten subdomains.
- Penetration testing reconnaissance β fast pivot from a single domain to the full subdomain inventory.
- Subdomain takeover detection β surface dangling subdomains pointing at unclaimed cloud resources.
- Brand protection β catch lookalike subdomains and verify ownership.
- Bug bounty scoping β quickly understand what targets are in scope.
