projectdiscovery/subfinder

★ 13,617GoAudience · ops devopsComplexity · 2/5Setup · easy

Mindmap

mindmap
  root((subfinder))
    What It Does
      Subdomain discovery
      Passive scanning
      No target footprint
    Data Sources
      Certificate logs
      DNS datasets
      API key sources
    Output Options
      Terminal output
      File output
      JSON format
    Use Cases
      Penetration testing
      Bug bounty recon
      Security automation

mindmap root((subfinder)) What It Does Subdomain discovery Passive scanning No target footprint Data Sources Certificate logs DNS datasets API key sources Output Options Terminal output File output JSON format Use Cases Penetration testing Bug bounty recon Security automation

Click or tap to explore — scroll the page freely

Things people build with this

USE CASE 1

Map all subdomains of a target domain during an authorized penetration test or bug bounty assessment.

USE CASE 2

Feed a subdomain list into other security tools as the first step in a reconnaissance workflow.

USE CASE 3

Use subfinder as a Go library inside your own security automation program to enumerate subdomains without spawning a subprocess.

Tech stack

Getting it running

Difficulty · easy Time to first run · 5min

Works immediately for free public sources, optional API keys from third-party services unlock more complete subdomain data.

Open source, specific license terms are not described in the repository explanation.

In plain English

Subfinder is a command-line tool that discovers subdomains of a website by querying public internet sources rather than actively probing or scanning the target. For example, if you give it "example.com", it searches certificate transparency logs, DNS datasets, and other public records to build a list of subdomains like "api.example.com" or "mail.example.com" that actually exist. Because it works passively and does not send requests directly to the target, it is fast and leaves no footprint on the system being researched. The tool is built for two main groups: security testers assessing a target with permission, and bug bounty hunters mapping the attack surface of a program they are authorized to research. Finding subdomains is typically one of the first steps in both cases, because each subdomain can be a separate service with its own vulnerabilities. Subfinder pulls data from many different online sources at once. Some of those sources are free and need no configuration, others require an API key that you obtain yourself from third-party services and add to a config file. More sources generally means more complete results, but the tool works out of the box without any API keys for the free sources. Results can be printed to the terminal, written to a file, or formatted as JSON, making it straightforward to feed the output into other tools in a security testing workflow. The project also ships as a Go library, so developers can call subfinder from their own programs without running it as a separate process. The project is maintained by ProjectDiscovery and is open source. A usage disclaimer is included in the repository noting that the tool should only be used on systems you are authorized to test.

Copy-paste prompts

Prompt 1

I'm doing a bug bounty on a target domain. Show me the subfinder command to enumerate all subdomains and save results to a file for further testing.

Prompt 2

Help me configure subfinder with API keys for additional data sources to get more complete subdomain results than the free sources alone.

Prompt 3

I want to pipe subfinder output directly into another recon tool. Show me the command to output JSON and use it in a pipeline.

Prompt 4

How do I use subfinder as a Go library in my own program to enumerate subdomains programmatically instead of calling it as a CLI?

Open on GitHub → Explain another repo

← projectdiscovery on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.