Every subdomain under any apex, in one call.
Pass an apex domain. Get back every subdomain Deepinfo has observed, sourced across passive DNS, certificate transparency, active scanning, and web crawling.
Every subdomain, across four discovery surfaces.
The Subdomain Finder API queries the indexed subdomain corpus that drives Deepinfo's own discovery pipeline. Pass an apex domain and the API returns every subdomain observed under it across passive DNS, certificate transparency, active scanning, and web crawling.
Each result is a fully qualified subdomain. Results are paginated by default; use the export flag to retrieve the full set as a downloadable file. The corpus reports approximately 2B subdomains at internet scale, deduplicated across discovery surfaces.
Use this when you need the working set of hostnames under any apex, including ones you don't own (vendor portfolios, customer-tenant apexes, acquired entities). For continuous monitoring, pair with the Daily Discovered Subdomains feed.
One endpoint, one required parameter.
Endpoint:
GET https://api.deepinfo.com/v1/discovery/subdomain-finder?domain={domain}Parameters:
Authentication is by API token in the request header. See docs.deepinfo.com for the full request reference.
See what the API returns.
Real response structure for the Every subdomain under any apex, in one call endpoint. Field coverage may vary based on query parameters and data availability.
{
"_request": {"domain": "deepinfo.com"},
"results": [
{"fqdn": "www.deepinfo.com", "first_seen": "2018-06-13", "sources": ["passive_dns", "active_scan", "ct_log"]},
{"fqdn": "api.deepinfo.com", "first_seen": "2019-02-08", "sources": ["passive_dns", "ct_log"]},
{"fqdn": "docs.deepinfo.com", "first_seen": "2019-04-22", "sources": ["passive_dns", "ct_log", "web_crawl"]},
{"fqdn": "dashboard.deepinfo.com", "first_seen": "2020-01-14", "sources": ["passive_dns", "ct_log"]},
{"fqdn": "status.deepinfo.com", "first_seen": "2021-07-30", "sources": ["passive_dns", "ct_log"]}
],
"pagination": {"page": 1, "page_size": 50, "total": 247}
}Sample response shown. Real responses depend on query parameters, data availability, and API version. Talk to us for full schema documentation.
Workflows this API plugs into directly.
Attack Surface Management
Discover the full subdomain inventory under your apex domains, including ones not in your CMDB.
Read the use caseThird-Party Risk Management
Enumerate vendor subdomains for portfolio-scope monitoring.
Read the use caseMergers and Acquisitions Due Diligence
Surface the target's full subdomain footprint without relying on the data room.
Read the use case“Subdomain enumeration during attack-surface reviews used to combine three open-source tools and a passive-DNS API. One call covering passive DNS plus certificate transparency plus active scanning consolidated all of that.”
Other discovery APIs.
Search the global domain corpus, by any field.
Filter the full domain corpus by any of 149 indexed fields and 11 query operators.
See API APIEverything Deepinfo knows about one domain, in one call.
Pass a domain.
See API APIEvery TLD permutation of a name, in one call.
Pass a domain name (without TLD).
See API APIFind every domain that looks like yours.
Pass a seed domain.
See API APIFind every domain registered to an email.
Pass an email address.
See API APIDomains registered at the same moment.
Pass a seed domain.
See APIRun a finder against your apex, or scope it to a vendor portfolio.
We'll set up token access and answer schema questions on a call.