Top 7 Subdomain Enumeration Tools
Choosing the right subdomain enumeration tools can mean the difference between discovering 50 subdomains and discovering 500. Each tool takes a different approach -- some focus on speed, others on source coverage, and some combine multiple techniques into a single workflow. This comparison covers the best subdomain enumeration tools available today, with honest assessments of what each does well and where it falls short.
If you are new to subdomain discovery, read How to Find Subdomains of Any Domain first for background on the techniques these tools implement.
TL;DR
- Subfinder is the fastest passive enumerator with 40+ sources -- ideal for quick, one-off scans.
- Amass provides the deepest single-tool coverage with both passive and active modes, but has a steeper learning curve.
- Metric Tower chains multiple tools into an automated pipeline with built-in vulnerability scanning and takeover detection.
- Professional pentesters rarely use just one tool -- running Subfinder and Amass together yields 30-50% more results than either alone.
| Tool | Best For | Key Strength | Pricing |
|---|---|---|---|
| Metric Tower | Automated full pipeline | Chains 5+ tools with vuln scanning | Free tier available |
| Subfinder | Fast passive enumeration | 40+ sources, sub-30s per domain | Free (open source) |
| Amass | Maximum single-tool depth | 50+ sources, passive + active + brute-force | Free (open source) |
| crt.sh | Quick CT log lookups | No installation needed, free API | Free |
| Sublist3r | Learning enumeration basics | Simple Python, easy to understand | Free (open source) |
| Chaos | Instant pre-enumerated data | Crowd-sourced dataset, millisecond results | Free API |
| Findomain | Fast cross-platform scans | Rust binary, commercial monitoring option | Free / $15/mo (commercial) |
1. Metric Tower -- Automated Multi-Tool Pipeline
Metric Tower takes a different approach from standalone tools: instead of being a single enumeration engine, it chains Subfinder, Amass, CrtSh, Alterx, and Dnsx into an automated pipeline where each tool's output feeds the next. Subdomains discovered by passive sources are expanded via permutation, validated via DNS resolution, port-scanned with Naabu, and vulnerability-tested with Nuclei -- all from a single scan configuration.
The platform also includes TakeoverWatch for subdomain takeover detection across 30+ services, scheduled recurring scans for continuous monitoring, and a web dashboard where results from all stages are unified into a single view with deduplication.
Pros:
- Chains 5+ tools automatically with data flowing between stages
- Web UI with scheduling, alerting, and team collaboration
- Includes takeover detection and vulnerability scanning in the same workflow
- Deduplicates findings across sources and across scans over time
Cons:
- Requires a running instance (Docker Compose or hosted) rather than a single binary
- Less granular control over individual tool flags compared to running each tool directly from the CLI
Pricing: Free tier available. Pro and Business plans add higher scan limits and advanced features. See pricing details.
2. Subfinder (ProjectDiscovery) -- Fast Passive Enumeration
Subfinder is the workhorse of passive subdomain enumeration. It queries 40+ data sources in parallel -- CT logs, DNS aggregators, search engines, threat intelligence feeds, web archives, and more. It is written in Go, compiles to a single binary, and runs fast even on large target lists.
What makes Subfinder stand out is its source management. You configure API keys for premium sources (SecurityTrails, Censys, Shodan, Chaos, VirusTotal, etc.) in a YAML config file, and Subfinder handles rate limiting, error handling, and result deduplication across all of them.
```bash
# Basic usage
subfinder -d example.com -all -o subs.txt

# With specific sources
subfinder -d example.com -sources crtsh,securitytrails,shodan

# Multiple targets from file
subfinder -dL domains.txt -all -o all-subs.txt
```
Pros:
- Fast -- typically completes in under 30 seconds per domain
- 40+ data sources with easy API key management
- Clean Go binary, no dependencies
- Active development by ProjectDiscovery
- Integrates well with other PD tools (httpx, nuclei, naabu)
Cons:
- Passive only -- no DNS brute-force or permutation
- Best results require API keys for premium sources (free tiers are limited)
Pricing: Open-source (MIT license). Free to use. Some data sources require their own API keys with separate pricing.
Best Practice
Configure API keys for premium sources like SecurityTrails, Censys, and Shodan in Subfinder's config file. Free-tier API keys from these services dramatically increase discovery coverage at no cost.
3. Amass (OWASP) -- Deep Passive and Active Enumeration
Amass is the most comprehensive single-tool option for subdomain enumeration. It supports both passive and active modes, with 50+ data sources for passive collection, DNS brute-force, permutation scanning, zone transfers, NSEC walking, and even certificate scraping. Its graph database tracks relationships between discovered assets across runs.
The trade-off is complexity. Amass has a steep learning curve, a large configuration surface, and longer execution times. A full active enumeration with brute-force can run for hours on large scopes.
```bash
# Passive enumeration only
amass enum -passive -d example.com -o subs.txt

# Active mode with brute-force
amass enum -active -brute -d example.com -o subs.txt

# Using the database for tracking across runs
amass db -names -d example.com
```
Pros:
- Most comprehensive single tool -- passive, active, brute-force, permutation in one package
- 50+ passive data sources
- Asset tracking via built-in graph database
- OWASP project -- well-established and community-maintained
- Advanced features like NSEC walking and zone transfer attempts
Cons:
- Significant learning curve and complex configuration
- Active mode can be very slow on large scopes (hours)
- Resource-heavy compared to lighter alternatives
- Configuration file format can be confusing
Pricing: Open-source (Apache 2.0 license). Free to use.
4. crt.sh -- Certificate Transparency Web Search
crt.sh is a free web interface (and API) for searching Certificate Transparency logs. Operated by Sectigo, it indexes certificates from all major CT logs and lets you search by domain, issuer, or certificate fingerprint. It is not a tool you install -- it is a web service you query.
Because CT logs record every publicly issued TLS certificate, crt.sh often surfaces subdomains that no other source knows about: internal services that obtained public certificates, short-lived subdomains used during testing, or wildcard certificate SANs.
```bash
# Query via API (JSON output); %25 is the URL-encoded % wildcard, so this matches *.example.com
curl -s "https://crt.sh/?q=%25.example.com&output=json" \
  | jq -r '.[].name_value' | sort -u

# Drop expired certificates from the results (historical entries are returned by default)
curl -s "https://crt.sh/?q=%25.example.com&exclude=expired&output=json"
```
Pros:
- Free, no API key needed
- Comprehensive CT log coverage
- JSON API for easy scripting
- Finds subdomains not present in any other source
- No installation -- works from any browser or curl
Cons:
- Only finds subdomains that have had TLS certificates issued
- Can be slow during peak usage
- No active scanning, permutation, or brute-force
- Returns expired and historical certificates by default (requires filtering)
Pricing: Free.
5. Sublist3r -- Simple Python Enumerator
Sublist3r is a straightforward Python script that queries search engines (Google, Bing, Yahoo, Baidu), Netcraft, VirusTotal, ThreatCrowd, and DNSdumpster. It has an optional integration with Subbrute for DNS brute-forcing. It was one of the first popular subdomain tools and remains a good entry point for beginners.
However, Sublist3r has not kept pace with newer tools. Its source list is smaller, it lacks support for modern data sources like SecurityTrails or Censys, and several of its search engine scraping methods are unreliable due to anti-bot measures. For professional use, Subfinder or Amass are strictly better choices.
Common Mistake
Relying on a single enumeration tool. No tool has complete source coverage. Running Subfinder and Amass together typically yields 30-50% more unique subdomains than either tool alone.
```bash
# Basic usage
python sublist3r.py -d example.com -o subs.txt

# With brute-force enabled
python sublist3r.py -d example.com -b -o subs.txt
```
Pros:
- Easy to understand and use -- good for learning
- Pure Python with minimal dependencies
- Optional DNS brute-force via Subbrute integration
Cons:
- Fewer sources than Subfinder or Amass
- Search engine scraping is unreliable (frequent blocks)
- Less actively maintained than alternatives
- No API key management for premium data sources
Pricing: Open-source (free).
6. Chaos (ProjectDiscovery) -- Crowd-Sourced Subdomain Data
Chaos is a different kind of subdomain tool. Instead of actively querying sources, it provides access to ProjectDiscovery's crowd-sourced subdomain dataset. This dataset is built from the combined output of Subfinder, Amass, and other tools run across the internet by the security community. You query it for pre-enumerated results.
The advantage is speed: results are instant because the enumeration has already been done. The limitation is scope: only domains in the dataset are covered, and results may be hours or days old. Chaos works best as a supplement to real-time enumeration, not a replacement for it.
```bash
# Query the Chaos dataset
chaos -d example.com -o subs.txt

# Check if a domain is in the dataset
chaos -d example.com -count
```
Pros:
- Instant results -- no scanning required
- Covers popular and bug bounty program domains extensively
- Free API with generous rate limits
- Part of the ProjectDiscovery ecosystem
Cons:
- Only covers domains already in the dataset (coverage gaps for less-popular targets)
- Results can be stale -- not real-time
- Cannot discover subdomains on domains not yet indexed
- Requires a free API key from ProjectDiscovery Cloud
Pricing: Free API access. Part of ProjectDiscovery Cloud (paid tiers add more features).
7. Findomain -- Fast Cross-Platform Enumerator
Findomain is a cross-platform binary written in Rust that focuses on fast passive subdomain enumeration. It queries sources including crt.sh, VirusTotal, Sublist3r API, Facebook CT, and others. Its commercial version adds monitoring features (scheduled checks, alerts on new subdomains, webhooks).
Findomain's selling point is performance and simplicity. The binary is small, fast, and requires no runtime dependencies. The open-source version handles basic enumeration well. The commercial monitoring feature makes it one of the few tools that supports automated subdomain tracking out of the box, though the source list is smaller than Subfinder's.
```bash
# Basic enumeration (-o writes to a file named after the target)
findomain -t example.com -o

# Multiple targets
findomain -f domains.txt -o

# With specific output file
findomain -t example.com -u subs.txt
```
Pros:
- Very fast execution (Rust binary)
- Cross-platform (Linux, macOS, Windows, ARM)
- No dependencies -- single binary
- Commercial version includes monitoring and alerting
Cons:
- Fewer sources than Subfinder or Amass
- No active scanning (passive only)
- Monitoring features require paid license
- Less community adoption than ProjectDiscovery tools
Pricing: Open-source version is free. Commercial version with monitoring starts at $15/month (as of early 2026).
Choosing the Right Subdomain Enumeration Tool
The right choice depends on what you need:
Quick one-off enumeration: Subfinder. It is the fastest passive enumerator with the best source coverage for no cost.
Maximum depth from a single tool: Amass in active mode. It will take longer but covers more ground than anything else.
Free, instant, no installation: crt.sh. Open a browser, enter a domain, and get results. Or use the JSON API from a terminal.
Learning subdomain enumeration: Sublist3r. Its code is readable and the concepts are easy to follow.
Pre-built data for popular targets: Chaos. If the domain is in their dataset, you get results in milliseconds.
Automated pipeline with vulnerability scanning: Metric Tower. If you want the full chain from discovery through exploitation testing without scripting it yourself, this is the integrated option.
Continuous monitoring: Findomain (commercial) for a standalone solution, or Metric Tower for monitoring bundled with scanning.
In practice, professional pentesters rarely use just one tool. The standard approach is to run Subfinder and Amass together, merge and deduplicate the results, then feed them into Dnsx for validation and Nuclei for vulnerability scanning. If you want that pipeline without the scripting overhead, Metric Tower automates the entire chain.
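The merge-and-deduplicate step above is easy to get wrong: crt.sh's `name_value` field packs several newline-separated SANs into one string, includes `*.` wildcard labels, mixed case and trailing dots, and lists names that belong to other domains entirely. This added example (not code from the article or from any of the tools it covers) normalizes constructed sample outputs from Subfinder, Amass and crt.sh into one scoped, deduplicated list, and includes a resolution step that plays Dnsx's role in the pipeline; the sample data and the function names are the example's own.

```python
import json
import socket

ROOT = "example.com"

# Constructed sample outputs standing in for real subfinder / amass runs (not from the article).
SUBFINDER_OUT = "www.example.com\nAPI.Example.com\nmail.example.com\n"
AMASS_OUT = "mail.example.com\ndev.example.com.\nvpn.example.com\n"
# Constructed crt.sh ?output=json response: a name_value can hold several newline-separated
# SANs, wildcard labels, and names outside the queried domain, so it needs more than sort -u.
CRTSH_JSON = json.dumps([
    {"name_value": "*.example.com\nexample.com"},
    {"name_value": "staging.example.com\nstaging.example.net"},
    {"name_value": "Mail.example.com"},
])

def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name: str, root: str = ROOT) -> bool:
    """Keep the apex and its subdomains only; a cert's SANs often list other domains."""
    return name == root or name.endswith("." + root)

def merge_results(*tool_outputs: str, crtsh_json: str = "", root: str = ROOT) -> list[str]:
    """Union of all sources, normalized, deduplicated and restricted to the target scope."""
    candidates = [line for out in tool_outputs for line in out.splitlines()]
    if crtsh_json:
        for entry in json.loads(crtsh_json):
            candidates.extend(entry["name_value"].split("\n"))
    names = {normalize(c) for c in candidates if c.strip()}
    return sorted(n for n in names if in_scope(n, root))

def validate_resolves(names: list[str]) -> list[str]:
    """The DNS-validation stage (dnsx's role in the pipeline): keep names that resolve."""
    alive = []
    for n in names:
        try:
            socket.getaddrinfo(n, None)
            alive.append(n)
        except socket.gaierror:
            pass
    return alive

if __name__ == "__main__":
    merged = merge_results(SUBFINDER_OUT, AMASS_OUT, crtsh_json=CRTSH_JSON)
    print("\n".join(merged))  # pass merged to validate_resolves() when online
```

Only `merge_results` runs offline; `validate_resolves` needs network access and is the point where unresolvable or out-of-scope names drop out before anything is handed to Nuclei.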
Key Takeaways
1. For speed and broad passive coverage, Subfinder is the best starting point -- fast, lightweight, and queries 40+ sources with a single command.
2. For maximum depth from a single tool, Amass in active mode covers passive, active, brute-force, and permutation enumeration in one package.
3. For an automated end-to-end pipeline that includes vulnerability scanning, Metric Tower chains tools together so each stage feeds the next automatically.
4. Always merge results from multiple tools and validate with DNS resolution before proceeding to downstream scanning.