Recon Playbook · Passive
Map any domain's attack surface
Passive reconnaissance via Certificate Transparency + public DNS. No HTTP requests hit the target's servers. Free, no signup.
FAQ
- Is this legal to run on domains I don't own?
- Yes. The passive playbook only queries public certificate transparency logs (crt.sh) and public DNS — the same sources Google and anyone else on the internet can read. We never send a packet to the target's own infrastructure.
- Does my scan hit the target's web servers?
- No HTTP requests hit the target's servers. Public DNS resolvers do answer from the target's authoritative name servers, so a DNS query may reach that layer — but no HTTP / TLS traffic. (Signing up adds active probing that does send requests — we'll tell you before it runs.)
- How is this different from dnsdumpster or crt.sh?
- We combine certificate transparency, passive DNS, and wildcard detection in one dataset, render it as a force-directed graph, and classify each subdomain (live / dead / wildcard / takeover candidate) so you see exposure at a glance.
- Why are some subdomains missing?
- We only see what's been logged in Certificate Transparency. Internal-only subdomains (behind VPN, no public cert) won't appear. Their absence is often a security feature, not a failure.
- What do I get by signing up?
- Per-host TLS grade, Wappalyzer tech fingerprint, common-port scan, exposed .git/.env/backup checks, HTTP screenshots, and continuous monitoring with delta alerts (Business plan).