Use cases
Attack surface & external recon
De-cloaking an origin behind a CDN or enumerating an org footprint usually means active scans — and active scans leak your intent and trip defenses. WhisperGraph maps the surface from passive data instead: every subdomain, resolving IP, and announcing ASN, with no packets sent.
You see the exposure an attacker would, including the shadow IT and forgotten infrastructure a clean asset inventory never shows.
Why this is hard without a graph
Recon tools answer one question each — a reverse-IP here, a subdomain brute-force there — and none of them join the results into a footprint. The hosting diversity that signals shadow IT, the origin hiding behind a proxy, the ASN that ties it all together: each is a separate, noisy lookup.
What changes with WhisperGraph
One hop-bounded query expands a domain to its whole footprint and keeps going where scanners stop — into the datacenters the network occupies and the routing a hijack would reach. Because it reads the graph, not the target, nothing on the other side ever sees you coming.
8 workflows in Attack surface & recon
Each one runs live on the graph — no signup.
Attack-Surface Mapper
Scores a domain, then enumerates its external footprint: subdomains (DNS+CT), nameservers, mail/SPF/DMARC, registrar, third-party SaaS/CNAME dependencies, registrant-email sibling domains, de-CDN origins, serving IPs and their ASN/TLS/threat posture, cloud region, hosting-network reputation, physical facilities and registered look-alikes.
Find Subdomains
Find Subdomains maps the full subdomain namespace of a domain: every host under the apex. It is the workhorse for attack-surface mapping, asset discovery and footprinting: enumerate what an organisation actually exposes (staging, mail, API, VPN, regional and forgotten hosts), then optionally resolve each host to where it lives (its IP(s), GeoIP location and the network (ASN) announcing it).

Retrieval is via Cypher, in three parts. The total is counted through the reverse-domain suffix index (`s.name ENDS WITH '.<domain>'`, written as a literal, the only form that does not time out). The names are walked from the `CHILD_OF` subtree anchored on the domain, paged in name order for a normal estate or taken as a bounded sample for a very large one. Each name is enriched in the same page query via `RESOLVES_TO` → IPv4, `LOCATED_IN`/`HAS_COUNTRY` → GeoIP, and `ANNOUNCED_BY` → `ROUTES` → the announcing ASN (with `HAS_NAME` for the operator name).
Find the real infrastructure behind the CDN
Runs `whisper.origins` to discover de-CDN origin candidates (with confidence and the methods that found them), then corroborates with Certificate-Transparency observations. Ranks the true origins behind a CDN like Cloudflare.
Audit shadow-IT hosting diversity
Enumerates the subdomain estate (`CHILD_OF`) and resolves each host to its provider/ASN/country, then grades the diversity: many small providers = fragmented shadow IT, one provider = concentration. Reuses the subdomain engine.
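The grading step described above can be sketched over records that have already been resolved passively. This is an added example, not WhisperGraph's code: the record layout, the Herfindahl-Hirschman index as the concentration metric, and both thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample: (hostname, announcing ASN, operator name, country).
# Hostnames use example.com; ASNs are from the range reserved for documentation.
SAMPLE = [
    ("www.example.com", 64500, "BigCloud", "US"),
    ("api.example.com", 64500, "BigCloud", "US"),
    ("mail.example.com", 64500, "BigCloud", "US"),
    ("vpn.example.com", 64500, "BigCloud", "DE"),
    ("shop.example.com", 64501, "SmallHost A", "NL"),
    ("promo.example.com", 64502, "SmallHost B", "SG"),
    ("old-crm.example.com", 64503, "SmallHost C", "BR"),
    ("parked.example.com", None, None, None),  # name exists, no resolution
]

def audit_hosting_diversity(records, tail_share=0.15, concentrated_hhi=0.6):
    """Grade how a resolved subdomain estate is spread across providers.

    Assumed metric: the Herfindahl-Hirschman index (sum of squared provider
    shares). 1.0 means a single provider; values near 0 mean many small ones.
    """
    resolved = [r for r in records if r[1] is not None]
    unresolved = [r[0] for r in records if r[1] is None]
    if not resolved:
        return {"grade": "unknown", "hhi": None, "providers": 0,
                "countries": 0, "review": [], "unresolved": unresolved}
    per_asn = Counter(asn for _, asn, _, _ in resolved)
    total = len(resolved)
    hhi = sum((n / total) ** 2 for n in per_asn.values())
    # Long-tail providers each carry a small share of the estate. Hosts on
    # them are the first to reconcile against the asset inventory.
    tail = {asn for asn, n in per_asn.items() if n / total <= tail_share}
    review = sorted(host for host, asn, _, _ in resolved if asn in tail)
    if len(per_asn) == 1 or hhi >= concentrated_hhi:
        grade = "concentrated"
    elif len(tail) >= 3:
        grade = "fragmented"
    else:
        grade = "mixed"
    return {"grade": grade, "hhi": round(hhi, 3), "providers": len(per_asn),
            "countries": len({c for *_, c in resolved}),
            "review": review, "unresolved": unresolved}

if __name__ == "__main__":
    print(audit_hosting_diversity(SAMPLE))
```

Hosts that do not resolve are reported separately rather than counted toward any provider, so a parked or stale name does not distort the grade.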
Discover assets from Certificate Transparency
Reads the `SEEN_IN_CT` observations for a domain: every certificate (including wildcards) logged in CT, with firstSeen/lastSeen. A building block for asset discovery and takeover corroboration. CT coverage is a rolling feed, so absence is not proof of none.
Detect subdomain takeover (dangling CNAME)
Enumerates the subdomain estate (`CHILD_OF`) and flags subdomains whose CNAME (`ALIAS_OF`) points to a target that no longer resolves (the classic takeover exposure), corroborated by unexpected CT certs. Whisper is passive: confirm a candidate with an active probe. The CNAME (`ALIAS_OF`) layer is prod-ahead and inert today.
Discover externally-visible AI / agent infrastructure
Enumerates the subdomain estate and filters to AI/agent-suggestive hostnames (api., mcp., ai., ml., vector., llm., agent., chat., copilot.), resolving each. This is a passive, naming-based heuristic — a signal of where to look, not a confirmed inventory.
CT-SAN sibling-asset discovery
Starts from a domain's Certificate Transparency observations and pivots to the OTHER hostnames seen in CT for the same organisation — either co-listed on the same observation node (strict SAN pivot) or sharing the registrable apex (the working co-tenant pivot on current data). Each discovered sibling is enriched with its resolving IP, owning ASN and threat verdict, and the whole set is collapsed onto its shared serving footprint, so an analyst can map connected infrastructure and tell legitimate same-org assets apart from impersonation.