whatisgithub

What is subfinder?

projectdiscovery/subfinder — explained in plain English

Analysis updated 2026-06-24

13,617GoAudience · ops devopsComplexity · 2/5Setup · easy

In one sentence

Subfinder is a fast command-line tool that discovers subdomains of a target domain by querying public internet sources like certificate logs and DNS records, without sending any traffic to the target itself.

Mindmap

mindmap
  root((subfinder))
    What It Does
      Subdomain discovery
      Passive scanning
      No target footprint
    Data Sources
      Certificate logs
      DNS datasets
      API key sources
    Output Options
      Terminal output
      File output
      JSON format
    Use Cases
      Penetration testing
      Bug bounty recon
      Security automation
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Map all subdomains of a target domain during an authorized penetration test or bug bounty assessment.

USE CASE 2

Feed a subdomain list into other security tools as the first step in a reconnaissance workflow.

USE CASE 3

Use subfinder as a Go library inside your own security automation program to enumerate subdomains without spawning a subprocess.

What is it built with?

Go

How does it compare?

projectdiscovery/subfindercasdoor/casdoorsemaphoreui/semaphore
Stars13,61713,60413,597
LanguageGoGoGo
Setup difficultyeasymoderateeasy
Complexity2/54/53/5
Audienceops devopsops devopsops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Works immediately for free public sources, optional API keys from third-party services unlock more complete subdomain data.

Open source, specific license terms are not described in the repository explanation.

So what is it?

Subfinder is a command-line tool that discovers subdomains of a website by querying public internet sources rather than actively probing or scanning the target. For example, if you give it "example.com", it searches certificate transparency logs, DNS datasets, and other public records to build a list of subdomains like "api.example.com" or "mail.example.com" that actually exist. Because it works passively and does not send requests directly to the target, it is fast and leaves no footprint on the system being researched. The tool is built for two main groups: security testers assessing a target with permission, and bug bounty hunters mapping the attack surface of a program they are authorized to research. Finding subdomains is typically one of the first steps in both cases, because each subdomain can be a separate service with its own vulnerabilities. Subfinder pulls data from many different online sources at once. Some of those sources are free and need no configuration, others require an API key that you obtain yourself from third-party services and add to a config file. More sources generally means more complete results, but the tool works out of the box without any API keys for the free sources. Results can be printed to the terminal, written to a file, or formatted as JSON, making it straightforward to feed the output into other tools in a security testing workflow. The project also ships as a Go library, so developers can call subfinder from their own programs without running it as a separate process. The project is maintained by ProjectDiscovery and is open source. A usage disclaimer is included in the repository noting that the tool should only be used on systems you are authorized to test.

Copy-paste prompts

Prompt 1
I'm doing a bug bounty on a target domain. Show me the subfinder command to enumerate all subdomains and save results to a file for further testing.
Prompt 2
Help me configure subfinder with API keys for additional data sources to get more complete subdomain results than the free sources alone.
Prompt 3
I want to pipe subfinder output directly into another recon tool. Show me the command to output JSON and use it in a pipeline.
Prompt 4
How do I use subfinder as a Go library in my own program to enumerate subdomains programmatically instead of calling it as a CLI?

Frequently asked questions

What is subfinder?

Subfinder is a fast command-line tool that discovers subdomains of a target domain by querying public internet sources like certificate logs and DNS records, without sending any traffic to the target itself.

What language is subfinder written in?

Mainly Go. The stack also includes Go.

What license does subfinder use?

Open source, specific license terms are not described in the repository explanation.

How hard is subfinder to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is subfinder for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.