Subdomain Enumeration + Attack-Surface Monitoring: Finding the Forgotten Subdomain That Kills You
Your security posture is the sum of everything you've ever exposed. Most orgs have an accurate inventory of their current public services; almost none have a full inventory of their historical public services. That historical footprint — the beta-2019.acme.com you forgot to clean out of DNS, the dev-sandbox. that points at a deprovisioned Heroku app, the blog. pointed at a GitHub Pages site that no longer exists — is the attack surface that takes you down first.
Pentestas's subdomain enumeration module continuously discovers every subdomain under your verified domains, enriches each with live-status + WAF fingerprint + open-port data, and flags the subdomain-takeover cases that turn abandoned DNS into attacker-controlled content under your brand.
The discovery sources
Pentestas queries and merges:
- Certificate transparency — every TLS certificate ever issued for a subdomain under your domain is visible in public CT logs (crt.sh, Cert Spotter). This is the single densest source of historical subdomain data.
- Passive DNS — SecurityTrails, VirusTotal, RiskIQ PassiveTotal aggregate years of DNS resolution observations.
- Active brute-force — a ~120,000-entry wordlist of common subdomain labels (api, admin, staging, legacy, v1, v2, internal, vpn, mail, …) run against your DNS.
- Wayback Machine — historical URLs the Internet Archive crawled. Often contains references to subdomains that have since been decommissioned but whose DNS remains.
- Google / Bing dorks — site:acme.com SERP extraction pulls subdomains mentioned in indexed content.
- ASN sweep — PTR records across IP ranges your org owns (Enterprise).
Sources are deduped + scored. Each finding carries the list of sources that confirmed it so you know how high-confidence the discovery is.
Per-subdomain enrichment
For every discovered subdomain, Pentestas then:
- DNS resolves — A + AAAA records.
- Live-checks — HTTP(S) probe with a realistic User-Agent; status code + server header + title.
- Port-scans — common ports (22, 80, 443, 3000, 8080, 8443) by default; full scan on request.
- Fingerprints WAF — Cloudflare, Akamai, AWS WAF, Imperva, F5, Sucuri.
- Checks takeover — does the DNS point at a deprovisioned SaaS (Heroku, S3, GitHub Pages, Azure, Netlify, Shopify, Tumblr, Fastly, Unbounce)?
The takeover check is the single most valuable signal. A dedicated rule matches each SaaS provider's "not found" fingerprint (GitHub Pages' There isn't a GitHub Pages site here. for example) and flags the subdomain as CRITICAL if the DNS still points at that provider.
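How such a takeover rule can be expressed, as an added example rather than Pentestas's own code: the check fires CRITICAL only when the DNS target still identifies a SaaS provider and that provider answers with its unclaimed-site page. The GitHub Pages fingerprint is the one quoted above; the Heroku and S3 entries, the hostname suffixes and the sample records are assumptions made for illustration.

```python
# Added example (not Pentestas's code): classify a subdomain as a takeover
# candidate from its DNS target and the body the host returns. Only the
# GitHub Pages marker comes from the page; the Heroku and S3 entries are
# well-known provider "not found" responses, included here as assumptions.
from dataclasses import dataclass
from typing import Optional

# provider -> (hostname suffixes that identify the provider,
#              substring the provider returns for an unclaimed name)
FINGERPRINTS = {
    "GitHub Pages": ((".github.io",), "There isn't a GitHub Pages site here."),
    "Heroku":       ((".herokuapp.com", ".herokudns.com"), "No such app"),
    "Amazon S3":    ((".amazonaws.com",), "NoSuchBucket"),
}

@dataclass
class Finding:
    subdomain: str
    provider: Optional[str]
    fingerprint: Optional[str]
    severity: str          # "CRITICAL", "INFO" or "NONE"

def takeover_check(subdomain: str, cname: Optional[str], body: str) -> Finding:
    """CRITICAL only when DNS still points at a SaaS provider AND that
    provider serves its own unclaimed-site page for the name."""
    target = (cname or "").rstrip(".").lower()
    for provider, (suffixes, marker) in FINGERPRINTS.items():
        if any(target.endswith(s) for s in suffixes):
            if marker in body:
                return Finding(subdomain, provider, marker, "CRITICAL")
            # DNS points at the provider but the site is still claimed:
            # track it (a deprovision flips it to CRITICAL), not critical yet
            return Finding(subdomain, provider, None, "INFO")
    return Finding(subdomain, None, None, "NONE")

# Constructed sample records: (subdomain, CNAME target, response body)
SAMPLES = [
    ("blog.acme.example", "acme.github.io.", "<h1>There isn't a GitHub Pages site here.</h1>"),
    ("docs.acme.example", "acme.github.io.", "<h1>Acme docs</h1>"),
    ("www.acme.example", None, "<h1>Acme</h1>"),
]

def scan(samples=SAMPLES):
    return [takeover_check(*s) for s in samples]

if __name__ == "__main__":
    for f in scan():
        print(f.subdomain, f.severity, f.provider or "-", f.fingerprint or "-")
```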
Why subdomain takeover is catastrophic
When your DNS points at a deprovisioned SaaS site, anyone can claim the name on that SaaS and serve arbitrary content under your domain. Consequences:
- Phishing at your brand. login.acme.com serving attacker HTML that looks identical to your real login. The browser's URL bar says "acme.com"; the TLS cert is valid (Let's Encrypt on the SaaS's side auto-provisions); your users sign in and leak creds.
- Cookie theft via same-site-ish relaxation. Cookies scoped to .acme.com are sent to login.acme.com, because cookie scope follows the domain rather than the same-origin policy. If the cookies lack the HttpOnly flag, attacker-controlled JavaScript at login.acme.com reads them.
- SEO manipulation. Attackers place spammy / illegal content at blog.acme.com; search engines index it under your brand.
- Business-email-compromise vector. Attackers send mail From: <legit-name>@acme.com claiming the takeover subdomain as a reply-to. Inbound replies land in the attacker's SaaS account.
Every takeover finding is CRITICAL. Every takeover finding ships with the SaaS provider name + the specific fingerprint string matched + the step-by-step reclaim instructions for that provider.
Typical results
For a mid-size company (~100 engineers, a decade of web presence):
- 100–2,000 subdomains discovered in a single run.
- ~70% live (200-responding or reachable via DNS+TCP).
- ~20% forgotten (404 / DNS timeout / default-landing).
- ~5% internal-leak (should not be public; DNS points at an internal-only host).
- ~2% takeover-candidate (DNS points at a deprovisioned SaaS).
- ~3% "interesting" — staging., test., dev., beta. variants that expose pre-production environments with less security than production.
The takeover rate is the headline. A single takeover is usually a 2-hour reclaim + DNS cleanup. An unreclaimed takeover that an attacker uses is a board-level incident. Pentestas catches these typically within 24 hours of the SaaS deprovisioning.
Continuous monitoring
Run once → you have a snapshot. Schedule a weekly or daily run → you have a monitor. Drift signals:
- New subdomain appeared that you didn't know about → your engineering team stood up a service without telling security.
- Existing subdomain flipped from 200 to 404 → someone deprovisioned something that was live yesterday. Start the takeover-watch clock.
- Existing subdomain flipped from 200 to takeover-candidate → the SaaS behind it just deprovisioned the site; reclaim the DNS immediately.
Settings → Scans → Schedule → daily subdomain enumeration against your verified domains. Slack alert on any new takeover-candidate. Total cost: minutes per week of human attention.
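The drift signals above, computed by diffing two scheduled-run snapshots, as an added example that is not Pentestas's code. Records use the same field set the API returns (subdomain, ip, alive, status, source, open_ports, takeover_candidate); the two snapshots and the severity labels are constructed for illustration.

```python
# Added example (not Pentestas's code): diff yesterday's and today's
# enumeration snapshots and emit the three drift signals the text lists.
from typing import Dict, List

def index(records: List[dict]) -> Dict[str, dict]:
    return {r["subdomain"]: r for r in records}

def drift(previous: List[dict], current: List[dict]) -> List[dict]:
    """One signal per changed subdomain: new / takeover / went_dark."""
    before, after = index(previous), index(current)
    signals = []
    for name, rec in after.items():
        old = before.get(name)
        if old is None:
            # Engineering stood up a service without telling security
            signals.append({"subdomain": name, "signal": "new", "severity": "MEDIUM"})
        elif rec["takeover_candidate"] and not old["takeover_candidate"]:
            # The SaaS behind it just deprovisioned the site: reclaim DNS now
            signals.append({"subdomain": name, "signal": "takeover", "severity": "CRITICAL"})
        elif old["status"] == 200 and rec["status"] != 200:
            # Live yesterday, not today: start the takeover-watch clock
            signals.append({"subdomain": name, "signal": "went_dark", "severity": "HIGH"})
    return signals

def rec(sub, status, takeover=False, ip="198.51.100.10"):
    # Same field set the API returns; the values are constructed sample data
    return {"subdomain": sub, "ip": ip, "alive": status == 200, "status": status,
            "source": ["ct"], "open_ports": [443], "takeover_candidate": takeover}

YESTERDAY = [rec("api.acme.example", 200), rec("blog.acme.example", 200),
             rec("old.acme.example", 200)]
TODAY = [rec("api.acme.example", 200), rec("blog.acme.example", 404, takeover=True),
         rec("old.acme.example", 404), rec("ai-beta.acme.example", 200)]

def run():
    return drift(YESTERDAY, TODAY)

if __name__ == "__main__":
    for s in run():
        print(s["severity"], s["signal"], s["subdomain"])
```

Anything tagged CRITICAL here is what the Slack alert should carry; the other two signals are the inventory-drift review queue.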
Industry fit
Fintech
Fintech orgs grow by M&A. Every acquired company brings a historical web footprint, often with forgotten subdomains. "SomeDefunctStartup.acme-payments.com" → decade-old blog → GitHub Pages takeover → attacker publishes "partnership announcement" claiming a fake brand. Pentestas's CT-log-driven discovery catches these in the first post-acquisition scan.
Medtech
Medtech platforms often publish patient-education or practitioner-resource subdomains on third-party CMSes. Content lifecycle is measured in years; takeovers happen when the CMS contract ends and nobody updates DNS. Continuous subdomain monitoring catches these before reputational / compliance incidents.
Legaltech
Legal firms often have per-client subdomains that linger past engagement end. clientA.legalfirm.com pointing at a deprovisioned client-specific SaaS is a brand-damaging takeover waiting to happen. Pentestas's weekly discovery + takeover check treats these as first-class findings.
Banks + insurance
Large institutions have hundreds of subdomains accumulated over decades. Takeovers here are regulator-reportable events under most breach-notification regimes (the subdomain is considered "data about the institution"). Continuous monitoring is a meaningful portion of the organisation's operational resilience programme under DORA Article 24.
SaaS companies generally
SaaS orgs that publish per-customer subdomains (customer-name.acme.com) or per-feature experiments (ai-beta.acme.com) have by-design high subdomain churn. Continuous monitoring is the only way to keep attack-surface posture current.
API access
# Authenticated scan — goes into your tenant's history
curl -X POST "https://app.pentestas.com/api/subdomain-scan" \
  -H "X-API-Key: aa_..." \
  -H "Content-Type: application/json" \
  -d '{"domain": "acme.com"}'
# Anonymous quick-recon — rate-limited, no history
curl "https://app.pentestas.com/api/public/subdomain?domain=acme.com"
Returns a list of {subdomain, ip, alive, status, source, open_ports, takeover_candidate}.
Complementary coverage
Subdomain enumeration is the discovery layer. After discovery, the interesting subdomains typically get their own full AI pentest:
- Discovery run flags 200 subdomains.
- Triage filter: live + authenticated + not known-to-you = 15 subdomains.
- Full pentest against those 15, one scan per subdomain, scheduled nightly.
Discovery gets you the attack-surface map. Pentest gets you the per-surface exploitability. Both pieces needed; Pentestas runs both from the same platform.
Further reading
- Subdomain enumeration docs
- Scheduled scans — weekly / daily discovery cadence
- Cloud storage scan — the bucket-enumeration companion