Get started
Tools / Security HTTPx / Use Cases / Enumerate Subdomains

Enumerate Subdomains

Discover all subdomains of a domain to map the full attack surface and find forgotten or hidden services.

Tool
Security HTTPx icon
Security HTTPx

Subdomains are one of the most overlooked parts of an organization's attack surface. While the main website gets regular security attention, subdomains like staging.company.com, old-api.company.com, or test-admin.company.com often run outdated software with known vulnerabilities. Attackers know this and routinely enumerate subdomains as the first step in targeting an organization.

Subdomain enumeration discovers all subdomains associated with a domain by probing DNS records, certificate transparency logs, and live host responses. The probe_hosts skill identifies which discovered subdomains have live HTTP services and what technologies they are running.

This is fundamental to any security assessment. You cannot protect subdomains you do not know about. Regular enumeration helps security teams maintain an accurate inventory, identify shadow IT, discover forgotten services, and ensure every subdomain meets the organization's security baseline. It is also the foundation for targeted vulnerability scanning -- once you know all your subdomains, you can test each one systematically.

Agent Guides

Claude

  1. Connect ToolRouter: claude mcp add toolrouter -- npx -y toolrouter-mcp
  2. Ask Claude: "Enumerate all subdomains of my domain using security-httpx" and provide the domain
  3. Claude discovers subdomains and probes each one for live services
Read full guide →

ChatGPT

  1. Configure ToolRouter in ChatGPT
  2. Ask: "Find all subdomains of my domain" and provide the root domain
  3. ChatGPT discovers and probes subdomains, returning details for each
Read full guide →

Copilot

  1. Add ToolRouter to Copilot MCP config
  2. In Copilot Chat: "Enumerate subdomains of my company domain"
  3. Copilot discovers subdomains and returns details
Read full guide →

OpenClaw

  1. Connect ToolRouter: openclaw mcp add toolrouter -- npx -y toolrouter-mcp
  2. Ask OpenClaw: "Enumerate all subdomains of my domain"
  3. OpenClaw discovers and probes subdomains
Read full guide →

Related Use Cases

Open Probe Security Headers

Probe Security Headers

Check HTTP security headers across your web properties to identify missing protections like CSP, HSTS, and X-Frame-Options.

Security HTTPx icon
Security HTTPx4 agent guides
Open Discover Hidden Services

Discover Hidden Services

Find hidden or forgotten web services running on your infrastructure that may be exposed without your knowledge.

Security HTTPx icon
Security HTTPx4 agent guides
Open Check SSL/TLS Configuration

Check SSL/TLS Configuration

Verify SSL/TLS certificate validity, protocol versions, and cipher suite configurations across your hosts.

Security HTTPx icon
Security HTTPx4 agent guides
Open Detect Web Technologies

Detect Web Technologies

Identify the web technologies, frameworks, and server software running on target hosts.

Security HTTPx icon
Security HTTPx4 agent guides

Related Workflows

Full Security AssessmentComprehensive security assessment combining infrastructure probing, vulnerability scanning, penetration testing, and CVE intelligence.SSL and DNS AuditAudit SSL certificates, DNS configuration, HTTP security headers, and domain registration for security gaps.Subdomain Security ScanEnumerate subdomains, probe services, scan for takeover vulnerabilities, and capture visual evidence.Infrastructure Health CheckVerify DNS resolution, service availability, and server locations to ensure infrastructure is healthy and correctly configured.Web Application Security TestCrawl a web application, analyze HTTP security, test for injections, and document findings with screenshots.Network ReconnaissanceMap the complete network attack surface through DNS enumeration, geolocation, service probing, and attack vector analysis.API Security TestingTest API endpoints for authentication flaws, injection vulnerabilities, and compliance with OWASP API Security Top 10.Certificate MonitoringMonitor SSL/TLS certificates for expiration, verify TLS configuration, and confirm domain ownership alignment.Cloud Security AuditAudit cloud infrastructure by discovering assets, probing for misconfigurations, testing cloud-specific attacks, and checking CVEs.Third-Party Risk AssessmentAssess third-party vendor security through identity verification, external security probing, attack surface analysis, and breach history.Continuous Security MonitoringMaintain ongoing security visibility through DNS monitoring, service probing, vulnerability scanning, and CVE tracking.Dark Web Exposure CheckCheck for organizational data exposure on the web including credential leaks, paste sites, and breach databases.