Passive Subdomain Discovery
Run low-noise passive subdomain discovery to understand attack surface expansion opportunities.
Best for teams mapping exposed internet assets, reviewing old environments, or checking whether DNS still points to systems that should have been retired.
What This Tool Checks
- A, AAAA, and CNAME discovery signals
- Confidence-scored asset mapping
- Attack-surface prioritization
Why It Matters
Attack surface expands quietly when forgotten subdomains, legacy hosts, and third-party delegations remain public after a project or migration is over.
Best For
Best for teams mapping exposed internet assets, reviewing old environments, or checking whether DNS still points to systems that should have been retired.
What To Do Next
Use the result to classify ownership first, then confirm which hosts are still needed and escalate the ones that look forgotten, exposed, or orphaned.
Related Resources
What does the Passive Subdomain Discovery look for?
Passive Subdomain Discovery focuses on a, aaaa, and cname discovery signals, confidence-scored asset mapping, attack-surface prioritization. It is designed to help teams identify this category of weakness quickly and then move into broader workflows if deeper follow-up is needed.
What is the difference between Quick and Comprehensive mode?
Quick mode stays public for focused diagnostics. Comprehensive mode is intended for authenticated workflows where users need saved history, richer follow-up, and broader account-linked execution.
When should I use the full Vulnify platform instead?
Use the full platform when you need more than one focused diagnostic, want to keep reports and history, or need scheduled scans, exports, and broader vulnerability coverage beyond passive subdomain discovery.