loading
Loading content
loading
Also known as subdomain discovery
Subdomain enumeration uncovers the hostnames that live under a registered domain, like api.example.com or vpn.example.com. Each one can point to a different application, server, or third-party service, so finding them expands the attack surface a tester or defender has to account for.
Two broad approaches do the work. Passive methods pull names from sources that already exist: certificate transparency logs, public DNS datasets, search engines, and threat feeds, none of which touch the target. Active methods generate candidate names from a wordlist and resolve them against DNS to see which respond, which catches hosts that never appear in public records. Combining both gives the widest coverage.
The payoff is reach. Defenders often track their apex domain well but lose sight of subdomains spun up by separate teams, and those forgotten hosts are exactly where stale services and dangling DNS records accumulate. Enumeration drags them back into view.
In a Trickest workflow, enumeration usually runs first and feeds everything downstream. Resolved subdomains flow into DNS enumeration, port scanning, and screenshotting, and they update the asset inventory that asset discovery maintains.
Related terms