How it works
CertControl queries Certificate Transparency (CT) logs via crt.sh (with automatic fallback to CertSpotter) to retrieve every certificate ever issued for a domain. Since every publicly trusted certificate must be logged in a CT log, this gives a near-complete picture of your subdomain landscape — including services spun up by developers, partners, or forgotten projects.
For each discovered subdomain, CertControl then:
- Performs a DNS resolution check to determine if the subdomain is currently live
- Runs a dangling domain check — detecting DNS records that point to unclaimed cloud resources (S3, Azure, GitHub Pages, etc.)
- Cross-references with your existing monitored endpoints so you can see at a glance what is already covered
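The pipeline described above, as an added example (not CertControl's own code): it extracts hostnames from crt.sh-style JSON, checks each against DNS results, flags dangling candidates, and cross-references a monitored list. The sample data, the suffix list, the function names and the dangling heuristic (a CNAME into a cloud provider's zone that yields no address) are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (name_value holds newline-separated SANs).
CRT_SH_SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\n*.example.com"},
    {"common_name": "shop.example.com", "name_value": "shop.example.com\nWWW.example.com"},
    {"common_name": "assets.example.com", "name_value": "assets.example.com"},
    {"common_name": "old.example.com", "name_value": "old.example.com\nshop.example.com"},
    {"common_name": "other.example.org", "name_value": "example.com.other.example.org"},
])
# Constructed resolver results: hostname -> (CNAME target or None, resolved IP or None).
DNS_SAMPLE = {
    "example.com": (None, "203.0.113.10"),
    "www.example.com": (None, "203.0.113.10"),
    "shop.example.com": (None, "203.0.113.20"),
    "assets.example.com": ("example-assets.azurewebsites.net", None),
}
# Assumed suffixes for the services the page names (S3, Azure, GitHub Pages).
CLOUD_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".github.io")

def hostnames_from_ct(raw_json, root):
    """Extract unique hostnames under `root` from crt.sh-style entries."""
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # a wildcard entry only proves the parent name
            if name == root or name.endswith("." + root):  # drop look-alike zones
                names.add(name)
    return sorted(names)

def classify(host, dns):
    """Return (dns_column, status); status is live, dangling or no DNS."""
    cname, ip = dns.get(host, (None, None))
    if ip:
        return ip, "live"
    if cname and cname.endswith(CLOUD_SUFFIXES):
        return "no DNS", "dangling"  # heuristic only; confirm with the provider
    return "no DNS", "no DNS"

def discover(raw_json, root, dns, monitored):
    """Build one result row per hostname, mirroring the columns of the results table."""
    rows = {h: classify(h, dns) for h in hostnames_from_ct(raw_json, root)}
    ips = [d for d, s in rows.values() if s == "live"]
    return {h: {"dns": d, "status": s, "monitored": h in monitored,
                "shared_ip": ips.count(d) - 1 if s == "live" else 0}
            for h, (d, s) in rows.items()}
```

Calling `discover(CRT_SH_SAMPLE, "example.com", DNS_SAMPLE, {"example.com"})` returns one row per hostname; in practice the JSON would come from a CT log query and the DNS table from a resolver.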
Go to Scanner → Subdomains
In the left-hand menu click Scanner, then select the Subdomains tab.
Enter a root domain and search
Type your root domain — for example example.com — and click Discover. Do not include www. or a subdomain prefix; always use the root domain to get a full picture.
Review the results
Each row in the results table shows:
| Column | What it means |
|---|---|
| Hostname | The discovered subdomain |
| DNS | Resolved IP address, or "no DNS" if the record no longer exists |
| Status | live: DNS resolves; dangling: DNS points to unclaimed resource; not monitored: not yet in your endpoint list |
| Shared IP | Number of other subdomains resolving to the same IP — useful for spotting shared hosting |
Add unmonitored subdomains as endpoints
Click Add to endpoints next to any subdomain marked not monitored to immediately start scanning it. CertControl will run a full certificate and TLS scan within seconds.