Owais Shaikh
Senior Security Researcher • 5x BlackHat USA and MEA speaker
Imagine this: you are a CISO. Your organization, example.com, is a building. Scattered around it are doors, loading bays, parking garages and a basement. Some are locked, some aren’t. Some weren’t even in the original design. Some were never closed.
Subdomain discovery is like trying to find each of those doors, but from the perspective of an attacker. These could be dev.company.com, vpn.company.com, apiv1.company.com, you name it. Each of these “subdomains” is a distinct DNS entry mapped to an actual machine. Together, they form the perimeter of your organization, which is the primary target for attackers. Researchers at the Vienna University of Technology discovered almost 1,520 vulnerable subdomains across 50,000 of the world’s most popular websites, a number which keeps on growing!
This is done by enumerating all available DNS records of a registered domain through a combination of techniques. The goal is simple to state, yet complex to achieve: identify every reachable hostname that resolves to infrastructure owned by that domain. You can’t just grab DNS records, though; you also need to work out the easy paths that an attacker could hijack.
More subdomains, more risks
Modern companies don’t just operate on one domain. Marketing campaigns spin up landing pages, development teams deploy test environments, experiments live briefly, then vanish. All these subdomains multiply and quietly expand your attack surface. At Zeron, subdomain discovery isn’t just a checklist feature. Our attack surface management platform paints a living picture of how an organization functions on the internet, how it integrates partners, and how it can accidentally expose issues that are ripe to exploit.
In less than a year, the Security Research team at Zeron crossed the one-billion mark for total discovered subdomains across the internet.
Most public tools perform a one-time enumeration. Zeron’s subdomain discovery is a continuous accumulation of a wide range of signals via dozens of pipelines, built up over several years.
Every time a domain is searched via Zeron’s ASM [Externo], each query feeds back into our systems, triggering dynamic discovery based on newly observed patterns.
Not only do we ingest public sources such as certificate transparency logs, DNS records, and historical resolution data, but we also scan live and historical commits across platforms like GitHub, GitLab, and Bitbucket, where subdomains appear in configuration files, YAML files, CI/CD pipelines, and hardcoded endpoints.
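As an added illustration of the repository-scanning idea above (this is not Zeron’s pipeline code), the following Python extracts in-scope hostnames from the kinds of files mentioned, a YAML config, a CI/CD pipeline and a source file with a hardcoded endpoint, normalizes them so one asset written three ways is counted once, and records which file each one came from. The sample file contents and the example.com apex are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of repository content of the kinds the article lists
# (a YAML config, a CI/CD pipeline, a hardcoded endpoint). Not real files from
# any project; example.com is the apex being inventoried.
SAMPLE_FILES = {
    "config/app.yaml": """
database:
  host: db-prod.example.com
cache:
  host: redis.internal.example.com
""",
    ".gitlab-ci.yml": """
deploy_staging:
  script:
    - curl -sf https://staging-eu.example.com/health
    - curl -sf https://api.example.com/v1/status
""",
    "src/client.js": """
const BASE = "https://apiv1.example.com/";
const CDN = "https://cdn.examplecdn.com/";       // different registrable domain, out of scope
const LEGACY = "HTTP://Legacy.Example.COM./old"; // mixed case, trailing dot
""",
}

# Candidate hostname: dotted labels of letters, digits and hyphens ending in an
# alphabetic TLD. The lookbehind stops matches that start mid-token, and IP
# addresses fail the alphabetic-TLD requirement.
HOSTNAME_RE = re.compile(r"(?<![A-Za-z0-9.-])[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")


def extract_subdomains(files, apex):
    """Return {subdomain: sorted list of files it appears in} for hostnames
    under apex. Hostnames are normalized (lowercase, trailing dot removed) so
    the same asset written differently is counted once; the file paths give
    the per-subdomain 'occurrences and sources' context."""
    suffix = "." + apex.lower()
    found = defaultdict(set)
    for path, text in files.items():
        for raw in HOSTNAME_RE.findall(text):
            host = raw.lower().rstrip(".")
            # Keep only true subdomains of the apex: a plain substring check
            # would let look-alikes such as examplecdn.com slip in.
            if host.endswith(suffix):
                found[host].add(path)
    return {host: sorted(paths) for host, paths in sorted(found.items())}


if __name__ == "__main__":
    for host, paths in extract_subdomains(SAMPLE_FILES, "example.com").items():
        print(f"{host:32} <- {', '.join(paths)}")
```

Run against real repositories, the same function would be fed file contents from a clone or an API listing; the suffix check is what keeps a cdn.examplecdn.com style look-alike out of the inventory while the trailing-dot and case handling keep Legacy.Example.COM. from appearing as a separate asset.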
Typo-squatting and homoglyph variants represent brand abuse, phishing risk and shadow campaigns. Security-wise, they are early indicators of impersonation and credential harvesting.
Our at-scale permutation and combination logic identifies patterns common in development and marketing teams: regional prefixes, staging deployments, and branding material. These aren’t just guesses. They come from frequency and reuse across the internet.
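To show what “frequency and reuse” driven permutation means in practice, here is an added Python example (not Zeron’s logic) that learns a token vocabulary from subdomains already observed for an apex, keeps only tokens that recur, and combines them into candidate names that can then be resolved to find sprawl the organization did not know about. The observed hostnames and the example.com apex are constructed for the example.

```python
from collections import Counter
from itertools import product

# Constructed sample of hostnames already observed for an apex (not Zeron's data).
OBSERVED = [
    "api.example.com", "api-staging.example.com", "api-eu.example.com",
    "www.example.com", "www-staging.example.com",
    "portal.example.com", "portal-eu.example.com", "portal-us.example.com",
    "dev.example.com", "dev-us.example.com",
]


def leftmost_labels(hosts, apex):
    """Yield the leftmost DNS label of every host under apex, e.g. 'api-staging'."""
    suffix = "." + apex.lower()
    for host in hosts:
        host = host.lower().rstrip(".")
        if host.endswith(suffix):
            yield host[: -len(suffix)].split(".")[0]


def _frequent(counter, min_count):
    """Tokens seen at least min_count times; a token seen once is noise, not a pattern."""
    return {tok for tok, n in counter.items() if n >= min_count}


def learn_tokens(hosts, apex, min_count=2):
    """Split labels on '-' and count tokens. The first token of a label is a
    'base' (api, portal, ...); the rest are 'modifiers' (staging, eu, us, ...).
    Frequency, not guesswork, decides the vocabulary."""
    bases, modifiers = Counter(), Counter()
    for label in leftmost_labels(hosts, apex):
        parts = label.split("-")
        bases[parts[0]] += 1
        modifiers.update(parts[1:])
    return _frequent(bases, min_count), _frequent(modifiers, min_count)


def generate_candidates(hosts, apex, min_count=2):
    """Combine every learned base with every learned modifier in three common
    shapes (base-mod, mod-base, mod.base) and return the names not already
    observed, sorted, ready to be resolved against DNS."""
    apex = apex.lower()
    bases, modifiers = learn_tokens(hosts, apex, min_count)
    known = {h.lower().rstrip(".") for h in hosts}
    candidates = set()
    for base, mod in product(sorted(bases), sorted(modifiers)):
        for label in (f"{base}-{mod}", f"{mod}-{base}", f"{mod}.{base}"):
            host = f"{label}.{apex}"
            if host not in known:
                candidates.add(host)
    return sorted(candidates)


if __name__ == "__main__":
    for host in generate_candidates(OBSERVED, "example.com"):
        print(host)
```

Raising min_count tightens the vocabulary: with the constructed sample, a threshold of 3 keeps api and portal as bases but discards every regional and staging modifier, so no candidates are produced. In a real pipeline the vocabulary would be learned across many organizations, which is what lets recurring naming habits surface.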
The result is a signal-rich data matrix of subdomains and domains that reflects how a brand functions and how it is reused, and sometimes misused, across the internet.
Benchmarks Against Popular Tools
To ground our claims, we benchmarked our subdomain counts against three of the most popular open-source subdomain enumeration tools available: amass, subfinder, and Sublist3r.
The methodology is quite simple:
- Choose 3 target companies operating at different scales
- Run each tool in its most advanced possible configuration
- Clean and de-duplicate their results to match Zeron’s accuracy
- Compare the number of subdomains discovered
- Compare the diversity and uniqueness of data from each tool
For our study, we chose Apple Inc (apple.com), HDFC Bank (hdfc.bank.in) and Accenture (accenture.com), all three being companies located in different parts of the world, in different industries and serving a vast variety of customers.
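The cleaning, de-duplication and comparison steps of the methodology above, as an added Python example (not the scripts used for the article’s benchmark): tool outputs are normalized to one canonical form, restricted to hostnames under the apex, de-duplicated, and then compared by count, by ratio against a baseline tool, by how many hosts only that tool found, and by Jaccard overlap with the baseline. The tool names, their outputs and the apex are constructed; the numbers bear no relation to the counts reported in the article.

```python
# Constructed outputs of three hypothetical tools for one apex. They contain
# the messiness real tools produce: mixed case, trailing dots, wildcard
# entries, duplicates, the apex itself and an out-of-scope domain.
TOOL_RESULTS = {
    "tool_a": ["www.example.com", "API.example.com.", "*.dev.example.com",
               "mail.example.com", "www.example.com", "example.com"],
    "tool_b": ["www.example.com", "api.example.com", "dev.example.com",
               "cdn.example.net", "old-vpn.example.com"],
    "tool_c": ["Www.Example.Com", "shop.example.com"],
}


def normalize(hosts, apex):
    """Lowercase, strip whitespace, trailing dots and a leading wildcard label,
    drop the apex itself and anything outside it, and de-duplicate."""
    apex = apex.lower()
    clean = set()
    for host in hosts:
        host = host.strip().lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]
        if host != apex and host.endswith("." + apex):
            clean.add(host)
    return clean


def compare(results, apex, baseline):
    """Per-tool metrics after normalization: raw count, count ratio against the
    baseline tool, number of hosts no other tool found, and Jaccard similarity
    with the baseline (1.0 = identical sets, 0.0 = disjoint)."""
    clean = {tool: normalize(hosts, apex) for tool, hosts in results.items()}
    base = clean[baseline]
    report = {}
    for tool, hosts in clean.items():
        others = set().union(*(h for t, h in clean.items() if t != tool))
        union = hosts | base
        report[tool] = {
            "count": len(hosts),
            "ratio_vs_baseline": round(len(hosts) / len(base), 2) if base else None,
            "unique_to_tool": len(hosts - others),
            "jaccard_vs_baseline": round(len(hosts & base) / len(union), 2) if union else 0.0,
        }
    return report


if __name__ == "__main__":
    for tool, metrics in compare(TOOL_RESULTS, "example.com", "tool_a").items():
        print(tool, metrics)
```

The uniqueness metrics are the ones that separate breadth from depth: two tools can report the same count while one of them contributes nothing the others lack, and a low Jaccard score against the baseline with a high unique-to-tool count is exactly the signature of a tool that is finding a different class of asset.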
amass
OWASP’s amass is a comprehensive asset discovery and subdomain enumeration framework. It is widely considered a gold standard for open-source enumeration.
We ran amass overnight, since we configured it to continuously enumerate from passive sources as well. It performed as expected for a mature, popular subdomain enumeration framework. amass’ strength lies in breadth across passive sources combined with active resolution and brute-forcing, an approach that inspired Zeron. Unlike amass, however, Zeron’s ASM returned all these results in just 5 seconds.
For hdfc.bank.in, amass identified 211 unique subdomains, while Zeron captured 483 unique subdomains, representing a 2.3× increase.
This result is quite interesting, given the October 2025 mandate by the Reserve Bank of India requiring all commercial Indian banks to migrate to a bank.in domain before the end of the year. This resulted in the domain hdfcbank.com being migrated to hdfc.bank.in. Zeron was easily able to keep up with this change, while amass could not.
For apple.com and accenture.com, the situation is different. While amass reliably captured long-standing and infrastructure-centric subdomains, it consistently underrepresented developer-driven assets and marketing campaigns, where Zeron’s offering excelled. Amass captured 2,903 subdomains for apple.com, while Zeron found 44,958 subdomains. For accenture.com, amass discovered 2,217 subdomains, versus a staggering 88,557 subdomains from Zeron.
Zeron’s ASM was also able to identify the origin of these subdomains, which was mostly certificate tree expansion and renewal, and developer-introduced hostnames in public code repositories and endpoints. A significant portion of Zeron’s discoveries corresponded to short-lived infrastructure, internal endpoints, and region-specific environments that were absent from amass’ results.
Sublist3r
Sublist3r is a classic Python-based OSINT subdomain enumeration tool that pulls data from search engines and third-party services like VirusTotal. It is widely referenced in reconnaissance pipelines, especially for bug bounties and in penetration testing. This approach reflects an earlier generation of OSINT-based enumeration.
For accenture.com, Sublist3r identified just 123 unique subdomains. Zeron, however, discovered 88,557 unique subdomains, representing a 720× increase. This enormous gap highlights not just the breadth of Zeron’s subdomain search, but also its depth. While tools like Sublist3r rely on pre-enumerated sources, Zeron uses more optimized techniques, yet yields more results almost instantly.
subfinder
subfinder is a fast, passive subdomain discovery tool built by the renowned Project Discovery. It aggregates results from multiple online sources and APIs. It works especially well when provided with multiple API keys from popular OSINT sources.
subfinder demonstrates strong performance compared to both amass and Sublist3r, which is expected, since we supplied it with as many API keys as we could. Its passive-first architecture makes it especially efficient for domains with public exposure.
While subfinder produced a far narrower gap than both amass and Sublist3r, Zeron still came out ahead. For apple.com, the tool returned 40,618 unique subdomains after a 10-minute scan, while Zeron returned 44,958 unique subdomains. Unlike subfinder, however, Zeron performs incremental discovery of subdomains with low online visibility but high internal reuse, which subfinder cannot detect.
In addition, Zeron also contextualizes what is actively used. This provides a plethora of metrics, such as occurrences and sources, showcasing a subdomain’s entire life cycle. For a given set of subdomains, we can also discover usernames and emails on various platforms, discover assets, vulnerabilities and associated organization financials.
Such an in-depth overview is unheard of in the industry. That is the difference between enumeration and continuous discovery, and that is where Zeron excels.
Why Organizations Should Care
An undiscovered or forgotten subdomain can become a phishing page, a defaced landing site, or a broken user journey that silently bleeds credibility. Conversely, understanding the full subdomain landscape gives teams visibility into sprawl, execution, and shadow deployments that never made it into official documentation.
Attackers attack from places that aren’t obvious. This makes subdomain enumeration the first step in their plans, and one that developers tend to neglect. Zeron doesn’t just help teams reduce risk. It gives organizations a clearer picture of their risk: messy, distributed, and ever-changing.
Conclusion
In the end, subdomain discovery isn’t about who can generate the longest list. It’s about translating cyber chaos into measurable risk. Every subdomain is a checkpoint, a forgotten experiment, or an unexpected liability.
Zeron doesn’t just stop at discovering subdomains. We quantify what it translates to in terms of cyber risk. We turn raw discovery into defensible, executive-level insight.
When your attack surface is alive and expanding, and static tools fall behind, Zeron keeps score in real-time.
That’s the reality. We built for it.