> ## Documentation Index
> Fetch the complete documentation index at: https://docs.withgiga.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Subdomain Enumeration

> Seven passive OSINT sources combined for full attack surface discovery

# Subdomain Enumeration

Every audit begins by enumerating the target's subdomains. WithGiga uses **passive OSINT only** — no DNS brute-force, no traffic to the target during enumeration. This keeps the engagement quiet and minimizes false positives.

## The seven sources

GigaOps queries all of these in parallel and merges results:

| Source              | Type                     | Coverage                                       |
| ------------------- | ------------------------ | ---------------------------------------------- |
| **crt.sh**          | Certificate Transparency | Subdomains observed in issued TLS certificates |
| **HackerTarget**    | DNS aggregation          | Multi-source DNS dataset                       |
| **AlienVault OTX**  | Threat intelligence      | Subdomains observed in security telemetry      |
| **Anubis**          | DNS history database     | Historical and current DNS records             |
| **URLScan.io**      | URL scanning archive     | Subdomains observed across scanned URLs        |
| **Wayback Machine** | Web archive              | Subdomains referenced in archived pages        |
| **RapidDNS**        | DNS query aggregator     | Cross-source DNS dataset                       |

Each source contributes a partial view. Combining them produces the most complete passive subdomain set practically obtainable.

## Validation

Raw OSINT results contain noise — expired DNS, typos, decommissioned subdomains. GigaOps validates every candidate:

1. **DNS resolution** — does the subdomain still resolve?
2. **Liveness** — is anything answering on common ports (80, 443, plus discovered ones)?
3. **HTTP response** — does the live host respond meaningfully (not 404 from a default page)?
4. **Stack fingerprinting** — what is it (so later phases can target appropriately)?

Subdomains that pass validation become the working target set for phases 3+.

## Targeting the right scope

By default, enumeration is scoped to the workspace's primary domain and any explicit subdomains you pass in `targets`.

```bash theme={null}
# Audit the primary domain and let GigaOps discover everything else
curl -X POST .../audits -d '{"type":"deep","targets":["acme.example.com"]}'

# Audit a specific set of subdomains and enumerate only within them
curl -X POST .../audits -d '{
  "type":"deep",
  "targets":[
    "app.acme.example.com",
    "api.acme.example.com",
    "admin.acme.example.com"
  ]
}'
```

GigaOps will enumerate subdomains under whatever apex domain it can derive from the targets. If you want to restrict scope strictly to the targets you pass, say so in [Autonomous](/audits/autonomous) mode:

```
Scope: Test only the three subdomains passed in `targets`. Do not
enumerate, scan, or interact with any other subdomain under
acme.example.com.
```

## What you'll see in the report

The audit report includes an **Attack Surface** section listing every subdomain discovered, marked as in-scope or out-of-scope, with the source that surfaced each one. This serves as both:

* Evidence of enumeration coverage
* A starting point for the next engagement

## Targets that don't show up

Passive OSINT will miss:

* Internal-only subdomains that never appear in CT logs or public scans
* Subdomains created very recently (under a few hours old)
* Subdomains intentionally excluded from public DNS

If you need to test internal subdomains or pre-launch infrastructure, pass them explicitly in `targets`.

## Programmatic access

You can run subdomain enumeration as a standalone operation, separate from a full audit:

```bash theme={null}
curl -X POST https://api.withgiga.ai/api/subdomains \
  -H "Authorization: Bearer $GIGA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "acme.example.com"}'
```

See the [Subdomains API reference](/api-reference/subdomains) for details.
