Subdomain OSINT Guide

Certificate Transparency (CT) Logs Explained

How an append-only ledger designed to prevent rogue certificates became a key resource for security reconnaissance.

The Cryptographic Audit Trail

Certificate Transparency (CT) is an open framework designed to monitor and audit the issuance of SSL/TLS certificates. The system mandates that Certificate Authorities (CAs) log every certificate they issue to public, cryptographically verifiable, append-only ledgers.

The Reconnaissance Leak

While CT logs were created to detect rogue or unauthorized certificates (such as an attacker trying to issue a fake certificate for a bank), they also act as a directory of an organization's subdomains.

The moment a developer obtains a certificate from a CA for a subdomain (e.g., staging-payment.example.com), that record is pushed to public CT logs, hostname included. Security researchers query these logs via interfaces like crt.sh to map an organization's external attack surface.
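A defender's view of the leak described above, as an added example (not code from this page or from crt.sh): it reads records shaped like crt.sh's JSON output, keeps the names under your own domain, and lists logged hostnames that are missing from an asset inventory. The sample records, the inventory and the function name `ct_exposure` are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample shaped like crt.sh JSON output (?q=%.example.com&output=json).
# name_value holds the certificate's DNS names, newline-separated.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "entry_timestamp": "2024-03-02T10:15:00",
     "name_value": "www.example.com\nexample.com"},
    {"id": 1002, "entry_timestamp": "2024-05-20T08:00:00",
     "name_value": "staging-payment.example.com"},
    {"id": 1003, "entry_timestamp": "2024-06-11T09:30:00",
     "name_value": "*.dev.example.com"},
    {"id": 1004, "entry_timestamp": "2024-01-05T12:00:00",
     "name_value": "WWW.example.com\ncdn.partner.net"},  # shared cert, mixed case
])

def ct_exposure(ct_json, domain, inventory):
    """Return (unmanaged, wildcards): logged hostnames missing from the
    inventory with their first-seen time, and wildcard patterns seen."""
    first_seen, wildcards = {}, set()
    suffix = "." + domain.lower()
    for rec in json.loads(ct_json):
        seen = datetime.fromisoformat(rec["entry_timestamp"])
        for name in rec["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name != domain.lower() and not name.endswith(suffix):
                continue  # SAN for another organisation on a shared certificate
            if name.startswith("*."):
                wildcards.add(name)  # covers hosts without naming them
                continue
            if name not in first_seen or seen < first_seen[name]:
                first_seen[name] = seen
    known = {h.lower() for h in inventory}
    unmanaged = {n: t for n, t in first_seen.items() if n not in known}
    return unmanaged, wildcards

if __name__ == "__main__":
    # Hypothetical asset inventory for the example domain.
    inventory = ["example.com", "www.example.com"]
    unmanaged, wildcards = ct_exposure(SAMPLE_CT_JSON, "example.com", inventory)
    for name, seen in sorted(unmanaged.items(), key=lambda kv: kv[1]):
        print(f"not in inventory: {name} (first logged {seen:%Y-%m-%d})")
    for pattern in sorted(wildcards):
        print(f"wildcard only: {pattern} (individual hosts not listed)")
```

Hostnames reported as missing from the inventory are the ones to review first: each is publicly listed in CT whether or not anyone on your side still tracks the host.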

Frequently Asked Questions

What is an append-only ledger in CT?

A database structure using Merkle Trees where records can only be added, never modified or deleted, ensuring the integrity of the certificate log.

Can wildcard certificates hide subdomains in CT logs?

Yes. If an organization generates a wildcard certificate (*.example.com), individual subdomains are not logged, limiting passive discovery via CT logs.

Are CT logs updated in real-time?

Yes, CAs typically log certificates within seconds of issuance, allowing researchers to monitor new hosts as they are created.