Subdomain Monitoring & Discovery

Every forgotten subdomain is an unlocked door. DriftAlarm continuously discovers, inventories, and monitors all subdomains across your domains — surfacing shadow IT, staging environments, and takeover risks before attackers find them.

Scans complete in under 90 seconds

Why Subdomains Are Your Biggest Blind Spot

Modern organizations accumulate subdomains at an alarming rate. Marketing launches a campaign microsite on promo.example.com. Engineering spins up staging.api.example.com for a sprint demo. A contractor sets up vendor-portal.example.com for a short-term project. Months later, the projects end, the teams move on, and the subdomains remain — unpatched, unmonitored, and pointing at infrastructure nobody remembers provisioning.

These orphaned subdomains are a leading entry point in external attacks. A subdomain pointing to a decommissioned cloud instance can be hijacked through a subdomain takeover, letting an attacker serve phishing pages or malware from your own domain. A forgotten staging environment running an outdated application version may expose admin panels on ports like 8080 or 8443, complete with default credentials. Shadow IT subdomains bypass your security controls entirely because your team does not know they exist.

The challenge is not just discovery — it is continuous monitoring. A subdomain that is safe today can become dangerous tomorrow when its underlying infrastructure changes, its SSL certificate expires, or a new CVE affects the software it runs. Traditional approaches like annual penetration tests and manual DNS audits only capture a point-in-time snapshot. By the time the next audit arrives, dozens of new subdomains may have appeared, and existing ones may have drifted into a vulnerable state.

External attack surface management (EASM) platforms like DriftAlarm solve this by treating subdomain monitoring as a continuous, automated process rather than a periodic manual task. Instead of relying on someone to remember every subdomain, DriftAlarm discovers them programmatically and watches for changes around the clock.

76% of organizations have at least one dangling DNS record vulnerable to subdomain takeover

40%+ of external attack surface consists of unknown or forgotten assets including subdomains

12 min: average time for attackers to begin exploiting a newly discovered dangling subdomain

How DriftAlarm Discovers and Monitors Subdomains

1. Automated Subdomain Enumeration

DriftAlarm uses Amass, the industry-standard open-source reconnaissance tool, to enumerate subdomains through passive DNS databases, certificate transparency logs, search engine scraping, and active brute-force techniques. This multi-source approach uncovers subdomains that single-method tools miss — including those created by third-party services, CDN configurations, and legacy DNS entries.

2. HTTP Probing and Service Fingerprinting

Every discovered subdomain is probed with httpx to determine what is actually running. DriftAlarm checks HTTP and HTTPS on standard ports (80, 443) and common alternative ports (8080, 8443, 3000, 9090). The probe captures response codes, page titles, server headers, TLS certificate details, and technology fingerprints — giving you a clear picture of what each subdomain is serving.

3. Risk Assessment and Categorization

Each subdomain is assessed for risk indicators: dangling CNAME records that could enable takeover, expired or mismatched SSL certificates, exposed administrative interfaces, outdated software versions, and open ports running unnecessary services. Subdomains are categorized by risk severity so your team can prioritize remediation.

4. Continuous Drift Detection

DriftAlarm establishes a baseline of your subdomain inventory and monitors for changes using 32 built-in drift detection rules across 7 rule packs. When a new subdomain appears, an existing subdomain changes its DNS resolution, an SSL certificate approaches expiry, or a previously closed port opens, DriftAlarm triggers an alert through Slack or email notifications. This drift detection is what sets DriftAlarm apart from one-time scanning tools.

5. AI-Powered Remediation Guidance

When DriftAlarm identifies a risky subdomain, Claude AI analyzes the specific context — the subdomain's DNS configuration, the services running on it, the technologies detected — and provides actionable remediation steps. Instead of a generic 'fix this vulnerability' alert, you get specific guidance like 'Remove the CNAME record pointing to the deprovisioned Heroku app at example.herokudns.com to prevent subdomain takeover.'
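
The baseline comparison described in the drift detection step can be sketched as follows. This is an added example, not DriftAlarm's code or one of its 32 rules: the record layout, the finding names, the severities, and the 30-day certificate window are assumptions, and both snapshots are constructed sample data.

```python
from datetime import date

def rec(ips, ports, cert_expiry, cname=None):
    """One inventory record: resolved IPs, open ports, cert expiry, CNAME target."""
    return {"ips": set(ips), "ports": set(ports), "cert": cert_expiry, "cname": cname}

# Constructed sample snapshots (documentation addresses, not real scan output).
BASELINE = {
    "www.example.com": rec(["203.0.113.10"], [80, 443], "2025-09-01"),
    "promo.example.com": rec(["203.0.113.20"], [443], "2025-08-01",
                             cname="promo.hosting.example.net"),
    "staging.api.example.com": rec(["203.0.113.30"], [443], "2025-03-10"),
}
CURRENT = {
    "www.example.com": rec(["203.0.113.10"], [80, 443], "2025-09-01"),
    # CNAME is still published, but its target no longer resolves.
    "promo.example.com": rec([], [], None, cname="promo.hosting.example.net"),
    "staging.api.example.com": rec(["203.0.113.30"], [443, 8080], "2025-03-10"),
    "vendor-portal.example.com": rec(["203.0.113.40"], [443], "2025-12-01"),
}

def detect_drift(baseline, current, today, cert_warn_days=30):
    """Return sorted (host, finding, severity) tuples for changes since baseline."""
    findings = []
    for host in current.keys() - baseline.keys():
        findings.append((host, "new_subdomain", "high"))
    for host in baseline.keys() - current.keys():
        findings.append((host, "removed_subdomain", "info"))
    for host, new in current.items():
        # A CNAME with no resolvable target is the takeover precondition.
        dangling = bool(new["cname"]) and not new["ips"]
        if dangling:
            findings.append((host, "dangling_cname", "critical"))
        if new["cert"] and (date.fromisoformat(new["cert"]) - today).days <= cert_warn_days:
            findings.append((host, "cert_expiring", "medium"))
        old = baseline.get(host)
        if old is None:
            continue  # new host: nothing to compare against
        if not dangling and old["ips"] != new["ips"]:
            findings.append((host, "dns_resolution_changed", "medium"))
        for port in sorted(new["ports"] - old["ports"]):
            findings.append((host, f"port_opened:{port}", "high"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT, today=date(2025, 2, 20)):
        print(finding)
```

Hosts present only in the current snapshot are reported once as new and still checked for dangling CNAMEs and certificate expiry, so a subdomain that first appears already misconfigured is not missed.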

What You Get

Complete Subdomain Inventory

Maintain a continuously updated inventory of every subdomain across all your domains. DriftAlarm combines passive reconnaissance (certificate transparency logs, DNS databases, web archives) with active enumeration to build the most comprehensive subdomain map possible. See every subdomain, its IP resolution, HTTP response, and technology stack in a single view.

Subdomain Takeover Detection

Automatically identify dangling DNS records where a subdomain's CNAME points to a third-party service (AWS S3, Azure, Heroku, GitHub Pages, Shopify) that has been deprovisioned. DriftAlarm checks for the specific error responses and HTTP status codes that indicate a takeover opportunity, flagging them as critical before an attacker can claim the orphaned resource.

Shadow IT Discovery

Surface subdomains created outside of approved change management processes. When a developer spins up a staging environment, a marketing team launches a campaign microsite, or a contractor deploys a vendor portal, DriftAlarm discovers it during the next scan cycle and alerts your security team. No more relying on people to remember to submit a ticket.

New Subdomain Alerts with Drift Detection

Receive immediate Slack or email notifications when new subdomains appear on your domains. DriftAlarm's drift detection engine compares each scan against your established baseline and flags any additions, removals, or changes. Track the rate of subdomain growth over time and correlate new subdomains with internal change records.

Technology and Service Fingerprinting

For each discovered subdomain, DriftAlarm identifies the web server (Apache, Nginx, IIS), application framework (React, WordPress, Django), hosting provider (AWS, Azure, GCP, Cloudflare), and any exposed APIs or admin interfaces. This technology inventory helps you assess patch obligations and identify subdomains running end-of-life software.

DNS Record Monitoring

Track A, AAAA, MX, NS, CNAME, and TXT records for every subdomain using RDAP lookups. DriftAlarm detects unauthorized DNS changes, identifies subdomains with conflicting DNS configurations, and monitors for DNS hijacking indicators. Changes to DNS records trigger drift alerts so you can investigate immediately.

Who Uses This

Security Engineers and SOC Teams

Security engineers use DriftAlarm's subdomain monitoring to maintain a continuously updated external asset inventory. Instead of running manual Amass scans and parsing output files, they get a structured inventory with risk assessments and change tracking. SOC teams configure drift alerts to Slack channels so new or changed subdomains are reviewed as part of daily operations, reducing mean time to detect shadow IT from weeks to hours.

IT and Infrastructure Managers

IT managers responsible for DNS hygiene and domain management use DriftAlarm to ensure that decommissioned projects have their DNS records cleaned up. When a cloud resource is deleted but the CNAME record remains, DriftAlarm flags the dangling reference before it becomes a takeover risk. This is especially valuable for organizations using multiple cloud providers where DNS records span AWS Route 53, Azure DNS, and Cloudflare.

Compliance and Risk Teams

Compliance teams use DriftAlarm's subdomain inventory to satisfy external asset management requirements in SOC 2, ISO 27001, and PCI DSS frameworks. The continuous monitoring provides evidence that the organization maintains an up-to-date inventory of internet-facing assets and actively manages the risk of unauthorized or forgotten subdomains.

DevOps and Platform Engineering Teams

DevOps teams use subdomain monitoring to catch staging and development environments that were never properly decommissioned. DriftAlarm surfaces subdomains like dev.api.example.com or staging-v2.example.com that may be running outdated code, exposed debugging endpoints, or open database ports. Integrating DriftAlarm alerts into the team's Slack channel creates a feedback loop between infrastructure provisioning and security hygiene.

Discover Every Subdomain Across Your Attack Surface

30-day free trial. No credit card required. Results in 90 seconds.
