EN English ES Español DE Deutsch FR Français PT Português JP 日本語 CN 中文 IT Italiano KR 한국어 NL Nederlands
Recipe12 credits

Infrastructure Discovery

Map your organization's external infrastructure and attack surface. Discover subdomains, identify exposed services, and find potential security gaps before attackers do.

What's Included

Subdomain Enum Discover all subdomains
IP Mapping Infrastructure topology
Security Scan Exposed services detection
Asset Inventory Complete digital footprint
SubdomainsSSL CertsDNS LookupIP LookupTech Stack
Interactive intelligence tool

Run the check, then ship the workflow

Use the browser tool for a fast answer, then move the same logic into scripts, monitoring, or product flows when it becomes repeatable.

1
Start with the live form

Enter a domain, URL, IP, email, or record and get a focused result without setup.

2
Review decision-ready signals

Outputs highlight statuses, risks, records, and next actions instead of raw provider noise.

3
Automate the winning workflow

Use the request and response examples to turn a one-off check into an API call or recipe.

Used by people at amazing companies

VercelLLM PulseOLXCasa ModernaPipeCal.comBeehiivSnykTogglRemoteSprigDeel

What this tool helps you decide

Each page is shaped around a practical operational question, not just a raw lookup.

Signal

See the current DNS, registration, security, pricing, or reputation evidence.

Context

Compare the result with related checks so the next move is easier to trust.

Action

Copy examples, open linked tools, or move into API documentation when you need scale.

Trust signals before you integrate

Transparent docs, authenticated requests, and visible reliability details make it easier to evaluate DomScan before you ship.

Uptime API artifacts

OpenAPI, Swagger, Postman, CLI, SDK, and MCP links are one click away.

API keys Protected access

Authenticated endpoints use API keys with clear credit costs before you call them.

Free allowance Sign Up for Free

Start with 10,000 monthly credits and upgrade only when usage grows.

Active Example Request

Start from the curl and HTTP samples, then map the parameters into your application code.

Example Request

Example Request bash 
curl -s "https://domscan.net/v1/recipes/infrastructure-discovery?domain=example.com"   -H "X-API-Key: $DOMSCAN_API_KEY"

Example Response

Example Response json 
{
  "success": true,
  "data": {
    "subdomains": [
      "www",
      "api",
      "cdn"
    ],
    "hosts": [
      "198.51.100.10",
      "198.51.100.11"
    ],
    "services": [
      "nginx",
      "cloudflare",
      "github"
    ]
  },
  "meta": {
    "recipe_name": "infrastructure-discovery",
    "credits_used": 12,
    "credits_saved": 11,
    "duration_ms": 1084
  },
  "errors": []
}

Built from the same API surface

The browser experience previews DomScan's structured endpoints, so teams can validate a use case before writing code.

Open API docs All Tools
Enter your organization's primary domain

Results


          

        


        
        

          
 Frequently Asked Questions

          

            
      

        
How are subdomains discovered?

        
We use Certificate Transparency logs, DNS enumeration, and passive reconnaissance to discover subdomains without active scanning.

      

      

        
Is this an active scan?

        
No, this is passive reconnaissance only. We don't probe or test your systems directly, only gather publicly available information.

      

      

        
How can I reduce my attack surface?

        
The report identifies unnecessary exposed services, outdated SSL certificates, and misconfigured DNS that could be addressed.

      

          

        


        
        

          

            
Need More Power?

            
Get API access for automation, higher limits, and custom integrations.

            

               Get API Key
               View API Docs