Subdomain Enumeration

Every audit begins by enumerating the target’s subdomains. WithGiga uses passive OSINT only — no DNS brute-force, no traffic to the target during enumeration. This keeps the engagement quiet and minimizes false positives.

The seven sources

GigaOps queries all of these in parallel and merges results:
| Source | Type | Coverage |
|---|---|---|
| crt.sh | Certificate Transparency | Subdomains observed in issued TLS certificates |
| HackerTarget | DNS aggregation | Multi-source DNS dataset |
| AlienVault OTX | Threat intelligence | Subdomains observed in security telemetry |
| Anubis | DNS history database | Historical and current DNS records |
| URLScan.io | URL scanning archive | Subdomains observed across scanned URLs |
| Wayback Machine | Web archive | Subdomains referenced in archived pages |
| RapidDNS | DNS query aggregator | Cross-source DNS dataset |

Each source contributes a partial view. Combining them produces the most complete passive subdomain set practically obtainable.

Validation

Raw OSINT results contain noise — expired DNS, typos, decommissioned subdomains. GigaOps validates every candidate:
  1. DNS resolution — does the subdomain still resolve?
  2. Liveness — is anything answering on common ports (80, 443, plus discovered ones)?
  3. HTTP response — does the live host respond meaningfully (not just a 404 from a default page)?
  4. Stack fingerprinting — what is it (so later phases can target appropriately)?
Subdomains that pass validation become the working target set for phases 3+.

Targeting the right scope

By default, enumeration is scoped to the workspace’s primary domain and any explicit subdomains you pass in `targets`.
# Audit the primary domain and let GigaOps discover everything else
curl -X POST .../audits -d '{"type":"deep","targets":["acme.example.com"]}'

# Audit a specific set of subdomains and enumerate only within them
curl -X POST .../audits -d '{
  "type":"deep",
  "targets":[
    "app.acme.example.com",
    "api.acme.example.com",
    "admin.acme.example.com"
  ]
}'
GigaOps will enumerate subdomains under whatever apex domain it can derive from the targets. If you want to restrict scope strictly to the targets you pass, say so in Autonomous mode:
Scope: Test only the three subdomains passed in `targets`. Do not
enumerate, scan, or interact with any other subdomain under
acme.example.com.

What you’ll see in the report

The audit report includes an Attack Surface section listing every subdomain discovered, marked as in-scope or out-of-scope, with the source that surfaced each one. This serves as both:
  • Evidence of enumeration coverage
  • A starting point for the next engagement
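
The merge and scope labelling described on this page can be sketched offline as follows. This is an added example, not GigaOps code: the function names, the explicit `apex` parameter and the sample hostnames are assumptions, and only the source names come from the table above.

```python
from collections import defaultdict

def normalize(name):
    """Lowercase, drop a trailing dot and a leading CT-style wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def under(name, parent):
    """True if name is parent or a subdomain of it, matched on a label boundary."""
    return name == parent or name.endswith("." + parent)

def merge_sources(results):
    """Merge {source: [names]} into {name: [sources]}, deduplicating variants."""
    merged = defaultdict(set)
    for source, names in results.items():
        for raw in names:
            name = normalize(raw)
            if name:
                merged[name].add(source)
    return {n: sorted(s) for n, s in sorted(merged.items())}

def label_scope(merged, apex, targets=None):
    """Without targets: in scope if under apex. With targets: exact matches only."""
    strict = {normalize(t) for t in targets} if targets else None
    rows = []
    for name, sources in merged.items():
        ok = name in strict if strict is not None else under(name, apex)
        rows.append((name, "in-scope" if ok else "out-of-scope", sources))
    return rows

# Constructed sample data; hostnames are illustrative only.
SAMPLE = {
    "crt.sh": ["*.acme.example.com", "API.acme.example.com", "app.acme.example.com"],
    "Wayback Machine": ["app.acme.example.com.", "old.acme.example.com"],
    "RapidDNS": ["api.acme.example.com", "notacme.example.com"],
}

if __name__ == "__main__":
    merged = merge_sources(SAMPLE)
    strict_targets = ["app.acme.example.com", "api.acme.example.com"]
    for row in label_scope(merged, "acme.example.com", strict_targets):
        print(row)
```

The label-boundary check in `under` is what keeps a lookalike such as `notacme.example.com` from being treated as part of `acme.example.com`; a plain suffix comparison would mark it in-scope.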

Targets that don’t show up

Passive OSINT will miss:
  • Internal-only subdomains that never appear in CT logs or public scans
  • Subdomains created very recently (under a few hours old)
  • Subdomains intentionally excluded from public DNS
If you need to test internal subdomains or pre-launch infrastructure, pass them explicitly in `targets`.

Programmatic access

You can run subdomain enumeration as a standalone operation, separate from a full audit:
curl -X POST https://api.withgiga.ai/api/subdomains \
  -H "Authorization: Bearer $GIGA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "acme.example.com"}'
See the Subdomains API reference for details.