Skip to content

Subfinder

Purpose

Subfinder discovers subdomains for domain scope items using the subfinder CLI.

Plugin Information

Plugin ID: subfinder

Category: Recon

Plugin Type: recon

Execution: passive CLI recon

Default State: enabled

Default Profiles:

  • quick
  • default
  • deep
  • stealth
  • recon_nmap
  • tls_audit
  • web_discovery
  • port_discovery
  • recon_expanded
  • screenshot

Input Scope

Accepted asset types:

  • domain

Required metadata:

  • None

Produces targets:

  • A comma-separated domain list passed with -d.

Output

Creates assets:

  • subdomain

Creates vulnerabilities:

  • None

May enrich:

  • Subdomain metadata from Subfinder JSON output.

Metadata:

  • Full JSON line from Subfinder when JSON parsing succeeds.
  • Empty metadata for plain text fallback lines.

Graph Relations

The worker derives parent-domain containment from emitted subdomains:

domain -> contains -> subdomain

If no parent_domain metadata is present, the worker derives the parent from the subdomain value.

Files / Artifacts

Produces:

  • None

Dependencies

Required binary: subfinder

Required installer entry: tools.subfinder

Command model:

subfinder -d <domain[,domain...]> -json -silent [-rate-limit <n>]

Example Flow

domain
  -> subfinder
subdomain

Notes

Only domain scope items are used. IP, CIDR, URL, and service inputs are skipped without failure.