ProjectDiscovery Part 1: subfinder
The first phase of a penetration test is almost always discovery. Up until the middle of 2025, I was still using older versions of OWASP amass and Sublist3r for discovery… until a coworker gently mocked me and told me to use subfinder instead.
It was A Moment for me. I realized just how stale my skills had gotten over the last 4 years. An elephant has never sat on me but I’m pretty sure that’s what it feels like when one does. It hurt. That was the inspiration for this sabbatical project, to catch up on all of the training I was promised over the decades but never seem to get. Meanwhile, the “bills for skills” problem in security is a clusterfuck… we’re all expected to know how to hack into anything and everything, even as tech stacks get more bloated and convoluted, to learn on our own AND pay for the 999 services necessary to, you know, practice? Let’s learn together. My treat.
One of the most counter-intuitive things about this work: it is often the case that my “customer” cannot provide a list of targets. Or maybe they provided one target but are hoping we won’t find another instance of the same code running in development mode. Or there’s shadow IT, a ubiquitous and evergreen problem because all human enterprise lacks operational discipline. No judgment. This is why my kids don’t have college loan debt.
Sublist3r is written in Python. Every time I run Sublist3r, it spews a lot of errors. I don’t want to shit on the authors, but it is very much the sort of tool pentesters write. I know, because I’ve written a lot of one-off tools for assessments. By last count, I’ve written nmap in 6 languages? I have nothing against Python or Ruby; if I’m in a hurry to bang out a bespoke tool, I’ll use whatever has the best libraries. But there’s newer, faster and sexier stuff out there.
Subfinder is written in Go. I love Go. Every fuzzing or scanning tool I have written in Go was screaming fast. This is subfinder:
Found 11545 subdomains for $DOMAIN in 2 minutes 9 seconds
While amass is… still running. AND subfinder has a -csv flag. Because grown-ups have to write reports.
Before you can install subfinder, you will need to install Go. You will also want to add Go’s binary directory to your $PATH: that is $GOPATH/bin, usually $HOME/go/bin, which is where go install drops the binary. After that, there’s not much to it:
% go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
# [... wait ...]
% subfinder -d example.com
# [... wait ...]
[INF] Found 22248 subdomains for example.com in 30 seconds 62 milliseconds
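A small post-processing step for the run above, as an added example (not part of subfinder or of the original post): it reads subfinder’s JSONL output (-oJ), deduplicates hosts and separates anything outside the authorized root domain, which is exactly where the “my customer cannot give me a target list” problem bites. The sample lines are constructed, and the host/input/source field names are assumed from subfinder’s JSON output.

```python
# Added example: post-process subfinder's JSONL output (-oJ) for a report and a
# scope check. Assumes each line has "host", "input" and "source" keys.
import json
from collections import Counter

# Constructed sample standing in for: subfinder -d example.com -oJ -o out.jsonl
SAMPLE = """\
{"host":"www.example.com","input":"example.com","source":"crtsh"}
{"host":"WWW.example.com.","input":"example.com","source":"hackertarget"}
{"host":"*.dev.example.com","input":"example.com","source":"crtsh"}
{"host":"dev.example.com","input":"example.com","source":"dnsdumpster"}
{"host":"cdn.example-static.net","input":"example.com","source":"alienvault"}
not json at all
"""

def normalize(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading wildcard label."""
    host = host.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host

def in_scope(host: str, roots) -> bool:
    """True only for the root itself or a real subdomain of it (not 'notexample.com')."""
    return any(host == r or host.endswith("." + r) for r in roots)

def parse_results(text: str):
    """Yield (host, source) pairs, skipping lines that are not JSON objects."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "host" in rec:
            yield normalize(rec["host"]), rec.get("source", "unknown")

def summarize(text: str, roots):
    """Deduplicated in-scope hosts, anything outside scope, and hits per source."""
    roots = {normalize(r) for r in roots}
    hosts, per_source = set(), Counter()
    for host, source in parse_results(text):
        hosts.add(host)
        per_source[source] += 1
    return {
        "hosts": sorted(h for h in hosts if in_scope(h, roots)),
        "out_of_scope": sorted(h for h in hosts if not in_scope(h, roots)),
        "per_source": dict(per_source),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE, ["example.com"])
    print(f"{len(report['hosts'])} in-scope hosts; {len(report['out_of_scope'])} need a scope decision")
```

Anything that lands in out_of_scope gets confirmed with the customer before it goes anywhere near a scanner; the per_source counts are handy for the report when someone asks where a host came from.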
Last note: I will be writing about more ProjectDiscovery (PD) tools in the coming weeks. PD maintains a pretty amazeballs collection of open-source security tools designed for reconnaissance, vulnerability scanning, and general offensive security work. Everything is built to work together so you can chain tools for more efficient security assessments. In addition to tools you can clone, configure and install, ProjectDiscovery has a hosted cloud service with a free tier.