Passive + Active Discovery

Find Every Subdomain, Not Just the Obvious Ones

Combine passive DNS, certificate transparency, web crawling, and active brute-forcing to discover subdomains that free tools miss.

  • 12+ Data Sources: Passive & active methods
  • 24/7 Continuous Monitoring: Real-time new subdomain alerts
  • 3x More Subdomains: vs. free tools alone
  • 5yr Historical Data: Track changes over time

Multi-Source Discovery Process

We don't rely on a single method. We combine them all.

01. Passive DNS

Historical DNS records from our network sensors and third-party feeds reveal subdomains that existed in the past.

02. Certificate Transparency

Monitor CT logs for new SSL/TLS certificates issued for your domains, catching new subdomains as soon as a certificate is issued for them.

03. Web Crawling

Discover subdomains referenced in HTML, JavaScript, and API responses across your web properties.

04. DNS Brute-Forcing

Active enumeration using custom wordlists and intelligent permutation patterns to find hidden subdomains.

05. Third-Party APIs

Aggregate data from VirusTotal, SecurityTrails, Shodan, and other threat intelligence sources.

06. Continuous Monitoring

Get instant Slack/email alerts when new subdomains appear, so you can assess them before attackers do.

Everything You Need for Subdomain Recon

Professional-grade enumeration without the enterprise price tag

Wildcard DNS Detection

Automatically filter out false positives from wildcard DNS configurations that pollute your results.

Historical Timeline

Track when subdomains were first seen, last seen, and how they've changed over time with our 5-year historical archive.

Bulk Export

Export results to CSV, JSON, or integrate directly with your tools via our REST API or Slack/webhook notifications.

IP Resolution & Port Data

See what IPs each subdomain resolves to and what ports/services are exposed, all in one view.

Who Uses Subdomain Discovery?

From bug bounties to enterprise security

Bug Bounty Hunters

Find forgotten staging servers, old dev environments, and shadow IT that internal teams don't know about. More attack surface = more bugs.

Example Discovery
old-admin.staging.target.com
→ Found Apache 2.2 with known CVE

Security Teams

Get alerted when new subdomains appear in your infrastructure. Detect unauthorized deployments before they become security incidents.

Real-Time Alert
new-api.prod.yourcompany.com
→ Slack alert: Unknown subdomain detected

Penetration Testers

Start every engagement with comprehensive reconnaissance. Find the subdomains that automated tools miss and your competitors won't find.

Typical Engagement
✓ 147 subdomains found
✓ 23 unknown to client
✓ 8 with critical findings

Threat Intelligence

Monitor competitor infrastructure, track phishing campaigns using similar domains, and build threat actor profiles based on domain patterns.

Typosquatting Detection
yourcompany-login.com
→ Phishing site detected, 12 subdomains

BarkScan vs. Free Tools

Why developers upgrade from Amass and Subfinder

Feature | BarkScan | Amass | Subfinder
Passive DNS Sources | 12+ | 8 | 6
Historical Data | ✓ 5 years | Limited
Real-Time Monitoring | ✓ 24/7
API Access | ✓ REST API | CLI only | CLI only
Setup Time | 0 min | 30+ min | 15+ min
Wildcard Filtering | ✓ Automatic | Manual | Manual

Simple, Usage-Based Pricing

Only pay for what you use. No per-seat fees.

Free Forever: $0/mo
  • 5 domains
  • 100 subdomain scans/mo
  • Basic data sources
  • API access

Most Popular: $49/mo
  • 50 domains
  • Unlimited scans
  • All 12+ data sources
  • Real-time monitoring
  • Slack/webhook alerts
  • 5-year history

For Teams: Custom
  • Unlimited domains
  • Dedicated infrastructure
  • Custom data sources
  • SLA guarantee
  • Priority support

Stop Missing Subdomains

Start with our free tier. Discover 3x more subdomains than free tools. Upgrade only when you need to.

Start Free Trial - No Credit Card Required