Amsterdam, 8th April 2025 – European cybersecurity company Hadrian, based in Amsterdam, introduces ‘Subwiz,’ the world’s first custom-trained AI tool for subdomain discovery. Traditionally, subdomain enumeration relied heavily on brute-force techniques, generating countless permutations and alterations to guess potential subdomains—an approach that required excessive DNS queries with no guarantee of success. Subwiz changes this by leveraging machine learning to recognize real-world subdomain patterns, making predictions far more accurate and drastically reducing the number of DNS queries needed.
Forgotten web pages as a target
Hackers are constantly searching for the weakest points in an organization’s armor, often focusing on blind spots like forgotten subdomains. Apex domains, such as hadrian.io, can have multiple subdomains, like old-internal.hadrian.io, that are poorly maintained or left unnoticed—making them prime targets for cyberattacks. “These subdomains frequently run outdated software, increasing the risk of exploitation. Attackers actively scan for such weak points, knowing they can offer an easy entry into an organization’s network,” says Olivier Beg, Chief Hacking Officer at Hadrian.
As security teams map out a domain, finding new subdomains becomes increasingly difficult—the closer you get to a complete picture, the harder it is to uncover the remaining gaps. By using a model trained on how subdomains are structured, Subwiz enables security researchers to push further toward full visibility. “Unseen subdomains are a common blind spot for organizations, often leaving them exposed to cyber threats. By improving discovery, we help reduce the risk of these unnoticed vulnerabilities being exploited,” Beg explains.
Protection of digital assets
With cyber threats continuously evolving, Subwiz helps organizations take a proactive approach to securing their online assets. “By uncovering subdomains that would otherwise remain hidden, we give businesses the chance to fix weaknesses before they become entry points for attackers,” Beg concludes.
Less effort, 10% more detected subdomains
Many ethical hackers and security researchers use subdomain detection techniques based on trial and error (brute force), which is quite time-consuming. “Even extensive wordlists and permutation generators often miss many subdomains due to the lack of context,” Beg says. “During benchmarking with Subwiz, we were able to find an additional 10.4% of existing subdomains compared to traditional detection methods.
A significant portion of these subdomains were not even intended to be publicly accessible—often the result of misconfigurations, legacy systems, or overlooked test environments. These exposed subdomains are especially problematic because they are more likely to run outdated software or contain vulnerable technologies. That makes them prime targets for exploitation and, therefore, the ‘gold dust’ of subdomains in security research.
Easy to integrate
Users of Subwiz can adjust various parameters within the tool during their search for subdomains, depending on their needs. “By narrowing your search, you can achieve maximum results. All subdomains in a particular area on the web could be discovered,” Beg adds. Next to that, Subwiz is easy to integrate with other subdomain detection tools that ethical hackers and security researchers are already using. For example, they can use Subwiz together with SanicDNS, the first open-source tool developed by Hadrian. SanicDNS is designed for ultra-fast scanning, whilst Subwiz focuses on discovering subdomains to be scanned.
The balance between computer power, time and quality
Subwiz was built using a lightweight LLM that can easily run on a laptop, generating hundreds of results in seconds. Beg explains: “When building Subwiz, we wanted to strike the right balance between exhaustive detection and efficiency. Instead of blindly testing millions of possibilities, we focused on intelligent predictions, and we found that running around 10,000 targeted subdomain tests per domain typically uncovers 10% more previously undetected subdomains. That extra visibility is crucial—it often reveals forgotten or vulnerable subdomains before attackers can exploit them.”
About Hadrian
Hadrian is a Dutch leading cybersecurity company specializing in offensive security solutions. With the mission to empower organizations from a hacker’s perspective, Hadrian uses advanced technologies to identify and mitigate vulnerabilities before they can be exploited. Through continuous monitoring and proactive threat analysis, Hadrian supports companies worldwide in building resilient digital infrastructures in an increasingly complex cyber landscape.
