Skip to main content

CRT.sh Integration with Snapsec AIM

The CRT.sh integration allows Snapsec AIM to automatically fetch subdomains discovered through global Certificate Transparency (CT) logs.
This helps identify hidden, forgotten, or shadow domains that appear in SSL certificates but are not tracked internally. This guide explains how to:
  1. Enable CRT integration in AIM
  2. Automatically import subdomains from CT logs
  3. Use the fetched data for inventory, threat analysis, and discovery

Prerequisites

CRT.sh does not require API keys — only a domain or organization keyword to search. You will need:
  • A registered domain (e.g., example.com)
  • Permission to manage AIM adapters
  • (Optional) Asset classification rules to tag imported assets

Installing the CRT Integration

  1. Go to AIM → Integrations
  2. Find CRT in the integrations list
  3. Click Install
A dialog will appear prompting you to configure:
  • Domain / Root Domain (required)
  • Polling Interval (optional, default daily)
Click Save once complete.

How CRT.sh Discovery Works

Once enabled, Snapsec AIM will:

🔍 Query CT Logs

Search CRT.sh for any certificate containing:
  • Your domain
  • Subdomains
  • Wildcard certificates
  • Historical certificates

🧩 Parse Certificate Records

AIM processes certificate CN/SAN entries to extract:
  • Subdomain names
  • Wildcard domain variants
  • Past domains still visible in public logs

🔗 Add New Assets to Inventory

Imported subdomains appear in:
  • Subdomains Catalog
  • Global Asset Inventory
  • Asset Relations Graph
  • Exposure analysis workflows
Each subdomain is enriched with:
  • DNS lookups
  • Technologies
  • IP mapping
  • Risk Indicators

How AIM Uses CRT Data

CRT integration helps solve several real problems:

✔ Identify Shadow Subdomains

Discover subdomains created without security approval but exposed publicly.

✔ Detect Legacy or Forgotten Environments

Old certificates reveal deprecated services still reachable online.

✔ Strengthen Surface Monitoring

New certificate issuance immediately alerts AIM to newly exposed assets.

✔ Enhance ASM + VM + TM Workflows

CRT-derived domains automatically flow into:
  • Vulnerability scans
  • Threat modeling projects
  • Attack surface maps

Troubleshooting

❗ No subdomains found

Ensure your root domain is correctly entered (e.g., example.com, not https://example.com).

❗ Too many results or noise

Use AIM classifiers to tag or filter unwanted entries.

❗ Duplicate records

AIM automatically deduplicates assets — duplicates will merge into a single asset entry.

Next Steps

View Subdomain Catalog

Explore all subdomains discovered from CRT and other adapters.