Stop Chasing Ghosts. Detect DNS Vulns with Zero Noise.

Pipe your existing subdomain lists into a high-fidelity engine built to eliminate theoretical false positives. Get verified takeovers, dangling cloud IPs, and SSRF enablers—not just 'potential' leads.

View on GitHub
saurabh@prashrut: ~/subpipe-cli

$ cat subdomains.txt | subpipe

🚀 SubPipe Analysis Started: 26 targets sent to api.subpipe.run

[13:38:52] LOW Internal/RFC1918 IP Exposure (SSRF): internal-test.subpipe.run

[13:38:52] HIGH MX Domain Expired: alt-dead-domain.subpipe.run

[13:38:52] CRITICAL Nameserver Takeover: demo-ns.subpipe.run [Verified]

[13:38:57] MEDIUM Potential GCP Elastic IP Takeover: demo-gcp.subpipe.run

[13:39:00] HIGH ElasticBeanstalk Takeover Detected: demo-eb.subpipe.run

✅ Scan Finished in 44.34s

The SubPipe Arsenal

We do one thing, and we do it better than anyone else. Binary findings across the entire DNS spectrum.

Active Detection

  • Standard HTTP Subdomain Takeovers (via Nuclei templates).
  • A Record Takeovers (Dangling Cloud IPs validated against AWS/GCP ranges). (ipv4)
  • NS & MX Record Hijacking (Integrating automated registrar availability checks).
  • Dangling CNAMEs to Internal RFC1918 IPs (SSRF enablers).
  • Expired Domain Hijacking (Classic CNAMEs).

Shipping Next

  • TXT Record Secret Leakage (API keys, tokens).
  • Unrestricted Zone Transfers (AXFR).
  • BIMI & DMARC Delegation Takeovers.
  • AAAA Record Takeovers (Dangling Cloud IPs validated against AWS/GCP ranges). (ipv6)

Plugs directly into your recon pipeline.

SubPipe doesn't find subdomains; it analyzes them. It's a lightning-fast, single-binary CLI tool that takes stdin from your favorite recon tools. Install it directly via Go or grab the latest release. GitHub repository.

Step 1: Install
$ go install github.com/subpipe/subpipe@latest
Step 2: Test Instantly

Run the script on the right to verify engine outputs against real vulnerabilities that we hosted for you on *.subpipe.run

$ subfinder -d target.com -silent | subpipe
targets=("demo-aws.subpipe.run" "demo-ipv6.subpipe.run" "demo-gcp.subpipe.run" "demo-ns.subpipe.run" "demo-mx.subpipe.run" "demo-s3-x912.subpipe.run" "demo-surge.subpipe.run" "demo-azure.subpipe.run" "demo-eb.subpipe.run" "analytics.google.com" "elements.heroku.com" "tasks.google.com" "cloud.google.com" "dead-domain.subpipe.run" "alt-dead-domain.subpipe.run" "internal-test.subpipe.run" "cname-ssrf.subpipe.run")

printf "%s\n" "${targets[@]}" > subdomains.txt
cat subdomains.txt | subpipe

FAQ