Platform · Public Discovery

See every certificate issued for your domains.

Continuously monitor Certificate Transparency logs and public TLS endpoints to identify certificates, subdomains, and issuance activity tied to your domains — including the rogue and shadow ones nobody authorized.

Agentless · Real-time CT logs · Rogue detection

domain monitoring · acme.com · watching CT logs
*.acme.com · CT log · known
promo.acme.io · CT log · rogue
blog.acme.com · DNS scan · unowned
api.acme.com · TLS scan · known

The problem

The internet knows more about your certs than you do.

The internet often knows about certificates before internal teams do. Every certificate issued for your domains is logged publicly — the question is whether you’re watching those logs or an attacker is.

Shadow issuance

Anyone can request a certificate for a domain you forgot to lock down.

Rogue certificates

Mis-issued or fraudulent certs are an early signal of compromise.

Forgotten subdomains

Old marketing and staging hosts keep live certificates you never see.

No external view

Internal tools can’t show what the world can see about your domains.

How it works

Watch the public internet, continuously.

1. Monitor CT logs

Watch Certificate Transparency in real time for your domains.

2. Resolve DNS

Map domains and subdomains to live endpoints.

3. Active scan

Probe internet-facing hosts for presented certificates.

4. Flag the unknown

Surface rogue, shadow, and unowned certificates.

Architecture

Public signals into your inventory.

Public sources
CT logs: real-time issuance
DNS: domains · subdomains
Active TLS scan: internet-facing

MachineCert: correlate · flag · alert

Output
Domain inventory: every public cert
Rogue alerts: mis-issuance
Change alerts: new issuance

Outcomes

Own what the world can see.

Catch rogue issuance

Real-time CT monitoring flags mis-issued certs.

Full external view

See your domains exactly as the world does.

Find forgotten hosts

Surface old subdomains still serving certs.

Issuance alerts

Know the moment a new cert appears.

Brand protection

Detect look-alike and fraudulent certificates.

Zero setup

Agentless — start watching in seconds.

FAQ

Public discovery, answered.

Public discovery finds every TLS certificate issued for your domains using publicly available sources — Certificate Transparency logs, DNS, and active internet scanning — without needing any agent or access to your internal network.

CT logs are public, append-only records of certificates issued by participating Certificate Authorities. Monitoring them lets you see every certificate issued for your domains in near real time, including ones you didn’t request.

By comparing CT-log issuance against your known inventory, MachineCert flags certificates issued for your domains that nobody registered — a key early indicator of mis-issuance, compromise, or brand abuse.

Yes. It relies entirely on public data sources and active scanning of internet-facing endpoints, so there’s nothing to install to start monitoring your public certificate footprint.

Often, yes. DNS enumeration and CT-log data surface subdomains and hosts — including old marketing, staging, and campaign sites — that still have live certificates.

CT-log monitoring is near real-time, so newly issued certificates for your domains typically appear within minutes and can trigger alerts.

No — it complements it. Public discovery covers what’s visible externally; internal discovery (via the agent) covers private infrastructure. Together they give complete coverage.

Yes. You can configure alerts for any new certificate issued for your domains, routed to email, Slack, Teams, or your SIEM.
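
One way to do the comparison the FAQ describes, CT-log issuance checked against a known inventory, as an added example (not MachineCert's code or API). The record shape, the (issuer, serial) inventory key and every sample entry are assumptions constructed for illustration; keying on issuer and serial collapses a precertificate with its final certificate, so one issuance yields one finding.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CtEntry:            # hypothetical record shape, not a real log schema
    issuer: str           # issuer DN
    serial: str           # hex serial number
    dns_names: tuple      # SAN dNSName values
    precert: bool         # True for a precertificate entry

def clean(name):
    """Lowercase and drop surrounding whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")

def in_scope(name, monitored):
    """True if name (wildcard label ignored) is a monitored domain or a subdomain."""
    n = clean(name)
    n = n[2:] if n.startswith("*.") else n
    # Match on a label boundary so notexample.com is not taken for example.com.
    return any(n == d or n.endswith("." + d) for d in monitored)

def reconcile(entries, monitored, inventory):
    """Map (issuer, serial) -> in-scope names for certificates not in inventory."""
    monitored = {clean(d) for d in monitored}
    known = {(issuer, serial.lower()) for issuer, serial in inventory}
    findings = {}
    for e in entries:
        names = {clean(n) for n in e.dns_names if in_scope(n, monitored)}
        key = (e.issuer, e.serial.lower())
        if not names or key in known:
            continue  # unrelated certificate, or one we issued on purpose
        findings.setdefault(key, set()).update(names)  # precert + final merge here
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample data (no real certificates).
MONITORED = ["example.com"]
INVENTORY = {("CN=Example Issuing CA", "0a1b")}
ENTRIES = [
    CtEntry("CN=Example Issuing CA", "0A1B", ("*.example.com", "example.com"), True),
    CtEntry("CN=Example Issuing CA", "0A1B", ("*.example.com", "example.com"), False),
    CtEntry("CN=Other CA", "77ff", ("promo.example.com",), True),
    CtEntry("CN=Other CA", "77ff", ("promo.example.com",), False),
    CtEntry("CN=Other CA", "9c01", ("notexample.com", "example.com.cdn.test"), False),
    CtEntry("CN=Other CA", "42aa", ("Staging.Example.COM.",), False),
]

if __name__ == "__main__":
    for (issuer, serial), names in reconcile(ENTRIES, MONITORED, INVENTORY).items():
        print(f"not in inventory: {issuer} serial={serial} names={names}")
```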

Get started

See every public cert for your domain.

Run a free scan and watch MachineCert surface every certificate the world can see for your domains.
