Certificate Transparency recon for a domain — discover its subdomains and issued certificates from public CT logs (passive attack-surface mapping). Pass domain. Returns the deduplicated set of subdomains seen across all certs (subdomains + subdomainCount), and the certificates (issuer, validity window, SAN dns names), most recent first. Sourced from SSLMate certSpotter (primary) with a crt.sh fallback — keyless. Live CT-log data over a huge append-only dataset an LLM cannot enumerate. For external attack-surface discovery, shadow-IT/subdomain inventory, and certificate monitoring. Note: CT shows names that ever appeared in a cert, not necessarily live hosts.