Subdomain enumeration / attack-surface mapping / DNS recon. Certificate Transparency log mining (crt.sh). All-public data. Each subdomain with first-seen, last-seen, cert count.