sub-alter
OSINT CLI tool to query a commercial Domains/Subdomains Discovery dataset and enumerate domains and subdomains that match user-defined include/exclude patterns.
sub-alter is a production-grade OSINT command-line tool maintained by a member of Haltman.io. It queries a commercial domains/subdomains discovery dataset to enumerate domains and subdomains that match user-defined include/exclude patterns.
Typical use cases:
-
Brand and trademark monitoring
-
Vendor and third-party footprint discovery
-
Infrastructure mapping and OSINT enrichment
-
Security investigations requiring controlled enumeration
Installation
Requirements
- Go 1.22+
- Valid Domains/Subdomains Discovery API key (WhoisXML)
git clone https://github.com/haltman-io/sub-alter.git
cd sub-alter
go mod tidy
go build -o sub-alter ./cmd/sub-alter
./sub-alter -h
go install github.com/haltman-io/sub-alter/cmd/sub-alter@latest
sub-alter -h
Configuration
API key configuration (required)
sub-alter --api-key YOUR_API_KEY -di "*example.com*"
On startup, the tool looks for a file next to the executable:
.sub-alter.yaml
If it does not exist, it is created automatically:
api_keys: []
Populate with one or more keys:
api_keys:
- KEY_1
- KEY_2
Keys are rotated round-robin per request.
Usage
Basic domain discovery
sub-alter -di "*example.com*"
Searches for domains containing example.com anywhere.
Domain include / exclude filters
sub-alter -di "example.com" -de "test.example.com"
Maximum 4 items per include/exclude array (provider constraint).
Subdomain include / exclude filters
sub-alter -si "aws*" -se "*portal*" -se "*beta*"
Discover subdomains starting with aws, excluding portals and beta environments.
Mixed filters (domains + subdomains)
sub-alter -di "google.com" -di "twitter.com" -se "*portal*"
Output to file (clean & deduplicated)
sub-alter -di "*example.com*" -o results.txt
- File is overwritten if it exists
- One domain per line
- No ANSI colors
- Deduplicated output
Possible Problems / Important Notes
Provider limits
- API hard limit: 30 requests per second
- The tool rejects values above this limit
sub-alter -di "*example.com*" -rl 10
Include / exclude constraints
Each include/exclude array supports max 4 items. Exceeding this causes the tool to exit with an error.
Proxy and TLS behavior
Supported proxy schemes: http://, https://, socks5://
sub-alter -di "*example.com*" --proxy socks5://127.0.0.1:9050
Use --insecure/-k only in controlled lab environments.
API cost awareness
- This provider may bill per request
- The tool sends only fields explicitly requested via flags
- Avoid unnecessary wildcard searches in large investigations
External References
Last updated Feb 12, 2026
Built with Documentation.AI