Glossary

Subdomain Takeover

Q: What does Subdomain Takeover mean in cybersecurity?

Subdomain Takeover is a security term used to describe part of an organisation's external risk, exposure, or vulnerability management process.

Q: Why does Subdomain Takeover matter for external attack surface monitoring?

It matters because attackers evaluate internet-facing assets continuously, and unmanaged exposure can become an exploitable path into customer data, infrastructure, or business operations.

Q: How does VeilScan help with Subdomain Takeover?

VeilScan discovers public assets, checks them for verified issues, prioritises findings by business impact, and produces reports that explain remediation clearly.

A DNS record pointing to an unclaimed external service

Quick Answer: Subdomain takeover is a vulnerability where a DNS CNAME record for one of your subdomains points to an external service (GitHub Pages, Heroku, S3, Vercel, Fastly, etc.) that has been decommissioned or never registered. An attacker who claims that external service now controls what is served from your legitimate subdomain — enabling phishing pages, malware hosting, or authentication token theft under your domain's trust.

How does subdomain takeover happen?

The common scenario:

A developer creates blog.yourcompany.com CNAME yourcompany.github.io to host a GitHub Pages site
The GitHub Pages site is later deleted — but the DNS CNAME record is never removed
Now blog.yourcompany.com is a dangling CNAME: it points to a GitHub Pages slot that is unclaimed
An attacker creates a GitHub Pages site at yourcompany.github.io — and now controls what is served at blog.yourcompany.com

The attacker can serve a phishing page, a fake login form, or malware from your legitimate subdomain. Browsers show your domain in the address bar. Users have no indication the content is malicious.

Which services are commonly involved in subdomain takeover?

Subdomain takeover is possible on any external service that allows custom domain mapping and has claimable namespace:

GitHub Pages (*.github.io)
Heroku (*.herokuapp.com)
AWS S3 (*.s3.amazonaws.com static hosting)
Vercel, Netlify, Surge, Fastly, and similar hosting platforms
Azure App Services, Azure CDN
Shopify, Tumblr, and other SaaS platforms that support custom domains

How is subdomain takeover fixed?

Remediation: remove the dangling DNS CNAME record. If the service is still needed, re-register or re-deploy the target service before removing the DNS record — to avoid creating a window of vulnerability during remediation. Check all CNAME records pointing to external services and audit which ones are still active.

What are common questions about Subdomain Takeover?

What does Subdomain Takeover mean in cybersecurity?

Subdomain Takeover describes a security concept that affects how teams understand, monitor, and reduce external exposure across internet-facing assets.

Why does Subdomain Takeover matter for external attack surface monitoring?

It matters because attackers continuously inspect public assets. Tracking this concept helps teams reduce exploitable exposure before it becomes a breach path.

How does VeilScan help with Subdomain Takeover?

VeilScan discovers public assets, validates findings with proof, prioritises issues by business impact, and explains remediation in reports built for engineering and leadership.

What related terms should you read next?

Check your DNS for dangling CNAMEs. VeilScan detects subdomain takeover vulnerabilities as part of every scan. Start your free scan → · Back to glossary