Announcing certgrep

by Juxhin Dyrmishi Brigjaj

Today we officially launch certgrep, our second free public tool for the security community since we originally launched Have I Been Squatted (over two years ago!).

Like Have I Been Squatted, certgrep was born out of an internal need to improve our detection capabilities. As we pushed our detection beyond classic typosquatting, we kept coming back to the same pain point: we needed to search Certificate Transparency (CT) logs with complex queries at high concurrency. That means searching with patterns, not just exact matches, and it needed to be fast and reliable.

So certgrep is our attempt at a practical alternative to services like crt.sh, optimized for pattern-based discovery and high concurrency.

Note: we are planning to publish a separate engineering piece that dives into the inner workings of certgrep. There are a lot of interesting decisions made to make certgrep work both technically and economically, so stay tuned if you're interested.

What it's good at (today)

  • Powerful searches: regex + substring-style searches that make it easier to spot naming patterns across certs.
  • Fast results: the UI is built around a workflow that lets you query and then drill down using filters to find what you're looking for.

Here are a few examples of the kinds of searches it's meant for:

  • (?i)cer[-_]?g[-_]?ep.*
  • .*(login|signin|account|secure).*yourbrand.*
  • ^\*\.[a-z0-9-]{6,}\.(com|net)$
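
To see what patterns like these select before running them against real CT data, the sketch below applies them to a handful of SAN strings. It is an added example, not certgrep's code or API: it assumes Python `re` semantics with unanchored search, which may differ from certgrep's engine, and the function names and SAN values are constructed for illustration.

```python
import re

# Patterns from the post; "yourbrand" is the post's placeholder. The third is
# written with single backslashes, i.e. a literal "*." wildcard label.
PATTERNS = {
    "name-variants": r"(?i)cer[-_]?g[-_]?ep.*",
    "lure-words": r".*(login|signin|account|secure).*yourbrand.*",
    "wildcard-6plus": r"^\*\.[a-z0-9-]{6,}\.(com|net)$",
}

# Constructed SAN values (not real CT data).
SAMPLE_SANS = [
    "login.yourbrand.example",
    "secure-yourbrand-support.example",
    "yourbrand.example",        # brand only, no lure word
    "Cer-G-Ep.example",         # mixed case, separator variants
    "*.example.com",            # wildcard, 7-character label
    "*.short.net",              # wildcard, label shorter than 6
    "*.shop.example.net",       # wildcard over a multi-label name
    "www.example.com",          # not a wildcard
]

def normalize(san: str) -> str:
    """DNS names are case-insensitive: lowercase and drop a trailing root dot."""
    return san.strip().rstrip(".").lower()

def triage(sans, patterns=PATTERNS):
    """Return {pattern_name: [matching SANs]} using unanchored search."""
    compiled = {name: re.compile(p) for name, p in patterns.items()}
    hits = {name: [] for name in patterns}
    for san in map(normalize, sans):
        for name, rx in compiled.items():
            if rx.search(san):
                hits[name].append(san)
    return hits

def check_pattern(pattern, must_match, must_not_match):
    """Regression-test a pattern before relying on it; return the failures."""
    rx = re.compile(pattern)
    failures = [f"missed: {s}" for s in must_match if not rx.search(normalize(s))]
    failures += [f"false hit: {s}" for s in must_not_match if rx.search(normalize(s))]
    return failures

if __name__ == "__main__":
    for name, matched in triage(SAMPLE_SANS).items():
        print(f"{name}: {matched}")
```

Keeping a small must-match / must-not-match list per pattern, as `check_pattern` does, catches over-broad or over-narrow expressions before they turn into noisy or empty result sets.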

What to expect (honest limitations)

  • It's not full-history (yet). Right now we index roughly the most recent ~100M cert entries, which means very old certificates may not show up. This will keep expanding over time.
  • There can be delay. Certificates appear in CT fast, but our indexing lag can be up to ~24h. In practice it's often much less, and we'll keep shrinking it as we reduce the delta.
  • It's only optimized for searching SANs. One of the tradeoffs we made to keep certgrep free to use is that we only index Subject Alternative Names (SANs) in certificates. If you have use cases where you need to search for certificates by some other field (e.g. organization name), this is not currently part of certgrep's intended design.

If you need deep historical completeness or searching via fields other than the SAN right now, crt.sh is still an excellent tool.

What's next

  • A free public API with reasonable rate limits
  • SDKs (Python, Rust, Go, JS/TS) so you can plug it into workspaces and workflows
  • Better coverage + faster refresh as we scale out ingestion
  • Deeper integration of CT results into Have I Been Squatted lookup results

We are very proud to be able to provide certgrep to the public, and we hope you enjoy trying it out as much as we enjoyed untangling the technical challenges required to build it. We're releasing this because we want it to be useful, not because it's perfect. We listen to all of our users (often obsessively), so please reach out to us on any of our channels below with any feedback or requests.
