Goal: turn a single target into a wide, defensible attack surface by discovering apex domains owned by the company, its acquisitions, and its sub-organizations—using only open sources.
Great bugs often live just outside the obvious example.com. If you can map acquired brands and subsidiaries, you’ll uncover older tech stacks, forgotten portals, and regional sites that are still very much in scope for “wide-scope” programs.
Below is the exact recon playbook I use. I’ll use Walmart as the running example, but you can swap any company.
Crunchbase: the obvious starting point
What is Crunchbase?
Crunchbase is a business intelligence site that tracks companies, funding, acquisitions, leadership, and links (including official websites).
- Open the company’s crunchbase profile (e.g., Walmart) and go to Financials → Acquisitions. You’ll see a limited list: acquirer, date, price etc.
Link: https://www.crunchbase.com/organization/walmart/financial_details
Click into each acquired company and grab its top-level domain from the profile (e.g., Vizio → vizio.com). Add each to your recon list.
PitchBook: the backup scout
PitchBook also lists investments and acquisitions. The public (free) view is short, but it still gives names you can pivot on later. Treat it as a second source to catch what Crunchbase misses.
Link: https://pitchbook.com/profiles/company/11653-30#investments
Link: https://pitchbook.com/profiles/company/11787-22#investments
PitchBook shows even less information than Crunchbase, so it isn’t very helpful here.
Outsmart the Limits: Mining Crunchbase & PitchBook via Dorks
Crunchbase and PitchBook both hint at a company’s acquisitions—but those tables are short, and the paywalls come fast. No problem. Let Google do the scrolling for you.
The idea
Search engines cache profile pages that mention “acquired by,” “acquirer,” “parent company,” and similar phrases. By scoping queries to these domains, you can surface far more acquisition and subsidiary pages than the UI will ever show you—then pivot from each result to grab the official website/TLD.
Crunchbase (Walmart examples)
site:*.crunchbase.com “acquired by Walmart”
site:*.crunchbase.com (“acquired by” OR “acquirer”) “Walmart”
Open the results one by one, collect the company names, then grab their official domains from their profiles.
PitchBook (FIS examples)
site:pitchbook.com “acquired by” “Fidelity National Information Services”
site:pitchbook.com “acquirer” “Fidelity National Information Services”
site:pitchbook.com “acquired by” “FIS Data Systems”
Open the results one by one, collect the company names, then grab their official domains from their profiles.
Think beyond Mergers & Acquisitions: the sub-org snowball
Most researchers stop at acquisitions. That’s a mistake. Acquisitions are only half the tree. On the Walmart overview page, look for “Sub-organizations.” These are internal divisions/holdings that often run their own domains.
- Sub-orgs often operate older stacks and independent sites = fresh attack surface.
- Each sub-org can have its own acquisitions → more domains, deeper recursion.
Crunchbase sub-org dork
site:*.crunchbase.com “Sub-Organization of” “Walmart”
Pitchbook sub-org dork
site:pitchbook.com “parent company” “Fidelity National Information Services”
Now, go recursive:
-
Each acquired company might have sub-orgs.
-
Each sub-org may have done acquisitions.
-
Walk the tree: acquisition of an acquisition is still your target’s footprint.
Mini case: FIS → FIS Data Systems → Vericenter
Let’s take Fidelity National Information Services (FIS) as an example. FIS has a sub-organization (or business unit) called FIS Data Systems.
Link: https://pitchbook.com/profiles/company/10609-30#overview
After pivoting into that entity’s profiles (site:pitchbook.com "acquired by" "FIS Data Systems" ), you’ll find Sungard Vericenter listed under it. Vericenter’s official site is vericenter.com, so you can add vericenter.com — and consider *.vericenter.com — to your recon list for enumeration.
Link: https://pitchbook.com/profiles/company/10632-34#overview
In practice, the flow is:
FIS (parent) → FIS Data Systems (sub-org) → Sungard Vericenter (owned property) → vericenter.com (candidate apex, plus wildcard).
Wikipedia: the sleeper goldmine
Wikipedia has curated lists that are fantastic for brand discovery, especially consumer companies with lots of stores/products.
Start here: https://en.wikipedia.org/wiki/Lists_of_corporate_assets
- Lists of corporate assets → scan for your target’s “List of assets owned by …”
Individual company pages often include subsidiaries and brands boxes.
Next what to do:
Collect brand names you don’t recognize. Google each with site:, “official site”, or “website” to find the apex domain. This step routinely surfaces regional brands and legacy properties you won’t find in investor databases.
Twitter/X OSINT: who they follow tells you who they are
Official accounts often follow only brand family members: regional arms, product lines, support accounts, and digital wallets.
Example: @WalmartMexico
Open Following and you’ll spot:
- @walmart_express → walmart.com.mx
- @CashiMx (Walmart Mexico’s digital wallet) → cashi.com.mx
Each bio often contains a site link—new TLDs for your list. From there, click into their following lists and repeat. It cascades.
Note: X now rate-limits how many “following” entries you can view at once. You can still sample strategically (and I’ll share a rate-limit workaround in a separate post).
From Tweets to TLDs: How to Dork the X Timeline
Generic searches can surface acquisitions you missed, or confirm rumored ones.
Generic dorks:
|
|
A little more specfic search:
|
|
Advanced X Search: Time-Boxed, Account-Scoped Dorks
X (Twitter) Web lets you stack search operators to target official acquisition announcements from a single account over a specific date range. Here’s a clean pattern you can drop in the search bar (no UI needed).
-
from: restricts to one account
-
since:/until: time-box results (UTC; until: is exclusive)
-
OR groups catch wording variants
-
filters reduce noise (original posts, links only, language, etc.)
|
|
What it does: shows English-language original posts (no retweets/replies) from @Walmart in 2025 and mention acquisitions/investments.
Use this to collect official announcements or credible press, then pivot into domains from the press releases.
Company newsrooms: the gold mine
Nothing beats the company’s own newsroom/blog. M&A, new ventures, regional launches—they announce everything here, often with links to new domains.
Example — Turning a press release into domains
Walmart’s newsroom announced that its majority-owned Flipkart launched a wholesale initiative in India called Best Price Wholesale: https://corporate.walmart.com/news/2020/07/23/walmarts-majority-owned-flipkart-launches-wholesale-business-to-help-small-businesses-in-india-source-directly-from-manufacturers-and-producers
A quick pivot from that brand name turns up multiple apex domains tied to the launch:
-
bestprice.in
-
bestprice-registration.com
-
bestpricewholesale.co.in
Add these to your recon sheet (and consider wildcards like *.bestprice.in)—one newsroom post just expanded the attack surface from a single parent brand to several new apexes with their own stacks and potential legacy subdomains.
Scan for brand launches, partnerships, and regional rollouts—each often brings fresh domains.
A single brand can hide a galaxy of domains. With a few dorks, a bit of recursion, and a habit of reading the company’s own announcements, you can grow your target map from one domain to an entire ecosystem—where the best bugs tend to live.
For more write-ups and recon tips, follow me on X: Skyhex_ and LinkedIn: https://www.linkedin.com/in/aryan-b-79b012157/