The problem with technographic signals
BuiltWith says a company "uses Zendesk." G2 says they're a customer. Job postings mention the tool once. All of these are inferred. None of them prove active use today.
The real question for GTM is simpler: does a live tenant subdomain exist right now? If yes, they're a confirmed customer. If no, move on.
A confirmed login URL is evidence. A BuiltWith tag is a periodic crawl — accuracy sits around 80% on common frontend stacks, lower on anything behind auth, and the data can be months stale.1
The insight: SaaS tenant subdomains are public
Most enterprise SaaS platforms route tenants on subdomains. company.zendesk.com. company.my.salesforce.com. company.atlassian.net. To serve HTTPS on these subdomains, they issue TLS certificates. Every certificate issued is logged publicly in certificate transparency (CT) logs.
CT logs are meant for security auditing. But they also contain a complete history of every subdomain ever given a tenant slot. When you combine that with an HTTP probe to confirm the tenant is live today, you get a confirmed customer list.
This is Jordan Crawford's fingerprint-first methodology from Blueprint: identify the signal that proves active use before touching a single contact. In this case, the fingerprint is the live login URL.
Platform fingerprints: what 200 vs ghost means
Each platform behaves differently. Some use wildcard DNS (every slug resolves). Some return 404 for unknown tenants. Some redirect to a login page with a specific URL fragment. You have to know what you're looking for.
| Platform | URL pattern | Live signal | Ghost signal |
|---|---|---|---|
| Salesforce | {slug}.my.salesforce.com | HTTP 200 | HTTP 404 |
| Zendesk | {slug}.zendesk.com | HTTP 200 | HTTP 403 |
| Freshdesk | {slug}.freshdesk.com | HTTP 302 | HTTP 404 |
| Jamf Cloud | {slug}.jamfcloud.com | final URL has /view/sso/login | bare URL, no path |
| Atlassian | {slug}.atlassian.net | HTTP 200 | HTTP 404 |
| ServiceNow | {slug}.service-now.com | HTTP 200 | timeout |
| Salesloft | {slug}.salesloft.com | HTTP 200 | DNS NXDOMAIN |
| PagerDuty | {slug}.pagerduty.com | HTTP 405 | 0/timeout |
| Greenhouse | job-boards.greenhouse.io/{slug} | HTTP 200 | HTTP 404 |
| Workday | {slug}.myworkday.com | CT logs only | wildcard DNS |
| BambooHR | {slug}.bamboohr.com | CT logs only | wildcard DNS |
| Outreach | {slug}.outreach.io | CT logs only | wildcard DNS |
| Gong | {slug}.app.gong.io | CT logs only | wildcard DNS |
| Monday.com | {slug}.monday.com | CT logs only | wildcard DNS |
| HubSpot | {slug}.hs-sites.com | CT logs only | wildcard DNS |
| NetSuite | {slug}.app.netsuite.com | CT logs only | wildcard DNS |
| Datadog | {slug}.datadoghq.com | CT logs only | wildcard DNS |
| Greenhouse (legacy) | boards.greenhouse.io/{slug} | HTTP 200 | HTTP 404 |
Wildcard DNS platforms (Workday, BambooHR, etc.) return a valid DNS response for any slug. HTTP probing is unreliable there. Instead, you query certificate transparency logs, which only contain real tenant certs.
The pipeline
subfinder replaces crt.sh
crt.sh has 2-3 outages per week. Postgres timeouts. 502s. The solution is subfinder, which aggregates 50+ passive sources simultaneously: certificate transparency logs, Censys, SecurityTrails, Wayback Machine, VirusTotal. One command, one output, no babysitting.
subfinder -d jamfcloud.com -o subdomains.txt
On jamfcloud.com this returned 11,913 subdomains.
Filter to real slug candidates
Not all subdomains are tenant slugs. Strip nested subdomains (a.b.jamfcloud.com). Strip known internal infrastructure: help, status, api, mail, sandbox, dev, test, staging, demo, app, www.
After filtering: 2,893 clean slug candidates.
httpx probe with follow-redirects
httpx fires 100 concurrent HEAD requests. The critical flag is -fr (follow redirects). Without it, platforms that 302 before returning 200 — Jamf, Salesforce, Freshdesk — are missed entirely. This is the most common reason pipelines undercount.
httpx -l slugs.txt -fr -mc 200 -o live.txt -threads 100
After the httpx pass: 1,357 returned HTTP 200.
Fingerprint check
For Jamf specifically, 200 is not enough. The final URL after redirect must contain /view/sso/login. Wildcard responses exist that return 200 but are not real tenants. The Python script does this secondary check.
After fingerprint filtering: 436 confirmed real tenants.
Sample confirmed jamfcloud.com customers: github, cirruslogic, clearwateranalytics, vistaequitypartners, txstate, childrenscolorado.
Live confirmed customer URLs
These returned confirmed responses on 2026-05-07:
Salesforce: uber.my.salesforce.com, amazon.my.salesforce.com, walmart.my.salesforce.com, ibm.my.salesforce.com, adidas.my.salesforce.com
Zendesk: shopify.zendesk.com, slack.zendesk.com, squarespace.zendesk.com, box.zendesk.com
Atlassian: netflix.atlassian.net, nasa.atlassian.net, spotify.atlassian.net, linkedin.atlassian.net, lyft.atlassian.net
PagerDuty: netflix.pagerduty.com, airbnb.pagerduty.com, stripe.pagerduty.com, cloudflare.pagerduty.com
Jamf Cloud: ibm.jamfcloud.com, stanford.jamfcloud.com, autodesk.jamfcloud.com, metlife.jamfcloud.com
Not guesses. Clickable URLs returning 200 right now.
How slug generation works
The tenant slug is almost always the domain prefix. shopify.com becomes shopify. That's the first candidate tried.
The script generates up to 5 variants and tries each in order:
shopify.com→shopify(wins immediately)tcs.com→ triestcs,tata-consultancy-services,tctranetechnologies.com→ triestrane,tranetechnologieswilliams-sonomainc.com→ trieswilliams,williams-sonomainc,williams-sonoma
Legal suffixes get stripped automatically: inc, corp, technologies, plc, ltd. Domain prefix beats company name — it's more reliable because it's what the company typed when they provisioned the account.
Cost model
| Step | Provider | Cost |
|---|---|---|
| Seed company list (25/platform) | Bloomberry | ~$5.25 per platform |
| subfinder subdomain discovery | None — open source | Free |
| httpx HTTP probing | None — open source | Free |
| Fingerprint check | None — direct HTTP | Free |
| Contact enrichment (optional) | Dropleads / Apollo | Free tier |
$5-10 gets you a confirmed customer list for one platform. $50-100 covers 10 platforms, 250 companies each.
The whole HTTP probing side is free. The only real cost is the seed list. Bloomberry's bloomberry_get_current_customers is the cheapest technographic source for this at $0.21 per result.
How to run it
Install the tools:
brew install subfinder httpx
Run the full pipeline:
python3 ct_harvest.py --platform zendesk
Or with a Bloomberry seed list:
deepline tools execute bloomberry_get_current_customers \
--payload '{"vendor_name":"Zendesk","company_employee_size_range":"5,001-10,000;10,001+","limit":20}'
python3 slug_probe.py \
--csv bloomberry_output.csv \
--platforms zendesk salesforce atlassian jamf \
--output confirmed_tenants.csv
The slug_probe.py output: domain, company_name, platform, slug_tried, login_url, confirmed, probe_method, all_slugs_tried. The ct_harvest.py output: platform, slug, subdomain, login_url, confirmed, source. Filter confirmed=yes in either case.
What to do with the list
A confirmed tenant URL beats "saw this tool mentioned" by a wide margin. A few ways to use it:
Competitive displacement: you're targeting confirmed active users, not ex-customers or people who evaluated the tool twice in 2022.
ICP validation: check whether your existing customers have tenants on the tools you're targeting before you scale outbound.
Account prioritization: stack confirmed signals across platforms. A company confirmed on Salesforce + Zendesk + PagerDuty is a different account than one you found in a G2 review.
Contact enrichment: feed the tenant list back into Deepline to find IT, RevOps, or CX contacts at each confirmed account.
Code
Both scripts are open source, no API keys required:
gtm-eng-skills/examples/office-hours/tenant-enum/
ct_harvest.py— subfinder + httpx bulk harvest, 17 platformsslug_probe.py— domain-to-slug probe from a company CSVREADME.md— full usage, fingerprint reference
Install: brew install subfinder httpx. No accounts, no tokens.
Footnotes
-
BuiltWith accuracy benchmarks from TechnologyChecker.io and PredictLeads. Common complaint: "stale data especially. Makes it an inefficient screener" — @case_rsrch on X, May 2026. ↩