Why is crt.sh so slow?

crt.sh runs a single PostgreSQL instance against the entire CT log corpus. Heavy queries (wildcards, large result sets) routinely time out. There is no CDN, no read replica, and an undocumented ~5 request per minute rate limit per source IP.

Does crt.sh have an official API?

No. The only programmatic access is appending &output=json to the search URL, which is undocumented, unsupported, and rate limited. Every popular crt.sh API client on GitHub is an unofficial wrapper.

Is there a free crt.sh alternative?

CT Radar offers a free tier with 100 searches per day. MerkleMap removed its free tier in 2025 and now charges €49/month. Censys offers 100 credits per month. Cert Spotter's hosted API starts at $15/month.

Best crt.sh alternatives in 2026

crt.sh is the de-facto standard for searching Certificate Transparency logs, and it is also famously slow, frequently down, and offers no official API. Below is a side-by-side comparison of six tools you can use instead.

Why people look for a crt.sh alternative

Timeouts. Wildcard queries (%.example.com) and high-fan-out domains routinely exceed crt.sh's query budget.
Rate limit. Roughly 5 requests/minute per source IP, undocumented but enforced.
No official API. Every crt.sh client on GitHub scrapes the website.
No SLA. Outages happen. crt.sh down means recon pipelines stop.
No CLI / pipe friendliness. Output is HTML by default; you have to fetch ?output=json and parse manually.

Six alternatives compared

CT Radarthis site

cert.imfht.com ↗

Free tier:: 100 searches/day, full API access
Paid:: Pro $29/mo, Enterprise custom
API:: REST + CLI (JSON / NDJSON)
Speed:: Sub-second LSM-tree backend
Recon-tool fit:: First-class — pipes into httpx, nuclei, subfinder

Indexes 19 active CT logs. Built specifically as a fast crt.sh replacement.

crt.sh

crt.sh ↗

Free tier:: Unlimited UI, ~5 req/min programmatic
Paid:: —
API:: Undocumented JSON output
Speed:: Often 10-60s, frequent timeouts
Recon-tool fit:: Manual — no native pipe support

Industry default by name recognition. Maintained by Sectigo. No CDN, no SLA.

MerkleMap

merklemap.com ↗

Free tier:: None (removed in 2025)
Paid:: €49/mo (100K req)
API:: REST
Speed:: Fast
Recon-tool fit:: subfinder integration broke after paywall

Used to be free. Strong recon mindshare lost when paid-only.

Censys Search

search.censys.io ↗

Free tier:: 100 credits/mo, 100-result cap
Paid:: Starter $99/mo, Enterprise quote
API:: REST
Speed:: Fast
Recon-tool fit:: censys-subdomain-finder (community)

Pivoted to enterprise ASM. CT search is secondary.

Cert Spotter

sslmate.com/certspotter ↗

Free tier:: Open source agent only
Paid:: Hobbyist $15/mo, Pro+
API:: REST (paid)
Speed:: Fast
Recon-tool fit:: Built for monitoring, not ad-hoc search

Different ICP — ops/compliance over recon.

Chaos (ProjectDiscovery)

chaos.projectdiscovery.io ↗

Free tier:: Free with API key
Paid:: Enterprise SSO/webhooks
API:: REST
Speed:: Fast
Recon-tool fit:: Native — feeds nuclei/subfinder

Only covers bug-bounty / VDP scoped targets — not general-purpose CT.

Which one should you actually use?

For ad-hoc passive recon — CT Radar is the closest drop-in replacement for crt.sh: free, fast, REST API included, and pipes into httpx / nuclei / subfinder without custom glue. For continuous compliance monitoring, Cert Spotter is purpose-built. For enterprise attack-surface management with internet scan data alongside CT, Censys is the heavyweight. For bug-bounty program targets specifically, Chaos is the right answer because it is scope-aware.

crt.sh itself is still useful as a reference oracle when you need to be sure something is authoritatively logged — Sectigo runs it as a public service, and being slow does not make it wrong. Just don't put it in a pipeline.

Try CT Radar now

Search 1.5 billion certificates in under a second. No signup needed for the search bar.

Search certificates →