Why are Certificate Transparency logs useful in recon?

Problem Statement

C T logs are public and show certificates issued for a domain. Hostnames on those certs often include new apps and subdomains.

SolutionRead Only

curl 'https://crt.sh/?q=%25.example.com&output=json' | jq '.[].name_value'

This question appears in the following practice sets: