With a TLS certificate that has a wildcard SAN, what action is most likely for the tester?

Multiple Choice

With a TLS certificate that has a wildcard SAN, what action is most likely for the tester?

Explanation:
Wildcard TLS certificates extend trust to many subdomains, but they don’t guarantee security for every host in the tree. The tester’s best move is to map the actual surface area by discovering subdomains that aren’t covered by the wildcard and then examine those for potential vulnerabilities. This leverages what the wildcard SAN implies about scope: it reduces effort by covering a broad set of subdomains, but gaps remain (such as deeper sub-subdomains or misconfigured hosts) that can hide risky services or outdated software. By enumerating these non-covered subdomains and assessing their security posture, you can reveal hidden exposure that the wildcard certificate doesn’t automatically secure.

Ignoring the SAN and focusing on the private key misses the practical testing angle tied to how the certificate covers hostnames. Enumerating IP addresses isn’t directly tied to the hostname-based trust of TLS certificates, and certificate transparency logs, while useful for spotting misissued certificates, don’t address the immediate surface area created by a wildcard.
