The internet, queryable like a database

See the infrastructure relationships your tools miss

Every layer of the internet — DNS and routing to WHOIS, physical infrastructure, and threat intelligence — pre-joined into one live graph.Trace hidden relationships and replay point-in-time BGP & WHOIS history — every verdict sourced.

Get a free API keyRead the docs
Live · graph.whisper.security
indicator investigation
RESOLVES_TO
SUBDOMAIN OF
SUBDOMAINS
REGISTERED_BY
LISTED_IN
IN
OPERATES_EXIT_NODE
BELONGS_TO
ANNOUNCED_BY
PEERS_WITH
AUTHORIZES
LOCATED_IN
HAS_COUNTRY
INDICATOR · IPV4
185.220.101.1
CO-HOSTED
berlin01.tor-ex…
DOMAIN
artikel10.org
SUBDOMAINS
19 hosts
WHOIS
Privacy-protected
THREAT FEEDS
Dan Tor Exit
IPsum
Tor Exit Nodes
+1 more
CATEGORIES
TOR Network
General Blacklists
TOR
4 exit relays
⚠ TOXIC /24
68/85 flagged
185.220.101.0/24
ASN
AS60729
BGP PEERS
AS3320 · AS5405
+3 more
RPKI
✓ 7 ROAs
GEOIP
Brandenburg, DE
COUNTRY
DE
HIGHscore 7.4 · 4 feeds

68/85 IPs in this /24 are flagged — addressing × threat, one query

Run your own →
Context over isolation

Why infrastructure context changes the outcome

The question is not whether a domain is suspicious. It’s whether you understand everything connected to it.

Without infrastructure context
??suspicious domainisolatedindicator?
Uncertain decision
High risk of false positive
With Whisper
suspicious domainsharedownershiprelatedassetshistoricalactivitylinkedinfrastructure
Confident decisionThreat cluster blocked
Block the cluster, not one domain

See it on a live threat investigation

Indicator to infrastructure

How Whisper reveals hidden infrastructure relationships

Watch a single indicator expand into a complete threat infrastructure map — in milliseconds.

01

Query

Start with one indicator — a domain, IP, hostname, or TLS fingerprint.

explain evil.com
02

Graph expansion

One traversal fans out across DNS, hosting, and routing — billions of nodes, sub-millisecond.

+18 hostnames+12 IPs+4 ASNs
03

Relationship discovery

Shared registrants, co-hosting, and reused TLS fingerprints surface the hidden links.

Shared TLS fingerprintSame WHOIS registrant
04

Risk insight

An explained verdict, scored against 43 threat feeds — the whole cluster, not one domain.

CriticalKnown threat cluster

Run the Indicator Investigation live

Use cases by domain

Starting points, not a fixed menu — it’s one queryable graph, so you can ask anything of it. Find the domain that matches your work.

Threat investigation

21 examples

Indicator Investigation · Blast Radius

Threat actor & TTP

5 examples

Map a named actor to its ATT&CK techniques · Actor → shared TTPs → other actors

Attack surface & recon

8 examples

Attack-Surface Mapper · Find Subdomains

Brand protection

6 examples

Typosquat Scanner · Build the takedown evidence package

Network & routing

13 examples

Route-Health Checker · Enrich an ASN — routing, RPKI & physical footprint

DNS & email security

7 examples

Grade DNS & email posture · Audit mail-server & MX hygiene

Infrastructure & supply chain

18 examples

Map an org’s infrastructure concentration risk · Digital Infrastructure Mapping

AI agent grounding

3 examples

Map a named actor to its ATT&CK techniques · Ground your AI agent before it acts

Research & OSINT

7 examples

Time Machine · Find Subdomains

Browse by roleSOC, DFIR & IRThreat intelligenceAI agents & MCPBrand protectionNetwork & BGPAttack surface & reconInfrastructure, supply-chain & complianceResearch & OSINT

Browse all use casesWrite your own queryExplore in Graph
Developer & AI first

Access Whisper through MCP and API

Whisper is built to be queried by machines. Point your AI agents straight at the infrastructure graph over the Model Context Protocol (MCP) and let them run the messy, multi-step relationship investigations for you.

Set up MCP API docs
See how AI agents sign up and use Whisper directly
agent ▸ whisper-mcp
# Agent asks
"Is 185.220.101.1 safe to route to?"
# Agent calls the WhisperGraph MCP
explain_indicator("185.220.101.1")
# Response
{
"type": "ip", "level": "HIGH", "score": 7.35,
"explanation": "Listed in 4 threat feeds",
"sources": [
"dan-tor-exit", "stamparm-ipsum",
"tor-exit-nodes", "stopforumspam-listed-ip-7d"
],
"coverage": { "granularity": "ipv4" }
}
LLM agent
tool call
Model Context Protocol (MCP)
Cypher query
Whisper Graph API
graph traversal
Infrastructure intelligence7.4B nodes
Speaks MCP with
ClaudeCursorVS CodeWindsurfOpenAI
Platform integrations

Enhance existing security platforms

Pipe infrastructure context straight into Splunk, Microsoft Sentinel, and the SOAR workflows your team already lives in — no rip-and-replace, no new console to learn.

Splunk·Search
| eval dest_ip=case(n=1,"1.1.1.1", n=2,"185.220.101.1", …)
| whisperlookup field=dest_ip type=ip
| table dest_ip whisper_asn_name whisper_country whisper_threat_level whisper_is_tor whisper_is_c2
dest_ipwhisper_asn_namewhisper_countrywhisper_threat_levelwhisper_is_torwhisper_is_c2
1.1.1.1CLOUDFLARENETUSINFO00
185.220.101.1TELNA-UKDEINFOtor0
8.8.8.8GOOGLEUSINFO00
104.16.132.229CLOUDFLARENETUSINFO00
93.184.216.34SYSAID-ASNCHNONE00

Raw dest_ip in → ASN ownership, geo, threat level, and Tor/C2 flags out — inline, no leaving Splunk. The Tor exit lights up on its own.

SplunkShippedSplunkbase
Microsoft SentinelShipping soon
OpenCTIShipping soon
WazuhPlanned
See all integrations Available cloud-hosted or on-prem.
How it works

How Whisper works

The graph engine behind every answer — built to take in billions of internet-scale events and resolve the hard, cross-layer queries in milliseconds.

01

Continuous collection

We watch the internet’s plumbing around the clock — global DNS, BGP routing, passive SSL, and active scans — so what you query reflects what’s true right now, not last quarter.

How we stay live
02

Entity resolution

Overlapping, contradictory feeds get reconciled into one clean record per thing — every domain, IP, certificate, and ASN, deduplicated and typed so the graph stays trustworthy.

Explore the technology
03

Relationship mapping

Then we draw the edges: who hosts whom, who shares a certificate, who routes which prefix. The result is one living map of the internet that re-stitches itself as the wiring changes.

The query language
04

Sub-millisecond query engine

Ask it anything from the console, the REST API, or an MCP agent and the answer returns in under a millisecond — relationship traversal and risk scoring at graph speed.

On performance
Built for AI agents, natively
Trusted at scale

Why security teams trust Whisper

The scale, speed, and freshness that incident responders and autonomous AI agents actually rely on — all on one pre-joined graph.

7.4B
Graph nodes
Domains, IPs, certs, ASNs
39B
Relationships
Continuously updated edges
<1ms
Query performance
On complex graph traversals
24/7
Continuous collection
Global telemetry ingestion

Built for where the market is going

  • FCC submarine-cable security rules (2026)
  • EU €347M Cable Security Toolbox
  • NIS2 Art. 21 supply-chain risk
  • DORA Art. 28–30 concentration risk
  • RPKI now covers 60%+ of IPv4 prefixes
  • OWASP Top 10 for Agentic Apps (2025)

Start seeing infrastructure

Connect Whisper once, and every tool in your stack gets sharper.

Explore the graphConnect your AI agentTalk to us