AI & Agents
Ground AI agents in the live WhisperGraph over MCP: 6 read-only tools, a shared workflow gallery, and evidence behind every answer.
AI & Agents Documentation
An AI assistant that answers infrastructure questions from its training data is working from a snapshot that ages by the day. DNS records move and threat feeds add and drop indicators constantly. Whisper's MCP server at https://mcp.whisper.security connects any MCP-capable client to the live WhisperGraph, a graph of ~7.4 billion nodes and ~39 billion edges, so the agent runs the lookup instead of recalling one.
Grounding also fixes a quieter failure mode: the empty enrichment result. A flat lookup API returns the same nothing for a host no feed has ever seen and for a host that is positively known clean, and a language model fills that gap by guessing. Verdicts from the graph carry a coverage block, so an agent can tell "not listed at this granularity" apart from "safe". Every query and run_workflow result also ships an evidence block with the exact Cypher that ran, row counts, and timing, so the agent can cite the query behind each claim. AI Agent Grounding shows what this looks like in practice.
An MCP client calls a tool; the server validates it, runs read-only Cypher against WhisperGraph, and returns rows with an evidence trail
What the server offers
The server speaks MCP over streamable HTTP, and the whole surface is read-only: 6 tools, 4 resources, and 18 prompts. Write and admin Cypher is rejected before it reaches the database.
| Tool | What it does |
|---|---|
query | Run read-only Cypher; returns columns, rows, statistics, and the evidence block. The primary tool. |
explain_indicator | Threat verdict for an IP, hostname, CIDR, or ASN: score, level, factors, sources, and coverage. |
explain_schema | The schema on demand: the full label catalog, or one label's properties, edges, and a sample traversal. |
read_docs | List, search, or fetch these docs as Markdown, pulled on demand instead of held in always-on context. |
list_workflows | Search the workflow gallery; each result carries its full parameter space, so an agent can run any variant. |
run_workflow | Run one or more gallery workflows by slug in a single call, with per-step results and an evidence trail. |
The four resources cover the full schema (whisper://schema/full), live graph statistics (whisper://stats), your plan's depth cap and current usage (whisper://quota), and the server descriptor (whisper://server). The 18 prompts are generated from the workflow gallery: each wraps one run_workflow call for a flagship investigation, from indicator triage to typosquat hunting.
Connect
MCP access is available on every plan, including the free tier. Authentication is always required: sign up and a free API key is created automatically, then add the server to your client. In Claude Code:
claude mcp add --transport http whisper-graph https://mcp.whisper.security \
--header "Authorization: Bearer YOUR_API_KEY"
Interactive clients such as Claude Desktop can skip the key and sign in through OAuth 2.1 instead. A free key runs traversals up to 3 hops; your live limits are readable from whisper://quota. Setup has working configs for Claude, Claude Code, Cursor, VS Code, ChatGPT, and generic MCP clients.
Go deeper
- Setup: connect your client and run a first investigation.
- Reference: every tool, resource, and prompt, the evidence model, and the error envelope.
- Workflow Gallery: the shared investigation library behind
list_workflowsandrun_workflow. - Agent Skills: pre-built investigation skills that run on top of the connector.
- Agent Sign-up: how an agent obtains its own API key programmatically.
- AI Agent Grounding: the no-data versus known-clean problem, with a runnable workflow.
Agents that speak plain HTTP can skip MCP and call the Cypher API directly with an X-API-Key header.