Reference

The connector advertises 6 tools, 6 resources, and 8 prompts. All tools are read-only.

Tools (6)

list_labels and describe_label are cached server-side for five minutes, so the agent can call them as often as it needs to without paying a quota cost — see Schema introspection below for the recommended pattern.

domain_variants — typosquatting & brand protection

domain_variants(name, [label], [includeNonExistent]) runs 14 mutation algorithms (character omission, repetition, transposition, QWERTY-adjacent replacement/insertion, vowel-swap, bitsquatting, homoglyph / Unicode confusables, hyphenation, dot insertion/omission, TLD-swap, TLD-addition, subdomain-add) and by default returns only the lookalike domains that are actually registered in the graph. Each row: variant, method, exists, nodeId, label, confidence (0.3–0.9), confidenceLabel.

Arguments:

• name (required) — the domain to generate variants for. Unicode / IDN input is accepted.
• label (optional, default HOSTNAME) — the node label to check variants against.
• includeNonExistent (optional boolean, default false) — set true to also return generated variants that are not registered in the graph.

Note: exists means registered / observed, not malicious — pivot hits through explain_indicator for a threat verdict.

Resources (6)

Prompts (8)

When an agent isn't sure whether the canonical property is h.name or h.fqdn, or whether to anchor on HOSTNAME or DOMAIN, it should call list_labels and describe_label before writing the query. Both tools are cached for five minutes server-side and return in milliseconds — they're cheap to call and prevent the most common query bug (writing a defensive MATCH (h) WHERE h:HOSTNAME OR h:DOMAIN OR h:FQDN ... against a billion-node label, which the validator rejects).

A typical introspection-then-query transcript:

User:     What labels does the Whisper graph have?
Agent:    [calls list_labels]
          → [{name: "HOSTNAME", count: 2_631_997_144, indexed_properties: ["name"]},
             {name: "IPV4", count: 618_914_961, indexed_properties: ["name"]},
             ... 18 more]
Agent:    The graph has 20 labels. The biggest are HOSTNAME (2.6B), IPV4 (619M), and
          ANNOUNCED_PREFIX (1.4M). What do you want to look at?

User:     Show me the threat properties on a hostname.
Agent:    [calls describe_label("HOSTNAME")]
          → {name: "HOSTNAME", count: 2_631_997_144,
             properties: [{name: "name", type: "String", indexed: true},
                          {name: "threatScore", type: "Double"},
                          {name: "threatLevel", type: "String"},
                          {name: "isThreat", type: "Boolean"},
                          {name: "isC2", type: "Boolean"}, ...],
             out_edges: [{type: "RESOLVES_TO", to: "IPV4"},
                         {type: "CHILD_OF", to: "HOSTNAME"},
                         {type: "HAS_REGISTRAR", to: "REGISTRAR"}, ...],
             in_edges:  [{type: "NAMESERVER_FOR", from: "HOSTNAME"},
                         {type: "MAIL_FOR", from: "HOSTNAME"}, ...]}
Agent:    [calls query]
          MATCH (h:HOSTNAME {name: "evil.example"})
          RETURN h.threatScore, h.threatLevel, h.isThreat, h.isC2,
                 h.isPhishing, h.isMalware

Agents that introspect first write valid queries on the first try; agents that don't tend to fall back to defensive label-or'ed scans that the validator rejects.

The query tool returns a typed error envelope that clients and LLMs can branch on instead of parsing free-text messages.

errorCode is one of:

QUERY_TOO_EXPENSIVE is the size guard, distinct from DB_TIMEOUT's duration guard — a query can be cheap-per-row but still touch too many elements.

Beyond the wrapper tools, the query tool accepts these procedures directly inside Cypher:

whisper.variants() also works in expression position, not only as a top-level CALL — e.g. RETURN size(whisper.variants("paypal.com")) or MATCH (h:HOSTNAME {name: whisper.variants("paypal.com")[0].variant}) RETURN h. explain() and whisper.history() remain CALL-only.

The server validates every query before running it. A query that breaks one of these rules comes back as VALIDATION_REJECTED with a suggestion:

1. shortestPath must be bounded (no unbounded variable-length path inside it).
2. LIMIT must be ≤ 500.
3. No unlabeled MATCH — every MATCH pattern must carry a node label.
4. No same-variable label disjunction — WHERE n:A OR n:B on one variable is rejected (introspect with describe_label instead).
5. Indexed text operators (CONTAINS / STARTS WITH / ENDS WITH) are allowed only on the .name property.
6. No unanchored scans on large labels — anchor the MATCH on an indexed value.
7. Exploration queries must include a LIMIT.

The graph has DNS, BGP routing, IP allocation, GeoIP, WHOIS (237M emails, 65M phone numbers), email infrastructure (MX and full SPF chains), DNSSEC, 9.1 billion web hyperlinks, and ~40 threat intel feeds (39 live today; the exact count is available from the whisper://stats resource). All of it is connected. The AI walks the edges between them in a single conversation, so you don't have to piece it together yourself. Just ask in plain language.

Incident response

You got an IP or domain from an alert. Start here.

• "Investigate 185.220.101.42 -- who owns it, where is it, is it on any threat feeds, and what else is hosted there?"
• "This domain showed up in our logs: secure-login-update.com. Is it live? Who registered it? Does the registrant own other domains?"
• "We're seeing traffic to 104.16.132.229. Trace it: IP to prefix to ASN to org. Then check if any co-hosted domains are flagged."
• "Here are 20 IPs from our SIEM. Which ones are Tor exits, C2, or on blocklists?"

Threat hunting

Any threat feed can tell you an IP is bad. The graph lets you pivot -- follow a bad IP to its ASN, find the other prefixes, check what's hosted there, pull WHOIS on the domains, and see if the registrant has other infrastructure. One conversation.

• "Find every domain registered by the same WHOIS contact as secure-login-update.com. Do any share IPs or nameservers?"
• "Check AS60729 -- how many of its prefixes have threat-listed IPs? What's the threat density?"
• "Are there MOAS conflicts on this prefix? Which ASNs are announcing it?"
• "Find all IPs in 185.220.101.0/24 that appear on threat feeds. Group by category."
• "What domains resolve to IPs on the Dan Tor Exit feed? Cross-reference with their WHOIS registrants."

Brand protection and typosquatting

The domain_variants tool runs 14 mutation algorithms over a domain and returns the lookalikes that are actually registered — homoglyphs, bitsquats, TLD swaps, omissions, and more. Pivot the hits through threat intel and WHOIS to see which ones are live attacks.

• "Find registered typosquats of paypal.com."
• "Generate lookalike domains for our brand, then check which ones are on threat feeds or resolve to live IPs."
• "Which registered variants of microsoft.com share a registrant email or nameserver with each other?"
• "Run a typosquat sweep on stripe.com -- who registered the lookalikes and is any of their infrastructure flagged?"

Attack surface

Everything an attacker would look for: subdomains, IPs, mail servers, SPF authorization chains, nameservers, WHOIS.

• "Map tesla.com -- subdomains, IPs, ASNs, nameservers, mail servers, SPF includes, and WHOIS registrant."
• "What third-party services can send email as netflix.com? Walk the full SPF include chain."
• "Find every subdomain of example.com, resolve them, and group by ASN. How many hosting providers?"
• "Where does the CNAME chain for www.example.com end up? Who hosts the final target?"

WHOIS and registrant pivoting

This is where investigations get interesting. WHOIS gives you a registrant email or phone number. The graph has 237M emails and 65M phones, so you can follow that contact to every other domain they registered, then check if those domains share hosting.

• "Find the WHOIS registrant for secure-login-update.com, then every other domain they registered. Do any share infrastructure?"
• "What domains use this contact email? Show their IPs and ASNs, and flag any that are threat-listed."
• "Has google.com changed registrars? Show the history."
• "Find domains registered with the same phone number. Any overlap in hosting?"
• "Compare WHOIS for these five domains -- same registrant? Same email? Same registrar?"

BGP and routing

115K ASNs, 2.5M prefixes, full peering topology.

• "If AS16509 (Amazon) went down, how many prefixes and peers are affected? What domains go dark?"
• "Which ASNs peer with both Cloudflare and Google?"
• "Show the BGP routing history for 8.8.8.0/24. Has the announcing ASN changed?"
• "Find prefixes with MOAS conflicts announced by AS60729. Any of them hosting threat-listed IPs?"
• "What RIR allocated this prefix? Which org registered it?"

Comparing infrastructure

The thing that's hard to do anywhere else: checking whether two domains share anything. Same IPs, same ASN, same nameservers, same registrant email, same phone number. The graph checks all of it at once.

• "Do pandas-crossing.com and afterlifeevents.com share any infrastructure?"
• "These three phishing domains were reported separately. Any shared nameservers, IPs, ASNs, or WHOIS contacts?"
• "Compare the hosting and email setup of these two competing SaaS products."
• "Find domains that share both the same registrant email and the same IP range as this known-bad domain."

Email and SPF

The graph stores the full SPF record structure -- includes, ip4, a, mx, exists, redirect -- as separate edges. So you can walk the authorization chain rather than parsing TXT records by hand.

• "Who can send email as shopify.com? Walk the SPF chain."
• "What domains use the same SPF include targets as this phishing domain?"
• "Does this domain have MX records? SPF? Give me the full email setup."

GeoIP and data residency

619M IPv4 addresses mapped to cities and countries.

• "Where are all the IPs that example.com resolves to? List by country."
• "Does this company host anything in sanctioned countries? Check all their domain IPs."
• "Find all IPs in this ASN that geolocate to Russia."

Web links

9.1 billion hyperlinks from Common Crawl.

• "What external domains does google.com link to? Where are those hosted?"
• "Who links to this suspicious domain? Are any of the linking sites threat-listed?"
• "Do these two domains link to each other?"

DNSSEC

• "Is cloudflare.com signed with DNSSEC? What algorithm?"
• "What percentage of domains under this nameserver use DNSSEC?"

History

WHOIS and BGP changes over time.

• "Show the WHOIS history for google.com -- registrar changes, nameserver updates, ownership."
• "BGP routing history for 8.8.8.8 -- has the announcing ASN or prefix changed?"
• "When was this domain registered? Has it changed hands?"

The connector ships eight slash-style prompts. Four of them are recent additions worth a try:

threat-triage

Comprehensive indicator triage in one pass — feed listings, composite score, level, recency, historical sightings.

/threat-triage 185.220.101.1

This indicator is a TOR exit node listed in four feeds (Dan Tor Exit, Tor Exit Nodes, FireHOL Level 2, Spamhaus DROP). The prompt returns the full feed list, score breakdown, first/last seen across all feeds, and the upstream ASN's reputation.

whois-pivot

Pivots from a single domain through every shared WHOIS contact (registrar, email, phone, organisation) to find related infrastructure.

/whois-pivot cloudflare.com

Returns: every other domain registered with the same email, phone, or organisation; whether any of those domains share IPs or nameservers; flags on threat-listed neighbours.

bgp-investigation

Full ASN profile — peers, prefixes, MOAS conflicts, registered organisation, country, threat density inside the network.

/bgp-investigation AS13335

For Cloudflare's ASN, the prompt returns peer count, prefix inventory (sample), MOAS detections, country of registration, and how many of the routed IPs appear in threat feeds.

typosquat-sweep

Brand-protection sweep — finds registered lookalikes of a domain with domain_variants, enriches each with threat-feed listings, runs explain_indicator on the suspicious ones, and pivots through WHOIS to identify who registered them.

/typosquat-sweep paypal.com

Returns: every registered variant of the domain (with the mutation method and a confidence score), which of those variants are on threat feeds or resolve to live infrastructure, and the WHOIS registrant behind the suspicious ones.