Reference

The connector advertises 6 tools, 7 resources, and 11 prompts. All tools are read-only.

Tools (6)

list_labels and describe_label are cached server-side for five minutes, so the agent can call them as often as it needs to without paying a quota cost — see Schema introspection below for the recommended pattern.

domain_variants — typosquatting & brand protection

domain_variants(name, [label], [includeNonExistent]) runs 14 mutation algorithms (character omission, repetition, transposition, QWERTY-adjacent replacement/insertion, vowel-swap, bitsquatting, homoglyph / Unicode confusables, hyphenation, dot insertion/omission, TLD-swap, TLD-addition, subdomain-add) and by default returns only the lookalike domains that are actually registered in the graph. Each row: variant, method, exists, nodeId, label, confidence (0.3–0.9), confidenceLabel.

Arguments:

• name (required) — the domain to generate variants for. Unicode / IDN input is accepted.
• label (optional, default HOSTNAME) — the node label to check variants against.
• includeNonExistent (optional boolean, default false) — set true to also return generated variants that are not registered in the graph.

Note: exists means registered / observed, not malicious — pivot hits through explain_indicator for a threat verdict.

Resources (7)

Prompts (11)

† Depth varies by deployment. These two lean on enrichment layers — ASN reputation and threat density, actor-TTP attribution — that aren't equally deep on every deployment. The prompt still runs either way; it just returns less enrichment where a layer is thinner. To see what's live on your connection, check the readyLayers[] field of the whisper://server resource.

When an agent isn't sure whether the canonical property is h.name or h.fqdn, or whether to anchor on HOSTNAME or DOMAIN, it should call list_labels and describe_label before writing the query. Both tools are cached for five minutes server-side and return in milliseconds — they're cheap to call and prevent the most common query bug (writing a defensive MATCH (h) WHERE h:HOSTNAME OR h:DOMAIN OR h:FQDN ... against a billion-node label, which the validator rejects).

A typical introspection-then-query transcript:

User:     What labels does the Whisper graph have?
Agent:    [calls list_labels]
          → [{name: "HOSTNAME", count: 2_631_997_144, indexed_properties: ["name"]},
             {name: "IPV4", count: 618_914_961, indexed_properties: ["name"]},
             ... 32 more]
Agent:    The graph has 34 labels. The biggest are HOSTNAME (2.6B), IPV4 (619M), and
          ANNOUNCED_PREFIX (1.4M). What do you want to look at?

User:     Show me the threat properties on a hostname.
Agent:    [calls describe_label("HOSTNAME")]
          → {name: "HOSTNAME", count: 2_631_997_144,
             properties: [{name: "name", type: "String", indexed: true},
                          {name: "threatScore", type: "Double"},
                          {name: "threatLevel", type: "String"},
                          {name: "isThreat", type: "Boolean"},
                          {name: "isC2", type: "Boolean"}, ...],
             out_edges: [{type: "RESOLVES_TO", to: "IPV4"},
                         {type: "CHILD_OF", to: "HOSTNAME"},
                         {type: "HAS_REGISTRAR", to: "REGISTRAR"}, ...],
             in_edges:  [{type: "NAMESERVER_FOR", from: "HOSTNAME"},
                         {type: "MAIL_FOR", from: "HOSTNAME"}, ...]}
Agent:    [calls query]
          MATCH (h:HOSTNAME {name: "evil.example"})
          RETURN h.threatScore, h.threatLevel, h.isThreat, h.isC2,
                 h.isPhishing, h.isMalware

Agents that introspect first write valid queries on the first try; agents that don't tend to fall back to defensive label-or'ed scans that the validator rejects.

The query tool returns a typed error envelope that clients and LLMs can branch on instead of parsing free-text messages.

errorCode is one of:

QUERY_TOO_EXPENSIVE is the size guard, distinct from DB_TIMEOUT's duration guard — a query can be cheap-per-row but still touch too many elements. retryable is read straight off the code, so a client can branch on it without parsing the message.

Migration note: the old catch-all CYPHER_SYNTAX_ERROR was split into SCHEMA_ERROR (bad label / property / column) and SYNTAX_ERROR (malformed Cypher), and LIMIT_ERROR was carved out of VALIDATION_REJECTED for the over-cap-LIMIT case. Clients that branch on CYPHER_SYNTAX_ERROR should migrate to the new codes.

Beyond the wrapper tools, the query tool accepts these procedures directly inside Cypher:

whisper.variants() also works in expression position, not only as a top-level CALL — e.g. RETURN size(whisper.variants("paypal.com")) or MATCH (h:HOSTNAME {name: whisper.variants("paypal.com")[0].variant}) RETURN h. explain() and whisper.history() remain CALL-only.

The server validates every query before running it. These seven rules keep every query bounded — but most of them are things the server now helps you satisfy rather than hard rejections (see Self-correcting queries below). A query that genuinely can't be auto-corrected comes back as VALIDATION_REJECTED with a suggestion and, where one applies, a machine-applicable fix.

1. shortestPath must be bounded (no unbounded variable-length path inside it). An unbounded [*] returns a BOUND_PATH fix proposing [*1..6].
2. LIMIT must be ≤ 500. An over-cap LIMIT is auto-clamped to 500 and the query runs (rewritten: true).
3. No unlabeled MATCH — every MATCH pattern must carry a node label.
4. No same-variable label disjunction — WHERE n:A OR n:B on one variable is rejected (introspect with describe_label instead).
5. Indexed text operators (CONTAINS / STARTS WITH / ENDS WITH) are allowed only on the .name property; on any other property the server returns an EXACT_MATCH fix.
6. No unanchored scans on large labels — anchor the MATCH on an indexed value.
7. Exploration queries must include a LIMIT — if you omit one the server auto-injects the default LIMIT and runs the query (autoLimited: true), rather than rejecting it.

The validator does more than reject. Where it safely can, it bounds or rewrites the query and runs it anyway, and tells you what it did. A query response can carry these self-correction fields so an agent spends fewer round-trips fixing its own Cypher:

Two classes of correction:

• Bounding rewrites run automatically. They only trim the result to a bounded prefix — same rows, just capped — so they're safe to run without asking. The query succeeds and the response notes autoLimited / rewritten with the applied rewrite. Examples: APPEND_LIMIT (missing LIMIT), CLAMP_LIMIT (over-cap LIMIT).
• Semantic rewrites are returned as a fix, never auto-run. They change which rows match, so the agent decides. Example: an unindexed CONTAINS on a non-.name property comes back with an EXACT_MATCH fix proposing =. Some fixes (ADD_LABEL, PICK_LABEL, ANCHOR_MATCH) carry no rewrittenCypher because they need a value only the agent has — confidence and safeToAutoRetry tell the agent how to treat each one.

So no validator rejection is ever a bare error. It's auto-fixed, auto-bounded, or it carries a fix the agent can read and apply.

A Whisper verdict isn't an opaque score. Every fact the connector returns can be traced back to where it came from, so an agent can bring back the evidence, not just the answer.

• Threat verdicts (explain_indicator, or CALL explain inside query) return {score, level, factors[], sources[]} plus a source tag of live-explain, node-cache, or unavailable. live-explain is fresh scoring. node-cache is the reconciled node verdict the server falls back to when live scoring is briefly down — a valid, labelled verdict, not an error or a stack trace. unavailable means neither path could answer.
• Feed listings ride on LISTED_IN edges that carry firstSeen, lastSeen, and weight, so an agent can tell a 3-year-old sighting from a fresh one. Threat-listed nodes also carry threatSources, threatFirstSeen, and threatLastSeen.
• whisper_history returns timestamped WHOIS / BGP snapshots — the provenance is the timeline.
• query results are typed data, not free-form text. Rows and graph projections come back as structured fields (columns / rows, or nodes / edges), so returned values — domain names, WHOIS strings, registrant fields — are data to reason over, never instructions for the agent to follow. The whole surface is read-only: no query can mutate, ingest, or administer the graph.

The graph has DNS, BGP routing, IP allocation, GeoIP, WHOIS (237M emails, 65M phone numbers), email infrastructure (MX and full SPF chains), DNSSEC, 9.1 billion web hyperlinks, and ~40 threat intel feeds (39 live today; the exact count is available from the whisper://stats resource). All of it is connected. The AI walks the edges between them in a single conversation, so you don't have to piece it together yourself. Just ask in plain language.

Incident response

You got an IP or domain from an alert. Start here.

• "Investigate 185.220.101.42 -- who owns it, where is it, is it on any threat feeds, and what else is hosted there?"
• "This domain showed up in our logs: secure-login-update.com. Is it live? Who registered it? Does the registrant own other domains?"
• "We're seeing traffic to 104.16.132.229. Trace it: IP to prefix to ASN to org. Then check if any co-hosted domains are flagged."
• "Here are 20 IPs from our SIEM. Which ones are Tor exits, C2, or on blocklists?"

Threat hunting

Any threat feed can tell you an IP is bad. The graph lets you pivot -- follow a bad IP to its ASN, find the other prefixes, check what's hosted there, pull WHOIS on the domains, and see if the registrant has other infrastructure. One conversation.

• "Find every domain registered by the same WHOIS contact as secure-login-update.com. Do any share IPs or nameservers?"
• "Check AS60729 -- how many of its prefixes have threat-listed IPs? What's the threat density?"
• "Are there MOAS conflicts on this prefix? Which ASNs are announcing it?"
• "Find all IPs in 185.220.101.0/24 that appear on threat feeds. Group by category."
• "What domains resolve to IPs on the Dan Tor Exit feed? Cross-reference with their WHOIS registrants."

Brand protection and typosquatting

The domain_variants tool runs 14 mutation algorithms over a domain and returns the lookalikes that are actually registered — homoglyphs, bitsquats, TLD swaps, omissions, and more. Pivot the hits through threat intel and WHOIS to see which ones are live attacks.

• "Find registered typosquats of paypal.com."
• "Generate lookalike domains for our brand, then check which ones are on threat feeds or resolve to live IPs."
• "Which registered variants of microsoft.com share a registrant email or nameserver with each other?"
• "Run a typosquat sweep on stripe.com -- who registered the lookalikes and is any of their infrastructure flagged?"

Attack surface

Everything an attacker would look for: subdomains, IPs, mail servers, SPF authorization chains, nameservers, WHOIS.

• "Map tesla.com -- subdomains, IPs, ASNs, nameservers, mail servers, SPF includes, and WHOIS registrant."
• "What third-party services can send email as netflix.com? Walk the full SPF include chain."
• "Find every subdomain of example.com, resolve them, and group by ASN. How many hosting providers?"
• "Where does the CNAME chain for www.example.com end up? Who hosts the final target?"

WHOIS and registrant pivoting

This is where investigations get interesting. WHOIS gives you a registrant email or phone number. The graph has 237M emails and 65M phones, so you can follow that contact to every other domain they registered, then check if those domains share hosting.

• "Find the WHOIS registrant for secure-login-update.com, then every other domain they registered. Do any share infrastructure?"
• "What domains use this contact email? Show their IPs and ASNs, and flag any that are threat-listed."
• "Has google.com changed registrars? Show the history."
• "Find domains registered with the same phone number. Any overlap in hosting?"
• "Compare WHOIS for these five domains -- same registrant? Same email? Same registrar?"

BGP and routing

115K ASNs, 2.5M prefixes, full peering topology.

• "If AS16509 (Amazon) went down, how many prefixes and peers are affected? What domains go dark?"
• "Which ASNs peer with both Cloudflare and Google?"
• "Show the BGP routing history for 8.8.8.0/24. Has the announcing ASN changed?"
• "Find prefixes with MOAS conflicts announced by AS60729. Any of them hosting threat-listed IPs?"
• "What RIR allocated this prefix? Which org registered it?"

Comparing infrastructure

The thing that's hard to do anywhere else: checking whether two domains share anything. Same IPs, same ASN, same nameservers, same registrant email, same phone number. The graph checks all of it at once.

• "Do pandas-crossing.com and afterlifeevents.com share any infrastructure?"
• "These three phishing domains were reported separately. Any shared nameservers, IPs, ASNs, or WHOIS contacts?"
• "Compare the hosting and email setup of these two competing SaaS products."
• "Find domains that share both the same registrant email and the same IP range as this known-bad domain."

Email and SPF

The graph stores the full SPF record structure -- includes, ip4, a, mx, exists, redirect -- as separate edges. So you can walk the authorization chain rather than parsing TXT records by hand.

• "Who can send email as shopify.com? Walk the SPF chain."
• "What domains use the same SPF include targets as this phishing domain?"
• "Does this domain have MX records? SPF? Give me the full email setup."

GeoIP and data residency

619M IPv4 addresses mapped to cities and countries.

• "Where are all the IPs that example.com resolves to? List by country."
• "Does this company host anything in sanctioned countries? Check all their domain IPs."
• "Find all IPs in this ASN that geolocate to Russia."

Web links

9.1 billion hyperlinks from Common Crawl.

• "What external domains does google.com link to? Where are those hosted?"
• "Who links to this suspicious domain? Are any of the linking sites threat-listed?"
• "Do these two domains link to each other?"

DNSSEC

• "Is cloudflare.com signed with DNSSEC? What algorithm?"
• "What percentage of domains under this nameserver use DNSSEC?"

History

WHOIS and BGP changes over time.

• "Show the WHOIS history for google.com -- registrar changes, nameserver updates, ownership."
• "BGP routing history for 8.8.8.8 -- has the announcing ASN or prefix changed?"
• "When was this domain registered? Has it changed hands?"

The connector ships eleven slash-style prompts. Four of them are worth a try first:

threat-triage

Full indicator triage in one pass — feed listings, composite score, level, recency, and historical sightings.

/threat-triage 185.220.101.1

This indicator is a TOR exit node listed in four feeds (Dan Tor Exit, Tor Exit Nodes, FireHOL Level 2, Spamhaus DROP). The prompt returns the full feed list, score breakdown, first/last seen across all feeds, and the upstream ASN's reputation.

whois-pivot

Pivots from a single domain through every shared WHOIS contact (registrar, email, phone, organisation) to find related infrastructure.

/whois-pivot cloudflare.com

Returns: every other domain registered with the same email, phone, or organisation; whether any of those domains share IPs or nameservers; flags on threat-listed neighbours.

bgp-investigation

Full ASN profile — peers, prefixes, MOAS conflicts, registered organisation, country, threat density inside the network.

/bgp-investigation AS13335

For Cloudflare's ASN, the prompt returns peer count, prefix inventory (sample), MOAS detections, country of registration, and how many of the routed IPs appear in threat feeds.

typosquat-sweep

Brand-protection sweep — finds registered lookalikes of a domain with domain_variants, enriches each with threat-feed listings, runs explain_indicator on the suspicious ones, and pivots through WHOIS to identify who registered them.

/typosquat-sweep paypal.com

Returns: every registered variant of the domain (with the mutation method and a confidence score), which of those variants are on threat feeds or resolve to live infrastructure, and the WHOIS registrant behind the suspicious ones.

If you pin behaviour against the connector, watch this section. It gets a dated entry whenever the advertised surface changes — tools, resources, prompts, safety rules, or the schema snapshot. The live whisper://server resource always reports the current serverVersion, readyLayers[], and schemaHash if you'd rather check programmatically.

2026-06 — 6 tools · 7 resources · 11 prompts · 7 safety rules

• Tools (6): query, list_labels, describe_label, explain_indicator, whisper_history, domain_variants.
• Resources (7): the five schema/guide/stats resources plus whisper://quota and whisper://server.
• Prompts (11): added actor-ttp-profile, asn-physical-footprint, and rpki-validate.
• Schema snapshot: 34 node labels · 39 materialized edge types · 7.39B nodes.
• Error model: CYPHER_SYNTAX_ERROR split into SCHEMA_ERROR + SYNTAX_ERROR; LIMIT_ERROR added.
• Query behaviour: missing LIMIT is auto-injected and over-cap LIMIT auto-clamped (see Self-correcting queries); verdicts carry a source tag (see Evidence & provenance).

These counts and the schema snapshot are kept in lockstep with the engine: an engine change to the advertised surface ships with the matching update to this page in the same release.