Cypher Cheat Sheet
One-page Cypher cheat sheet: schema, common patterns, and performance tips. Print-friendly.
Updated May 2026cypher Integration
Cypher Cheat Sheet Documentation
Endpoint
POST https://graph.whisper.security/api/query
Content-Type: application/json
X-API-Key: <your-key>
{"query": "CYPHER QUERY HERE"}
Node Labels
| Label | What It Represents |
|---|---|
HOSTNAME | Any DNS name: domains, subdomains, mail servers |
IPV4 | IPv4 addresses |
IPV6 | IPv6 addresses |
ASN | Autonomous System (format: AS15169) |
ASN_NAME | Human-readable ASN name |
PREFIX | Physical BGP prefix |
REGISTERED_PREFIX | RIR-allocated block (virtual) |
ANNOUNCED_PREFIX | BGP-announced prefix at query time (virtual) |
TLD | Top-level domain label |
REGISTRAR | Domain registrar (format: iana:292) |
EMAIL | WHOIS contact email address |
PHONE | WHOIS contact phone (E.164 format) |
ORGANIZATION | WHOIS registrant or RIR org |
CITY | GeoIP city (format: "City, CC") |
COUNTRY | ISO 3166-1 alpha-2 country code |
RIR | Regional Internet Registry |
FEED_SOURCE | Threat intelligence feed (40 feeds) |
CATEGORY | Threat category (18 categories) |
DNSSEC_ALGORITHM | DNSSEC signing algorithm |
Edge Types
| Edge | Traversal Pattern | Notes |
|---|---|---|
RESOLVES_TO | HOSTNAME → IPV4/IPV6 | DNS A/AAAA |
ANNOUNCED_BY | IPV4 → ANNOUNCED_PREFIX | BGP routing (virtual) |
ROUTES | ANNOUNCED_PREFIX → ASN | Virtual BGP chain |
BELONGS_TO | IPV4 → REGISTERED_PREFIX | RIR allocation |
HAS_NAME | ASN → ASN_NAME | Network display name |
PEERS_WITH | ASN → ASN | BGP peering |
CHILD_OF | HOSTNAME → HOSTNAME/TLD | Domain hierarchy |
NAMESERVER_FOR | HOSTNAME(NS) → HOSTNAME | DNS delegation |
MAIL_FOR | HOSTNAME(MX) → HOSTNAME | MX record |
ALIAS_OF | HOSTNAME → HOSTNAME | CNAME |
LINKS_TO | HOSTNAME → HOSTNAME | Web hyperlinks |
HAS_REGISTRAR | HOSTNAME → REGISTRAR | Current registrar |
PREV_REGISTRAR | HOSTNAME → REGISTRAR | Historical registrar |
HAS_EMAIL | HOSTNAME → EMAIL | WHOIS contact |
HAS_PHONE | HOSTNAME → PHONE | WHOIS contact |
REGISTERED_BY | HOSTNAME/PREFIX → ORGANIZATION | Registrant org |
HAS_COUNTRY | PREFIX/CITY → COUNTRY | Country code |
LOCATED_IN | IPV4 → CITY | GeoIP |
LISTED_IN | IPV4/HOSTNAME → FEED_SOURCE | Threat intel (virtual) |
SPF_INCLUDE | HOSTNAME → HOSTNAME | SPF include |
SPF_IP | HOSTNAME → IPV4/PREFIX | SPF ip: mechanism |
SPF_A | HOSTNAME → HOSTNAME | SPF a: mechanism |
SPF_MX | HOSTNAME → HOSTNAME | SPF mx: mechanism |
SPF_REDIRECT | HOSTNAME → HOSTNAME | SPF redirect: |
SPF_EXISTS | HOSTNAME → HOSTNAME | SPF exists: |
SIGNED_WITH | HOSTNAME → DNSSEC_ALGORITHM | DNSSEC signing |
Procedures
| Procedure | What It Does |
|---|---|
CALL explain("indicator") | Threat score and explanation (IP, domain, ASN, CIDR) |
CALL whisper.history("indicator") | Historical WHOIS and BGP snapshots |
CALL whisper.quota() | Current plan and usage |
CALL db.labels() | All node labels with counts |
CALL db.relationshipTypes() | All edge types with counts |
Performance Rules
| Do This | Not That |
|---|---|
MATCH (h:HOSTNAME {name: "example.com"}) | MATCH (h:HOSTNAME) WHERE h.name = "example.com" |
WHERE h.name STARTS WITH "mail." | WHERE h.name =~ "^mail\\..*" |
WHERE h.name ENDS WITH ".example.com" | WHERE h.name =~ ".*\\.example\\.com$" |
Always add LIMIT | Open-ended traversals on billion-node labels |
CALL db.relationshipTypes() for counts | MATCH ()-[r]->() RETURN count(r) |
OPTIONAL MATCH for WHOIS fields | Mandatory MATCH for sparse fields |
Query Complexity Guide
| Speed | Pattern |
|---|---|
| Instant | Anchored point lookups {name: "..."} |
| Fast (<1s) | STARTS WITH, ENDS WITH ".domain", CONTAINS |
| Medium (1-5s) | Multi-hop traversals, WHOIS with OPTIONAL MATCH |
| Slow | LINKS_TO traversals, full text scan across all HOSTNAME |
| Avoid | Unanchored label scans, regex =~ on HOSTNAME |