Cheat Sheet

One-page Cypher cheat sheet for WhisperGraph — schema, traversal chains, procedures, and the limits. Print-friendly.

Updated July 2026

Cheat Sheet Documentation

WhisperGraph is the internet as a queryable database — DNS, BGP/RPKI, WHOIS/RDAP, GeoIP, the web link graph, email posture, threat intel, and the physical internet, all pre-joined. This page is the dense quick-reference: labels, edges with directions, the traversal chains worth memorizing, procedure one-liners, and the limits. If you already know Cypher, this is the WhisperGraph-specific part you need. Deeper detail lives in the Graph Schema, Procedures, and the Use Cases.

Scale: ~7.4B nodes · ~39B edges · 43 threat feeds · 25 categories. GET /api/query/stats returns live totals.


Endpoint

POST https://graph.whisper.security/api/query
Content-Type: application/json
User-Agent: whisper-client/1.0   # send an explicit UA to avoid a WAF 403
X-API-Key: <your-key>            # optional — anonymous works keyless (2-hop cap)

{"query": "MATCH (h:HOSTNAME {name:\"www.google.com\"})-[:RESOLVES_TO]->(ip) RETURN ip.name LIMIT 3"}

MCP for agents at https://mcp.whisper.security. See MCP setup. Full API details: Cypher API.


Node labels

There is no Domain or FQDN label — every name is a HOSTNAME. Every node has a name property. Labels marked (virtual) are synthesized at query time — reach them through an edge, never via a deep unanchored scan.

Core DNS & addressingHOSTNAME (~2.6B), IPV4 (~619M), IPV6, PREFIX, ANNOUNCED_PREFIX (virtual), REGISTERED_PREFIX (virtual), TLD

Routing & orgASN (AS13335), ASN_NAME, ORGANIZATION, TLD_OPERATOR

WHOIS & registrationREGISTRAR, EMAIL, PHONE, RDAP_ENTITY

Geo & DNSSECCITY, COUNTRY, DNSSEC_ALGORITHM

Threat intelFEED_SOURCE (43, virtual), CATEGORY (25, virtual), THREAT_TAG (MISP-galaxy), THREAT_SIGNAL_TYPE, ACTOR (APT28), ATTACK_PATTERN (MITRE ATT&CK)

RPKI & routing observationsROA, BGP_PATH_OBSERVATION

Physical infrastructureFACILITY, INTERNET_EXCHANGE, SUBMARINE_CABLE, CABLE_LANDING, CDN_POP, DNS_ROOT_INSTANCE, CLOUD_REGION (aws:eu-west-1)

Egress, fingerprint & transparencyVENDOR, TOR_RELAY, TLS_FINGERPRINT (JA3/JARM), CT_OBSERVATION, DMARC_RECIPIENT


Edge types — with directions

Directions are strict: a wrong-way traversal returns zero rows with no error. The arrow below is the stored direction; traverse backwards with <-[:EDGE]-.

DNS & web

EdgeFrom → ToNotes
RESOLVES_TOHOSTNAME → IPV4/IPV6Forward only. Reverse DNS: (ip)<-[:RESOLVES_TO]-(h)
ALIAS_OFHOSTNAME → HOSTNAMECNAME
CHILD_OFHOSTNAME/EMAIL → HOSTNAME/TLDchild → parent (var-length walks reach the TLD)
NAMESERVER_FORHOSTNAME → HOSTNAMEserver → domain. A domain's NS: (d)<-[:NAMESERVER_FOR]-(ns)
MAIL_FORHOSTNAME → HOSTNAMEserver → domain. A domain's MX: (d)<-[:MAIL_FOR]-(mx)
LINKS_TOHOSTNAME → HOSTNAMEWeb hyperlink (the largest edge type)

BGP, routing & RPKI

EdgeFrom → ToNotes
BELONGS_TOIPV4/IPV6 → PREFIXRIR allocation (also FEED_SOURCE → CATEGORY)
ANNOUNCED_BYIPV4/IPV6 → ANNOUNCED_PREFIXvirtual
ROUTESASN → ANNOUNCED_PREFIX/PREFIXvirtual
HAS_NAMEASN → ASN_NAMEasn.name is the AS number; network name is on ASN_NAME (virtual)
PEERS_WITHASN ↔ ASNsymmetric — matches either arrow
CONFLICTS_WITHANNOUNCED_PREFIX → ASNMOAS conflict (virtual)
ROA_AUTHORIZES_ORIGINROA → ASNRPKI authorizes origin AS
ROA_AUTHORIZES_PREFIXROA → PREFIXRPKI authorizes prefix
OPERATESTLD_OPERATOR → TLDRegistry operator

WHOIS & registration

EdgeFrom → ToNotes
HAS_REGISTRARHOSTNAME → REGISTRARCurrent registrar
PREV_REGISTRARHOSTNAME → REGISTRARHistorical — track transfers
HAS_EMAILHOSTNAME → EMAILWHOIS contact
HAS_PHONEHOSTNAME → PHONEWHOIS contact
REGISTERED_BYHOSTNAME/ASN/PREFIX → ORGANIZATIONRegistrant / owning org
SAME_ORG_ASORGANIZATION → ORGANIZATIONEntity reconciliation

Geo

EdgeFrom → ToNotes
LOCATED_INIPV4/IPV6 → CITYChain HAS_COUNTRY for the country
HAS_COUNTRYASN/CITY/IPV4/PHONE → COUNTRYCountry code

Threat intel & egress

EdgeFrom → ToNotes
LISTED_INIPV4/IPV6/HOSTNAME → FEED_SOURCECarries firstSeen/lastSeen/weight (virtual)
HAS_SIGNALIPV4/IPV6/HOSTNAME/ASN/PREFIX → THREAT_SIGNAL_TYPEThreat signal
OPERATES_EXIT_NODEIPV4 → TOR_RELAYTor-exit identity
DELEGATED_TOPREFIX/IPV4/VENDOR → VENDORCloud/SaaS operator (distinct from WHOIS owner)
USES_TECHNIQUEACTOR → ATTACK_PATTERNAdversary TTPs

Email security (SPF / DMARC / DKIM)

EdgeFrom → ToNotes
SPF_INCLUDEHOSTNAME → HOSTNAMEinclude:
SPF_IPHOSTNAME → IPV4/IPV6/PREFIXip4:/ip6:
SPF_A / SPF_MX / SPF_EXISTS / SPF_REDIRECTHOSTNAME → HOSTNAMEOther SPF mechanisms
DMARC_REPORTS_TOHOSTNAME → DMARC_RECIPIENTWhere DMARC reports go
DKIM_SIGNED_BYHOSTNAME → VENDORMail vendor whose key signs the domain
EMITS_TLS_FINGERPRINTIPV4 → TLS_FINGERPRINTJA3/JARM

Physical infrastructure & CT

EdgeFrom → ToNotes
AS_PRESENT_ATASN → FACILITYNetwork in a datacenter
IX_MEMBERASN → INTERNET_EXCHANGENetwork at an IXP
IX_HOSTED_ATINTERNET_EXCHANGE → FACILITYIXP's building
CABLE_LANDS_ATSUBMARINE_CABLE → CABLE_LANDINGSubsea cable landing
LANDING_NEARCABLE_LANDING → FACILITYLanding near a facility
CDN_POP_ATCDN_POP → FACILITYCDN PoP in a facility
FIBER_SEGMENTFACILITY → FACILITYFiber link
PREFIX_IN_REGIONPREFIX → CLOUD_REGIONPrefix in a cloud region
SEEN_IN_CTHOSTNAME → CT_OBSERVATIONSubdomain/SAN discovery

Virtual edges: ROUTES, HAS_NAME, CONFLICTS_WITH, ANNOUNCED_BY, and BELONGS_TO → CATEGORY are synthesized at query time. Write them as explicit single hops — never inside a variable-length [*1..N] pattern.


Direction landmines (memorize these)

EdgeRight way
RESOLVES_TOHOSTNAME → IPV4. No PTR edge — reverse with (ip)<-[:RESOLVES_TO]-(h)
MAIL_FOR / NAMESERVER_FORserver → domain. A domain's MX/NS: (d)<-[:MAIL_FOR]-(mx)
CHILD_OFchild → parent
PEERS_WITHsymmetric — (asn)-[:PEERS_WITH]-(peer) matches either way
LOCATED_INIPV4 → CITY, then CITY-[:HAS_COUNTRY]->COUNTRY (no IP→COUNTRY shortcut)

Must-know traversal chains

Host → network owner (attribution) — who hosts a domain and on whose AS:

MATCH (h:HOSTNAME {name:"github.com"})-[:RESOLVES_TO]->(ip:IPV4)
      -[:ANNOUNCED_BY]->(ap:ANNOUNCED_PREFIX)-[:ROUTES]->(a:ASN)-[:HAS_NAME]->(n:ASN_NAME)
RETURN ip.name, ap.name, a.name AS asn, n.name AS network LIMIT 5

IP → jurisdiction(:IPV4)-[:LOCATED_IN]->(:CITY)-[:HAS_COUNTRY]->(:COUNTRY)

Blast radius (one indicator → the campaign) — pivot on shared infra:

MATCH (ip:IPV4 {name:"203.0.113.10"})<-[:RESOLVES_TO]-(h:HOSTNAME)
OPTIONAL MATCH (h)-[:HAS_EMAIL]->(e:EMAIL)<-[:HAS_EMAIL]-(sibling:HOSTNAME)
RETURN h.name, e.name, collect(DISTINCT sibling.name)[..20] AS shared_registrant LIMIT 25

Domain → mail / name servers (reverse traversal)MATCH (d:HOSTNAME {name:"github.com"})<-[:MAIL_FOR]-(mx) RETURN mx.name LIMIT 10

MOAS / possible BGP hijackMATCH (p:ANNOUNCED_PREFIX {name:"216.168.228.0/24"})-[:CONFLICTS_WITH]->(a:ASN) RETURN p.name, collect(a.name) LIMIT 25

IP → feeds → categories(:IPV4)-[:LISTED_IN]->(:FEED_SOURCE)-[:BELONGS_TO]->(:CATEGORY)

ASN → physical footprint(:ASN)-[:AS_PRESENT_AT]->(:FACILITY) and (:ASN)-[:IX_MEMBER]->(:INTERNET_EXCHANGE)-[:IX_HOSTED_AT]->(:FACILITY)

Actor → ATT&CKMATCH (a:ACTOR {name:"APT28"})-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN) RETURN t.name LIMIT 25

The Use Cases have copy-paste recipes per workflow.


Threat properties on a node

Threat-listed IPV4 / IPV6 / HOSTNAME nodes carry the verdict inline, so one anchored read gives the whole posture — no extra hops:

MATCH (ip:IPV4 {name:"185.220.101.1"})
RETURN ip.threatScore, ip.threatLevel, ip.isThreat, ip.isTor, ip.isAnonymizer LIMIT 1
  • threatScore (numeric), threatLevel (NONECRITICAL), and the flags isThreat, isTor, isAnonymizer.
  • For the scored reasoning — feeds, weights, factors — call explain(). A NONE/clean read means "not listed at this granularity," not "safe."

Procedures — one-liners

Call from Cypher with CALL. Full signatures in Procedures.

ProcedureOne-liner
explain("indicator")Scored verdict + factors[] + sources[] — IP, host, ASN, or CIDR. Evidence chain, not a black box
whisper.variants("domain")Typosquats across many algorithms; returns registered lookalikes by default
whisper.history("indicator")WHOIS history (domain) or BGP history (IP/ASN/prefix). Needs a key
whisper.origins("domain")Discover the real origin IPs behind a CDN/proxy
whisper.quota()Plan, hourly/daily limits, maxQueryDepth — free, doesn't count against quota
db.labels() / db.relationshipTypes() / db.schema()Introspect the live schema before anchoring — don't count against quota

explain() auto-detects the indicator type. exists: true from whisper.variants() means registered, not malicious — pivot the hit through explain() for a verdict.


Query rules (one line each)

Do thisNot that
Anchor on name: MATCH (h:HOSTNAME {name:"example.com"})MATCH (h:HOSTNAME) WHERE h.name = "example.com"
Prefix match: WHERE h.name STARTS WITH "mail."Regex: WHERE h.name =~ "^mail\\..*"
Suffix match: WHERE h.name ENDS WITH ".example.com"Broad ENDS WITH "example.com" (scan)
Always add LIMITOpen-ended traversal on a billion-node label
GET /api/query/stats for global countsMATCH ()-[r]->() RETURN count(r)
OPTIONAL MATCH for sparse WHOIS fieldsMandatory MATCH (drops rows silently)
Confirm with CALL db.labels() before anchoringGuessing a Domain/fqdn that doesn't exist
Single explicit hops for virtual edges (ROUTES, HAS_NAME, CONFLICTS_WITH)Virtual edges inside [*1..N]
CALL explain(ip) for scoringManual ASN→PREFIX→IP→LISTED_IN walks (time out on big nets)

Speed guide: anchored point lookups = instant · STARTS WITH / selective ENDS WITH ".dom" = fast · multi-hop + OPTIONAL MATCH = 1–5s · LINKS_TO traversals and full HOSTNAME scans = slow · unanchored label scans and regex =~ on HOSTNAME = avoid.


Access & limits

TierHop capNotes
Anonymous2 hopsKeyless. No whisper.history. Quick sanity check
Free key3 hopsAll procedures
PaiddeeperSee pricing

Check yours with CALL whisper.quota() YIELD key, value RETURN key, value. Get a free key · Pricing.

# keyless 2-hop sanity check
curl -s -A "whisper-client/1.0" https://graph.whisper.security/api/query \
  -H "Content-Type: application/json" \
  -d '{"query":"MATCH (h:HOSTNAME {name:\"www.google.com\"})-[:RESOLVES_TO]->(ip) RETURN h.name, ip.name LIMIT 3"}'

See also the Threat Feeds & Categories reference (43 feeds / 25 categories) and the Cypher API for the full endpoint reference.