MCP Client Setup

Set up any MCP-compatible client to query WhisperGraph for internet infrastructure intelligence.

Updated March 2026

MCP Client Setup Documentation

Whisper MCP gives AI assistants access to WhisperGraph, a graph database of internet infrastructure: tens of billions of nodes and edges. DNS, BGP, IP allocation, WHOIS, threat intel. The AI writes Cypher, runs it, and gives you results.

Setup

Claude Desktop

Add it through Settings → Connectors:

  1. Open Settings → Connectors
  2. Click Add Connector
  3. Enter the URL: https://mcp.whisper.security
  4. Sign in with your Whisper Security account

Claude Code

claude mcp add --transport http whisper-graph https://mcp.whisper.security

Opens your browser for sign-in on first use. Scope options:

  • --scope user -- all projects
  • --scope project -- current project only
  • --scope local -- this machine, this project (default)

Cursor

  1. Open Settings → MCP
  2. Click Add new global MCP server
  3. Paste:
{
  "mcpServers": {
    "whisper-graph": {
      "url": "https://mcp.whisper.security"
    }
  }
}
  1. Save and restart Cursor For team-wide config, use .cursor/mcp.json in the project root instead.

VS Code (GitHub Copilot)

Create .vscode/mcp.json in your project root:

{
  "servers": {
    "whisper-graph": {
      "type": "http",
      "url": "https://mcp.whisper.security"
    }
  }
}

For user-level config (all projects), use Command Palette > MCP: Add Server.

Windsurf

  1. Open Settings (Cmd+, on Mac, Ctrl+, on Windows)
  2. Search for MCP
  3. Click View raw config
  4. Add:
{
  "mcpServers": {
    "whisper-graph": {
      "serverUrl": "https://mcp.whisper.security"
    }
  }
}
  1. Save and restart Windsurf uses serverUrl instead of url.

Antigravity

  1. Click ... at the top of the chat panel
  2. Click MCP Servers > Manage MCP Servers > View raw config
  3. Add to mcp_config.json:
{
  "mcpServers": {
    "whisper-graph": {
      "serverUrl": "https://mcp.whisper.security"
    }
  }
}
  1. Go back to Manage MCP Servers and click refresh Config file: ~/.gemini/antigravity/mcp_config.json

ChatGPT

  1. Go to chatgpt.com → Settings → Connectors
  2. Click Add Connector
  3. Enter the URL: https://mcp.whisper.security
  4. Complete the sign-in ChatGPT supports OAuth only.

OpenAI Codex

Add to ~/.codex/config.toml:

[mcp_servers.whisper-graph]
url = "https://mcp.whisper.security"

Then authenticate:

codex mcp login whisper-graph

Other clients

Any MCP client that speaks Streamable HTTP works.

TransportURL
Streamable HTTPhttps://mcp.whisper.security
SSEhttps://mcp.whisper.security/sse
For STDIO-only clients, use the mcp-remote bridge:
npx mcp-remote https://mcp.whisper.security

Connecting through API key

If your client doesn't support OAuth, you can authenticate with an API key instead.

  1. Go to console.whisper.security and generate an API key
  2. Pass it as a Bearer token in the Authorization header

Most MCP clients let you set custom headers in their config. Add:

Authorization: Bearer YOUR_API_KEY

For STDIO-only clients, use the mcp-remote bridge with the --header flag:

npx mcp-remote https://mcp.whisper.security --header "Authorization: Bearer YOUR_API_KEY"

Keep your API key out of version control.

What you can ask

The graph has DNS, BGP routing, IP allocation, GeoIP, WHOIS (237M emails, 65M phone numbers), email infrastructure (MX and full SPF chains), DNSSEC, 9.1 billion web hyperlinks, and 40 threat intel feeds. All of it is connected. The AI walks the edges between them in a single conversation, so you don't have to piece it together yourself. Just ask in plain language.

Incident response

You got an IP or domain from an alert. Start here.

  • "Investigate 185.220.101.42 -- who owns it, where is it, is it on any threat feeds, and what else is hosted there?"
  • "This domain showed up in our logs: secure-login-update.com. Is it live? Who registered it? Does the registrant own other domains?"
  • "We're seeing traffic to 104.16.132.229. Trace it: IP to prefix to ASN to org. Then check if any co-hosted domains are flagged."
  • "Here are 20 IPs from our SIEM. Which ones are Tor exits, C2, or on blocklists?"

Threat hunting

Any threat feed can tell you an IP is bad. The graph lets you pivot -- follow a bad IP to its ASN, find the other prefixes, check what's hosted there, pull WHOIS on the domains, and see if the registrant has other infrastructure. One conversation.

  • "Find every domain registered by the same WHOIS contact as secure-login-update.com. Do any share IPs or nameservers?"
  • "Check AS60729 -- how many of its prefixes have threat-listed IPs? What's the threat density?"
  • "Are there MOAS conflicts on this prefix? Which ASNs are announcing it?"
  • "Find all IPs in 185.220.101.0/24 that appear on threat feeds. Group by category."
  • "What domains resolve to IPs on the Dan Tor Exit feed? Cross-reference with their WHOIS registrants."

Attack surface

Everything an attacker would look for: subdomains, IPs, mail servers, SPF authorization chains, nameservers, WHOIS.

  • "Map tesla.com -- subdomains, IPs, ASNs, nameservers, mail servers, SPF includes, and WHOIS registrant."
  • "What third-party services can send email as netflix.com? Walk the full SPF include chain."
  • "Find every subdomain of example.com, resolve them, and group by ASN. How many hosting providers?"
  • "Where does the CNAME chain for www.example.com end up? Who hosts the final target?"

WHOIS and registrant pivoting

This is where investigations get interesting. WHOIS gives you a registrant email or phone number. The graph has 237M emails and 65M phones, so you can follow that contact to every other domain they registered, then check if those domains share hosting.

  • "Find the WHOIS registrant for secure-login-update.com, then every other domain they registered. Do any share infrastructure?"
  • "What domains use this contact email? Show their IPs and ASNs, and flag any that are threat-listed."
  • "Has google.com changed registrars? Show the history."
  • "Find domains registered with the same phone number. Any overlap in hosting?"
  • "Compare WHOIS for these five domains -- same registrant? Same email? Same registrar?"

BGP and routing

115K ASNs, 2.5M prefixes, full peering topology.

  • "If AS16509 (Amazon) went down, how many prefixes and peers are affected? What domains go dark?"
  • "Which ASNs peer with both Cloudflare and Google?"
  • "Show the BGP routing history for 8.8.8.0/24. Has the announcing ASN changed?"
  • "Find prefixes with MOAS conflicts announced by AS60729. Any of them hosting threat-listed IPs?"
  • "What RIR allocated this prefix? Which org registered it?"

Comparing infrastructure

The thing that's hard to do anywhere else: checking whether two domains share anything. Same IPs, same ASN, same nameservers, same registrant email, same phone number. The graph checks all of it at once.

  • "Do pandas-crossing.com and afterlifeevents.com share any infrastructure?"
  • "These three phishing domains were reported separately. Any shared nameservers, IPs, ASNs, or WHOIS contacts?"
  • "Compare the hosting and email setup of these two competing SaaS products."
  • "Find domains that share both the same registrant email and the same IP range as this known-bad domain."

Email and SPF

The graph stores the full SPF record structure -- includes, ip4, a, mx, exists, redirect -- as separate edges. So you can walk the authorization chain rather than parsing TXT records by hand.

  • "Who can send email as shopify.com? Walk the SPF chain."
  • "What domains use the same SPF include targets as this phishing domain?"
  • "Does this domain have MX records? SPF? Give me the full email setup."

GeoIP and data residency

619M IPv4 addresses mapped to cities and countries.

  • "Where are all the IPs that example.com resolves to? List by country."
  • "Does this company host anything in sanctioned countries? Check all their domain IPs."
  • "Find all IPs in this ASN that geolocate to Russia."

Web links

9.1 billion hyperlinks from Common Crawl.

  • "What external domains does google.com link to? Where are those hosted?"
  • "Who links to this suspicious domain? Are any of the linking sites threat-listed?"
  • "Do these two domains link to each other?"

DNSSEC

  • "Is cloudflare.com signed with DNSSEC? What algorithm?"
  • "What percentage of domains under this nameserver use DNSSEC?"

History

WHOIS and BGP changes over time.

  • "Show the WHOIS history for google.com -- registrar changes, nameserver updates, ownership."
  • "BGP routing history for 8.8.8.8 -- has the announcing ASN or prefix changed?"
  • "When was this domain registered? Has it changed hands?"