Introduction
What WhisperGraph is, what data it holds, and the three ways to query it.
Introduction Documentation
WhisperGraph maps the internet into one pre-joined graph you can query: DNS, BGP and RPKI routing, WHOIS registration, GeoIP, the open-web link graph, email posture, threat intelligence, and the physical internet of data centers, internet exchanges, and submarine cables. It holds about 7.4 billion nodes and 39 billion edges — 39 node labels and 46 edge types — refreshed continuously. Because the layers are already joined, one query crosses data that would otherwise mean five separate tools and a day of glue code.
The difference from a flat lookup tool is the pivot. Anchor on a hostname and you can walk to its IP, the prefix that announces it, the ASN that routes the prefix, the country it sits in, and any threat feed that lists it, in a single statement. A passive-DNS tool gives you the IP and stops. WhisperGraph gives you the IP and everything connected to it.
One graph, every layer of the internet: DNS, BGP, RPKI, WHOIS, GeoIP, threat intelligence, and the physical internet, pre-joined into a single queryable graph.
What's in the graph
A compact tour. The full model is in the Graph Schema — broken into Entities, Connection Types, and Pivoting Examples — and the longer walk-through is on the Whisper Graph landing page.
- DNS and web — hostnames, resolution, aliases, nameservers, the subdomain hierarchy, and the hyperlink graph between sites.
- Routing — ASNs, announced prefixes, peering, RPKI ROAs, and multi-origin (MOAS) conflicts.
- Addressing and geo — IPv4 and IPv6 addresses, CIDR blocks, and IP-to-city-to-country location.
- Ownership — registrars, registrant emails and phones, and organizations from WHOIS and RDAP.
- Email posture — SPF mechanisms, DMARC reporting addresses, and DNSSEC, zone by zone.
- Threat intelligence — 43 feeds across 25 categories (Threat Feeds & Categories), plus named threat actors mapped to MITRE ATT&CK techniques.
- The physical internet — data centers, internet exchanges, submarine cables and their landings, CDN PoPs, and cloud regions.
Procedures
Stored procedures answer the hardest questions in one CALL, usually faster and cleaner than a hand-written traversal. The Procedures overview covers them all; the four flagship ones each have a detail page.
explain()— a scored threat verdict for an IP, domain, ASN, or CIDR, with the contributing feeds and factors attached as evidence.whisper.variants()— typosquat variants of a domain, flagged by whether each one is actually registered.whisper.history()— point-in-time WHOIS snapshots for domains and BGP routing history for IPs, ASNs, and prefixes.whisper.origins()— the origin infrastructure behind a CDN-fronted domain.
Beyond them, an identity family (whisper.identify, whisper.assess, whisper.walk) answers whose infrastructure a host is and whether it's dangerous, and a set of helpers cover naming, quota, and Tor/TLS lookups.
Three ways in
- Whisper API — send read-only Cypher as an HTTP POST to
https://graph.whisper.security/api/query. Anonymous queries need no key and are capped at 2 hops; a free key raises that to 3 hops via theX-API-Keyheader. The query language itself is documented in the Cypher Reference. - MCP for AI agents — connect Claude or any MCP client to the graph and let the agent walk it itself, grounding answers in sourced infrastructure data. Setup takes a minute: MCP setup.
- Integrations — a native Splunk app today, with the REST API and MCP covering everything else.
Start here
- Getting Started — run a cross-layer query in a few minutes.
- Whisper Graph — the data: layers, schema, threat feeds, procedures.
- Use Case Examples — guided workflows you can run in the browser, plus copy-paste recipes.
- Whisper API — the endpoint, auth tiers, and response format.
Want to go deeper than 2 hops? Grab a free API key — no card needed, and it raises the traversal cap to 3 hops.