Known Limitations
What WhisperGraph doesn't know: subdomain WHOIS, anycast GeoIP, BGP route flux, threat-feed staleness, and Cypher write restrictions.
What WhisperGraph doesn't know — published explicitly so you can plan around the gaps. Updated as the graph and ingestion pipelines evolve.
DNS
Subdomain WHOIS history — WHOIS history is captured per registrable domain. whisper.history("www.cloudflare.com") returns nothing because WHOIS doesn't apply to subdomains. Use the parent domain.
Recursive DNS observation gaps — Observations come from passive DNS, public resolvers, and our own probes. Domains that resolve only via private DNS (split-horizon, internal AD) are not observable. RESOLVES_TO will be empty for these.
Stale CNAME chains — CNAME chains are observed at resolution time. If a target domain is deleted, the chain may persist in the graph for up to 24 hours before being marked stale.
GeoIP
Anycast IPs — One IP, many physical locations. Cloudflare 1.1.1.1, Google DNS 8.8.8.8, etc. GeoIP for these returns the publisher's nominal HQ, not the actual edge a user hits. Don't use GeoIP for anycast IPs to draw geographic conclusions.
Mobile carrier NAT — Carrier-grade NAT pools span continents. GeoIP for a mobile IP is a guess.
VPN exit nodes — GeoIP returns the exit location, not the user's true location.
BGP
Route flux — A prefix may be announced and withdrawn many times per hour during instability. The graph stores the current announcement; historical hops require whisper.history().
MOAS conflicts — Both real hijacks and legitimate anycast produce MOAS (multiple-origin AS) announcements. WhisperGraph reports the conflict; interpretation requires context (RPKI status, ASN reputation, history).
Inferred peering — PEERS_WITH edges are inferred from BGP path observations, not from confirmed peering agreements. They're directionally correct but the metadata (peering type, capacity) isn't ground truth.
Threat intelligence
Feed staleness windows — Hourly incremental + daily full refresh means a freshly listed indicator can take up to ~60 minutes to appear in MATCH ... LISTED_IN. For real-time alerting, query the source feed directly and use WhisperGraph for context.
False positives — Low-quality feeds occasionally list legitimate infrastructure. Filter by feed category, or use explain(), which weights feeds by reliability.
No malware sample data — File hashes appear in some feeds but the graph does not store the actual samples. Use external sandboxes.
API and Cypher
Read-only — The API is read-only: CREATE, MERGE, SET and DELETE are rejected. See FAQ.
No procedures for write operations — All procedures (explain, whisper.history, whisper.quota, etc.) are read-only.
Plan-tier depth limits — Traversal depth is capped per plan tier; see the pricing page for the limits.
No regex matching on string properties — String filters are exact-match only (or STARTS WITH / ENDS WITH / CONTAINS substrings). For regex, post-process in your client.
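As an added example (not WhisperGraph's own client code), one way to work within both constraints above: a guard that refuses to send a query containing a write clause, and a STARTS WITH / CONTAINS prefilter that narrows rows server-side before the regex is applied in the client. The :Domain label, the name property and the sample rows are assumptions, not taken from the page.

```python
import re

# Write clauses the read-only API rejects (per the Known Limitations page).
WRITE_CLAUSES = {"CREATE", "MERGE", "SET", "DELETE"}
# Characters that begin a regex construct; the literal run stops here.
_META = set(".\\[]()*+?{}|$")

def find_write_clauses(cypher: str) -> list:
    """Return write clauses used outside string literals, in query order."""
    bare = re.sub(r"'[^']*'|\"[^\"]*\"", "''", cypher)   # ignore literals
    words = re.findall(r"[A-Za-z_]+", bare)
    return [w.upper() for w in words if w.upper() in WRITE_CLAUSES]

def literal_prefix(pattern: str):
    """Split a regex into (leading literal run, anchored?) for a prefilter."""
    anchored = pattern.startswith("^")
    body = pattern[1:] if anchored else pattern
    run = ""
    for ch in body:
        if ch in _META:
            break
        run += ch
    return run, anchored

def prefilter_query(pattern: str):
    """Build a read-only query using only the supported string filters.
    Label :Domain and property name are assumed, not taken from the page."""
    run, anchored = literal_prefix(pattern)
    op = "STARTS WITH" if anchored else "CONTAINS"
    if not run:                        # nothing literal to push down
        return "MATCH (d:Domain) RETURN d.name AS name", {}
    return (f"MATCH (d:Domain) WHERE d.name {op} $lit RETURN d.name AS name",
            {"lit": run})

def regex_postfilter(rows, prop, pattern):
    """Apply the regex client-side to the rows the prefilter returned."""
    rx = re.compile(pattern)
    return [r for r in rows if rx.search(str(r.get(prop, "")))]

# Constructed sample result set standing in for a real query response.
SAMPLE_ROWS = [
    {"name": "cdn-01.example.com"},
    {"name": "cdn-edge.example.com"},
    {"name": "cdn-7.example.net"},
    {"name": "www.example.com"},
]

if __name__ == "__main__":
    pat = r"^cdn-\d+\.example\.com$"
    query, params = prefilter_query(pat)
    assert not find_write_clauses(query)            # safe to send
    print(query, params)
    print(regex_postfilter(SAMPLE_ROWS, "name", pat))  # cdn-01.example.com only
```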
Splunk add-on
See also Splunk Troubleshooting → Known limitations.
No correlation-search pack ships — The TA ships disabled example enrichment templates. There is no broad prebuilt detection pack — that was removed in favour of templates customers tailor. See Saved Searches.
ES integration is opt-in — KV-store populators and risk-based alerting hooks are disabled by default. See Enterprise Security Integration.
If you hit a limitation that isn't documented here, please tell us — known unknowns become known knowns faster when you do.