MCP Client Setup

Last updated: March 2026

Hook up any MCP-compatible client to WhisperGraph and query internet infrastructure in plain language.

You'll need an API key

Get one at console.whisper.security.

Client configuration

Claude Desktop

OAuth support coming soon. Once available, you'll be able to add WhisperGraph directly via Settings > Connectors with no bridge required.

For now, use the mcp-remote bridge (requires Node.js). Add this to your claude_desktop_config.json:

{
  "mcpServers": {
    "whisper-graph": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.whisper.security",
        "--header",
        "Authorization: Bearer YOUR_API_KEY"
      ]
    }
  }
}

Config file location:

OSPath
macOS~/Library/Application Support/Claude/claude_desktop_config.json
Windows%APPDATA%\Claude\claude_desktop_config.json

Note: Claude Desktop's config file only supports local (stdio) MCP servers. Remote HTTP servers like WhisperGraph require the mcp-remote bridge shown above. If tool calls fail with "Session not found" errors, restart Claude Desktop to get a fresh session.

Cursor / Windsurf

{
  "mcpServers": {
    "whisper-graph": {
      "url": "https://mcp.whisper.security",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Where to add this:

ClientLocation
CursorSettings > MCP Servers
WindsurfSettings > MCP

Claude Code (CLI)

claude mcp add -t http whisper-graph https://mcp.whisper.security \
  -H "Authorization: Bearer YOUR_API_KEY"

VS Code

Create .vscode/mcp.json in your project root:

{
  "servers": {
    "whisper-graph": {
      "type": "http",
      "url": "https://mcp.whisper.security",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

What you can ask

The graph covers DNS, BGP routing, IP allocation, GeoIP location, web hyperlinks (Common Crawl), email infrastructure (MX and SPF), DNSSEC, WHOIS registration data, and threat intelligence. Just ask in plain language.

DNS and infrastructure

  • "What IPs does cloudflare.com resolve to, and what ASN owns them?"
  • "Find all subdomains of tesla.com" — returns results like accounts.tesla.com, auth.tesla.com, app.tesla.com, billing.tesla.com, and more
  • "Who are the nameservers for google.com?" — ns1–ns4.google.com
  • "Where is apple.com hosted?" — resolves to 17.253.144.10 in Cupertino, US

IPs and geolocation

  • "Where is 185.220.101.42 located and who owns it?" — Berlin, DE, owned by AS60729 (TORSERVERS-NET), a known Tor exit node operator
  • "How many domains point to 8.8.8.8?"
  • "What prefix does 104.16.132.229 belong to, and what ASN routes it?" — 104.16.128.0/20, AS13335 (Cloudflare)

BGP and routing

  • "How many BGP peers does Cloudflare (AS13335) have?" — hundreds of peers across global IXPs
  • "Which prefixes does AS36459 announce?" — 26 prefixes
  • "What would be affected if AS16509 (Amazon) went down?"

WHOIS and registrant intelligence

  • "Who registered secure-login-update.com?" — registered by "rebecca laura" using rebeccal@yopmail.com (a disposable email service)
  • "What other domains did rebecca laura register?" — reveals afterlifeevents.com, pandas-crossing.com, pandascrossing.com, rel313.com, ritualbeads.com, synthetikat.com
  • "Has this domain changed registrars?" — secure-login-update.com moved through three registrars (IANA #69 → #925 → #955)

Threat intelligence

  • "Is 185.220.101.42 on any threat feeds?" — listed on Dan Tor Exit, Tor Exit Nodes, and IPsum
  • "What category of threats is this hostname associated with?"
  • "Check if any IPs hosting example.com appear on threat feeds"

Web links

The graph includes billions of hyperlinks extracted from Common Crawl, mapping which websites link to which.

  • "What websites does google.com link to?" — drive, mail, maps, news, play, youtube, and gstatic.com
  • "Who links to tesla.com?" — thousands of sites across automotive, tech, and news domains
  • "Do these two domains link to each other?" — check for mutual web references between sites

Email infrastructure

  • "What are the mail servers for tesla.com?" — tesla-com.mail.protection.outlook.com (Microsoft 365)
  • "What third-party email services does netflix.com authorize via SPF?" — reveals Salesforce, Campaign Monitor, and Netflix's own SPF ranges
  • "Does this domain have SPF records, and who can send email on its behalf?"

DNSSEC

  • "Is cloudflare.com signed with DNSSEC?" — yes, using ECDSAP256SHA256
  • "What DNSSEC algorithm does this domain use?"

Domain hierarchy and history

  • "What are the parent domains of www.shop.example.com?" — walks the CHILD_OF chain up to the TLD
  • "Show the WHOIS history for google.com" — historical registrar changes, contact updates
  • "Show the BGP routing history for 8.8.8.8" — historical prefix announcements

Comparing infrastructure

  • "Do google.com and youtube.com share any nameservers or ASNs?"
  • "Compare the hosting infrastructure of two suspicious domains — are they run by the same actor?"

Example investigations

You can ask multi-step questions naturally. The LLM will chain multiple queries behind the scenes to build a complete picture.

Tor exit node investigation

"Investigate 185.220.101.42. Where is it located, who operates it, and is it on any threat feeds?"

The graph reveals it's in Berlin, operated by AS60729 (TORSERVERS-NET) on prefix 185.220.101.0/24, and flagged on three threat feeds: Dan Tor Exit, Tor Exit Nodes, and IPsum.

Phishing domain triage

"I got a phishing email pointing to secure-login-update.com. Map its full attack surface — IPs, nameservers, mail servers, subdomains, WHOIS, and threat feed hits."

The graph shows the domain is currently dormant (no DNS resolution), registered with a disposable yopmail.com email by "rebecca laura", and shares that registrant with 6 other domains — some hosted on AWS Global Accelerator IPs.

Registrant pivoting

"Find the WHOIS registrant for secure-login-update.com, then find every other domain they registered."

Pivoting on registrant "rebecca laura" uncovers afterlifeevents.com, pandas-crossing.com, pandascrossing.com, rel313.com, ritualbeads.com, and synthetikat.com — three of which share the same pair of AWS IPs.

Attack surface mapping

"Map the full attack surface of tesla.com — subdomains, IPs, ASNs, mail servers, SPF includes, and nameservers."

Returns dozens of subdomains (accounts, auth, app, billing, vpn endpoints), their hosting infrastructure, and email authorization chain.

Bulletproof hosting detection

"What's the blast radius for AS60729? How many prefixes does it route, how many domains are hosted on them, and do any show up on threat feeds?"

Fraud infrastructure correlation

"I have two suspicious domains: pandas-crossing.com and afterlifeevents.com. Do they share IPs, nameservers, ASNs, or registrant details?"

Both resolve to the same pair of AWS IPs (15.197.225.128, 3.33.251.168) and share the same WHOIS registrant — strong evidence of common ownership.

Web link analysis

"What external sites does google.com link to, and what does their hosting infrastructure look like?"

The graph shows google.com links to youtube.com and gstatic.com as external domains. Following the infrastructure chain reveals both are hosted on Google's own ASN (AS15169), confirming they stay within Google's network.

Troubleshooting

"Missing or invalid Authorization header" Double-check your key. The header format is Bearer YOUR_API_KEY (space between "Bearer" and the key).

Connection timeout The server uses Streamable HTTP at /. Clients that only speak stdio MCP won't connect. Make sure yours supports HTTP transport.

"Session not found" (Claude Desktop with mcp-remote) The mcp-remote bridge doesn't automatically reconnect when a server-side session expires. Restart Claude Desktop to get a fresh session. This does not affect Claude Code, Cursor, VS Code, or Windsurf, which handle session lifecycle natively.