Reference
Everything the Whisper MCP server exposes: 5 tools, 6 resources, 7 prompts, the schema-introspection pattern AI agents should use, and example questions you can ask in plain language. For client-by-client install instructions, see the Setup guide.
What's exposed
The connector advertises 5 tools, 6 resources, and 7 prompts. All tools are read-only.
Tools (5)
| Tool | Purpose |
|---|---|
| `query` | Primary Cypher tool: runs an arbitrary Cypher query against the graph and returns rows |
| `list_labels` | Schema introspection: returns every node label with its count and indexed properties |
| `describe_label(label)` | Property metadata for a single label: names, types, indexed flag, in/out edge types |
| `explain_indicator(indicator)` | Threat assessment for an IP / hostname / ASN / CIDR (composite score, level, factors) |
| `whisper_history(indicator)` | Historical WHOIS or BGP snapshots for an indicator |
`list_labels` and `describe_label` are cached server-side for five minutes, so the agent can call them as often as it needs without paying a quota cost; see Schema introspection below for the recommended pattern.
Resources (6)
| Resource | Contents |
|---|---|
| `whisper://schema/full` | Full schema reference: every label, every edge type, every threat-intel property |
| `whisper://schema/relationships` | Entity-relationship map: which labels connect to which, and in which direction |
| `whisper://guide/functions` | Cypher function reference (aggregations, string, numeric, date/time, schema introspection) |
| `whisper://guide/cookbook` | Persona-organised cookbook: 72 live-validated query patterns across 8 analyst roles |
| `whisper://stats` | Live database statistics (node and edge counts by category) |
| `whisper://quota` | Caller's plan tier, maximum query depth, and current usage |
Prompts (7)
| Prompt | What it does |
|---|---|
| `investigate-ip` | Walks an IP through prefix → ASN → owner → threat intel → reverse DNS |
| `map-attack-surface` | Maps a domain's external attack surface: subdomains, hosting, mail, SPF, nameservers |
| `compare-domains` | Compares the infrastructure of two or more domains side by side |
| `blast-radius` | ASN failure-impact analysis: prefixes, peers, and downstream domains affected if the ASN goes down |
| `threat-triage` | Comprehensive indicator triage: pulls feed listings, score, level, and historical context in one pass |
| `whois-pivot` | Domain pivot via shared WHOIS contacts (registrar, email, phone, organisation) |
| `bgp-investigation` | Full ASN profile: peers, prefixes, registered org, country, MOAS conflicts, threat density |
Schema introspection
When an agent isn't sure whether the canonical property is `h.name` or `h.fqdn`, or whether to anchor on HOSTNAME or DOMAIN, it should call `list_labels` and `describe_label` before writing the query. Both tools are cached server-side for five minutes and return in milliseconds, so they are cheap to call, and they prevent the most common query bug: a defensive `MATCH (h) WHERE h:HOSTNAME OR h:DOMAIN OR h:FQDN ...` that would scan a billion-node label, which the validator rejects.
A typical introspection-then-query transcript:

```text
User: What labels does the Whisper graph have?
Agent: [calls list_labels]
  → [{name: "HOSTNAME", count: 2_631_997_144, indexed_properties: ["name"]},
     {name: "IPV4", count: 618_914_961, indexed_properties: ["name"]},
     ... 18 more]
Agent: The graph has 20 labels. The biggest are HOSTNAME (2.6B), IPV4 (619M), and
       ANNOUNCED_PREFIX (1.4M). What do you want to look at?
User: Show me the threat properties on a hostname.
Agent: [calls describe_label("HOSTNAME")]
  → {name: "HOSTNAME", count: 2_631_997_144,
     properties: [{name: "name", type: "String", indexed: true},
                  {name: "threatScore", type: "Double"},
                  {name: "threatLevel", type: "String"},
                  {name: "isThreat", type: "Boolean"},
                  {name: "isC2", type: "Boolean"}, ...],
     out_edges: [{type: "RESOLVES_TO", to: "IPV4"},
                 {type: "CHILD_OF", to: "HOSTNAME"},
                 {type: "HAS_REGISTRAR", to: "REGISTRAR"}, ...],
     in_edges: [{type: "NAMESERVER_FOR", from: "HOSTNAME"},
                {type: "MAIL_FOR", from: "HOSTNAME"}, ...]}
Agent: [calls query]
  MATCH (h:HOSTNAME {name: "evil.example"})
  RETURN h.threatScore, h.threatLevel, h.isThreat, h.isC2,
         h.isPhishing, h.isMalware
```
Agents that introspect first write valid queries on the first try; agents that skip it tend to fall back to the defensive label-OR scan above, which the validator rejects.
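The pattern above can be enforced on the client side before any quota is spent. The following is an added example, not code from the Whisper project: it mirrors the five-minute `describe_label` cache, builds standard MCP `tools/call` JSON-RPC requests, and runs a preflight that rejects the label-OR scan, unknown labels, unknown properties and unindexed anchors. It assumes the tool names and the `describe_label` response shape shown in the transcript; `SCHEMA` is constructed from that transcript rather than fetched, and the `"cypher"` argument name for the `query` tool is an assumption.

```python
"""Introspect-then-query preflight for a Cypher MCP tool (added example).

Not code from the Whisper project. Assumes the tool names and describe_label
response shape shown in the transcript above, the standard MCP `tools/call`
JSON-RPC shape, and (an assumption) that `query` takes its Cypher as "cypher".
"""
import re
import time

# Constructed from the describe_label("HOSTNAME") / list_labels output above.
SCHEMA = {
    "HOSTNAME": {
        "count": 2_631_997_144,
        "properties": {
            "name": {"type": "String", "indexed": True},
            "threatScore": {"type": "Double", "indexed": False},
            "threatLevel": {"type": "String", "indexed": False},
            "isThreat": {"type": "Boolean", "indexed": False},
            "isC2": {"type": "Boolean", "indexed": False},
        },
    },
    "IPV4": {"count": 618_914_961,
             "properties": {"name": {"type": "String", "indexed": True}}},
}


def tool_call(request_id, name, arguments):
    """MCP `tools/call` request as sent over JSON-RPC 2.0."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


class SchemaCache:
    """Client-side mirror of the server's five-minute describe_label cache.
    `fetch(label)` returns the metadata or None; negatives are cached too."""

    def __init__(self, fetch, ttl_seconds=300):
        self._fetch, self._ttl, self._store = fetch, ttl_seconds, {}

    def describe(self, label):
        hit = self._store.get(label)
        if hit is not None and time.monotonic() - hit[0] < self._ttl:
            return hit[1]
        meta = self._fetch(label)
        self._store[label] = (time.monotonic(), meta)
        return meta


# MATCH (h:LABEL {prop: ...})  or  MATCH (h:LABEL) ... WHERE h.prop = ...
ANCHOR = re.compile(r"MATCH\s*\(\s*\w+\s*:\s*(\w+)\s*(?:\{\s*(\w+)\s*:|\))", re.I)
WHERE_PROP = re.compile(r"WHERE\s+\w+\.(\w+)\s*=", re.I)
# The defensive multi-label scan the validator rejects.
LABEL_OR = re.compile(r"WHERE\s+\w+\s*:\s*\w+\s+OR\s+\w+\s*:\s*\w+", re.I)


def preflight(cypher, describe):
    """Return (ok, reason). Only the anchor is checked; the server-side
    validator remains the authority for everything else."""
    if LABEL_OR.search(cypher):
        return False, "label-OR scan touches every label; anchor on one label"
    m = ANCHOR.search(cypher)
    if not m:
        return False, "no single-label MATCH anchor found"
    label = m.group(1).upper()
    meta = describe(label)
    if meta is None:
        return False, f"unknown label {label}; check list_labels"
    prop = m.group(2)
    if prop is None:
        w = WHERE_PROP.search(cypher)
        prop = w.group(1) if w else None
    if prop is None:
        return False, f"no property filter on {label}: full scan of {meta['count']:,} nodes"
    pmeta = meta["properties"].get(prop)
    if pmeta is None:
        return False, f"{label}.{prop} does not exist; check describe_label"
    if not pmeta["indexed"]:
        return False, f"{label}.{prop} is not indexed; anchor on an indexed property"
    return True, f"anchored on indexed {label}.{prop}"


def plan_query(cypher, cache):
    """Build the tools/call request for a query that passed preflight."""
    ok, reason = preflight(cypher, cache.describe)
    if not ok:
        raise ValueError(reason)
    return tool_call(1, "query", {"cypher": cypher})  # argument name assumed


if __name__ == "__main__":
    cache = SchemaCache(SCHEMA.get)
    good = 'MATCH (h:HOSTNAME {name: "evil.example"}) RETURN h.threatScore'
    bad = "MATCH (h) WHERE h:HOSTNAME OR h:DOMAIN OR h:FQDN RETURN h"
    print(preflight(good, cache.describe), preflight(bad, cache.describe))
```

The regexes cover only the anchor shape the transcript uses; a real client would let the server's validator make the final call and use this check to avoid the round trip for the obvious mistakes.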
What you can ask
The graph has DNS, BGP routing, IP allocation, GeoIP, WHOIS (237M emails, 65M phone numbers), email infrastructure (MX and full SPF chains), DNSSEC, 9.1 billion web hyperlinks, and 40 threat intel feeds. All of it is connected. The AI walks the edges between them in a single conversation, so you don't have to piece it together yourself. Just ask in plain language.
Incident response
You got an IP or domain from an alert. Start here.
- "Investigate 185.220.101.42 -- who owns it, where is it, is it on any threat feeds, and what else is hosted there?"
- "This domain showed up in our logs: secure-login-update.com. Is it live? Who registered it? Does the registrant own other domains?"
- "We're seeing traffic to 104.16.132.229. Trace it: IP to prefix to ASN to org. Then check if any co-hosted domains are flagged."
- "Here are 20 IPs from our SIEM. Which ones are Tor exits, C2, or on blocklists?"
Threat hunting
Any threat feed can tell you an IP is bad. The graph lets you pivot -- follow a bad IP to its ASN, find the other prefixes, check what's hosted there, pull WHOIS on the domains, and see if the registrant has other infrastructure. One conversation.
- "Find every domain registered by the same WHOIS contact as secure-login-update.com. Do any share IPs or nameservers?"
- "Check AS60729 -- how many of its prefixes have threat-listed IPs? What's the threat density?"
- "Are there MOAS conflicts on this prefix? Which ASNs are announcing it?"
- "Find all IPs in 185.220.101.0/24 that appear on threat feeds. Group by category."
- "What domains resolve to IPs on the Dan Tor Exit feed? Cross-reference with their WHOIS registrants."
Attack surface
Everything an attacker would look for: subdomains, IPs, mail servers, SPF authorization chains, nameservers, WHOIS.
- "Map tesla.com -- subdomains, IPs, ASNs, nameservers, mail servers, SPF includes, and WHOIS registrant."
- "What third-party services can send email as netflix.com? Walk the full SPF include chain."
- "Find every subdomain of example.com, resolve them, and group by ASN. How many hosting providers?"
- "Where does the CNAME chain for www.example.com end up? Who hosts the final target?"
WHOIS and registrant pivoting
This is where investigations get interesting. WHOIS gives you a registrant email or phone number. The graph has 237M emails and 65M phones, so you can follow that contact to every other domain they registered, then check if those domains share hosting.
- "Find the WHOIS registrant for secure-login-update.com, then every other domain they registered. Do any share infrastructure?"
- "What domains use this contact email? Show their IPs and ASNs, and flag any that are threat-listed."
- "Has google.com changed registrars? Show the history."
- "Find domains registered with the same phone number. Any overlap in hosting?"
- "Compare WHOIS for these five domains -- same registrant? Same email? Same registrar?"
BGP and routing
115K ASNs, 2.5M prefixes, full peering topology.
- "If AS16509 (Amazon) went down, how many prefixes and peers are affected? What domains go dark?"
- "Which ASNs peer with both Cloudflare and Google?"
- "Show the BGP routing history for 8.8.8.0/24. Has the announcing ASN changed?"
- "Find prefixes with MOAS conflicts announced by AS60729. Any of them hosting threat-listed IPs?"
- "What RIR allocated this prefix? Which org registered it?"
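The MOAS and blast-radius questions above come down to two set operations over the announcement table. The following is an added example, not code from the Whisper project, showing both over constructed data: `ANNOUNCEMENTS`, `PEERS` and `DOMAIN_IPS` are made-up samples using documentation ranges and private ASNs, shaped like the prefix-to-origin, peering and resolves-to edges the page describes. It detects exact-prefix MOAS only and treats a more-specific announced by another ASN as ordinary coverage, which is the caveat to keep in mind when reading a raw MOAS count.

```python
"""Exact-prefix MOAS detection and ASN blast radius (added example).

Not code from the Whisper project. All data below is constructed.
"""
import ipaddress
from collections import defaultdict

ANNOUNCEMENTS = [  # (prefix, origin ASN), constructed
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64666),       # second origin for the same prefix: MOAS
    ("198.51.100.0/24", 64500),
    ("198.51.100.128/25", 64501),  # customer more-specific, not MOAS
    ("203.0.113.0/24", 64502),
]
PEERS = [(64500, 64501), (64500, 64502), (64501, 64503)]  # undirected, constructed
DOMAIN_IPS = {  # constructed resolves-to data
    "shop.example": ["192.0.2.10"],
    "api.example": ["198.51.100.200"],
    "vpn.example": ["198.51.100.9"],
    "blog.example": ["203.0.113.7"],
    "mail.example": ["198.51.100.5", "203.0.113.8"],
}


def origins_by_prefix(announcements):
    """prefix -> set of origin ASNs."""
    table = defaultdict(set)
    for prefix, asn in announcements:
        table[ipaddress.ip_network(prefix)].add(asn)
    return table


def moas_conflicts(announcements=ANNOUNCEMENTS):
    """Prefixes with more than one origin ASN: the classic hijack/misconfig signal."""
    return {str(p): sorted(a)
            for p, a in origins_by_prefix(announcements).items() if len(a) > 1}


def longest_match(ip, table):
    """Most specific announced prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    covering = [p for p in table if p.version == addr.version and addr in p]
    return max(covering, key=lambda p: p.prefixlen) if covering else None


def blast_radius(asn, announcements=ANNOUNCEMENTS, peers=PEERS, domain_ips=DOMAIN_IPS):
    """What goes dark if `asn` withdraws everything it originates.

    A prefix survives if another origin also announces it (MOAS) or a
    more-specific from another ASN still covers the address. A domain is
    dark when every IP it resolves to loses its route, degraded when some do.
    """
    table = origins_by_prefix(announcements)
    sole = {p for p, a in table.items() if a == {asn}}
    shared = {p for p, a in table.items() if asn in a and len(a) > 1}
    # Table after the withdrawal: sole-origin prefixes vanish, others lose asn.
    after = {p: a - {asn} for p, a in table.items() if a != {asn}}
    dark, degraded = [], []
    for domain, ips in domain_ips.items():
        lost = [ip for ip in ips
                if longest_match(ip, table) is not None and longest_match(ip, after) is None]
        if lost and len(lost) == len(ips):
            dark.append(domain)
        elif lost:
            degraded.append(domain)
    return {
        "prefixes_dark": sorted(str(p) for p in sole),
        "prefixes_surviving_via_moas": sorted(str(p) for p in shared),
        "peers": sorted({b for a, b in peers if a == asn} | {a for a, b in peers if b == asn}),
        "domains_dark": sorted(dark),
        "domains_degraded": sorted(degraded),
    }


if __name__ == "__main__":
    print(moas_conflicts())
    print(blast_radius(64500))
```

Note that the MOAS prefix survives the loss of AS64500 precisely because of the conflict, so a blast-radius figure that ignores MOAS overstates the damage, while a MOAS count that ignores more-specifics understates hijack risk.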
Comparing infrastructure
The thing that's hard to do anywhere else: checking whether two domains share anything. Same IPs, same ASN, same nameservers, same registrant email, same phone number. The graph checks all of it at once.
- "Do pandas-crossing.com and afterlifeevents.com share any infrastructure?"
- "These three phishing domains were reported separately. Any shared nameservers, IPs, ASNs, or WHOIS contacts?"
- "Compare the hosting and email setup of these two competing SaaS products."
- "Find domains that share both the same registrant email and the same IP range as this known-bad domain."
Email and SPF
The graph stores the full SPF record structure -- includes, ip4, a, mx, exists, redirect -- as separate edges. So you can walk the authorization chain rather than parsing TXT records by hand.
- "Who can send email as shopify.com? Walk the SPF chain."
- "What domains use the same SPF include targets as this phishing domain?"
- "Does this domain have MX records? SPF? Give me the full email setup."
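Walking the authorization chain is where hand-parsing TXT records goes wrong: include loops, diamonds, `redirect=`, and the RFC 7208 limit of ten DNS-lookup terms. The following is an added example, not code from the Whisper project, that performs the same walk the graph's separate edges make cheap, over `RECORDS`, a constructed map of domain to SPF TXT record (not real DNS data). Replacing `records.get` with a TXT lookup or a graph query is the only change needed to run it for real.

```python
"""Walk an SPF authorization chain: who may send mail as a domain? (added example)

Not code from the Whisper project. RECORDS is a constructed zone.
"""
from collections import deque

RECORDS = {  # constructed sample records, not real DNS
    "shop.example": "v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 mx -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
    "_b.mailer.example": "v=spf1 a:relay.mailer.example redirect=_a.mailer.example",
    "loop.example": "v=spf1 include:loop2.example -all",
    "loop2.example": "v=spf1 include:loop.example -all",
}
# Terms that cost a DNS lookup; RFC 7208 s4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def walk_spf(domain, records=RECORDS, max_lookups=10):
    """Breadth-first walk of the include/redirect graph rooted at `domain`.

    Returns a dict with:
      senders  - (record, mechanism, argument) for ip4/ip6/a/mx/exists/ptr
      includes - (record, include|redirect, target) edges followed
      policy   - terminal `all` qualifier per record ("-", "~", "?", "+")
      lookups  - DNS-lookup-counting terms seen
      errors   - loops, missing records, lookup-limit permerror
    """
    out = {"senders": [], "includes": [], "policy": {}, "lookups": 0, "errors": []}
    expanded = set()
    queue = deque([(domain, ())])  # (record to expand, chain of ancestors)
    while queue:
        name, path = queue.popleft()
        if name in path:
            out["errors"].append(f"loop: {' -> '.join(path + (name,))}")
            continue
        if name in expanded:  # diamond, not a loop: senders already listed
            continue
        expanded.add(name)
        rec = records.get(name)
        if rec is None or not rec.lower().startswith("v=spf1"):
            out["errors"].append(f"no SPF record for {name}")
            continue
        for term in rec.split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            # redirect=x and other modifiers use '='; normalise to mech:arg
            mech, _, arg = body.replace("=", ":", 1).partition(":")
            mech = mech.lower()
            if mech in LOOKUP_TERMS:
                out["lookups"] += 1
                if out["lookups"] > max_lookups:
                    out["errors"].append(f"permerror: over {max_lookups} lookups at {name}")
                    return out
            if mech in ("include", "redirect"):
                out["includes"].append((name, mech, arg))
                queue.append((arg, path + (name,)))
            elif mech in ("ip4", "ip6"):
                out["senders"].append((name, mech, arg))
            elif mech in ("a", "mx", "exists", "ptr"):
                out["senders"].append((name, mech, arg or name))  # bare a/mx = own domain
            elif mech == "all":
                out["policy"][name] = qual
            # exp= and unknown modifiers are ignored, as RFC 7208 requires
    return out


def authorized_senders(domain, records=RECORDS):
    """Flatten the walk into the sorted set of mech:arg strings allowed to send as domain."""
    return sorted({f"{m}:{a}" for _, m, a in walk_spf(domain, records)["senders"]})


if __name__ == "__main__":
    print(authorized_senders("shop.example"))
    print(walk_spf("loop.example")["errors"])
```

The `senders` tuples keep the record that declared each mechanism, which is what the "what third-party services can send as this domain" question actually needs: an `ip4` inherited through two includes belongs to the mailer, not to the domain being investigated.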
GeoIP and data residency
619M IPv4 addresses mapped to cities and countries.
- "Where are all the IPs that example.com resolves to? List by country."
- "Does this company host anything in sanctioned countries? Check all their domain IPs."
- "Find all IPs in this ASN that geolocate to Russia."
Web links
9.1 billion hyperlinks from Common Crawl.
- "What external domains does google.com link to? Where are those hosted?"
- "Who links to this suspicious domain? Are any of the linking sites threat-listed?"
- "Do these two domains link to each other?"
DNSSEC
- "Is cloudflare.com signed with DNSSEC? What algorithm?"
- "What percentage of domains under this nameserver use DNSSEC?"
History
WHOIS and BGP changes over time.
- "Show the WHOIS history for google.com -- registrar changes, nameserver updates, ownership."
- "BGP routing history for 8.8.8.8 -- has the announcing ASN or prefix changed?"
- "When was this domain registered? Has it changed hands?"
Try these prompts
The connector ships seven slash-style prompts. Three of them are recent additions worth a try:
threat-triage
Comprehensive indicator triage in one pass — feed listings, composite score, level, recency, historical sightings.
/threat-triage 185.220.101.1
This indicator is a Tor exit node listed in four feeds (Dan Tor Exit, Tor Exit Nodes, FireHOL Level 2, Spamhaus DROP). The prompt returns the full feed list, score breakdown, first/last seen across all feeds, and the upstream ASN's reputation.
whois-pivot
Pivots from a single domain through every shared WHOIS contact (registrar, email, phone, organisation) to find related infrastructure.
/whois-pivot cloudflare.com
Returns: every other domain registered with the same email, phone, or organisation; whether any of those domains share IPs or nameservers; flags on threat-listed neighbours.
bgp-investigation
Full ASN profile — peers, prefixes, MOAS conflicts, registered organisation, country, threat density inside the network.
/bgp-investigation AS13335
For Cloudflare's ASN, the prompt returns peer count, prefix inventory (sample), MOAS detections, country of registration, and how many of the routed IPs appear in threat feeds.