whisper.identify() — Identity & Assessment

Answer whose infrastructure a host is, whether it is dangerous, and — when there's no direct match — what sits around it. The identity family: identify, assess, walk.

Updated July 2026Procedures

whisper.identify() — Identity & Assessment Documentation

Three procedures answer the questions you ask about a host before you decide what to do with it: whose infrastructure is this, is it dangerous, and — when neither has a clean answer — what sits around it. They are built to run over a batch of hosts and return decision-ready columns, so they slot straight into triage and enrichment pipelines.

whisper.identify(hosts) — whose infrastructure is this

whisper.identify() resolves a host to the vendor or service that operates it. Pass one host or a batch (1 to 256 per call) and it returns the canonical identity plus the evidence behind it.

CALL whisper.identify(["api.stripe.com", "cdn.shopify.com"])
YIELD host, canonical_name, category, roles, host_class, confidence
RETURN host, canonical_name, category, host_class, confidence
ColumnMeaning
hostThe input host.
canonical_nameThe resolved vendor or service identity.
categoryWhat kind of service it is (saas, cloud, cdn, …).
rolesThe roles the host plays (api, mail, cdn-edge, …).
host_classA coarse classification of the host.
confidenceHow strongly the evidence supports the identity.
evidenceThe signals that produced the match.

Use it to label infrastructure at scale — attributing a list of hostnames from a log or an alert to the services behind them, without a hop-by-hop traversal per host.

whisper.assess(hosts) — is it dangerous

whisper.assess() answers the safety question for a batch of hosts, and — critically — tells you how much it actually knows. The argument must be a list; passing a bare string returns a 400.

CALL whisper.assess(["example.com", "185.220.101.1"])
YIELD host, label, band, coverage, signals, evidence
RETURN host, label, band, coverage
ColumnMeaning
labelThe assessment (clean, suspicious, …).
bandSeverity band (NONECRITICAL).
coverageHow much data backs the assessment.
signalsThe threat signals that fired.
evidenceThe underlying evidence.

Gate on coverage. A clean label with coverage: no-data means we have no data on this host, not this host is safe. The coverage values are known-clean (we have data and it is clean), structural-only (we know the infrastructure but have no threat data), and no-data (nothing to go on). Treat no-data as unknown, never as benign.

whisper.walk(host [, depth] [, budgetMs]) — the structural neighborhood

When whisper.identify() has no direct match, whisper.walk() returns a bounded structural neighborhood — the host's siblings and the nearest known vendors — so you still get context to reason about an unknown host. It is depth- and budget-bounded so it stays fast on large networks.

CALL whisper.walk("unknown-host.example", 2, 800)
YIELD host, no_atlas_match, path
RETURN host, no_atlas_match, path

The optional second argument is the traversal depth and the third is a time budget in milliseconds. Keep both modest — this is a fallback for the case where a direct identity lookup came back empty, not a general graph crawler.

Where these fit

  • Start with identify to attribute known infrastructure.
  • Use assess for the safety verdict on a batch, and always read coverage before you act on label.
  • Fall back to walk only when identify returns no match and you need surrounding context.

For a single scored threat verdict with per-feed evidence, use explain(). For the full procedure catalog, see the Procedures overview.