Recipes

Copy-paste Cypher for the query patterns behind Whisper's 28 guided workflows — console-internal building blocks you can adapt and run yourself.

Updated July 2026

Recipes Documentation

The console's 28 guided workflows are each built from smaller, atomic query patterns — a reconciled-verdict lookup, a BGP chain walk, a WHOIS pivot. Those patterns are console-internal implementation detail, not addressed directly by name over MCP or the website, but the queries themselves are worth having as copy-paste reference: every recipe below is validated Cypher you run yourself against the Whisper API, with the anchoring and depth explained.

Each recipe page groups the patterns for one job — SOC triage, campaign pivoting, attack-surface recon, brand protection, BGP/RPKI, DNS/email posture, compliance evidence, vendor risk, attribution, internet measurement, and the cross-cutting pivots that repeat across all of them. Where a guided workflow runs the same investigation in the browser, the recipe page links straight to it with a "Run it live" callout.

If you are new to the graph, run the single example on Getting Started first. Anonymous access is capped at 2 traversal hops; a free API key raises that to 3, which covers most recipes here.

The recipe pages

RecipeWhat it covers
Indicator Triage (SOC)A raw IP or domain to a reconciled verdict, network attribution, co-hosted blast radius, and a paste-ready evidence chain.
Campaign PivotingExpand one IOC into the campaign around it: shared registrants, co-tenant hosts, TLS fingerprints, Tor egress.
Attack Paths & Blast RadiusThe external attack path between two assets and the choke point that severs the most routes, plus dependency fan-out.
External ReconPassive subdomain enumeration, Certificate Transparency discovery, IP-footprint mapping, and CDN de-cloaking.
Lookalike HuntingGenerate registered typosquats, resolve and score them, sweep risky TLDs, and expand a confirmed hit through co-hosting and WHOIS.
BGP & RPKIMOAS detection, RPKI authorization checks, peering triage, origin history, and physical footprint.
Posture AuditsNameserver and MX inventories, the full SPF authorization tree, DMARC/DKIM/DNSSEC checks, and portfolio-wide scorecards.
Compliance EvidenceRegistrar verification, jurisdiction and data-residency checks, portfolio-wide posture audits, and sanctions screening.
Vendor & Portfolio RiskAn external posture snapshot per vendor, shared-provider exposure across a portfolio, and single-provider blast radius.
Attribution & Law EnforcementActor-to-technique mapping, shared-tradecraft pivots, and chaining phishing infrastructure to named actors.
Internet MeasurementHow the internet is wired in a region or for an org — RIR, BGP, DNS, and geo joined at last.
Cross-Layer PatternsThe reusable pivots that repeat across every recipe above: bounded fan-out, batch existence checks, hop-limited traversals.

For the guided, runnable version of these investigations — with a live result already loaded, a Run button, and an Open-in-Console link — see Use Case Examples, organized by the same jobs.