Recipes
Copy-paste Cypher for the query patterns behind Whisper's 28 guided workflows — console-internal building blocks you can adapt and run yourself.
Recipes Documentation
The console's 28 guided workflows are each built from smaller, atomic query patterns — a reconciled-verdict lookup, a BGP chain walk, a WHOIS pivot. Those patterns are console-internal implementation detail, not addressed directly by name over MCP or the website, but the queries themselves are worth having as copy-paste reference: every recipe below is validated Cypher you run yourself against the Whisper API, with the anchoring and depth explained.
Each recipe page groups the patterns for one job — SOC triage, campaign pivoting, attack-surface recon, brand protection, BGP/RPKI, DNS/email posture, compliance evidence, vendor risk, attribution, internet measurement, and the cross-cutting pivots that repeat across all of them. Where a guided workflow runs the same investigation in the browser, the recipe page links straight to it with a "Run it live" callout.
If you are new to the graph, run the single example on Getting Started first. Anonymous access is capped at 2 traversal hops; a free API key raises that to 3, which covers most recipes here.
The recipe pages
| Recipe | What it covers |
|---|---|
| Indicator Triage (SOC) | A raw IP or domain to a reconciled verdict, network attribution, co-hosted blast radius, and a paste-ready evidence chain. |
| Campaign Pivoting | Expand one IOC into the campaign around it: shared registrants, co-tenant hosts, TLS fingerprints, Tor egress. |
| Attack Paths & Blast Radius | The external attack path between two assets and the choke point that severs the most routes, plus dependency fan-out. |
| External Recon | Passive subdomain enumeration, Certificate Transparency discovery, IP-footprint mapping, and CDN de-cloaking. |
| Lookalike Hunting | Generate registered typosquats, resolve and score them, sweep risky TLDs, and expand a confirmed hit through co-hosting and WHOIS. |
| BGP & RPKI | MOAS detection, RPKI authorization checks, peering triage, origin history, and physical footprint. |
| Posture Audits | Nameserver and MX inventories, the full SPF authorization tree, DMARC/DKIM/DNSSEC checks, and portfolio-wide scorecards. |
| Compliance Evidence | Registrar verification, jurisdiction and data-residency checks, portfolio-wide posture audits, and sanctions screening. |
| Vendor & Portfolio Risk | An external posture snapshot per vendor, shared-provider exposure across a portfolio, and single-provider blast radius. |
| Attribution & Law Enforcement | Actor-to-technique mapping, shared-tradecraft pivots, and chaining phishing infrastructure to named actors. |
| Internet Measurement | How the internet is wired in a region or for an org — RIR, BGP, DNS, and geo joined at last. |
| Cross-Layer Patterns | The reusable pivots that repeat across every recipe above: bounded fan-out, batch existence checks, hop-limited traversals. |
For the guided, runnable version of these investigations — with a live result already loaded, a Run button, and an Open-in-Console link — see Use Case Examples, organized by the same jobs.