Attack Path Analysis
Trace an attacker's route across the open internet — web link to DNS to BGP to data center to submarine cable — and find the shared-infrastructure choke point.
Attack path analysis maps the route an attacker takes from an entry point to a target, then finds the choke point that severs the most paths. The tools that do this today — BloodHound, XM Cyber, Cymulate, cloud IAM analyzers — model the inside of one organization. This recipe walks the external attack path: the route across the open internet, between organizations, that internal tools cannot see.
Key concepts: Attack path analysis · Choke point analysis · Infrastructure pivoting.
Overview: the external attack path
An external attack path is the chain of internet infrastructure that connects an attacker to a target: a phishing hyperlink, the lookalike domain it points to, the IP that domain resolves to, the prefix announcing that IP, the ASN that routes it, the data center it sits in, and the subsea cable underneath. Each link is an edge in Whisper Graph, so the whole route is one traversal instead of a dozen lookups stitched by hand.
When to use this vs. an internal attack-path tool
Use an internal attack-path tool (BloodHound, a BAS platform, a cloud IAM analyzer) when the question is inside one organization — privilege escalation through Active Directory, lateral movement across hosts, permission chains in one tenant. Use Whisper when the path runs between organizations and across the public internet: tracing an adversary's infrastructure, connecting two indicators, or finding the shared node that ties a campaign together. They are complementary — internal tools own the perimeter inward, Whisper owns the perimeter outward.
Anatomy of an external attack path (the seven layers)
Whisper pre-joins seven layers into one graph: web hyperlinks (LINKS_TO), DNS (RESOLVES_TO, CHILD_OF), WHOIS ownership (REGISTERED_BY, HAS_EMAIL), BGP routing and RPKI (ANNOUNCED_BY, ROUTES, ROA_AUTHORIZES_ORIGIN), GeoIP (LOCATED_IN), threat intelligence across 43 feeds (LISTED_IN, explain()), and the physical layer (AS_PRESENT_AT, CABLE_LANDS_AT). The steps below trace a path down through them.
Step 1 — Anchor on the adversary's TTPs
The path starts with the attacker. Pull a named actor's MITRE ATT&CK techniques to anchor the steps you are tracing.
MATCH (ac:ACTOR {name: "Volt Typhoon"})-[:USES_TECHNIQUE]->(t:ATTACK_PATTERN)
RETURN ac.name AS actor, collect(DISTINCT t.name)[0..10] AS techniques
LIMIT 1
Step 2 — Trace one indicator down the layers
From a hostname, follow resolution into routing — DNS to IP to the announcing ASN — in one statement.
MATCH (h:HOSTNAME {name: "github.com"})-[:RESOLVES_TO]->(ip:IPV4)
OPTIONAL MATCH (ip)-[:ANNOUNCED_BY]->(:ANNOUNCED_PREFIX)-[:ROUTES]->(a:ASN)
RETURN ip.name AS ip, a.name AS asn
LIMIT 5
Step 3 — Reach the physical layer
Keep going where every other tool stops: from the network to the data centers it occupies and the subsea cables landing beside them.
MATCH (a:ASN {name: "AS13335"})-[:AS_PRESENT_AT]->(f:FACILITY)<-[:LANDING_NEAR]-(l:CABLE_LANDING)<-[:CABLE_LANDS_AT]-(cab:SUBMARINE_CABLE)
RETURN f.name AS datacenter, cab.name AS submarine_cable
LIMIT 6
Run the whole path in one statement, from a web-facing hostname all the way down to the submarine cable. The six hops below replace six separate lookups stitched together by hand:
MATCH (h:HOSTNAME {name: "cloudflare.com"})-[:RESOLVES_TO]->(:IPV4)
-[:ANNOUNCED_BY]->(:ANNOUNCED_PREFIX)-[:ROUTES]->(a:ASN {name: "AS13335"})
-[:AS_PRESENT_AT]->(f:FACILITY)<-[:LANDING_NEAR]-(:CABLE_LANDING)<-[:CABLE_LANDS_AT]-(cab:SUBMARINE_CABLE)
RETURN a.name AS asn, f.name AS facility, cab.name AS cable
LIMIT 6
Against cloudflare.com it returns real facilities and the cables beside them — Equinix LA1 feeding the Pacific Light Cable Network, for instance. The full six-hop chain needs an internal-depth key; the three-hop physical step above reaches the same layer and runs on a free key.
Step 4 — Find the hidden link via shared infrastructure
Two indicators that look unrelated reveal their connection the moment you find the infrastructure they share. shortestPath returns the exact chain; here it should wire the typosquat acount-google.com back to the real google.com through one shared WHOIS contact, though the relationship set also admits a shared IP, nameserver, or alias, so read the labels of the returned nodes rather than assuming the registrant hop. The *1..3 bound keeps the query inside the free tier.
MATCH p = shortestPath(
(a:HOSTNAME {name: "google.com"})-[:HAS_EMAIL|RESOLVES_TO|NAMESERVER_FOR|ALIAS_OF*1..3]-(b:HOSTNAME {name: "acount-google.com"})
)
RETURN [n IN nodes(p) | coalesce(n.name, labels(n)[0])] AS path, length(p) AS hops
LIMIT 1
Step 5 — Identify the choke point
The payoff is the choke point: the shared node that, severed, collapses the most paths. Expand one host to everything co-tenanted on its IP; a common IP, prefix, ASN, or registrant is a choke point you can block, sinkhole, or report. Treat co-tenancy on a CDN or shared-hosting address as a lead rather than proof, since unrelated sites share those IPs, which is why the query slices the fan-out to a dozen names.
MATCH (h:HOSTNAME {name: "github.com"})-[:RESOLVES_TO]->(ip:IPV4)<-[:RESOLVES_TO]-(other:HOSTNAME)
WHERE other.name <> "github.com"
RETURN ip.name AS shared_ip, collect(DISTINCT other.name)[0..12] AS reachable_from_here
LIMIT 1
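Steps 4 and 5 reduce to two graph operations: a bounded shortest path between two indicators, and a count of how many entry-to-target paths each intermediate node sits on, so that the node on the most paths is the one to sever. The Python below is an added illustration, not Whisper code or part of this recipe. It runs offline over a small constructed graph that reuses the recipe's layer and relationship names; every hostname, address, ASN and facility in it is made up (documentation values), and the choke point it finds, a shared announced prefix rather than any single IP, is the shape of result the Step 5 query is hunting for.

```python
"""Bounded shortest path between two indicators, plus choke-point ranking,
over a toy external attack-path graph. Added illustration: all nodes and
edges below are constructed sample data, not Whisper output."""
from collections import Counter, defaultdict, deque

# (source, relationship, target) using the recipe's layer and edge names.
# Hostnames, addresses and the ASN are documentation values (RFC 5737/5398).
EDGES = [
    ("HOSTNAME:login-acme.example", "LINKS_TO", "HOSTNAME:acount-acme.example"),
    ("HOSTNAME:acount-acme.example", "RESOLVES_TO", "IPV4:203.0.113.10"),
    ("HOSTNAME:acme-support.example", "RESOLVES_TO", "IPV4:203.0.113.11"),
    ("HOSTNAME:acme-billing.example", "RESOLVES_TO", "IPV4:198.51.100.7"),
    ("IPV4:203.0.113.10", "ANNOUNCED_BY", "ANNOUNCED_PREFIX:203.0.113.0/24"),
    ("IPV4:203.0.113.11", "ANNOUNCED_BY", "ANNOUNCED_PREFIX:203.0.113.0/24"),
    ("IPV4:198.51.100.7", "ANNOUNCED_BY", "ANNOUNCED_PREFIX:198.51.100.0/24"),
    ("ANNOUNCED_PREFIX:203.0.113.0/24", "ROUTES", "ASN:AS64500"),
    ("ANNOUNCED_PREFIX:198.51.100.0/24", "ROUTES", "ASN:AS64500"),
    ("ASN:AS64500", "AS_PRESENT_AT", "FACILITY:Example DC 1"),
    # WHOIS layer: the lookalikes share one registrant mailbox
    ("HOSTNAME:acount-acme.example", "HAS_EMAIL", "EMAIL:ops@mailer.example"),
    ("HOSTNAME:acme-support.example", "HAS_EMAIL", "EMAIL:ops@mailer.example"),
    ("HOSTNAME:acme-billing.example", "HAS_EMAIL", "EMAIL:ops@mailer.example"),
]
# Attacker entry points (the phishing page and two more lookalikes) and the
# target network the paths are traced down to.
ENTRY_POINTS = ["HOSTNAME:login-acme.example", "HOSTNAME:acme-support.example",
                "HOSTNAME:acme-billing.example"]
TARGET = "ASN:AS64500"


def build_graph(edges, directed=True):
    """Adjacency map: node -> list of (neighbour, relationship)."""
    g = defaultdict(list)
    for src, rel, dst in edges:
        g[src].append((dst, rel))
        if not directed:
            g[dst].append((src, rel))
    return g


def shortest_path(edges, src, dst, rels, max_hops):
    """Undirected BFS limited to the given relationship types and to
    max_hops, the shape of shortestPath((a)-[:A|B*1..N]-(b))."""
    g = build_graph(edges, directed=False)
    parent = {src: None}
    frontier = deque([(src, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        if depth == max_hops:
            continue
        for nxt, rel in g[node]:
            if rel in rels and nxt not in parent:
                parent[nxt] = node
                frontier.append((nxt, depth + 1))
    return None


def attack_paths(edges, entry_points, target, max_hops):
    """Every simple directed path from an entry point down to the target."""
    g = build_graph(edges, directed=True)
    found = []

    def walk(path):
        node = path[-1]
        if node == target:
            found.append(list(path))
            return
        if len(path) - 1 == max_hops:
            return
        for nxt, _rel in g[node]:
            if nxt not in path:          # stay on simple paths
                path.append(nxt)
                walk(path)
                path.pop()

    for entry in entry_points:
        walk([entry])
    return found


def choke_points(paths):
    """Rank intermediate nodes by how many entry->target paths run through them."""
    hits = Counter()
    for p in paths:
        hits.update(p[1:-1])
    return hits.most_common()


def paths_surviving(paths, severed):
    """Paths that remain if the given node is blocked or sinkholed."""
    return [p for p in paths if severed not in p]


if __name__ == "__main__":
    paths = attack_paths(EDGES, ENTRY_POINTS, TARGET, max_hops=4)
    for p in paths:
        print(" -> ".join(p))
    node, n = choke_points(paths)[0]
    print(f"choke point: {node} is on {n} of {len(paths)} paths; "
          f"{len(paths_surviving(paths, node))} survive if it is severed")
    print(shortest_path(EDGES, "HOSTNAME:acount-acme.example",
                        "HOSTNAME:acme-billing.example",
                        {"HAS_EMAIL", "RESOLVES_TO"}, max_hops=3))
```

The directed walk is bounded the same way the recipe bounds its Cypher: a missing cap on either the BFS or the DFS is what turns a choke-point query into a fan-out explosion on a busy hosting prefix.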
Step 6 — Score every node with explain()
Each node on the path carries its own evidence. explain() returns a scored, feed-by-feed verdict for any IP, hostname, ASN, or CIDR, so the choke point comes with a defensible reason, not a black-box number.
CALL explain("185.220.101.1")
Quota tiers and hop depth
Traversal depth is governed by your plan: 2 hops anonymous, 3 on a free key, 5 on Pro. Steps 1 and 5 are 1 to 2 hops and run for anyone; Steps 2 through 4 fit in 3 hops and run on a free key (the physical-layer step is exactly 3); the full web-link-to-cable chain is 6 and needs an internal-depth key. When a query exceeds your tier you get a query-depth-exceeded error: grab a free key, or split the chain into anchored single hops joined with WITH.
Pitfalls: bounded paths, fan-out limits, and physical vs. synthesized edges
shortestPath needs a bounded length, so always cap the range (*1..3). Variable-length patterns follow only physical edges; a synthesized type (ANNOUNCED_BY, ROUTES, LISTED_IN) inside a *1..n range silently matches nothing. Write those as explicit single hops, either fixed in one pattern as the Step 3 chain does, or as separate MATCH clauses joined with WITH. Bound high-fan-out intermediates with WITH ... LIMIT before expanding so a choke-point query doesn't explode.
Related recipes and glossary
- Map adversary infrastructure — pivot one indicator into the whole campaign.
- Network & BGP security — MOAS, RPKI, and the physical-footprint recipes.
- Attack-surface mapping — enumerate an org's external footprint.
- Concepts: Attack path analysis · Choke point analysis · Infrastructure pivoting.