Feed Categories
The 18 categories WhisperGraph uses to group threat-intel feeds.
Updated May 2026
Feed Categories Documentation
Threat-intel feeds in WhisperGraph are grouped into 18 categories. Use the category to filter feeds when scoring or hunting (e.g. only C2 Servers + Malware Distribution for confirmed-bad).
For the full feed list see the Feed Catalog.
Categories
| Category | What it covers |
|---|---|
| Ad/Tracking Blocklists | Domains used for ads and behavioural tracking |
| Anonymization Infrastructure | VPN exit nodes, proxies, anonymizing relays |
| Attack Sources | IPs observed scanning or attacking |
| Brute Force | SSH/RDP/credential brute-force sources |
| C2 Servers | Confirmed command-and-control infrastructure |
| General Blacklists | Catch-all reputation lists from operators |
| Malicious Domains | Domains involved in malware or attack chains |
| Malicious Infrastructure | Hosting providers and ASNs hosting badness |
| Malware Distribution | URLs/IPs serving malware payloads |
| Phishing | Domains and URLs used for credential theft |
| Popularity/Trust | Top-N domain lists used for whitelisting and reputation |
| Proxies | HTTP/SOCKS proxy infrastructure |
| Reference Data | Public infrastructure datasets (e.g. Bitcoin nodes) |
| Reputation | General reputation aggregators |
| Spam | Mail spam sources |
| TOR Network | Tor relays and exit nodes |
| Threat Intelligence | Curated threat-intel from intel providers |
| VPNs | Commercial VPN egress IPs |
Querying by category
-- All feeds in a category
MATCH (cat:CATEGORY {name: "C2 Servers"})<-[:IN_CATEGORY]-(f:FEED_SOURCE)
RETURN f.name
-- All indicators flagged by any C2 feed
MATCH (cat:CATEGORY {name: "C2 Servers"})<-[:IN_CATEGORY]-(f:FEED_SOURCE)<-[:LISTED_IN]-(ind)
RETURN labels(ind)[0] AS type, ind.name LIMIT 100
-- Categories an indicator falls under
MATCH (ip:IPV4 {name: "185.220.101.1"})-[:LISTED_IN]->(f:FEED_SOURCE)-[:IN_CATEGORY]->(cat:CATEGORY)
RETURN DISTINCT cat.name