Feed Categories
The 18 categories WhisperGraph uses to group threat-intel feeds.
Updated May 2026
Feed Categories Documentation
Threat-intel feeds in WhisperGraph are grouped into 18 categories. Use the category to filter feeds when scoring or hunting (e.g. only C2 Servers + Malware Distribution for confirmed-bad).
For the full feed list see the Feed Catalog.
Categories
| Category | What it covers |
|---|---|
| Ad/Tracking Blocklists | Domains used for ads and behavioural tracking |
| Anonymization Infrastructure | VPN exit nodes, proxies, anonymizing relays |
| Attack Sources | IPs observed scanning or attacking |
| Brute Force | SSH/RDP/credential brute-force sources |
| C2 Servers | Confirmed command-and-control infrastructure |
| General Blacklists | Catch-all reputation lists from operators |
| Malicious Domains | Domains involved in malware or attack chains |
| Malicious Infrastructure | Hosting providers and ASNs hosting badness |
| Malware Distribution | URLs/IPs serving malware payloads |
| Phishing | Domains and URLs used for credential theft |
| Popularity/Trust | Top-N domain lists used for whitelisting and reputation |
| Proxies | HTTP/SOCKS proxy infrastructure |
| Reference Data | Public infrastructure datasets (e.g. Bitcoin nodes) |
| Reputation | General reputation aggregators |
| Spam | Mail spam sources |
| TOR Network | Tor relays and exit nodes |
| Threat Intelligence | Curated threat-intel from intel providers |
| VPNs | Commercial VPN egress IPs |
Querying by category
A FEED_SOURCE is connected to its CATEGORY by the BELONGS_TO edge — there is no IN_CATEGORY edge.
// All feeds in a category
MATCH (cat:CATEGORY {name: "C2 Servers"})<-[:BELONGS_TO]-(f:FEED_SOURCE)
RETURN f.name
// Which categories a specific feed is classified under
MATCH (f:FEED_SOURCE {name: "Feodo Tracker"})-[:BELONGS_TO]->(cat:CATEGORY)
RETURN cat.name
// Categories an indicator falls under. LISTED_IN and BELONGS_TO are both
// virtual edges — chaining them needs a WITH in between to materialise the
// feed nodes before the second hop.
MATCH (ip:IPV4 {name: "185.220.101.1"})-[:LISTED_IN]->(f:FEED_SOURCE)
WITH DISTINCT f
MATCH (f)-[:BELONGS_TO]->(cat:CATEGORY)
RETURN DISTINCT cat.name