Glossary

Definitions for terms used across WhisperGraph documentation: BGP, DNS, threat-intel, graph mechanics, Splunk, and API protocol.

Updated May 2026


Definitions for terms used across WhisperGraph documentation. Terms are grouped roughly by domain. Click any term to jump to the doc page where it's used in context.


Network and routing

ASN (Autonomous System Number) — A unique number identifying a network operator on the public internet. ASNs route IP prefixes via BGP. WhisperGraph stores ASNs as ASN nodes connected to prefixes via ROUTES. See SOC recipes. See also: Autonomous System (ASN) — full glossary entry.

ANNOUNCED_PREFIX — A CIDR block that an ASN is currently announcing on BGP. (IPV4)-[:ANNOUNCED_BY]->(ANNOUNCED_PREFIX)-[:ROUTES]->(ASN) is the current routing chain.

REGISTERED_PREFIX — A CIDR block allocated to an organization by a RIR. Static; doesn't change as the network re-routes.

BGP (Border Gateway Protocol) — The internet's path-vector routing protocol. Operators announce prefixes; ASNs choose paths. See also: BGP Routing — full glossary entry.

BGP hijack — When an ASN announces a prefix it doesn't own, redirecting traffic. WhisperGraph detects MOAS conflicts — see BGP recipes.

MOAS conflict — Multiple Origin AS: two different ASNs announcing the same prefix. WhisperGraph surfaces these as the CONFLICTS_WITH edge (PREFIX → ASN). Often a sign of hijack; sometimes legitimate (e.g. anycast).

RPKI (Resource Public Key Infrastructure) — Cryptographic system that validates BGP announcements. WhisperGraph tracks RPKI status on prefixes — isRpkiValid and rpkiStatus properties.

RIR (Regional Internet Registry) — One of five regional bodies (ARIN, RIPE, APNIC, LACNIC, AFRINIC) that allocate IP and ASN resources.

Anycast — One IP announced from many physical locations. CDN networks (Cloudflare, Fastly) use it. GeoIP results for anycast IPs are unreliable — see Known Limitations.


DNS and email

A record / AAAA record — DNS record mapping a hostname to an IPv4 / IPv6 address. (:HOSTNAME)-[:RESOLVES_TO]->(:IPV4|:IPV6) in the graph. See also: DNS — full glossary entry.

CNAME — DNS alias from one hostname to another. Often chained 2–3 hops deep.

MX record — Mail exchanger record. Points a domain at the host that accepts its email. See also: DNS — full glossary entry.

SPF (Sender Policy Framework) — DNS TXT record listing IPs allowed to send mail for a domain. Often includes other SPF records via include: directives.

SPF include chain — The transitive set of all SPF records reachable from a starting domain's include: directives. WhisperGraph traces these — see DNS/email recipes.

DNSSEC — Cryptographic authentication of DNS responses. WhisperGraph stores the signing algorithm via the SIGNED_WITH edge. See also: DNSSEC — full glossary entry.

Dangling DNS record — A DNS record pointing to infrastructure the owner no longer controls (e.g. a deleted S3 bucket). Vector for subdomain takeover.


Threat intel

FEED_SOURCE — A graph node representing one threat-intel feed (e.g. "ThreatFox IOCs"). Indicators connect via LISTED_IN; the feed is classified under a category via BELONGS_TO. See Feed Catalog.

CATEGORY — A grouping of feed sources (e.g. "C2 Servers", "Phishing"). 18 total. See Feed Categories.

LISTED_IN — Virtual edge connecting an indicator (IP, hostname, domain) to a FEED_SOURCE.

explain() — Stored procedure that scores an indicator using feed count, weights, recency, and network density. Returns a composite score, a normalized level, and a human-readable explanation. Works on IPs, domains, ASNs, CIDR ranges, and file hashes. See Cypher Functions & Procedures.

Threat score — The composite numeric score returned by explain(). Higher means more confidently bad; the value is a weighted composite, not a fixed 0–10 scale (a heavily-listed network can score well into the dozens). Computed from listed feeds, feed weight, recency boost, and network neighborhood density. For automated rules, branch on the level tier (NONE through CRITICAL) rather than the raw score.


Graph mechanics

Node label — The "type" of a node, e.g. HOSTNAME, IPV4, ASN. See Graph Schema.

Edge type — The "type" of a relationship between nodes, e.g. RESOLVES_TO, ANNOUNCED_BY, LISTED_IN.

Physical edge — An edge backed by an actual stored row (e.g. RESOLVES_TO from a DNS observation). Traversable with full predicate support.

Virtual edge — An edge computed at query time from indexed properties (e.g. LISTED_IN, ANNOUNCED_BY, OPERATES). Traversable like any other edge, but the source node must be anchored, and a virtual edge cannot be used inside a variable-length pattern.

Anchor — The starting node of a traversal, identified by an indexed property like {name: "..."}. Always anchor — unanchored MATCH (n:LABEL) scans every node of that label.

Multi-hop traversal — A pattern with multiple edges, e.g. (a)-[:E1]->(b)-[:E2]->(c). Plan tier sets the maximum hop count — anonymous requests are capped at 2; higher tiers go deeper (see the pricing page). See Error Codes.


Splunk integration

TA (Technology Add-on) — A Splunk add-on package. WhisperGraph ships TA-whisper-graph.

SPL (Search Processing Language) — Splunk's query language. WhisperGraph adds custom commands like whisperlookup and whisperquery.

KV Store — Splunk's key-value store. Used by WhisperGraph for enrichment caching and threat-intel populators.

SHC (Search Head Cluster) — A clustered Splunk search-head deployment. The WhisperGraph TA supports SHC bundle deployments.

RBA (Risk-Based Alerting) — Splunk Enterprise Security feature that correlates risk events into investigations. WhisperGraph populators feed into RBA. See ES Integration.

CIM (Common Information Model) — Splunk's standard schema for normalized fields (src, dest, user, etc.). See CIM Mapping.

AppInspect — Splunk's automated review for Cloud-eligible apps. The WhisperGraph TA passes AppInspect requirements documented in Requirements.

Modular input — A Splunk input that runs on a schedule. WhisperGraph uses modular inputs for owned-domain monitoring and KV-store population. See Modular Inputs.


API and protocol

Cypher — A query language for graph databases, originally from Neo4j. WhisperGraph supports a subset focused on read queries. See Cypher Syntax.

MCP (Model Context Protocol) — Anthropic's open protocol for connecting AI assistants to tools and data sources. WhisperGraph runs an MCP server. See MCP Client Setup.

RFC 7807 — IETF standard for HTTP problem-detail responses. WhisperGraph error responses follow this format. See Error Codes.

Anonymous tier — The unauthenticated tier of the WhisperGraph API. Requests without a valid X-API-Key header run here. For limits and pricing see the pricing page.


If a term is missing or ambiguous, open a docs issue or email docs@whisper.security.