Glossary

Definitions for terms used across WhisperGraph documentation: BGP, DNS, threat-intel, graph mechanics, Splunk, and API protocol.

Updated May 2026

Terms are grouped roughly by domain. Click any term to jump to the doc page where it's used in context.


Network and routing

ASN (Autonomous System Number) — A unique number identifying a network operator on the public internet. ASNs route IP prefixes via BGP. WhisperGraph stores ASNs as ASN nodes connected to prefixes via ROUTES. See SOC recipes.

ANNOUNCED_PREFIX — A CIDR block that an ASN is currently announcing on BGP. (IPV4)-[:ANNOUNCED_BY]->(ANNOUNCED_PREFIX)-[:ROUTES]->(ASN) is the current routing chain.

REGISTERED_PREFIX — A CIDR block allocated to an organization by a RIR. Static; doesn't change as the network re-routes.

BGP (Border Gateway Protocol) — The internet's path-vector routing protocol. Operators announce prefixes; ASNs choose paths.

BGP hijack — When an ASN announces a prefix it doesn't own, redirecting traffic. WhisperGraph detects MOAS conflicts — see BGP recipes.

MOAS conflict — Multiple Origin AS: two different ASNs announcing the same prefix. Often a sign of hijack; sometimes legitimate (e.g. anycast).

RPKI (Resource Public Key Infrastructure) — Cryptographic system that validates BGP announcements. WhisperGraph tracks RPKI status on prefixes — isRpkiValid and rpkiStatus properties.

RIR (Regional Internet Registry) — One of five regional bodies (ARIN, RIPE, APNIC, LACNIC, AFRINIC) that allocate IP and ASN resources.

Anycast — One IP announced from many physical locations. CDN networks (Cloudflare, Fastly) use it. GeoIP results for anycast IPs are unreliable — see Known Limitations.


DNS and email

A record / AAAA record — DNS record mapping a hostname to an IPv4 / IPv6 address. (:HOSTNAME)-[:RESOLVES_TO]->(:IPV4|:IPV6) in the graph.

CNAME — DNS alias from one hostname to another. Often chained 2–3 hops deep.

MX record — Mail exchanger record. Points a domain at the host that accepts its email.

SPF (Sender Policy Framework) — DNS TXT record listing IPs allowed to send mail for a domain. Often includes other SPF records via include: directives.

SPF include chain — The transitive set of all SPF records reachable from a starting domain's include: directives. WhisperGraph traces these — see DNS/email recipes.

DNSSEC — Cryptographic authentication of DNS responses. WhisperGraph stores algorithm, key tag, and signing details.

Dangling DNS record — A DNS record pointing to infrastructure the owner no longer controls (e.g. a deleted S3 bucket). Vector for subdomain takeover.


Threat intel

FEED_SOURCE — A graph node representing one threat-intel feed (e.g. "ThreatFox IOCs"). Indicators connect via LISTED_IN. See Feed Catalog.

CATEGORY — A grouping of feed sources (e.g. "C2 Servers", "Phishing"). 18 total. See Feed Categories.

LISTED_IN — Virtual edge connecting an indicator (IP, hostname, domain) to a FEED_SOURCE.

explain() — Stored procedure that scores an indicator using feed count, weights, recency, and network density. Returns a composite score and human-readable explanation. See Cypher Functions & Procedures.

Threat score — A 0–10 numeric score from explain(). Higher = more confidently bad. Computed from listed feeds, feed weight, recency boost, and network neighborhood density.


Graph mechanics

Node label — The "type" of a node, e.g. HOSTNAME, IPV4, ASN. See Graph Schema.

Edge type — The "type" of a relationship between nodes, e.g. RESOLVES_TO, ANNOUNCED_BY, LISTED_IN.

Physical edge — An edge backed by an actual stored row (e.g. RESOLVES_TO from a DNS observation). Traversable with full predicate support.

Virtual edge — An edge computed at query time from indexed properties (e.g. LISTED_IN, ANNOUNCED_BY). Traversable like any other edge but cannot be filtered by edge properties (because there are none).

Anchor — The starting node of a traversal, identified by an indexed property like {name: "..."} or {id: ...}. Always anchor — unanchored MATCH (n:LABEL) scans every node of that label.

Multi-hop traversal — A pattern with multiple edges, e.g. (a)-[:E1]->(b)-[:E2]->(c). Plan tier sets max hops (Anonymous 2, Free 3, Pro 5). See Error Codes.


Splunk integration

TA (Technology Add-on) — A Splunk add-on package. WhisperGraph ships TA-whisper-graph.

SPL (Search Processing Language) — Splunk's query language. WhisperGraph adds custom commands like whisperlookup and whisperquery.

KV Store — Splunk's key-value store. Used by WhisperGraph for enrichment caching and threat-intel populators.

SHC (Search Head Cluster) — A clustered Splunk search-head deployment. The WhisperGraph TA supports SHC bundle deployments.

RBA (Risk-Based Alerting) — Splunk Enterprise Security feature that correlates risk events into investigations. WhisperGraph populators feed into RBA. See ES Integration.

CIM (Common Information Model) — Splunk's standard schema for normalized fields (src, dest, user, etc.). See CIM Mapping.

AppInspect — Splunk's automated review for Cloud-eligible apps. The WhisperGraph TA passes AppInspect requirements documented in Requirements.

Modular input — A Splunk input that runs on a schedule. WhisperGraph uses modular inputs for owned-domain monitoring and KV-store population. See Modular Inputs.


API and protocol

Cypher — A query language for graph databases, originally from Neo4j. WhisperGraph supports a subset focused on read queries. See Cypher Syntax.

MCP (Model Context Protocol) — Anthropic's open protocol for connecting AI assistants to tools and data sources. WhisperGraph runs an MCP server. See MCP Client Setup.

RFC 7807 — IETF standard for HTTP problem-detail responses. WhisperGraph error responses follow this format. See Error Codes.

Anonymous tier — The unauthenticated tier of the WhisperGraph API. Requests without a valid X-API-Key header run here. For limits and pricing see the pricing page.


If a term is missing or ambiguous, open a docs issue or email docs@whisper.security.