Graph Schema Reference
Node labels, edge types, multi-hop patterns, and the ER diagram for WhisperGraph. Used by every Cypher query.
Graph Schema Reference Documentation
Reference for the WhisperGraph schema: every node label, every edge type, and the multi-hop patterns that connect them. Use this alongside the Cypher syntax reference when writing queries.
Schema guide
WhisperGraph has two kinds of structure. Most nodes and edges are stored directly. A second set — the virtual infrastructure and threat-intelligence layers — is synthesized at query time from live data. Virtual edges behave like stored edges in almost every way, with one rule that matters: you must anchor the source node before traversing a virtual edge. More on that under Edge types.
There is no DOMAIN or FQDN label. Every DNS name — including nameservers and mail servers — is a HOSTNAME.
Node labels
| Label | Description | Example values |
|---|---|---|
| HOSTNAME | Fully-qualified domain names, subdomains, mail server names | www.google.com, ns1.cloudflare.com |
| IPV4 | IPv4 addresses | 1.1.1.1, 142.250.64.100 |
| IPV6 | IPv6 addresses | 2606:4700::6810:84e5 |
| PREFIX | IP CIDR blocks from DNS and RIR imports | 142.250.64.0/24 |
| REGISTERED_PREFIX | RIR-allocated IP blocks (virtual, resolved at query time) | 1.1.1.0/24 |
| ANNOUNCED_PREFIX | BGP-announced prefixes (virtual, resolved at query time) | 104.16.128.0/20 |
| ASN | Autonomous system numbers | AS13335, AS15169 |
| ASN_NAME | Human-readable AS organization names | CLOUDFLARENET - Cloudflare, Inc. |
| TLD | Top-level domains | com, net, org, io |
| TLD_OPERATOR | TLD registry operators | VeriSign Global Registry Services |
| REGISTRAR | Domain registrars (IANA ID format) | iana:292 (MarkMonitor) |
| WHOIS contact email addresses | domains@cloudflare.com | |
| PHONE | WHOIS contact phone numbers (E.164) | +14158675825 |
| ORGANIZATION | Organizations from WHOIS or RIR records | cloudflare hostmaster |
| CITY | GeoIP city with country code | Mountain View, US |
| COUNTRY | ISO 3166-1 alpha-2 country codes | US, DE, AU |
| RIR | Regional Internet Registries | ARIN, RIPENCC, APNIC, LACNIC, AFRINIC |
| DNSSEC_ALGORITHM | DNSSEC signing algorithms | ECDSAP256SHA256, RSASHA256 |
| FEED_SOURCE | Threat intelligence feed sources (virtual) | Spamhaus DROP, Feodo Tracker |
| CATEGORY | Threat feed categories (virtual) | C2 Servers, Phishing |
CALL db.labels() returns all 20 labels with live row counts.
Edge types
Edges have a direction. A wrong-direction traversal returns zero rows with no error, so direction matters — you can always traverse an edge backwards by writing <-[:TYPE]-. The tables below give the storage direction.
DNS resolution
| Edge type | From | To | Description |
|---|---|---|---|
| RESOLVES_TO | HOSTNAME | IPV4/IPV6 | DNS A/AAAA records |
| CHILD_OF | HOSTNAME | HOSTNAME/TLD | Domain hierarchy (sub.example.com → example.com → com) |
| ALIAS_OF | HOSTNAME | HOSTNAME | CNAME records |
| NAMESERVER_FOR | HOSTNAME | HOSTNAME | NS delegation (the nameserver serves the target domain) |
| MAIL_FOR | HOSTNAME | HOSTNAME | MX records (the mail server handles mail for the target domain) |
| SIGNED_WITH | HOSTNAME | DNSSEC_ALGORITHM | DNSSEC signing algorithm |
BGP and routing
| Edge type | From | To | Description |
|---|---|---|---|
| ANNOUNCED_BY | IPV4/IPV6 | ANNOUNCED_PREFIX | The IP falls inside a BGP-announced prefix (virtual) |
| ROUTES | ASN | PREFIX/ANNOUNCED_PREFIX | The ASN routes the prefix (virtual) |
| BELONGS_TO | IPV4/IPV6 | PREFIX/REGISTERED_PREFIX | The IP belongs to an allocation block |
| PEERS_WITH | ASN | ASN | BGP peering relationship (virtual) |
| HAS_NAME | ASN | ASN_NAME | Network operator name (virtual) |
| CONFLICTS_WITH | PREFIX | ASN | A multi-origin AS (MOAS) conflict — the same prefix announced by more than one ASN (virtual) |
WHOIS and registration
| Edge type | From | To | Description |
|---|---|---|---|
| HAS_REGISTRAR | HOSTNAME | REGISTRAR | Current domain registrar |
| PREV_REGISTRAR | HOSTNAME | REGISTRAR | A historical, superseded registrar |
| REGISTERED_BY | HOSTNAME/ASN/PREFIX | ORGANIZATION | WHOIS / RIR registrant organization |
| HAS_EMAIL | HOSTNAME | WHOIS contact email | |
| HAS_PHONE | HOSTNAME | PHONE | WHOIS contact phone |
Geo
| Edge type | From | To | Description |
|---|---|---|---|
| LOCATED_IN | IPV4/IPV6 | CITY | GeoIP city for the IP. LOCATED_IN never targets COUNTRY — chain through HAS_COUNTRY to reach a country |
| HAS_COUNTRY | ASN/CITY/IPV4/HOSTNAME/PHONE/ANNOUNCED_PREFIX/REGISTERED_PREFIX | COUNTRY | The entity's country |
Threat intelligence
| Edge type | From | To | Description |
|---|---|---|---|
| LISTED_IN | IPV4/IPV6/HOSTNAME | FEED_SOURCE | The indicator appears in this threat feed (virtual) |
| BELONGS_TO | FEED_SOURCE | CATEGORY | The feed is classified under this category |
Web
| Edge type | From | To | Description |
|---|---|---|---|
| LINKS_TO | HOSTNAME | HOSTNAME | A web hyperlink from one site to another (from web crawl data) |
SPF
| Edge type | From | To | Description |
|---|---|---|---|
| SPF_INCLUDE | HOSTNAME | HOSTNAME | SPF include: mechanism |
| SPF_IP | HOSTNAME | IPV4/IPV6/PREFIX | SPF ip4: / ip6: mechanism |
| SPF_A | HOSTNAME | HOSTNAME | SPF a: mechanism |
| SPF_MX | HOSTNAME | HOSTNAME | SPF mx: mechanism |
| SPF_REDIRECT | HOSTNAME | HOSTNAME | SPF redirect= modifier |
| SPF_EXISTS | HOSTNAME | HOSTNAME | SPF exists: mechanism |
Registry
| Edge type | From | To | Description |
|---|---|---|---|
| OPERATES | TLD_OPERATOR | TLD | The registry operator runs the top-level domain (virtual) |
Virtual edges must be anchored
Some edges are physical (stored directly), some are virtual (synthesized at query time), and a few are a mix. The virtual and mixed edges — ANNOUNCED_BY, ROUTES into ANNOUNCED_PREFIX, HAS_NAME, BELONGS_TO into REGISTERED_PREFIX, LISTED_IN, CONFLICTS_WITH, and OPERATES — are only produced when the source node of the traversal is anchored. An unanchored probe like MATCH (a:ASN)-[:HAS_NAME]->(n) returns nothing; the anchored form MATCH (a:ASN {name: "AS13335"})-[:HAS_NAME]->(n) returns CLOUDFLARENET - Cloudflare, Inc. Always anchor before traversing a virtual edge, and never put a virtual edge inside a variable-length pattern. To chain two virtual edges (for example LISTED_IN into BELONGS_TO), insert a WITH between them so the intermediate node is materialised before the second hop.
Entity relationship diagram
Entity Relationship Diagram
Solid lines are physical edges stored on disk. Dashed lines are virtual edges computed at query time from live infrastructure and threat intelligence data.
Multi-hop path patterns
These are the most common traversal chains through the graph.
Domain to network owner:
HOSTNAME -[:RESOLVES_TO]-> IPV4 -[:ANNOUNCED_BY]-> ANNOUNCED_PREFIX -[:ROUTES]-> ASN -[:HAS_NAME]-> ASN_NAME
Domain to nameservers:
HOSTNAME(ns) -[:NAMESERVER_FOR]-> HOSTNAME(domain)
Domain to mail servers:
HOSTNAME(mx) -[:MAIL_FOR]-> HOSTNAME(domain)
IP to GeoIP location:
IPV4 -[:LOCATED_IN]-> CITY -[:HAS_COUNTRY]-> COUNTRY
IP to threat feeds:
IPV4 -[:LISTED_IN]-> FEED_SOURCE -[:BELONGS_TO]-> CATEGORY
Domain WHOIS chain:
HOSTNAME -[:HAS_REGISTRAR]-> REGISTRAR
HOSTNAME -[:HAS_EMAIL]-> EMAIL
HOSTNAME -[:REGISTERED_BY]-> ORGANIZATION
DNS hierarchy:
HOSTNAME -[:CHILD_OF]-> HOSTNAME(parent) -[:CHILD_OF]-> TLD
RIR allocation chain:
IPV4 -[:BELONGS_TO]-> REGISTERED_PREFIX -[:REGISTERED_BY]-> ORGANIZATION
Registry operator:
TLD_OPERATOR -[:OPERATES]-> TLD