Graph Schema Reference

Node labels, edge types, multi-hop patterns, and the ER diagram for WhisperGraph. Used by every Cypher query.

Updated May 2026

Graph Schema Reference Documentation

Reference for the WhisperGraph schema: every node label, every edge type, and the multi-hop patterns that connect them. Use this alongside the Cypher syntax reference when writing queries.

Schema guide

Node labels

LabelDescriptionExample values
HOSTNAMEFully-qualified domain names, subdomains, mail server nameswww.google.com, ns1.cloudflare.com
IPV4IPv4 addresses1.1.1.1, 142.250.64.100
IPV6IPv6 addresses2606:4700::6810:84e5
PREFIXIP CIDR blocks142.250.64.0/24
REGISTERED_PREFIXRIR-allocated IP blocks (virtual, resolved at query time)1.1.1.0/24
ANNOUNCED_PREFIXBGP-announced prefixes (virtual, resolved at query time)104.16.128.0/20
ASNAutonomous system numbersAS13335, AS15169
ASN_NAMEHuman-readable AS organization namesCLOUDFLARENET - Cloudflare, Inc.
TLDTop-level domainscom, net, org, io
TLD_OPERATORTLD registry operatorsVeriSign, Inc.
REGISTRARDomain registrars (IANA ID format)iana:292 (MarkMonitor)
EMAILWHOIS contact email addressesdomains@cloudflare.com
PHONEWHOIS contact phone numbers (E.164)+14158675825
ORGANIZATIONOrganizations from WHOIS recordscloudflare hostmaster
CITYGeoIP city with country codeMountain View, US
COUNTRYISO 3166-1 alpha-2 country codesUS, DE, AU
RIRRegional Internet RegistriesARIN, RIPENCC, APNIC, LACNIC, AFRINIC
DNSSEC_ALGORITHMDNSSEC signing algorithmsECDSAP256SHA256, RSASHA256
FEED_SOURCEThreat intelligence feed sources (virtual)Spamhaus DROP, Feodo Tracker
CATEGORYThreat feed categories (virtual)C2 Servers, Phishing

Edge types

DNS resolution

Edge typeFromToDescription
RESOLVES_TOHOSTNAMEIPV4/IPV6DNS A/AAAA records
CHILD_OFHOSTNAMEHOSTNAME/TLDDomain hierarchy (sub.example.com -> example.com -> com)
ALIAS_OFHOSTNAMEHOSTNAMECNAME records
NAMESERVER_FORHOSTNAMEHOSTNAMENS delegation (nameserver serves the target domain)
MAIL_FORHOSTNAMEHOSTNAMEMX records (mail server handles mail for the target domain)
SIGNED_WITHHOSTNAMEDNSSEC_ALGORITHMDNSSEC signing algorithm

BGP and routing

Edge typeFromToDescription
ANNOUNCED_BYIPV4/PREFIXANNOUNCED_PREFIXBGP announcement (virtual, resolved at query time)
ROUTESASNANNOUNCED_PREFIXASN routes this prefix (virtual)
BELONGS_TOIPV4PREFIX/REGISTERED_PREFIX/ANNOUNCED_PREFIXIP membership in a prefix block
PEERS_WITHASNASNBGP peering session (virtual)
HAS_NAMEASNASN_NAMENetwork operator name (virtual)
HAS_COUNTRYASN/PREFIXCOUNTRYCountry assignment

WHOIS and registration

Edge typeFromToDescription
HAS_REGISTRARHOSTNAMEREGISTRARCurrent domain registrar
PREV_REGISTRARHOSTNAMEREGISTRARPrevious domain registrar
REGISTERED_BYHOSTNAME/REGISTERED_PREFIXORGANIZATIONWHOIS registrant organization
HAS_EMAILHOSTNAMEEMAILWHOIS contact email
HAS_PHONEHOSTNAMEPHONEWHOIS contact phone

GeoIP

Edge typeFromToDescription
LOCATED_INIPV4CITYGeoIP city location
LOCATED_INCITYCOUNTRYCity to country mapping

Threat intelligence

Edge typeFromToDescription
LISTED_INIPV4/HOSTNAMEFEED_SOURCEIP or hostname appears in this threat feed (virtual)
BELONGS_TOFEED_SOURCECATEGORYFeed classified under this category

Web

Edge typeFromToDescription
LINKS_TOHOSTNAMEHOSTNAMEHyperlink between hostnames (from web crawl data)

SPF

Edge typeFromToDescription
SPF_INCLUDEHOSTNAMEHOSTNAMESPF include: mechanism
SPF_IPHOSTNAMEPREFIXSPF ip4: / ip6: mechanism
SPF_AHOSTNAMEHOSTNAMESPF a: mechanism
SPF_MXHOSTNAMEHOSTNAMESPF mx: mechanism
SPF_REDIRECTHOSTNAMEHOSTNAMESPF redirect= modifier
SPF_EXISTSHOSTNAMEHOSTNAMESPF exists: mechanism

Other

Edge typeFromToDescription
OPERATESTLD_OPERATORTLDRegistry operator manages this TLD (virtual)

Entity relationship diagram

Entity Relationship DiagramEntity Relationship Diagram

Solid lines are physical edges stored on disk. Dashed lines are virtual edges computed at query time from live infrastructure and threat intelligence data.

Solid lines are physical edges stored on disk. Dashed lines are virtual edges computed at query time from live infrastructure and threat intelligence data.

Multi-hop path patterns

These are the most common traversal chains through the graph.

Domain to network owner:

HOSTNAME -[:RESOLVES_TO]-> IPV4 -[:ANNOUNCED_BY]-> ANNOUNCED_PREFIX -[:ROUTES]-> ASN -[:HAS_NAME]-> ASN_NAME

Domain to nameservers:

HOSTNAME(ns) -[:NAMESERVER_FOR]-> HOSTNAME(domain)

Domain to mail servers:

HOSTNAME(mx) -[:MAIL_FOR]-> HOSTNAME(domain)

IP to GeoIP location:

IPV4 -[:LOCATED_IN]-> CITY -[:LOCATED_IN]-> COUNTRY

IP to threat feeds:

IPV4 -[:LISTED_IN]-> FEED_SOURCE -[:BELONGS_TO]-> CATEGORY

Domain WHOIS chain:

HOSTNAME -[:HAS_REGISTRAR]-> REGISTRAR
HOSTNAME -[:HAS_EMAIL]-> EMAIL
HOSTNAME -[:REGISTERED_BY]-> ORGANIZATION

DNS hierarchy:

HOSTNAME -[:CHILD_OF]-> HOSTNAME(parent) -[:CHILD_OF]-> TLD

RIR allocation chain:

IPV4 -[:BELONGS_TO]-> REGISTERED_PREFIX -[:REGISTERED_BY]-> ORGANIZATION
NextFeed Catalog