Use Case Examples

Nine security jobs, each with guided workflows you can run in the browser and copy-paste Cypher recipes.

Updated July 2026

Use Case Examples Documentation

WhisperGraph looks different depending on the job in front of you. A SOC analyst starts from an indicator, a brand team starts from a company name, a routing engineer starts from an ASN. This section organizes the docs around nine of those jobs. Each use case gives you two things: guided workflows you can run in the browser, and copy-paste Cypher recipes you can adapt for your own indicators and run against the Whisper API.

Every domain below has a sub-landing that explains how the graph helps with that job and lists its runnable workflows in a "Run it" table. Under each sub-landing sit recipe pages: self-contained, validated queries with a "Run it live" callout linking the matching workflows. If you are new to the graph, run the single example on Getting Started first.

Nine use cases entering the same pre-joined graph at different layers

The nine domains

DomainWhat it covers
Threat InvestigationTriage an indicator, map the adversary infrastructure around it, and trace a blast radius — every pivot on one pre-joined graph.
Threat Actors & TTPsPivot from a named actor or MITRE technique into the live hosting, domains, and TLS fingerprints behind it.
Attack Surface & ReconInventory an org footprint, de-cloak origins behind a CDN, and surface shadow IT — from passive data, with no packets sent.
Brand ProtectionCatch live lookalike domains, tell a parked squat from one wired into phishing infrastructure, and build takedown evidence.
Network & RoutingDetect MOAS hijacks, audit RPKI coverage, and profile an ASN — routing anomaly and threat signal in the same query.
DNS & Email SecurityGrade SPF, DMARC, DNSSEC, and mail posture crossed with the live infrastructure behind them, and catch nameserver drift early.
Infrastructure & Supply ChainMap dependency and concentration risk down to datacenters, IXPs, and submarine cables — the evidence NIS2, DORA, and sanctions screening ask for.
AI Agent GroundingGround an autonomous agent in live internet infrastructure over MCP, so it can tell "no data" from "known clean".
Research & OSINTStudy how the internet is wired in a region or for an org, replay it at a point in time, and build attribution.

Run workflows in the browser

The guided workflows live at /use-cases on this site: 56 workflows, each broken into steps you execute against the live graph, with the Cypher behind every step visible and editable. They are the fastest way to see what a use case looks like end to end before you write your own queries. Anonymous runs are capped at 2 traversal hops; a free API key raises the depth cap to 3. See Getting Started for how to get a key.

Cross-layer patterns

The pivots behind these use cases repeat across domains: hostname to IP to prefix to ASN, WHOIS email to every domain it registered, certificate to its SAN siblings. Cross-Layer Patterns collects ten of these reusable patterns as validated queries you can adapt anywhere. For the query language itself, see the Cypher Reference and the one-page Cheat Sheet.