Use Case Examples
Nine security jobs, each with guided workflows you can run in the browser and copy-paste Cypher recipes.
Use Case Examples Documentation
WhisperGraph looks different depending on the job in front of you. A SOC analyst starts from an indicator, a brand team starts from a company name, a routing engineer starts from an ASN. This section organizes the docs around nine of those jobs. Each use case gives you two things: guided workflows you can run in the browser, and copy-paste Cypher recipes you can adapt for your own indicators and run against the Whisper API.
Every domain below has a sub-landing that explains how the graph helps with that job and lists its runnable workflows in a "Run it" table. Under each sub-landing sit recipe pages: self-contained, validated queries with a "Run it live" callout linking the matching workflows. If you are new to the graph, run the single example on Getting Started first.
Nine use cases entering the same pre-joined graph at different layers
The nine domains
| Domain | What it covers |
|---|---|
| Threat Investigation | Triage an indicator, map the adversary infrastructure around it, and trace a blast radius — every pivot on one pre-joined graph. |
| Threat Actors & TTPs | Pivot from a named actor or MITRE technique into the live hosting, domains, and TLS fingerprints behind it. |
| Attack Surface & Recon | Inventory an org footprint, de-cloak origins behind a CDN, and surface shadow IT — from passive data, with no packets sent. |
| Brand Protection | Catch live lookalike domains, tell a parked squat from one wired into phishing infrastructure, and build takedown evidence. |
| Network & Routing | Detect MOAS hijacks, audit RPKI coverage, and profile an ASN — routing anomaly and threat signal in the same query. |
| DNS & Email Security | Grade SPF, DMARC, DNSSEC, and mail posture crossed with the live infrastructure behind them, and catch nameserver drift early. |
| Infrastructure & Supply Chain | Map dependency and concentration risk down to datacenters, IXPs, and submarine cables — the evidence NIS2, DORA, and sanctions screening ask for. |
| AI Agent Grounding | Ground an autonomous agent in live internet infrastructure over MCP, so it can tell "no data" from "known clean". |
| Research & OSINT | Study how the internet is wired in a region or for an org, replay it at a point in time, and build attribution. |
Run workflows in the browser
The guided workflows live at /use-cases on this site: 56 workflows, each broken into steps you execute against the live graph, with the Cypher behind every step visible and editable. They are the fastest way to see what a use case looks like end to end before you write your own queries. Anonymous runs are capped at 2 traversal hops; a free API key raises the depth cap to 3. See Getting Started for how to get a key.
Cross-layer patterns
The pivots behind these use cases repeat across domains: hostname to IP to prefix to ASN, WHOIS email to every domain it registered, certificate to its SAN siblings. Cross-Layer Patterns collects ten of these reusable patterns as validated queries you can adapt anywhere. For the query language itself, see the Cypher Reference and the one-page Cheat Sheet.