Attack Surface & Recon
Inventory an org footprint, de-cloak CDN origins, and surface shadow IT from passive data, no packets sent.
Attack Surface & Recon Documentation
De-cloaking an origin behind a CDN or enumerating an org footprint usually means active scans, and active scans leak your intent and trip defenses. WhisperGraph maps the surface from passive data instead: every subdomain, resolving IP, and announcing ASN, with no packets sent. You see the exposure an attacker would, including the shadow IT and forgotten infrastructure a clean asset inventory never shows.
Recon tools answer one question each, a reverse-IP here, a subdomain brute-force there, and none of them join the results into a footprint. The hosting diversity that signals shadow IT, the origin hiding behind a proxy, the ASN that ties it all together: each is a separate, noisy lookup. WhisperGraph reads a graph that has already joined DNS, Certificate Transparency, routing, and ownership, so one hop-bounded query expands a domain to its whole footprint and keeps going where scanners stop.
Everything here is passive. You are querying Whisper's index of public DNS, BGP, WHOIS, Certificate Transparency, and TLS-fingerprint data, not the target's infrastructure. No DNS queries hit their nameservers, no ports get scanned, nothing lands in their logs.
Run it
Each workflow below opens with a live result you can run on your own indicator. Anonymous runs go two hops deep; a free key raises you to three.
| Workflow | What it does |
|---|---|
| Attack-Surface Mapper | Domain to its full external footprint, scored: subdomains, nameservers, mail and SPF senders, registrant, the SaaS/CNAME supply chain, real origins behind a CDN, serving IPs and their threat posture. |
| Find Subdomains | Map a domain's full subdomain namespace: every host under the apex, counted via the suffix index and listed from the CHILD_OF subtree, each optionally resolved to its IP, location, and announcing network. |
| Find the real infrastructure behind the CDN | De-cloak a CDN-fronted domain to its real origin IPs, ranked by confidence and corroborated by Certificate Transparency. |
| Discover assets from Certificate Transparency | Surface a domain's certificates, wildcards included, seen in Certificate Transparency, with a first/last-seen timeline. |
| Detect subdomain takeover | Enumerate a domain's subdomains and flag dangling CNAMEs that point at deprovisioned targets. |
| Audit shadow-IT hosting diversity | Spread an org's subdomain estate across distinct providers, ASNs, and countries to surface fragmented, unmanaged hosting. |
| Discover externally-visible AI infrastructure | Map an org's externally-visible AI and agent footprint (api, mcp, ai, vector, llm, and agent subdomains) from the outside. |
| CT-SAN sibling-asset discovery | One domain in, the other hostnames issued certs alongside it: pivoting from CT observations to sibling assets, each enriched with resolving IP, owning ASN, and threat verdict. |
Recipes
The copy-paste Cypher for this work lives in External Recon: subdomain enumeration, Certificate Transparency discovery, IP-footprint mapping, CDN de-cloaking, and TLS-fingerprint pivots, each a read against the graph.
For cross-layer techniques that apply across every domain, see Cross-Layer Patterns. To ground an AI agent in the same graph and let it walk the surface itself, see AI & Agents.