Whisper Graph
What the graph contains: seven layers of the internet pre-joined into one queryable graph, at what scale, and where to go deeper.
Whisper Graph Documentation
Whisper Graph maps the internet into one pre-joined graph: DNS, BGP and RPKI routing, WHOIS registration, GeoIP, the open-web link graph, email posture, threat intelligence, and the physical internet of data centers, internet exchanges, and submarine cables. Every domain, IP, ASN, registrant, prefix, and threat feed is a node; every relationship between them is an edge you can traverse.
The difference from a flat lookup tool is the pivot. Anchor on a hostname and you can walk to its IP, the prefix that announces it, the ASN that routes the prefix, the country it sits in, and any feed that lists it, in a single statement. The data is live: BGP announcements and MOAS conflicts update continuously, threat feeds refresh on hourly incremental and daily full cycles, and newly resolved domains stream in as they appear.
The layers of Whisper Graph: naming and web, routing, addressing and geo, ownership, email posture, threat intelligence, and the physical internet, joined into one graph.
The layers
A short tour, grouped by what each layer answers. The complete label, edge, and property model lives in the Graph Schema.
- Naming, DNS & web — hostnames, TLDs and the subdomain hierarchy, resolution (
RESOLVES_TO,ALIAS_OF), nameserver and mail-server relationships (NAMESERVER_FOR,MAIL_FOR), plus the open web's hyperlink graph (LINKS_TO, from Common Crawl). - Routing & RPKI — ASNs, announced prefixes, live BGP announcements, peering, MOAS conflicts (
CONFLICTS_WITH, the early signal of a hijack), and RPKI ROAs for route-origin validation. - Addressing & geo — IPv4 and IPv6 addresses, the CIDR blocks they belong to, and GeoIP city and country for both IP location and ASN home jurisdiction.
- Ownership & WHOIS — registrars, organizations, registrant emails and phones, and RDAP entities. Pivot from one bad domain to every other domain sharing its registrant.
- Email posture — the full SPF authorization tree, DMARC report targets, DKIM signing vendors, and DNSSEC algorithms, zone by zone.
- Threat intel & actors — 43 feeds in 25 categories via
LISTED_IN, with each listed node carrying one blocking-aware reconciled verdict (verdictScore/verdictLevel/verdictBlocking) plus flags likeisC2,isPhishing, andisTor. Named actors link to the MITRE ATT&CK techniques they use; Tor relays and TLS fingerprints round out the layer. Details in Threat Feeds & Categories. - The physical internet — facilities, internet exchanges, submarine cables and their landings, CDN PoPs, cloud regions, and DNS root instances.
The physical internet and the 10.85-billion-edge web link graph are layers DNS-only tools don't have at all.
Scale
| Layer | Scale |
|---|---|
| Hostnames | 2.6 billion |
| IP addresses | 619M IPv4 · 820K IPv6 |
| DNS resolution | 2.9B RESOLVES_TO |
| Web link graph | 10.85B LINKS_TO |
| Routing | 116K ASNs · 2.5M prefixes · 3.68B live announcements |
| WHOIS | 237M emails · 60M phones · 119M organizations |
| Threat intelligence | ~11.9M LISTED_IN across 43 feeds / 25 categories |
| Total | ~7.4B nodes · ~39B edges |
Counts are a live snapshot and drift with every refresh. CALL db.labels() returns current per-label counts, and introspection calls don't count against your quota.
One query, every layer
Because the layers are already joined, a cross-layer question is one traversal. Start from an IP and get its announced prefix, the ASN that routes it, the network name, and the country in one round trip:
MATCH (ip:IPV4 {name: "8.8.8.8"})-[:ANNOUNCED_BY]->(ap:ANNOUNCED_PREFIX)-[:ROUTES]->(a:ASN)-[:HAS_NAME]->(n:ASN_NAME)
MATCH (ip)-[:HAS_COUNTRY]->(c:COUNTRY)
RETURN ap.name AS prefix, a.name AS asn, n.name AS network, c.name AS country
LIMIT 5
With flat lookup tools that is a WHOIS call, a BGP looking glass, a GeoIP service, and glue code to stitch them together.
Anonymous queries run up to 2 hops; this one goes deeper. A free API key raises the cap to 3 hops, enough for cross-layer traversals like this, and is passed in the X-API-Key header. Get a free key, then see the Whisper API for endpoints and auth details.
Go deeper
- Graph Schema — the model in three references: Entities (node labels and properties), Connection Types (edge types), and Pivoting Examples (cross-layer chains).
- Threat Feeds & Categories — how feeds enter the graph, the 43-feed catalog, and the 25-category taxonomy.
- Procedures —
explain()for threat verdicts,whisper.variants()for lookalike domains,whisper.history()for point-in-time WHOIS and BGP records, andwhisper.origins()for origin discovery behind CDNs. - Use Case Examples — the same layers applied to real investigations, with runnable workflows and recipes.