Whisper Graph

What the graph contains: seven layers of the internet pre-joined into one queryable graph, at what scale, and where to go deeper.

Updated July 2026

Whisper Graph Documentation

Whisper Graph maps the internet into one pre-joined graph: DNS, BGP and RPKI routing, WHOIS registration, GeoIP, the open-web link graph, email posture, threat intelligence, and the physical internet of data centers, internet exchanges, and submarine cables. Every domain, IP, ASN, registrant, prefix, and threat feed is a node; every relationship between them is an edge you can traverse.

The difference from a flat lookup tool is the pivot. Anchor on a hostname and you can walk to its IP, the prefix that announces it, the ASN that routes the prefix, the country it sits in, and any feed that lists it, in a single statement. The data is live: BGP announcements and MOAS conflicts update continuously, threat feeds refresh on hourly incremental and daily full cycles, and newly resolved domains stream in as they appear.

The layers of Whisper Graph: naming and web, routing, addressing and geo, ownership, email posture, threat intelligence, and the physical internet, joined into one graph.

The layers

A short tour, grouped by what each layer answers. The complete label, edge, and property model lives in the Graph Schema.

  • Naming, DNS & web — hostnames, TLDs and the subdomain hierarchy, resolution (RESOLVES_TO, ALIAS_OF), nameserver and mail-server relationships (NAMESERVER_FOR, MAIL_FOR), plus the open web's hyperlink graph (LINKS_TO, from Common Crawl).
  • Routing & RPKI — ASNs, announced prefixes, live BGP announcements, peering, MOAS conflicts (CONFLICTS_WITH, the early signal of a hijack), and RPKI ROAs for route-origin validation.
  • Addressing & geo — IPv4 and IPv6 addresses, the CIDR blocks they belong to, and GeoIP city and country for both IP location and ASN home jurisdiction.
  • Ownership & WHOIS — registrars, organizations, registrant emails and phones, and RDAP entities. Pivot from one bad domain to every other domain sharing its registrant.
  • Email posture — the full SPF authorization tree, DMARC report targets, DKIM signing vendors, and DNSSEC algorithms, zone by zone.
  • Threat intel & actors — 43 feeds in 25 categories via LISTED_IN, with each listed node carrying one blocking-aware reconciled verdict (verdictScore / verdictLevel / verdictBlocking) plus flags like isC2, isPhishing, and isTor. Named actors link to the MITRE ATT&CK techniques they use; Tor relays and TLS fingerprints round out the layer. Details in Threat Feeds & Categories.
  • The physical internet — facilities, internet exchanges, submarine cables and their landings, CDN PoPs, cloud regions, and DNS root instances.

The physical internet and the 10.85-billion-edge web link graph are layers DNS-only tools don't have at all.

Scale

LayerScale
Hostnames2.6 billion
IP addresses619M IPv4 · 820K IPv6
DNS resolution2.9B RESOLVES_TO
Web link graph10.85B LINKS_TO
Routing116K ASNs · 2.5M prefixes · 3.68B live announcements
WHOIS237M emails · 60M phones · 119M organizations
Threat intelligence~11.9M LISTED_IN across 43 feeds / 25 categories
Total~7.4B nodes · ~39B edges

Counts are a live snapshot and drift with every refresh. CALL db.labels() returns current per-label counts, and introspection calls don't count against your quota.

One query, every layer

Because the layers are already joined, a cross-layer question is one traversal. Start from an IP and get its announced prefix, the ASN that routes it, the network name, and the country in one round trip:

MATCH (ip:IPV4 {name: "8.8.8.8"})-[:ANNOUNCED_BY]->(ap:ANNOUNCED_PREFIX)-[:ROUTES]->(a:ASN)-[:HAS_NAME]->(n:ASN_NAME)
MATCH (ip)-[:HAS_COUNTRY]->(c:COUNTRY)
RETURN ap.name AS prefix, a.name AS asn, n.name AS network, c.name AS country
LIMIT 5

With flat lookup tools that is a WHOIS call, a BGP looking glass, a GeoIP service, and glue code to stitch them together.

Anonymous queries run up to 2 hops; this one goes deeper. A free API key raises the cap to 3 hops, enough for cross-layer traversals like this, and is passed in the X-API-Key header. Get a free key, then see the Whisper API for endpoints and auth details.

Go deeper