Introduction to Whisper Knowledge Graph
Overview of the Whisper Knowledge Graph — what it is, how it works, what data it contains, and what you can do with it.
Whisper Knowledge Graph maps the global internet into a single queryable graph. DNS records, IP addresses, BGP routing, WHOIS registration, web links, threat intelligence feeds -- all connected, all searchable, all in one place.
You query it with Cypher over a REST API at https://graph.whisper.security. See the Getting Started guide to run your first query, the Cypher Language Reference for the full schema and syntax, or the Query Cookbook for ready-to-run recipes by use case.
How It Works
Every entity on the internet becomes a node. Every observed relationship becomes an edge. A hostname resolves to an IP. That IP sits inside a network prefix. That prefix is routed by an autonomous system. That AS peers with others, operates in a country, and may show up in threat feeds. Whisper Graph captures all of it.
The graph contains billions of nodes and tens of billions of edges, covering DNS, BGP routing, WHOIS registration, GeoIP, web hyperlinks, SPF/DNSSEC configurations, and 40+ threat intelligence feeds.
What's in the Graph
Node types
DNS & Web: HOSTNAME, TLD, TLD_OPERATOR
IP & Routing: IPV4, IPV6, PREFIX, ASN, ASN_NAME, RIR
Registration: REGISTRAR, ORGANIZATION, EMAIL, PHONE
Geography: COUNTRY, CITY
Threat Intel: FEED_SOURCE, CATEGORY
BGP (live): REGISTERED_PREFIX, ANNOUNCED_PREFIX
DNSSEC: DNSSEC_ALGORITHM
Relationships
DNS: RESOLVES_TO, CHILD_OF, NAMESERVER_FOR, MAIL_FOR, ALIAS_OF, SIGNED_WITH
SPF: SPF_INCLUDE, SPF_IP, SPF_A, SPF_MX, SPF_EXISTS, SPF_REDIRECT
IP & Routing: BELONGS_TO, ANNOUNCED_BY, ROUTES, PEERS_WITH, HAS_NAME
Registration: HAS_REGISTRAR, PREV_REGISTRAR, REGISTERED_BY, HAS_EMAIL, HAS_PHONE, OPERATES
Geography: LOCATED_IN, HAS_COUNTRY
Web: LINKS_TO
Threat Intel: LISTED_IN
Threat Intelligence
The graph indexes 40+ threat intelligence feeds across 18 categories. IPs and hostnames that appear in threat feeds are connected to FEED_SOURCE nodes via LISTED_IN edges. Each FEED_SOURCE belongs to one or more categories (e.g., "C2 Servers", "Phishing", "General Blacklists").
The CALL explain() procedure gives a full threat and reputation assessment for any IP, domain, ASN, or CIDR prefix. It computes a composite score that factors in feed count, feed weights, recency, and network-level threat density.
-- Check which threat feeds list an IP
MATCH (ip:IPV4 {name: "185.220.101.1"})-[:LISTED_IN]->(f:FEED_SOURCE)
RETURN ip.name, f.name
-- Get a scored threat assessment
CALL explain("185.220.101.1")
ASN nodes also carry aggregate threat statistics across all their routed prefixes, so you can quickly gauge the reputation of an entire network with CALL explain("AS60729").
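The hostname-to-AS chain described under How It Works can be combined with the LISTED_IN lookup in one triage query. This is an added example, not taken from the Whisper documentation. It assumes that RESOLVES_TO, BELONGS_TO and ANNOUNCED_BY link these node types and that PREFIX and ASN nodes expose a name property as IPV4 does; example.com is a placeholder.

```cypher
// Added example: hostname -> IP -> prefix -> ASN, plus threat-feed listings per IP.
// Assumptions: which labels each relationship connects, and the name property on
// PREFIX and ASN. Undirected patterns are used where edge direction is not
// shown on the page.
MATCH (h:HOSTNAME {name: "example.com"})-[:RESOLVES_TO]-(ip:IPV4)

// OPTIONAL MATCH keeps the IP in the result even when routing data is missing.
OPTIONAL MATCH (ip)-[:BELONGS_TO]-(p:PREFIX)
OPTIONAL MATCH (p)-[:ANNOUNCED_BY]-(a:ASN)

// Same pattern as the feed lookup above; unlisted IPs return an empty list.
OPTIONAL MATCH (ip)-[:LISTED_IN]->(f:FEED_SOURCE)

RETURN h.name AS hostname,
       ip.name AS ip,
       p.name  AS prefix,
       a.name  AS asn,
       collect(DISTINCT f.name) AS feeds
ORDER BY size(feeds) DESC
```

Rows with the most feed listings sort first, so the IPs to check with CALL explain() appear at the top of the result.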
Historical Data
The CALL whisper.history() procedure gives you WHOIS and BGP routing history for any indicator. For domains, that means registrar changes, nameserver changes, and registration dates over time. For IPs, prefixes, and ASNs, it returns BGP origin changes, prefix announcements, and withdrawals.
Use Cases
SOC analysts and incident responders -- Triage suspicious IPs, trace network ownership, check threat feeds, and build evidence chains for incident reports.
Threat intelligence analysts -- Map campaign infrastructure through shared hosting, WHOIS pivots, nameserver clustering, and domain history analysis.
Penetration testers and red teams -- Passive reconnaissance: subdomain enumeration, IP range discovery, mail server mapping, SPF chain analysis, and CNAME following.
Brand protection teams -- Find lookalike domains, map phishing clusters, check threat feed status, and trace shared infrastructure.
DNS and email security engineers -- Audit nameserver configurations, trace SPF authorization chains, check DNSSEC deployment, and batch-audit domain portfolios.
Network and BGP engineers -- Profile ASN routing footprints, analyze peering relationships, track prefix announcements, and investigate allocation blocks.
Compliance and risk teams -- Verify domain registrars, check jurisdictional exposure, build security profiles, and pull WHOIS history for audit trails.
Cyber insurance and third-party risk -- External posture snapshots, threat exposure checks, hosting provider identification, and standardized threat scores.
Law enforcement investigators -- Document IP attribution chains, ownership records, related domain discovery, and timestamped evidence for legal process.
Security researchers -- Explore graph schema, study internet topology, analyze peering degree distributions, and measure web graph properties.
Getting Started
Ready to start querying? Check out the Getting Started guide to get an API key and run your first query. Then explore the Cypher Language Reference for the full schema and syntax, or jump straight to the Query Cookbook for ready-to-run recipes. If you prefer natural language queries, set up the MCP Client to query WhisperGraph directly from Claude, Cursor, or your favorite AI tool.