Introduction to Whisper Knowledge Graph

Last updated: March 2026

Whisper Knowledge Graph maps the global internet into a single queryable graph. DNS records, IP addresses, BGP routing, WHOIS registration, web links, threat intelligence feeds -- all connected, all searchable, all in one place.

You query it with Cypher over a REST API at https://graph.whisper.security. See the Cypher Query Guide for the full API reference and query patterns.


How It Works

Every entity on the internet becomes a node. Every observed relationship becomes an edge. A hostname resolves to an IP. That IP sits inside a network prefix. That prefix is routed by an autonomous system. That AS peers with others, operates in a country, and may show up in threat feeds. Whisper Graph captures all of it.

[Figure: Whisper Graph Entity Relationship Map]


What's in the Graph

Node types

DNS & Web: HOSTNAME, TLD, TLD_OPERATOR

IP & Routing: IPV4, IPV6, PREFIX, ASN, ASN_NAME, RIR

Registration: REGISTRAR, ORGANIZATION, EMAIL, PHONE

Geography: COUNTRY, CITY

Threat Intel: FEED_SOURCE, CATEGORY

BGP (live): REGISTERED_PREFIX, ANNOUNCED_PREFIX

Relationships

DNS: RESOLVES_TO, CHILD_OF, NAMESERVER_FOR, MAIL_FOR, ALIAS_OF, SIGNED_WITH

SPF: SPF_INCLUDE, SPF_IP, SPF_A, SPF_MX, SPF_EXISTS, SPF_REDIRECT

IP & Routing: BELONGS_TO, CONTAINS, ROUTES, PEERS_WITH, HAS_NAME

Registration: HAS_REGISTRAR, PREV_REGISTRAR, REGISTERED_BY, HAS_EMAIL, HAS_PHONE, OPERATES

Geography: LOCATED_IN, HAS_COUNTRY

Web: LINKS_TO

Threat Intel: LISTED_IN


Where the Data Comes From

The graph is built from a combination of public and proprietary sources spanning DNS, web, routing, registration, geolocation, and threat intelligence. Data is continuously refreshed to keep the graph current.


Threat Intelligence

Multiple threat feeds are integrated into the graph. When an IP, domain, or hostname shows up in a feed, the node gets enriched with properties like threatScore, threatLevel, and boolean flags such as isC2, isTor, isMalware, and isPhishing.

The CALL explain() procedure gives a full threat and reputation assessment for any IP, domain, ASN, or CIDR prefix. It factors in feed reliability, number of independent sources, and how recently the indicator was seen.

ASN nodes also carry aggregate threat statistics across all their routed prefixes, so you can quickly gauge the reputation of an entire network.


Historical Data

The CALL whisper.history() procedure gives you WHOIS and BGP routing history for any indicator. For domains, that means registrar changes, nameserver changes, and registration dates over time. For IPs, prefixes, and ASNs, it returns BGP origin changes, prefix announcements, and withdrawals.


Use Cases

DNS intelligence -- Map out a domain's full DNS footprint: IPs, nameservers, mail servers, SPF chain.

IP attribution -- Trace any IP to its network prefix, ASN, and owning organization.

ASN mapping -- See what prefixes an AS routes, who it peers with, and what runs on it.

Threat correlation -- Cross-reference indicators against multiple feeds to separate noise from real threats.

Phishing and fraud detection -- Identify suspicious domains by examining registration patterns, hosting infrastructure, and threat feed presence.

Incident response enrichment -- Given an IP or domain from a security alert, pull its full context in one shot: ASN, geolocation, registrar, related domains, threat feed presence.

Threat hunting and pivoting -- Start from a known malicious indicator and walk the graph to discover related infrastructure that hasn't been flagged yet. Same IP? Same nameserver? Same registrar? Same ASN?

Attack surface mapping -- Starting from an organization, trace all their ASNs, prefixes, IPs, and hostnames to map their external footprint.

Domain campaign tracking -- Cluster domains that share registration patterns, nameservers, IPs, or hosting to identify coordinated malicious campaigns.

Supply chain risk -- Map which third-party providers a domain depends on via nameservers, mail servers, and SPF includes. If a shared provider is compromised, find every domain affected.

BGP hijack detection -- Identify prefixes announced by multiple origin ASNs, which can signal route hijacking.

Brand protection -- Find domains resembling a brand name using string search, then check their registration and hosting to assess typosquatting risk.

Takedown support -- Identify the registrar, hosting provider, and upstream network for malicious infrastructure to route takedown requests to the right parties.

Email security posture -- Audit an organization's email infrastructure by tracing MX records, SPF authorization chains, and the reputation of the IPs authorized to send mail.

Geolocation -- Resolve IPs to cities and countries.

WHOIS research -- Look up current and historical registrars, organizations, and contacts.

Web graph analysis -- Follow host-level hyperlinks to find who links to whom.

Shared infrastructure detection -- Find domains on the same IP or nameserver to uncover related infrastructure.
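The following is an added example, not Whisper's own code or API. It is a toy in-memory graph in Python that uses the relationship names listed above to walk the hostname-to-ASN chain from How It Works and to run the threat-hunting pivot (same IP, same nameserver). Edge directions and every sample value are constructed assumptions; real queries against the service are written in Cypher.

```python
from collections import defaultdict

# Constructed sample edges (source, RELATIONSHIP, target). Relationship names
# come from the page; edge directions and all values are assumptions.
EDGES = [
    ("bad.example.net", "RESOLVES_TO", "192.0.2.10"),
    ("shop.example.org", "RESOLVES_TO", "192.0.2.10"),
    ("cdn.example.com", "RESOLVES_TO", "198.51.100.7"),
    ("ns1.example.net", "NAMESERVER_FOR", "bad.example.net"),
    ("ns1.example.net", "NAMESERVER_FOR", "login.example.org"),
    ("192.0.2.10", "BELONGS_TO", "192.0.2.0/24"),
    ("198.51.100.7", "BELONGS_TO", "198.51.100.0/24"),
    ("AS64500", "ROUTES", "192.0.2.0/24"),
    ("AS64501", "ROUTES", "198.51.100.0/24"),
]

out_edges = defaultdict(set)  # (node, relationship) -> targets
in_edges = defaultdict(set)   # (node, relationship) -> sources
for src, rel, dst in EDGES:
    out_edges[(src, rel)].add(dst)
    in_edges[(dst, rel)].add(src)


def attribute(hostname):
    """Walk hostname -> IP -> prefix -> ASN and return every full path."""
    paths = []
    for ip in sorted(out_edges[(hostname, "RESOLVES_TO")]):
        for prefix in sorted(out_edges[(ip, "BELONGS_TO")]):
            for asn in sorted(in_edges[(prefix, "ROUTES")]):
                paths.append((ip, prefix, asn))
    return paths


def pivot(seed):
    """Map each hostname sharing an IP or nameserver with seed to the shared nodes."""
    related = defaultdict(set)
    for ip in out_edges[(seed, "RESOLVES_TO")]:
        for host in in_edges[(ip, "RESOLVES_TO")] - {seed}:
            related[host].add(ip)
    for ns in in_edges[(seed, "NAMESERVER_FOR")]:
        for host in out_edges[(ns, "NAMESERVER_FOR")] - {seed}:
            related[host].add(ns)
    return {host: sorted(shared) for host, shared in related.items()}


if __name__ == "__main__":
    print(attribute("bad.example.net"))
    print(pivot("bad.example.net"))
```

Each pivot result keeps the shared node that linked it to the seed, so an analyst can see why a hostname was pulled in before treating it as related infrastructure.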


Getting Started

Ready to start querying? Check out the Cypher Query Guide for the full API reference, graph schema, and practical query patterns. If you prefer natural language queries, set up the MCP Client to query WhisperGraph directly from Claude, Cursor, or your favorite AI tool.