Frequently Asked Questions

Whisper is a real-time infrastructure intelligence platform. It maps the internet — BGP routing, DNS, hosting, WHOIS, DNSSEC, certificate transparency, and 40+ threat-intel feeds — into one queryable knowledge graph of billions of nodes and edges. Security teams pivot from any domain, IP, or ASN to its full footprint in milliseconds.

A custom-built graph engine ingests internet infrastructure data continuously and stores it as typed nodes (hostnames, IPs, ASNs, certificates) connected by typed edges (resolves to, announced by, registered by). Analysts query via Cypher over REST, AI agents query via MCP, and SIEM/SOAR tools query via native connectors. The graph engine itself runs in the EU.

SOC analysts enriching alerts, threat hunters mapping adversary infrastructure, brand-protection teams tracking typosquats, incident responders investigating breaches, and AI agents (via MCP) producing investigation reports. The common thread: anyone whose work depends on knowing how internet infrastructure actually connects.

Most platforms publish flat lists of IOCs. Whisper publishes the graph underneath — every relationship between every entity, queryable in any direction. The difference shows up in pivots: from one domain to its full campaign in one query, instead of bouncing between three vendor consoles. The MCP server makes Whisper natively callable by any AI agent, which most competitors do not offer.

No — they are completely unrelated. Whisper Security is a real-time internet-infrastructure intelligence platform. OpenAI Whisper is an open-source speech-to-text model. The names are coincidental.

Hostnames, IPv4 and IPv6 addresses, CIDR prefixes, ASNs, TLS certificates, threat-feed indicators, DNSSEC posture, WHOIS records, and the full set of relationships between them — RESOLVES_TO, ANNOUNCED_BY, REGISTERED_BY, SHARES_NAMESERVER, LISTED_IN_FEED, and more. The schema covers ~20 entity types and is documented in the knowledge graph docs.

Anchored Cypher queries against the graph typically return in single-digit milliseconds server-side. Multi-hop traversals across billions of edges still complete inside a request lifecycle — measured in tens of milliseconds, not seconds. The custom engine has zero garbage-collection pauses, which is what keeps tail latency tight.

The REST API accepts a Cypher query and returns JSON: columns, rows, and execution statistics. Each row contains the matched nodes and edges with their full property sets. Results stream when the response is large. You can also use the SDKs (Python, JavaScript) or query through the visual Console.

Yes. The graph is time-aware. Edges carry validFrom and validTo timestamps for resolutions, BGP announcements, and certificate validity, so analysts can replay the past — "what did this domain resolve to on March 14?" or "which ASN announced this prefix six months ago?" — without leaving the graph.

Yes. Whisper is available as cloud, dedicated cloud, or on-premises / air-gapped deployment for organisations with data-residency or isolation requirements. The graph engine and ingestion pipelines are the same in every deployment mode. Talk to us via the contact page.

Yes. Sign up on the Console for the free Trial plan, which includes API and Console access with a monthly query allowance suitable for evaluation. Paid plans (Starter, Professional, Business, Enterprise) add higher quotas, MCP access, SIEM/SOAR connectors, and dedicated support. See the pricing page for current tiers.

Yes — every API and MCP request is authenticated. Generate a key from the Console after signing up. The MCP server uses the same key, passed as a bearer token. The Console also issues short-lived session tokens for browser use.

One Cypher query against the API or MCP server counts as one query. The result size does not affect the count. Read-only operations and metadata calls are also counted. Quota and rate limits per plan are listed on the pricing page; operations that read large result sets are billed by row volume on higher tiers.

You can run a few example queries against the public live demos on the homepage and the product page. Everything else — your own queries, MCP access, the API — requires a free account. Sign-up takes under a minute.

A graph database stores entities as nodes and the relationships between them as first-class edges. Traversals — "everything connected to X within N hops along these edges" — are cheap, where the same query in a relational database would force expensive recursive joins. Internet infrastructure is fundamentally a graph problem, which is why Whisper is built on one.

Cypher is purpose-built for graph queries. Its pattern syntax ((a)-[:EDGE]->(b)) maps directly to how analysts think about pivots. SQL forces graph problems through self-joins that get expensive fast. Cypher also has a structural advantage in the AI era: every major LLM already understands it, so AI agents connected via MCP generate correct queries from natural language with no fine-tuning.

Yes — the engine is custom. General-purpose graph databases could not handle the scale (~7B+ nodes, ~39B+ edges) at the latency we needed (single-digit milliseconds). The Whisper engine is in-memory, zero-GC, with native data types for IPv4, IPv6, CIDR, and ASN — no string-based work-arounds. Read more on the technology page.

Continuous BGP feeds, DNS observation (active and passive), WHOIS / RDAP, DNSSEC zone state, certificate transparency logs, Common Crawl, and 40+ threat-intelligence partners across 18 categories. Sources are joined into the graph in near-real-time so the picture stays current.

The default cloud deployment runs in the EU (Germany), under European data jurisdiction. Dedicated cloud and on-premises deployments are available in other regions on request.

Any MCP client — Claude Desktop, Cursor, VS Code, Continue, Windsurf, custom MCP-aware agents — can connect to the Whisper MCP server at mcp.whisper.security. The agent gains real-time access to the knowledge graph and can run Cypher queries, pivot between entities, and produce investigation reports.

Add the Whisper MCP server to your client's configuration with your API key. The full step-by-step guide is in the MCP client setup docs. Most clients connect in under a minute.

Native connectors are available for Splunk Enterprise (and Splunk Cloud), Microsoft Sentinel, OpenCTI, and Cortex XSOAR. The connectors handle authentication, query templates, and bidirectional data flow. Other SIEM/SOAR platforms can integrate via the REST API. See the integrations page.

Yes — mcp.whisper.security is a public MCP endpoint, callable by any authenticated MCP client. Authentication uses the same API key as the REST API.

Yes. Some teams prefer to run a self-hosted MCP relay that forwards queries to the Whisper API — useful when you need to add custom prompts, audit logging, or per-team scoping. The hosted MCP server works for most cases.