What Is Attack Path Analysis?
Attack path analysis maps the chain of steps an attacker takes from an entry point to a target, then identifies the choke point that severs the most paths. Whisper extends it across the open internet — web, DNS, routing, and physical layers — rather than inside one organisation.
What attack path analysis is
Attack path analysis is the practice of mapping every route an attacker could take from an entry point to a high-value target, then finding the single choke point whose removal cuts off the greatest number of those routes. It underpins the Continuous Threat Exposure Management (CTEM) framework that security teams are adopting, on the premise that fixing the few choke points beats chasing thousands of individual vulnerabilities.
Traditional attack path tools operate inside a single organisation. Identity-graph tools like BloodHound trace privilege-escalation paths through Active Directory; breach-and-attack-simulation platforms model lateral movement across internal hosts; cloud tools follow IAM permission chains inside one tenant. All of them stop at the network perimeter.
How Whisper extends it to the open internet
The real attacker path doesn't stay inside one perimeter. A phishing hyperlink leads to a lookalike domain, which resolves to an IP, which sits on a routed prefix announced by an ASN, which occupies data centers wired to submarine cables. That route crosses organisational boundaries and every layer of internet infrastructure — exactly the territory internal tools cannot see.
Whisper Graph pre-joins web hyperlinks, DNS, WHOIS, BGP routing, GeoIP, threat intelligence, and the physical layer into one Cypher graph. A single query can walk a hostname down through RESOLVES_TO, ANNOUNCED_BY, ROUTES, AS_PRESENT_AT, and CABLE_LANDS_AT — from a web link to a subsea cable in one statement. Because the join is pre-computed on the server, the path is already drawn; the analyst traverses it instead of stitching results from a dozen separate tools.
Finding the choke point
The payoff of attack path analysis is the choke point: the one node that, when removed, collapses the most paths. On the external graph, choke points are shared-infrastructure nodes — a common IP, prefix, ASN, nameserver, registrant, or data center that ties an attacker's domains and IPs together.
Whisper surfaces these as query results. A two-hop join can show a brand and its lookalike sharing one IP, or a cluster of typosquats sharing one bulletproof ASN. Severing that shared node breaks the cluster. The explain() procedure scores each node on the path with feed-by-feed evidence, so the choke point comes with a defensible verdict rather than a black-box number.
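The choke-point search described above, as an added example that is not Whisper's code or output: it enumerates paths over a small constructed graph and ranks intermediate nodes by how many paths their removal would sever. The hostnames, IPs, ASNs and data-center names are constructed, the endpoint types attached to each relationship are assumptions, and IN_PREFIX is a hypothetical relationship name that does not come from the page.

```python
from collections import Counter, defaultdict

# Constructed sample edges (src, relationship, dst). Relationship names come
# from the page except IN_PREFIX, which is hypothetical; the endpoint types
# are assumptions. Hosts, IPs and ASNs use reserved documentation ranges.
EDGES = [
    ("login-brand.example", "RESOLVES_TO", "192.0.2.10"),
    ("brand-secure.example", "RESOLVES_TO", "192.0.2.10"),
    ("brand-support.example", "RESOLVES_TO", "192.0.2.10"),
    ("brnad.example", "RESOLVES_TO", "192.0.2.77"),
    ("brand-pay.example", "RESOLVES_TO", "198.51.100.5"),
    ("unrelated.example", "RESOLVES_TO", "203.0.113.9"),
    ("192.0.2.10", "IN_PREFIX", "192.0.2.0/24"),
    ("192.0.2.77", "IN_PREFIX", "192.0.2.0/24"),
    ("198.51.100.5", "IN_PREFIX", "198.51.100.0/24"),
    ("203.0.113.9", "IN_PREFIX", "203.0.113.0/24"),
    ("192.0.2.0/24", "ANNOUNCED_BY", "AS64496"),
    ("198.51.100.0/24", "ANNOUNCED_BY", "AS64496"),
    ("203.0.113.0/24", "ANNOUNCED_BY", "AS64511"),
    ("AS64496", "AS_PRESENT_AT", "dc-alpha"),
    ("AS64496", "AS_PRESENT_AT", "dc-beta"),
    ("AS64511", "AS_PRESENT_AT", "dc-gamma"),
]

def enumerate_paths(edges, entries, targets):
    """All simple (cycle-free) directed paths from any entry to any target."""
    adj = defaultdict(list)
    for src, _rel, dst in edges:
        adj[src].append(dst)
    paths = []
    def walk(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in adj[node]:
            if nxt not in path:  # skip nodes already on this path
                walk(nxt, path + [nxt])
    for entry in entries:
        walk(entry, [entry])
    return paths

def rank_choke_points(paths):
    """Count paths through each intermediate node; removing it severs them."""
    hits = Counter()
    for path in paths:
        hits.update(set(path[1:-1]))  # endpoints are not candidates
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

ENTRIES = sorted({s for s, rel, _ in EDGES if rel == "RESOLVES_TO"})
TARGETS = {"dc-alpha", "dc-beta", "dc-gamma"}
PATHS = enumerate_paths(EDGES, ENTRIES, TARGETS)
RANKING = rank_choke_points(PATHS)
```

In this constructed graph the shared ASN outranks the shared prefix and the shared IP because it sits on paths from hosts in two different prefixes, while the unrelated host's infrastructure stays at the bottom of the ranking.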