AI Context

Give your AI agent eyes on the internet

Out of the box, an AI assistant can't tell you who owns an IP, whether a domain is on a threat feed, or what an ASN routes — it guesses from stale training data. Connect it to Whisper over MCP and every answer comes back grounded in a live graph of 7.39 billion infrastructure nodes. Ask in plain language; the agent runs the queries.

Get started free
Read the setup guide
7.39B
Infrastructure nodes in the graph
1 connection
Works with any MCP client
Claude Desktop + Whisper MCP
U
Map the infrastructure for cloudflare.com. Who hosts it and how is it connected globally?
whisper-graphquerying…

cloudflare.com resolves to 104.16.123.96, in prefix 104.16.112.0/20.

The prefix is routed by AS13335 (CLOUDFLARENET — Cloudflare, Inc.), which globally routes 5,498 prefixes and peers with 1,258 ASNs.

Live Whisper data · 4 Cypher queries · 11 ms total

MCP connected · sse://mcp.whisper.security
live graph

Your AI agent is flying blind

Ask any assistant who owns an IP, whether a domain is weaponized, or what infrastructure a threat actor shares — and it improvises from months-old training data, or admits it can't reach that. It has no live view of DNS, BGP, WHOIS, or hosting. Whisper closes that gap: one MCP connection turns “I don't have access to that” into a real, sourced answer.

In action — incident response

From alert to attribution in one question

An analyst drops a suspicious IP into Claude. No dashboards, no Cypher by hand — the agent calls Whisper and walks the infrastructure itself.

Claude + Whisper MCP
U

An alert flagged 185.220.101.42. Who owns it, where is it, is it on any threat feeds, and what else sits near it?

explain_indicator · 185.220.101.42
query · co-hosted infrastructure in 185.220.101.0/24

185.220.101.42 is a Tor exit node — listed on 4 threat feeds (Dan Tor Exit, Tor Exit Nodes, FireHOL Level 2, Spamhaus DROP). It's routed by AS208294 (M247 Europe SRL) and geolocates to Frankfurt, DE.

The /24 it sits in has 19 other threat-listed IPs. I'd treat any traffic to this address as high-risk and pivot on the ASN next.

Every fact pulled live from the Whisper graph — nothing from training data.

In action — brand protection

Catch the typosquat before the phishing email lands

Ask once. The agent generates lookalike domains, checks which are actually registered, and tells you which ones are already dangerous.

Cursor + Whisper MCP
U

Find registered typosquats of our domain, acme-pay.com, and tell me which ones look like active threats.

domain_variants · acme-pay.com
explain_indicator · 3 suspicious lookalikes

Of 14 mutation patterns, 6 lookalikes are registered. Three stand out: acme-pay.co and acmepay-secure.com resolve to live IPs and share a registrant email; acme-pay-support.com is already on a phishing feed.

The other three are parked. I'd open a takedown on the phishing domain now and watch the two that share a registrant — that's the next move.

domain_variants + threat intel, in one conversation.

Built for the people who chase infrastructure

SOC Analysts

Triage alerts without leaving your chat window. Drop in an IP or domain and get ownership, threat-feed status, and co-hosted infrastructure in a single pass.

Threat Hunters & IR

Pivot from one indicator to a whole campaign — shared registrants, nameservers, hosting — in a conversation instead of a dozen browser tabs.

Brand & Fraud Teams

Generate typosquats, see which are registered, and flag the ones already weaponized — before the phishing email goes out.

Builders & Platform Teams

Wire Whisper into your own agents, pipelines, and internal tools. One MCP connection, full Cypher access, read-only and safe by default.

Ask in plain language

No Cypher, no dashboards — the agent translates your question into graph queries.

  • 6 read-only tools the agent calls for you
  • query for anything; explain_indicator + whisper_history for depth
  • domain_variants surfaces registered typosquats
Tool reference

Grounded in the live graph

Every answer is sourced from real infrastructure data, not model memory.

  • 7.39B nodes — DNS, BGP, WHOIS, GeoIP, web links, threat intel
  • Current and queryable, never a stale training snapshot
  • Sub-10ms queries against the live graph
Explore the graph

Investigation playbooks built in

8 prompts that run multi-step investigations on command.

  • threat-triage, investigate-ip, map-attack-surface
  • whois-pivot, bgp-investigation, typosquat-sweep
  • Curated patterns — invoke by name, no setup
See all 8 prompts
Compatibility

Works with the tools you already use

Whisper speaks standard MCP over Streamable HTTP — point any compatible client at one URL and you're connected.

ClaudeDesktop, Code & claude.ai
OpenAIChatGPT & Codex
CursorAI code editor
VS CodeGitHub Copilot
WindsurfCodeium
AntigravityGoogle

…and any other MCP-compatible client — Claude Code, Continue, Cline, LangChain, CrewAI, and STDIO-only clients via the mcp-remote bridge.

Setup

Add Whisper to your client

Point your MCP client at https://mcp.whisper.security. OAuth handles authentication — or drop in an API key. The setup guide has copy-paste config for every major client.

Option 1: CLI command
$ claude mcp add \
    --transport http \
    whisper-graph \
    https://mcp.whisper.security
claude_desktop_config.json
{
  "mcpServers": {
    "whisper-graph": {
      "url": "https://mcp.whisper.security"
    }
  }
}
Open the full setup guide

Questions, answered

No. You ask in plain language and the agent writes and runs the queries. Cypher is there if you want it, but most investigations never touch it.

Yes — it's the main reason to use it. Instead of wiring up a dozen REST tools and having the agent reason over walls of intermediate JSON, it runs one query against the graph and gets back a clean result set. A multi-hop investigation that would take 10+ API calls collapses into a single traversal, so the agent spends its context budget reasoning instead of bookkeeping.

No. Any MCP-compatible client works — Claude, ChatGPT, Cursor, VS Code, Windsurf, and others. The setup guide has per-client instructions.

No. Every tool is read-only. The agent can query and read the graph; it cannot modify it. Connections are token-scoped per agent or workspace.

Every edge in the graph carries its source feed and first-seen / last-seen timestamps. The explain_indicator tool returns the full chain of evidence behind any threat assessment — which feeds flagged it, which rules fired, how recent the sightings are — not a single opaque score. The agent can bring the evidence back, not just a verdict.

The Direct API is for code you write. AI Context (MCP) is for AI agents — the same graph, but the agent discovers and calls the tools itself, mid-conversation. Many teams use both.

The graph ingests continuously from live BGP, DNS, WHOIS, and threat feeds — not periodic crawls. Changes propagate to every affected node as they land.

The full Whisper graph: DNS, BGP routing, IP allocation, GeoIP, WHOIS, email infrastructure, DNSSEC, web links, and ~40 threat-intel feeds — 7.39 billion nodes in total.

AI Context is included on every plan, including the free Trial. Start with a free API key — no credit card required.

Building something with AI + infrastructure data?

We're actively building AI Context into a full service — structured graph context for any LLM workflow, not just MCP. If you're building AI-powered security tools, we'd love to talk.

Get in touch →

Connect your AI agent

One command. Full internet infrastructure context. Start in under a minute.

MCP Setup GuideGet a free API keyTalk to us