Direct API · REST + Cypher

Query the internet graph withCypher over REST

Send a Cypher graph query to one REST endpoint and get structured JSON back, usually in single-digit milliseconds over a graph of about 7.4 billion nodes and 39 billion edges. You write standard Cypher, POST it, and read the columns and rows in the response. Try a real query in the box below, then see what the API can do in the features underneath.

Run a real query against the live graph, then copy the exact request for your own stack in cURL, TypeScript, Python or Go.

Live · graph.whisper.security
POST /api/query

DNS — a hostname to its live IP addresses

Call it from your codeX-API-Key
curl -s -X POST https://graph.whisper.security/api/query \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $WHISPER_API_KEY" \
  -d "{\"query\":\"MATCH (h:HOSTNAME {name: \\\"github.com\\\"})-[:RESOLVES_TO]->(ip:IPV4) RETURN ip.name AS ip LIMIT 5\"}"

One endpoint, the whole graph

  • Standard Cypher, read-only

    Query the internet with the Cypher you already know: MATCH, WHERE, WITH, UNWIND, UNION, CALL{} subqueries, shortestPath, and EXPLAIN/PROFILE. It’s read-only, so there’s no way to change the graph.

    Read the Cypher guide
  • One graph, every layer

    DNS, IP and BGP routing, WHOIS, geolocation, certificates and threat intel sit in one graph of ~7.4B nodes and ~39B edges, across 39 node types you can join in a single query.

    Browse the schema
  • Multi-hop cross-layer traversals

    Pivot from a hostname to its IPs, to the ASN that announces them, to the datacenter behind it — all in one query. A HOSTNAME → IPV4 → ASN chain runs server-side in single-digit milliseconds.

    See query recipes
  • Whisper procedures, built in

    Procedures add capabilities you’d otherwise hand-build: threat scoring (explain), typosquat discovery (whisper.variants), CDN origin de-cloaking (whisper.origins), and time-travel to past WHOIS/BGP (whisper.history). One CALL, structured rows back.

    Procedures & functions
  • Threat-feed enrichment

    43 threat feeds across 25 categories — Spamhaus, abuse.ch, FireHOL, OpenPhish, OFAC SDN and more — attach to IPs, hostnames and ASNs as edges you can filter and score in the query.

    See the feed catalog
  • Current BGP, DNS and routing data

    Continuous domain ingestion and hourly threat-intel sync keep resolution, BGP announcements, peering and RPKI data fresh, so routing and DNS answers match what’s live.

    What’s in the graph

Heavy lifting, one CALL away

Common investigations are packaged as procedures you call from Cypher — no need to write the traversal by hand. Each returns structured rows like any other query.

  • explain(indicator)

    A reconciled threat verdict for an IP, hostname, ASN or CIDR — a score, a severity level, and the exact feeds and factors behind it.

  • whisper.assess(indicator)

    A fast risk read on an indicator when you don’t need the full evidence breakdown.

  • whisper.identify(value)

    Tells you what an opaque string is: IP, hostname, ASN, CIDR or email.

  • whisper.variants(domain)

    Generates typosquat and lookalike variants of a domain and keeps the ones that exist.

  • whisper.origins(hostname)

    Finds the true origin IPs behind a CDN- or proxy-fronted host.

  • whisper.walk(indicator)

    Expands an indicator across its connected infrastructure in a single call.

  • whisper.history.whois(indicator)

    Dated historical WHOIS snapshots for a domain or IP.

  • whisper.history.bgp(indicator)

    Dated historical BGP and routing state for a prefix or ASN.

  • whisper.quota()

    Your plan, traversal depth and remaining query quota — checking it doesn’t count against your quota.

  • db.labels() · db.relationshipTypes()

    Introspect the node and edge types in the graph before you query.

See call signatures and return shapes in the procedures & functions reference.

Run your first query in five minutes

Run real queries against the live graph right now, no key required. A free key takes you deeper, on the same endpoint.