Query the internet graph withCypher over REST
Send a Cypher graph query to one REST endpoint and get structured JSON back, usually in single-digit milliseconds over a graph of about 7.4 billion nodes and 39 billion edges. You write standard Cypher, POST it, and read the columns and rows in the response. Try a real query in the box below, then see what the API can do in the features underneath.
Run a real query against the live graph, then copy the exact request for your own stack in cURL, TypeScript, Python or Go.
DNS — a hostname to its live IP addresses
curl -s -X POST https://graph.whisper.security/api/query \
-H "Content-Type: application/json" \
-H "X-API-Key: $WHISPER_API_KEY" \
-d "{\"query\":\"MATCH (h:HOSTNAME {name: \\\"github.com\\\"})-[:RESOLVES_TO]->(ip:IPV4) RETURN ip.name AS ip LIMIT 5\"}"One endpoint, the whole graph
Standard Cypher, read-only
Query the internet with the Cypher you already know: MATCH, WHERE, WITH, UNWIND, UNION, CALL{} subqueries, shortestPath, and EXPLAIN/PROFILE. It’s read-only, so there’s no way to change the graph.
Read the Cypher guideOne graph, every layer
DNS, IP and BGP routing, WHOIS, geolocation, certificates and threat intel sit in one graph of ~7.4B nodes and ~39B edges, across 39 node types you can join in a single query.
Browse the schemaMulti-hop cross-layer traversals
Pivot from a hostname to its IPs, to the ASN that announces them, to the datacenter behind it — all in one query. A HOSTNAME → IPV4 → ASN chain runs server-side in single-digit milliseconds.
See query recipesWhisper procedures, built in
Procedures add capabilities you’d otherwise hand-build: threat scoring (explain), typosquat discovery (whisper.variants), CDN origin de-cloaking (whisper.origins), and time-travel to past WHOIS/BGP (whisper.history). One CALL, structured rows back.
Procedures & functionsThreat-feed enrichment
43 threat feeds across 25 categories — Spamhaus, abuse.ch, FireHOL, OpenPhish, OFAC SDN and more — attach to IPs, hostnames and ASNs as edges you can filter and score in the query.
See the feed catalogCurrent BGP, DNS and routing data
Continuous domain ingestion and hourly threat-intel sync keep resolution, BGP announcements, peering and RPKI data fresh, so routing and DNS answers match what’s live.
What’s in the graph
Heavy lifting, one CALL away
Common investigations are packaged as procedures you call from Cypher — no need to write the traversal by hand. Each returns structured rows like any other query.
explain(indicator)A reconciled threat verdict for an IP, hostname, ASN or CIDR — a score, a severity level, and the exact feeds and factors behind it.
whisper.assess(indicator)A fast risk read on an indicator when you don’t need the full evidence breakdown.
whisper.identify(value)Tells you what an opaque string is: IP, hostname, ASN, CIDR or email.
whisper.variants(domain)Generates typosquat and lookalike variants of a domain and keeps the ones that exist.
whisper.origins(hostname)Finds the true origin IPs behind a CDN- or proxy-fronted host.
whisper.walk(indicator)Expands an indicator across its connected infrastructure in a single call.
whisper.history.whois(indicator)Dated historical WHOIS snapshots for a domain or IP.
whisper.history.bgp(indicator)Dated historical BGP and routing state for a prefix or ASN.
whisper.quota()Your plan, traversal depth and remaining query quota — checking it doesn’t count against your quota.
db.labels() · db.relationshipTypes()Introspect the node and edge types in the graph before you query.
See call signatures and return shapes in the procedures & functions reference.
Run your first query in five minutes
Run real queries against the live graph right now, no key required. A free key takes you deeper, on the same endpoint.