The Internet Has a Map. Most Defenders Can't Read It.

Kaveh Azarhoosh
Community & Research Lead
Every domain has a registration record. Every IP belongs to an announced prefix. Every prefix is originated by an autonomous system. DNS queries return records pointing to other infrastructure. Certificates are logged publicly. Routing tables are published. None of this is secret.
The internet's infrastructure is transparent by design. The protocols require public coordination: you can't route traffic without announcing your prefixes, can't serve HTTPS without a logged certificate, can't receive email without publishing MX records. The raw material for understanding how the internet is wired together is available to anyone who asks.
The problem is that nobody assembled it into something you can actually use.
Eighteen sources, no picture
Security teams already query this data. They run a WHOIS lookup on a suspicious domain. They check DNS to see where it points. They look up the IP in a geolocation database, maybe check the ASN, maybe run a certificate search. Each query returns a fragment from a different source, in a different format, with a different update cycle. Between BGP routing, DNS, WHOIS, SSL certificates, IP registries, passive DNS, threat feeds, zone files, and peering data, an analyst might need eighteen distinct data types for a single investigation.
Their job is to stitch those fragments together under time pressure. A domain resolves to an IP. That IP sits in a prefix announced by an ASN. The registration was created three days ago through a registrar tied to previous campaigns. The certificate was issued by a CA that also signed three lookalike domains. The DNS configuration matches a pattern you've seen before.
All of those connections exist. But they live in different tools, different interfaces, different query languages. When the investigation is time-sensitive (and it almost always is), the stitching doesn't get done. The analyst checks two or three sources, makes a call, and moves on. The relationships that would have revealed a wider campaign stay buried. Not because the data is unavailable, but because it was never connected.
Fragments versus relationships
Individual lookups return data points. The useful part is what connects them. A domain on its own is a string. Connect it to its IP, its nameserver, its registrar, the ASN that routes it, the other domains sharing its infrastructure, and you start to see whether you're looking at an isolated indicator or the edge of something larger.
The traditional tools don't surface those connections because they were never meant to. WHOIS was built for registration management. DNS was built for resolution. BGP was built for routing. Each protocol publishes data for its own purpose. There is no layer in the internet's architecture that ties them together and makes them queryable as a whole. Defenders have been building that layer themselves, manually, one investigation at a time, in spreadsheets and notebooks and half-finished scripts. It works right up until the investigation gets complex enough that the connections actually matter. Then it doesn't.
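A minimal sketch of the stitching described above, added here as an illustration and not Whisper's code or API: it merges constructed records from four source types into one graph and walks outward from a starting domain. All domains, IPs, the ASN, the certificate id, the registrar name and the `max_degree` hub cutoff are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed records, keyed by source (.example domains, documentation IP
# ranges, private-use ASN). Each tuple is (node, relation, node).
RECORDS = {
    "dns": [("domain:login-portal.example", "A", "ip:192.0.2.10"),
            ("domain:secure-update.example", "A", "ip:192.0.2.10"),
            ("domain:cdn-assets.example", "A", "ip:192.0.2.77"),
            ("domain:unrelated-shop.example", "A", "ip:203.0.113.50")],
    "bgp": [("ip:192.0.2.10", "in_prefix", "prefix:192.0.2.0/24"),
            ("ip:192.0.2.77", "in_prefix", "prefix:192.0.2.0/24"),
            ("prefix:192.0.2.0/24", "origin", "asn:AS64500")],
    "ct": [("domain:cdn-assets.example", "cert", "cert:constructed-01"),
           ("domain:acct-verify.example", "cert", "cert:constructed-01")],
    "whois": [(f"domain:{d}.example", "registrar", "registrar:BigRegistrar")
              for d in ("login-portal", "secure-update", "cdn-assets",
                        "unrelated-shop", "acct-verify")],
}

def build_graph(records):
    """Merge every source into one undirected adjacency map."""
    graph = defaultdict(set)
    for rows in records.values():
        for a, _relation, b in rows:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def neighbourhood(graph, start, max_depth=6, max_degree=4):
    """Breadth-first walk from start; returns {node: depth}. Nodes with more
    than max_degree edges (large registrars, shared hosts) are recorded but
    not expanded, otherwise one hub links every domain to every other."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        is_hub = node != start and len(graph[node]) > max_degree
        if seen[node] == max_depth or is_hub:
            continue
        for nxt in graph[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def related_domains(graph, start, **limits):
    # Keep only domain nodes, with the number of hops that connects each one.
    found = neighbourhood(graph, start, **limits)
    return {n: d for n, d in found.items() if n.startswith("domain:") and n != start}

GRAPH = build_graph(RECORDS)
print(related_domains(GRAPH, "domain:login-portal.example"))
```

Raising `max_degree` to 10 lets the walk pass through the shared registrar and pulls in `unrelated-shop.example`, which is why high-degree nodes need a cutoff before a shared attribute is treated as a link.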
One graph, whole map
Whisper assembles internet infrastructure into a single knowledge graph: 3.7 billion nodes, 31 billion edges. Domains, IPs, ASNs, DNS records, routing data, certificates, registration metadata, all eighteen source types. We built a custom graph database because nothing we tried could handle the scale. When a defender queries a domain, they don't get a data point. They get the neighbourhood.
Here's what that looks like in practice. An analyst flags one suspicious domain. Within seconds they're looking at the campaign behind it: related domains registered through the same infrastructure, shared hosting, overlapping certificates, the ASN that ties them together, five or six levels deep. Most tools stop at two or three. In one investigation, a single starting domain led to fifty-four connected domains. Thirty-eight were confirmed malicious. The rest hadn't appeared on any threat feed yet.
The infrastructure was always public. The relationships were always there. They just needed to be connected.
Whisper gives you access to the graph directly from your own tools. Plug it into your SIEM, your scripts, your AI agents. There's a free API key if you want to try it.



