Built from scratch. Built for this.
WhisperGraph is a purpose-built graph engine designed from first principles to handle billions of internet infrastructure data points with sub-millisecond query latency — and to serve AI agents natively.
Why we built it
Why we built our own graph engine
General-purpose graph databases couldn’t handle the scale. The query patterns we needed simply don’t work on existing solutions.
Billions of nodes and edges
Millions to low billions
Sub-millisecond average
Seconds to minutes at scale
Continuous streaming
Batch import only
IPv4, IPv6, CIDR, ASN — first-class types
Everything stored as strings
Built-in from day one
Not available
Architecture
Architecture: four layers
From raw data ingestion to AI-native delivery. Each layer is purpose-built.
Data Ingestion Layer
- •18 data source types ingested continuously — BGP, DNS, WHOIS, SSL/TLS, IP registries, passive DNS, blacklists, zone files, certificate transparency logs
- •Real-time BGP streaming — detects routing anomalies, hijacks, and ownership changes as they propagate
- •190+ threat intelligence feeds correlated against infrastructure data
- •Newly observed domains captured in real time
- •Batch + streaming hybrid: scheduled imports plus continuous feeds
Graph Engine
- •Custom graph database built from the ground up — designed specifically for internet infrastructure
- •Billions of nodes and edges, 20 entity types, all in memory
- •Zero garbage collection pauses — fully off-heap memory management
- •Storage format optimized for internet infrastructure traversal patterns
- •Custom Cypher engine: full parser, query planner, and physical operators
- •Native support for internet data types — IPv4, IPv6, CIDR ranges, ASN numbers, FQDNs
Intelligence Layer
- •Dual scoring model — not heuristics, not ML black boxes
- •Individual score: blacklist/whitelist history, ownership changes, domain age, certificate patterns
- •Structural score: network neighborhood health — what else lives on that ASN, how the surrounding infrastructure behaves
- •Predicts risk for zero-history domains based on organizational and infrastructure reputation
- •Full chain of evidence for every score — explainable by design, auditable for compliance
- •Continuous monitoring across 190+ countries
Delivery Layer
- •MCP Server — first threat intelligence platform with native MCP support for Claude, GPT, Gemini, and open-source agents
- •REST API with full Cypher query support — parameterized queries, built-in procedures (explain, history, quota)
- •Native integrations: Splunk, Microsoft Sentinel, OpenCTI, XSOAR
- •Visual Console — graph explorer, query studio, AI query generation, templates
Query Language
Why Cypher is the right query language for the AI era
We implemented a full Cypher engine from scratch — because Cypher has a decisive advantage in the age of AI agents: LLMs already understand it.
Every major LLM can generate syntactically correct Cypher queries from natural language descriptions. The result: any AI agent connected via MCP can immediately query the full graph without custom prompt engineering or fine-tuning.
This exponentially reduces context costs and development time compared to competitors who use proprietary query interfaces.
The Cypher-native approach means any MCP-connected agent can traverse the full internet graph using a query language it already knows. No training required.
-[:RESOLVES_TO]->(ip:IPV4)
<-[:RESOLVES_TO]-(cohosted:HOSTNAME)
WHERE cohosted.name <> h.name
RETURN cohosted.name AS domain,
ip.name AS shared_ip,
cohosted.threatScore AS risk
ORDER BY risk DESC
LIMIT 50
Engineering
Under the hood
What makes sub-millisecond traversal at billion-node scale actually possible.
Zero-GC Architecture
The entire graph lives off-heap, eliminating garbage collection pauses entirely — the #1 killer of latency in graph databases at scale. This is what enables predictable sub-millisecond latency at the 99th percentile.
Native Internet Data Types
IPv4, IPv6, CIDR ranges, ASN numbers, and FQDNs are first-class data types in the engine, not strings. Range queries, containment checks, and prefix matching execute at the storage layer, not in post-processing.
Real-Time Streaming
Continuous ingestion of BGP feeds, DNS changes, certificate transparency logs, and zone file updates. The engine processes routing announcements, withdrawals, and path changes in real time — detecting anomalies as they propagate, not hours later.
Explainable Scoring
The dual scoring model is built on mathematical foundations from information theory. Every risk score includes the complete chain of evidence — a deterministic, auditable explanation traceable to specific infrastructure signals.
Performance
Scale and efficiency
Differentiation
Where Whisper is different
BGP + Threat Intel Correlation
No other platform correlates real-time BGP routing data with threat intelligence feeds. This is how we score ASN reputation based on actual network behavior, not just blocklists.
Billion-Scale Graph + Sub-ms Queries
The combination doesn't exist elsewhere. General-purpose graph databases can't handle this scale at this speed. Custom solutions don't cover internet infrastructure.
Explainable Scoring from First Principles
Every risk score includes the complete chain of evidence. Not a black-box ML confidence score — a deterministic, auditable explanation traceable to specific infrastructure signals.
MCP-Native Threat Intelligence
First threat intelligence platform with built-in MCP support. AI agents get structured, real-time internet infrastructure context without custom integrations.
ASN Reputation from Network Behavior
We score ASNs based on what their networks actually do — hosting patterns, BGP behavior, tenant reputation — not just whether they appear on a list.
Native Internet Data Types
IPv4, IPv6, CIDR, ASN are first-class types in the engine. Range queries, containment checks, and prefix matching happen at the storage layer.
See the technology in action
Query billions of data points in under a millisecond. We’ll show you with your own infrastructure.