Live data

A graph, not a snapshot.

The data behind an investigation goes stale fast. A blocklisted address, a new route conflict, a domain registered an hour ago — Whisper takes them in continuously, so a query reflects the internet as it is now.

43
threat feeds
25
threat categories
12.5M
live feed listings
Why it matters

Yesterday's feed is a liability

In threat hunting and incident response, a day-old answer can be worse than no answer — it reads as confirmation while the ground has already shifted. An address gets added to a blocklist, a campaign rotates to fresh infrastructure, a prefix is suddenly announced by a second network. If your data was captured last week, you’ll miss all of it and feel certain you didn’t.

So the graph isn’t a periodic dump. New indicators, routing changes and resolutions flow in through the day and become queryable as they land. Ask “is this in any feed?” and the answer reflects the most recent updates, not a monthly export.

A live threat pivot — a hostname resolves to an IP on a bulletproof host, co-hosted with C2 and phishing domains, every node listed in threat feeds such as Feodo Tracker.
From one domain to its hosting, its co-tenants, and the feeds that flag them — answered against the most recent data, not last week's.
What's live

The feeds behind the graph

Threat intelligence
Dozens of feeds across two-dozen categories — C2, malware, phishing, scanners, Tor exits and more — attached to the exact addresses, hostnames and networks they describe.
BGP routing
Live announcements, peering, and multi-origin (MOAS) conflicts where a prefix is announced by more than one network — the first signal of a route hijack.
DNS
Freshly resolved domains stream in continuously, so a name registered and pointed at infrastructure this morning is already in the graph.
WHOIS & ownership
Registration and contact records, refreshed so a change of registrant or registrar shows up rather than lingering as a stale record.
RPKI
Route Origin Authorizations kept current against live routing, so authorization checks reflect today’s state, not last month’s.
Certificate transparency
Certificate observations tying hostnames to the addresses they were seen on — another independent channel for connecting infrastructure.
BGP hijack detection: RPKI authorizes AS-A to originate a prefix; a second origin AS-B announcing the same prefix is a multi-origin (MOAS) conflict — a possible hijack.
Live routing joined to RPKI — when a prefix is announced by an unexpected network, the conflict surfaces as a row you can query.
Looking back

And what changed, and when

Live state is half the picture; the other half is history. Whisper keeps timelined WHOIS and BGP records, so you can ask how a domain’s registration or a prefix’s routing looked at a point in the past — and watch it change. That’s the difference between “this network announces the prefix” and “this network started announcing the prefix the day before the incident.”

Freshness tells you what’s true now. History tells you what moved to get there. See investigations that use both →

More on the technology