Query language

A query language for the internet.

The internet is relationships, not rows. Whisper is queried in Cypher, where you write those relationships as patterns and follow them the way you'd reason about them.

Why a graph language

The question, written down

A relational JOINor a flat API can tell you what a single record holds. Neither can express “follow this domain to its addresses, to the networks that announce them, to the networks those peer with.” That’s a path, and paths are what graphs are for.

Cypher lets you draw the path. The query on the right reads almost like the sentence you’d say out loud, and it returns every co-hosted domain on a shared address in one statement. There’s a second advantage that matters more every month: language models already write Cypher. An agent can express a hunt in the same language a human would, with no bespoke integration in between.

MATCH (h:HOSTNAME {name:"example.com"})
      -[:RESOLVES_TO]->(ip:IPV4)
      <-[:RESOLVES_TO]-(other:HOSTNAME)
WHERE other.name <> h.name
RETURN ip.name AS shared_ip,
       collect(other.name)[0..20] AS co_hosted
Co-hosting in one statement — every domain sharing a resolution IP.
Graph design

Cross-layer is the fast path

A query language is only half of it. The graph itself is shaped around the questions security teams actually ask, so the traversals that cross layers are the ones that run fastest.

An address links straight to the prefix announcing it, so “who routes this?” is one hop, not an IP-in-CIDR scan. Cloud and vendor attribution is resolved when the data is loaded, so “who actually operates this address?” is a lookup, not a guess. The work that would otherwise be a deep scan is folded into an indexed edge ahead of time. You get the depth without paying for it at query time.

The WhisperGraph schema — entity types across DNS, addressing, BGP routing, RPKI, WHOIS, geo, threat intelligence, threat actors and physical infrastructure, and the relationships that join them.
The model behind the speed — a curated core of the entity types and the relationships that connect them, all reachable in a single traversal.
Procedures

The hardest pivots, as one call

On top of plain Cypher, a small set of procedures package the multi-step traversals that come up again and again. They return data and the evidence behind it.

originswhisper.origins
Reconstruct the likely real IPs behind a CDN or proxy from passive evidence, each scored and named to the network that announces it — no scanning.
variantswhisper.variants
Generate look-alike domains with more than a dozen algorithms and keep only the ones that are actually registered — the shortlist worth investigating.
identifywhisper.identify
Resolve a batch of hosts to the vendor and tenancy class behind them, with a confidence band and the evidence for each.
assesswhisper.assess
Return a threat verdict with explicit coverage, so "no data" is never mistaken for "clean" — the grounding read an agent runs before it acts.
walkwhisper.walk
For a host the graph has not seen before, find the nearest known infrastructure through independent channels — shared nameserver, same network, certificate co-observation.
explainCALL explain
Return a verdict with the factors behind it and every source feed, dated — a sourced evidence chain you can put in a ticket, not a number.
Try it

Run a real query

This runs live against the production graph. Edit it, or start from an example.

Live · graph.whisper.security
read-only Cypher

DNS: a hostname to its live IP addresses

Copy as
Open it in the Console

The full language and procedure reference lives in the docs, and there’s a direct REST surface on the API page.

More on the technology