Trace the attack path and its choke point

The attack path doesn't stop at your perimeter

Attack path analysis maps the steps an attacker takes from their entry point to a target, then finds the choke point that severs the most paths at once. The tools that do this today — BloodHound, XM Cyber, Cymulate, cloud IAM analyzers — model the inside of one organisation. They stop at the network edge. The attacker's real path runs across the open internet, between organisations, and no internal tool can see it.

On the external internet, the path is infrastructure. A phishing domain resolves to an IP that may host roughly 18 other organisations — each exposed when the IP is compromised. The nameserver that delegates DNS authority for that domain may serve around 188,000 other domains — a DNS choke point whose disruption cascades across a substantial share of the internet. The ASN announcing the IP peers with hundreds of other networks — the reach a BGP route hijack would achieve. Each of these is a node on the attack path, and each is a potential choke point.

Across the external layer the work currently falls back to manual pivoting: a reverse-IP lookup in one tab, a WHOIS query in another, a routing looking-glass in a third, a threat feed in a fourth. There is no single map of the route, and no automated way to ask where the choke point is.

One query from indicator to choke point

Whisper Graph pre-joins seven layers of the internet into one read-only Cypher graph: web hyperlinks, DNS resolution and hierarchy, WHOIS and registrant ownership, BGP routing and RPKI, GeoIP, threat intelligence across 43 feeds, and the physical layer of data centers and internet exchanges. Because the join is done on the server, the attacker's path is already drawn — you traverse it instead of reconstructing it.

The same graph surfaces the hidden link between two indicators: two apparently unrelated assets revealed to share infrastructure. The shortestPath algorithm returns the exact chain — a typosquat wired back to the real domain through one shared WHOIS registrant, or a campaign's C2 sharing a nameserver with the phishing kit's delivery domain. That hidden edge is the choke point candidate — block or sinkhole the shared node and the connection collapses.

The choke-point query pivots a single indicator to everything co-tenanted on its IP, the announcing prefix, and the ASN. A nameserver choke point reveals how many other domains depend on it — the blast radius of disrupting the shared DNS infrastructure. An ASN choke point shows the BGP peers a route hijack would reach. Each finding comes with an explain() verdict: a scored, feed-by-feed assessment of the shared node, so the choke point recommendation is evidence-backed, not just topological.

How it compares to internal attack-path tools

BloodHound maps the attack paths inside one organisation — Active Directory, privilege escalation, lateral movement across internal hosts. XM Cyber and Cymulate simulate breaches across internal infrastructure. Cloud IAM analyzers trace permission chains inside one tenant. All of them stop at the network perimeter. Whisper starts there.

External recon tools — Censys, Shodan, SecurityTrails, DomainTools, Maltego — see the DNS, certificate, and scan layers but have no BGP routing underneath and expose flat searches the analyst stitches by hand. Whisper joins routing, physical, web, and threat in the same query language, so the choke point becomes a query result, not a whiteboard exercise. The two categories are complementary: internal tools own the perimeter inward, Whisper owns the perimeter outward.