Attack-Surface Mapper
Domain → its full external footprint, scored: subdomains (DNS + CT), nameservers, mail & SPF senders, registrar/registrant, the third-party SaaS/CNAME supply chain, registrant-email org expansion, the real origins behind any CDN, the serving IPs/ASN/TLS/threat posture, cloud region & hosting-network reputation, and registered look-alikes.
Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.
Dig deeper
Read the how-to
The documentation for this flow — the queries explained, with variants you can adapt.
Open the documentation →Related flows
All use cases →Attack Path Analysis
From one foothold, finds the DNS and registrant choke points with the most dependents, the TLS/registrant pivots that survive IP churn, links to a second asset, and proximity to known-bad.
Dependency Blast Radius
Maps shared-fate impact: who depends on this asset and how badly.
Discover assets from Certificate Transparency
Reads the SEEN_IN_CT observations for a domain — every certificate (including wildcards) logged in CT, with firstSeen/lastSeen. A building block for asset discovery and takeover corroboration. CT coverage is a rolling feed, so absence is not proof of none.
Discover externally-visible AI / agent infrastructure
Enumerates the subdomain estate and filters to AI/agent-suggestive hostnames (api., mcp., ai., ml., vector., llm., agent., chat., copilot.), resolving each. This is a passive, naming-based heuristic — a signal of where to look, not a confirmed inventory.
Find Subdomains
Find Subdomains maps the full subdomain namespace of a domain — every host under the apex. It is the workhorse for attack-surface mapping, asset discovery and footprinting: enumerate what an organisation actually exposes (staging, mail, API, VPN, regional and forgotten hosts), then optionally resolve each to where it lives — its IP(s), GeoIP location and the network (ASN) announcing it. Retrieved via Cypher: the total is counted through the reverse-domain suffix index (`s.name ENDS WITH '.<domain>'`, a literal — the only form that does not time out); the names are walked from the `CHILD_OF` subtree anchored on the domain (paged in name order for a normal estate, a bounded sample for a very large one); and each name is enriched in the same page query via `RESOLVES_TO` → IPv4, `LOCATED_IN`/`HAS_COUNTRY` → GeoIP, and `ANNOUNCED_BY`→`ROUTES` → the announcing ASN (with `HAS_NAME` for the operator name).
Indicator Investigation
Investigates an indicator across every connected graph layer — hosting, network, neighbourhood, ownership, history and more — and lists what it observes. No single verdict.
Digital Infrastructure Mapping
Infers an indicator's true operator (even behind privacy WHOIS), pivots to its estate, then traces every layer below — namespace, DNS/mail, routing, physical, cloud — and grades concentration.
M&A / VC digital-footprint diligence
A no-cooperation external read for diligence: the registered owner, the size of the subdomain estate, the geographic spread of its hosting, and a threat-exposure check. Whisper sees external/public infrastructure only — not an authenticated scan.