Faster in WhisperAttack surface & recon

Attack-Surface Mapper

Domain → its full external footprint, scored: subdomains (DNS + CT), nameservers, mail & SPF senders, registrar/registrant, the third-party SaaS/CNAME supply chain, registrant-email org expansion, the real origins behind any CDN, the serving IPs/ASN/TLS/threat posture, cloud region & hosting-network reputation, and registered look-alikes.

Try this in Console

Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.

Dig deeper

Read the how-to

The documentation for this flow — the queries explained, with variants you can adapt.

Open the documentation →

Related flows

All use cases →
Only in Whisper

Attack Path Analysis

From one foothold, finds the DNS and registrant choke points with the most dependents, the TLS/registrant pivots that survive IP churn, links to a second asset, and proximity to known-bad.

Faster in Whisper

Dependency Blast Radius

Maps shared-fate impact: who depends on this asset and how badly.

Faster in Whisper

Discover assets from Certificate Transparency

Reads the SEEN_IN_CT observations for a domain — every certificate (including wildcards) logged in CT, with firstSeen/lastSeen. A building block for asset discovery and takeover corroboration. CT coverage is a rolling feed, so absence is not proof of none.

Only in Whisper

Discover externally-visible AI / agent infrastructure

Enumerates the subdomain estate and filters to AI/agent-suggestive hostnames (api., mcp., ai., ml., vector., llm., agent., chat., copilot.), resolving each. This is a passive, naming-based heuristic — a signal of where to look, not a confirmed inventory.

Only in Whisper

Find Subdomains

Find Subdomains maps the full subdomain namespace of a domain — every host under the apex. It is the workhorse for attack-surface mapping, asset discovery and footprinting: enumerate what an organisation actually exposes (staging, mail, API, VPN, regional and forgotten hosts), then optionally resolve each to where it lives — its IP(s), GeoIP location and the network (ASN) announcing it. Retrieved via Cypher: the total is counted through the reverse-domain suffix index (`s.name ENDS WITH '.<domain>'`, a literal — the only form that does not time out); the names are walked from the `CHILD_OF` subtree anchored on the domain (paged in name order for a normal estate, a bounded sample for a very large one); and each name is enriched in the same page query via `RESOLVES_TO` → IPv4, `LOCATED_IN`/`HAS_COUNTRY` → GeoIP, and `ANNOUNCED_BY`→`ROUTES` → the announcing ASN (with `HAS_NAME` for the operator name).

Faster in Whisper

Indicator Investigation

Investigates an indicator across every connected graph layer — hosting, network, neighbourhood, ownership, history and more — and lists what it observes. No single verdict.

Only in Whisper

Digital Infrastructure Mapping

Infers an indicator's true operator (even behind privacy WHOIS), pivots to its estate, then traces every layer below — namespace, DNS/mail, routing, physical, cloud — and grades concentration.

Only in Whisper

M&A / VC digital-footprint diligence

A no-cooperation external read for diligence: the registered owner, the size of the subdomain estate, the geographic spread of its hosting, and a threat-exposure check. Whisper sees external/public infrastructure only — not an authenticated scan.