Map a blast radius

If this asset falls, what else is exposed? Expand one IP or domain to every organisation co-tenanted on its address, the sibling IPs those tenants reach, and the network that routes them all. Lateral movement across shared internet infrastructure, bounded so the traversal never runs away.

Layer by layer

  • Seed asset
  • Shared IP
  • Prefix siblings
  • Downstream hosts

How far a compromise reaches — each layer bounded so the traversal never explodes.

Ask your own AI: paste into any LLM with the WhisperGraph MCP.

Using WhisperGraph (over MCP), treat 100.50.108.88 as a compromised asset and map its blast radius: every domain co-tenanted on it (compromise one, expose all), the other IPs those co-tenants spread to, and the network it sits in. Show me how far the damage reaches if this host falls.

Swap in any IP you own or are investigating.

Shared infrastructure is the exposure the perimeter never shows you

Inside a network, blast radius is familiar: if this host falls, what else can the attacker reach? Segments, ACLs, and trust relationships bound the answer. On the open internet the same question has a different answer, and a different threat model.

On shared hosting, one IP address can front around 18 separate organisations. Compromise one and its neighbours share the same address, the same upstream routes, the same nameservers. A university health portal might sit next to a few small businesses and a hobby blog, none of them aware of the others. Whoever controls the infrastructure sees every tenant; each defender sees only their own.

That cross-tenant exposure is invisible to any tool that treats an IP as single-tenant. Whisper maps it. From one seed asset, a query expands to every hostname co-hosted on its IP, the adjacent IPs those tenants also use, and the ASN that routes the whole prefix. That is the external blast radius: everything a shared-infrastructure compromise touches beyond the first victim.

What a bounded traversal returns

A query starts from a known seed — a compromised IP, a suspect domain, an indicator from an alert — and expands one hop at a time. The first hop finds every hostname resolving to the same IP: the co-tenants. The second follows those tenants to any other IPs they resolve to, showing the wider footprint the campaign touches. A third reaches the announced prefix and ASN for the routing context that ties the cluster together.

Every layer is bounded. The query returns counts and samples rather than unbounded result sets, so a dense shared-hosting IP with thousands of neighbours won't flood the response. You get a legible shape — how many co-tenants, how many secondary IPs, which network — instead of an overwhelming flat list.
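
The three hops and the count-plus-sample bounding described above, as an added Python example over a small constructed dataset. It is not WhisperGraph's own code, query or schema; the names `RESOLVES`, `PREFIXES`, `bounded`, `route_for` and `blast_radius`, and all sample hosts, IPs and ASNs, are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation IP ranges, example domains, reserved
# ASNs). Not WhisperGraph output or schema.
RESOLVES = [  # (hostname, IP it resolves to)
    ("portal.example.edu", "192.0.2.10"),
    ("shop.example.com", "192.0.2.10"),
    ("blog.example.net", "192.0.2.10"),
    ("shop.example.com", "198.51.100.7"),
    ("blog.example.net", "198.51.100.7"),
    ("blog.example.net", "203.0.113.21"),
    ("other.example.org", "198.51.100.7"),
]
PREFIXES = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497, "203.0.113.0/24": 64497}

def bounded(items, limit):
    """Summarise a layer as a count plus a capped, sorted sample."""
    ordered = sorted(items)
    return {"count": len(ordered), "sample": ordered[:limit]}

def route_for(ip):
    """Longest-prefix match of ip against PREFIXES; None if unrouted."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in PREFIXES]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return f"{best} AS{PREFIXES[str(best)]}"

def blast_radius(seed_ip, sample_limit=2):
    hosts_by_ip, ips_by_host = defaultdict(set), defaultdict(set)
    for host, ip in RESOLVES:
        hosts_by_ip[ip].add(host)
        ips_by_host[host].add(ip)
    # Hop 1: every hostname resolving to the seed IP (the co-tenants).
    tenants = hosts_by_ip.get(seed_ip, set())
    # Hop 2: other IPs those co-tenants resolve to. In this example the walk
    # stops there, so other.example.org (on a sibling IP) is not pulled in.
    siblings = set().union(*(ips_by_host[h] for h in tenants)) - {seed_ip}
    # Hop 3: announced prefix and ASN for the seed and each sibling IP.
    routes = {route_for(ip) for ip in siblings | {seed_ip}} - {None}
    return {
        "seed": seed_ip,
        "co_tenants": bounded(tenants, sample_limit),
        "sibling_ips": bounded(siblings, sample_limit),
        "routing": bounded(routes, sample_limit),
    }
```

Calling `blast_radius("192.0.2.10")` reports three co-tenants but returns only two of them in the sample, which is the shape that keeps a dense shared-hosting IP readable.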

Why it beats a flat reverse-IP lookup

A reverse-IP lookup lists the domains on one IP. A blast-radius traversal goes three steps further. It follows the co-tenants to their other IPs, so a suspect domain that also lives on a second IP shows up. It joins the routing layer, so the owning ASN and its peers are part of the result. And it carries the threat layer, so each neighbour and each new IP arrives with its own explain() verdict. That turns a list of neighbours into a ranked set of findings — the move from enumeration to triage.

Frequently asked

What does 'blast radius' mean in infrastructure terms?

The set of assets exposed when one asset is compromised because they share underlying infrastructure — the co-tenants on a shared IP, the sibling IPs those co-tenants spread to, and the announcing network. On shared hosting, a single IP can front ~18 distinct organisations, so the blast radius of one compromised tenant extends to all of them.

How is this different from a flat reverse-IP lookup?

A reverse-IP lookup returns the domains on one address. A blast-radius traversal follows co-tenants to their other IPs, joins the routing layer (prefix and ASN), and layers in a threat verdict for every discovered node. It's the difference between a list of neighbours and a bounded, scored map of the full shared-infrastructure exposure.

Why bound the layers?

High-density shared-hosting IPs can have thousands of co-tenants. Without bounds, a single-hop expansion returns an unusable flat list. Whisper's traversal returns counts and representative samples at each layer, then lets you drill into specific segments — so the blast radius stays legible at any density.
