Whisper

What is Whisper?

Whisper is an infrastructure intelligence platform for security teams that maps internet infrastructure into a single, queryable graph. It connects entities such as IPs, domains, certificates, ASNs, and routing paths, so analysts can explore how internet components relate to each other and how they change over time.

The platform is designed to answer infrastructure questions faster than stitched-together research across separate sources. It ingests large-scale data continuously and exposes it through a graph and query interface intended for investigative workflows and AI-assisted research.

Key Features

• Unified infrastructure knowledge graph: A single knowledge graph connects IP, domain, certificate, ASN, and routing path information rather than treating DNS, routing, and ownership data as separate silos.
• Graph-powered querying: The platform supports direct graph queries (described as “Cypher queries”) that return results in milliseconds.
• Multi-source enrichment in one schema: DNS, BGP, WHOIS, GeoIP, DNSSEC, SPF policy, and reputation are presented under one schema to reduce manual cross-referencing.
• Broad feed coverage and continuously updated mapping: The page describes real-time mapping at scale, including a continuously refreshed graph that is updated continuously.
• Multiple access paths: Users can query via API, use native connectors to enrich existing platforms, or allow AI agents to access it through MCP (Model Context Protocol) for investigation workflows.
• Predefined investigation-style questions: Examples include tracing routing changes, shared infrastructure signals (like nameservers and registrants), and reputation signals across multiple threat feeds.

How to Use Whisper

1. Explore the platform or request a demo to see the graph and query workflow.
2. Connect your tooling by choosing one access method: API queries, native connectors for your existing stack, or MCP access for AI agents.
3. Run targeted graph queries to retrieve infrastructure context, such as ownership, hosting context, routing behavior, and historical changes.
4. Use the results for investigation output—for example, by having an AI agent generate an investigation report using the infrastructure context returned by the graph.

Use Cases

• Instant alert enrichment: When an alert triggers on an IP, Whisper can show associated ownership, other services hosted there, ASN abuse history, and changes over a recent time window (the page gives an example of “in the last 30 days”) before an analyst opens a ticket.
• Adversary infrastructure mapping: Starting from a single C2 domain, teams can trace related infrastructure such as shared nameservers, overlapping registrants, ASN migrations, and hosting patterns to map an entire campaign.
• Off-chain investigation context: For cryptocurrency flows, teams can trace from a custodial exit point to see what infrastructure sits behind it, including hosting context, DNS, BGP routing, and ownership history.
• External attack surface mapping: Teams can identify domains, subdomains, IPs, and ASNs associated with an organization to find infrastructure such as staging systems, test subdomains still pointing to decommissioned hosts, and shadow infrastructure.
• Compliance and takedown tracking: For a regulator-provided list of domains, Whisper can be used to identify whether those domains were ever on the organization’s infrastructure and where they moved over time.

FAQ

• What kinds of internet data does Whisper connect? The page describes connections across entities like IPs, domains, certificates, ASNs, and routing paths, and enrichment that includes DNS, BGP, WHOIS, GeoIP, DNSSEC, SPF policy, and reputation.

• How do users access the graph? Whisper supports access via direct API queries, native connectors for existing platforms, and MCP so AI agents can retrieve infrastructure context.

• How fast are queries? The page states that the example live queries against the Whisper graph return in milliseconds.

• Can Whisper help with AI-generated investigation reports? The page describes an AI-assisted workflow where an AI agent uses MCP to access infrastructure context and then writes an investigation report including ownership, hosting context, risk scoring, and historical changes.

• Is Whisper deployed only in the cloud? The page states Whisper is available as cloud-hosted or on-prem deployment.

Alternatives

• Security enrichment stacks built from multiple APIs: Many teams stitch together separate DNS/routing/WHOIS/GeoIP/reputation services. Compared with Whisper, these approaches often require manual correlation and separate workflows instead of one graph and one query language.
• Graph database solutions used for threat intelligence: General-purpose graph databases can model relationships, but they don’t inherently provide the same purpose-built internet infrastructure mapping and feed aggregation described on the Whisper page.
• Domain/ASN reputation platforms: Tools focused primarily on reputation and indicator lookups can support parts of the workflow, but they may not expose end-to-end infrastructure relationships (like routing changes and cross-layer connections) as a unified, queryable graph.
• Threat intel enrichment via SIEM/SOAR connectors: SIEM/SOAR-based enrichment can help automate context retrieval, but the alternative remains tied to whatever signals those systems already bring, rather than a single infrastructure graph designed for investigative pivots.