Whispergraph Mcp Server
The internet's largest queryable infrastructure graph — 7.39 billion nodes, 39 billion edges, 5.6 million threat-intelligence relationships. Pivot from any IP, domain, or ASN across DNS, BGP, WHOIS, GeoIP, and threat intel in a single Cypher query.
Why WhisperGraph Most threat-intel and OSINT APIs are point lookups: you ask about one indicator, you get one record. Investigations don't work that way — you start from one suspicious domain and need to trace its hosting, its sibling domains, its registrar, its email infrastructure, the ASN announcing its IP, and which feeds have flagged anything nearby.
WhisperGraph stores all of that as a single connected graph and lets you traverse it natively. One query can answer questions that would take dozens of API calls anywhere else.
What's in the graph Layer Coverage DNS Full resolution graph — hostnames, A/AAAA/CNAME/MX/NS/TXT records, DNSSEC chains BGP Announced and registered prefixes, ASN relationships, RIR allocations, routing conflicts GeoIP IP → city → country, with point geometry for distance queries WHOIS Registrars, registrant emails (237M), phones (65M), nameservers, timestamped history Email MX records, SPF includes, DKIM, DMARC policies Web Hyperlink graph between hostnames Threat Intel 5.6M edges from 40+ feeds across 18 categories — malware, phishing, C2, scanning, abuse 20 node labels, 29 edge types, updated continuously.
Who uses it Threat hunters & SOC analysts — enrich IOCs, find related infrastructure, triage alerts in seconds CTI teams — build campaign maps, attribute infrastructure clusters, track actor TTPs OSINT investigators & journalists — uncover ownership patterns, map shell-domain networks Security researchers — measure phishing kit reuse, study BGP hijacks, trace bulletproof hosting Bug bounty & red team — map external attack surfaces of target organizations Vendor risk & compliance — assess vendor infrastructure exposure Academics — internet measurement research at full-graph scale Tools Tool What it does query Execute a validated Cypher query. Returns structured JSON. explain_indicator One-call threat assessment of any IP, hostname, ASN, or CIDR — returns score, level, factors, sources whisper_history Timestamped WHOIS or BGP snapshots for an indicator list_labels All node labels with counts describe_label Properties and count for a given label Plus 5 MCP resources (schema, query guide, stats, quota) and 7 prompt templates for common investigations: investigate-ip, map-attack-surface, compare-domains, blast-radius, threat-triage, whois-pivot, bgp-investigation.
Example questions you can ask "What's the threat reputation of 45.142.213.55, and what feeds flagged it?" "Show every domain sharing this domain's MX records and registrant email." "Map the full DNS and BGP attack surface of example.com." "Which ASNs in Russia have the highest concentration of phishing-flagged IPs this quarter?" "Find all domains registered within 24 hours of suspicious-domain.com using the same registrar." "What's the historical WHOIS for disputed-domain.com going back 5 years?" "Which prefixes does AS13335 currently announce, and were any of them previously announced by a different ASN?"
Server Config
{
"mcpServers": {
"whisper-graph": {
"command": "npx",
"args": [
"-y",
"@whisper-security/whisper-graph-mcp"
],
"env": {
"WHISPER_API_KEY": "your-api-key"
}
}
}
}Recommend Servers
View AllWrite notes to Flomo
Playwright MCP server