WhisperGraph
WhisperGraph is a read-only MCP server providing access to the world's largest internet infrastructure graph database (46B nodes and edges) covering DNS, IPs, ASNs, BGP, WHOIS, web links, and threat intelligence.
Core Tools
Cypher Queries (query): Explore 20+ node types (hostnames, IPs, ASNs, prefixes, orgs, emails, etc.) and dozens of relationship types — DNS resolution, BGP routing, WHOIS ownership, web hyperlinks, GeoIP, and more.
Threat Assessment (explain_indicator): Get a threat score, level (NONE→CRITICAL), factors, and source breakdown for any IPv4, IPv6, hostname, CIDR, or ASN across ~40 feeds in 18 categories (C2, malware, phishing, spam, Tor, proxies, VPNs, scanners, etc.).
Historical Data (whisper_history): Retrieve historical WHOIS snapshots or BGP routing data (origin ASN, prefix announcements, peer visibility) for domains, IPs, prefixes, and ASNs.
Typosquat & Brand Protection (domain_variants): Generate and check up to 14 classes of domain mutations (omissions, transpositions, homoglyphs, TLD-swap, Unicode confusables, etc.) against the live graph.
Schema Exploration (list_labels, describe_label): List all node labels with counts and inspect their properties before writing queries.
Resources & Workflows
MCP resources include the full schema, relationship map, Cypher function reference, query cookbook, and live stats/quota.
8 pre-built prompt templates cover workflows like investigate-ip, map-attack-surface, compare-domains, blast-radius, threat-triage, whois-pivot, bgp-investigation, and typosquat-sweep.
Supports DNS chain analysis, ASN/BGP history, WHOIS pivoting, email infrastructure mapping (SPF/DKIM/DNSSEC), web hyperlink graph analysis (10.9B links), and attack surface/incident response attribution.
WhisperGraph is an MCP server backed by the world's largest internet-infrastructure graph database — 46 billion nodes and edges across 20 entity types, mapping every domain, IP, ASN, prefix, organization, Web link and threat-intelligence listing into a single Cypher-queryable graph. Used by security teams, incident responders, and AI agents for investigation, attribution, brand protection, and infrastructure forensics.
Built for agents from day one.
Programmatic signup in 2 HTTP calls. No browser, no CAPTCHA, no human-in-the-loop. Email verification only. Working API key in ~5 seconds.
Free trial for everyone, including agents. Paid tiers for higher quotas.
What you can ask:
DNS: resolution, nameservers, MX, SPF chains, DNSSEC
Routing: ASN ownership, BGP origin history, MOAS conflicts, peering
Hosting & ownership: registrar, WHOIS contacts, organization mapping
Threat intel: ~40 feeds across 18 categories, CALL explain() for full threat scoring
Historical: WHOIS history, BGP route changes
Web: 10.9B hyperlinks for inter-domain analysis
Learn more: Agent signup · WhisperGraph intro · Cypher API reference · Query guide · Cypher syntax · Functions · Best practices · MCP setup
Quick start
You need a WhisperGraph API key. Get one either:
Programmatically (recommended for agents) — see Agent quickstart below.
Via the dashboard (recommended for humans) — console.whisper.security/sign-up.
Hosted remote server (no install)
Whisper runs a hosted MCP server at https://mcp.whisper.security. Point any MCP client that supports remote servers at it and authenticate with your API key:
{
  "mcpServers": {
    "whisper": {
      "url": "https://mcp.whisper.security",
      "headers": { "Authorization": "Bearer <your_api_key>" }
    }
  }
}
Claude Desktop / Claude Code / Cursor (stdio)
For local stdio transport, add this to your MCP client config:
{
  "mcpServers": {
    "whisper-graph": {
      "command": "npx",
      "args": ["-y", "@whisper-security/whisper-graph-mcp"],
      "env": { "WHISPER_API_KEY": "your-api-key" }
    }
  }
}
Or with Claude Code:
claude mcp add whisper-graph -e WHISPER_API_KEY=your-api-key -- npx -y @whisper-security/whisper-graph-mcp
Self-hosting this repo is for teams who want to run the MCP layer in their own environment. See How to set up.
Agent quickstart
Get a working API key in two HTTP calls — no browser, no CAPTCHA, no waiting list.
Step 1 — start signup (Whisper emails a verification code):
POST https://console.whisper.security/api/signup
Content-Type: application/json

{"email":"your-agent@example.com","attribution":{"agent_name":"your-agent","source":"<registry-name>"}}
Step 2 — verify with the emailed code:
POST https://console.whisper.security/api/signup/verify
Content-Type: application/json

{"signup_id":"...","code":"..."}
The response contains api_key, mcp_url, dashboard_url, and docs_url. Use api_key in the MCP config snippet above. Full docs: whisper.security/docs/agent-signup.
Tools
All six tools are read-only.
| Tool | What it does |
| query | Execute a Cypher query against WhisperGraph. Validated against a safety rule set before it reaches the backend. |
| list_labels | List every node label with counts. Call it before writing a query when you're unsure which label to anchor on. |
| describe_label | Confirm a label exists and enumerate its property keys. |
| explain_indicator | Threat assessment for an IP, hostname, CIDR, or ASN — score, level, factors, sources. |
| whisper_history | Historical WHOIS or BGP data for an indicator. |
| domain_variants | Typosquatting / brand-protection variants of a domain, checked against the graph. |
Resources
Six MCP resources: the full schema, the relationship map, a Cypher function reference, a query cookbook, plus live whisper://stats and whisper://quota.
Prompts
Eight investigation-workflow prompt templates: investigate-ip, map-attack-surface, compare-domains, blast-radius, threat-triage, whois-pivot, bgp-investigation, typosquat-sweep.
Self-hosting (Docker / HTTP)
For remote or team deployments, run the server over Streamable HTTP:
docker run -p 8080:8080 -e MCP_TRANSPORT=http \
  ghcr.io/whisper-sec/whisper-graph-mcp:latest
Or with Docker Compose:
docker compose up
In HTTP mode the server does not authenticate inbound requests — it relays the
caller's X-API-Key or Authorization: Bearer header to the hosted WhisperGraph
API, falling back to the WHISPER_API_KEY environment variable when no header is
present. Put it behind your own gateway if you need access control.
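One way to put that access control in front of the HTTP transport, as an added example that is not part of the WhisperGraph repository: a small Node gateway that checks a caller token in constant time and strips Authorization and X-API-Key before forwarding, so the server falls back to its own WHISPER_API_KEY. GATEWAY_TOKENS, UPSTREAM and port 9090 are assumptions of this example, not WhisperGraph settings.

```javascript
const http = require("node:http");
const nodeCrypto = require("node:crypto");

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Decide whether a request may pass and which headers are forwarded upstream.
function authorize(headers, allowedTokens) {
  const m = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  if (!m) return { status: 401, forward: null };
  const presented = sha256(m[1]);
  // Compare fixed-length digests in constant time; check every token, no early exit.
  let ok = false;
  for (const token of allowedTokens) {
    if (nodeCrypto.timingSafeEqual(presented, sha256(token))) ok = true;
  }
  if (!ok) return { status: 403, forward: null };
  // Drop the gateway credential and any caller-supplied X-API-Key so the MCP
  // server uses its WHISPER_API_KEY fallback instead of relaying caller input.
  const forward = { ...headers };
  delete forward["authorization"];
  delete forward["x-api-key"];
  return { status: 200, forward };
}

// Binds to loopback only; expose it through your TLS terminator.
function startGateway({ tokens, upstream, port }) {
  const target = new URL(upstream);
  return http.createServer((req, res) => {
    const verdict = authorize(req.headers, tokens);
    if (verdict.status !== 200) return res.writeHead(verdict.status).end();
    const proxied = http.request({
      hostname: target.hostname, port: target.port, path: req.url,
      method: req.method, headers: { ...verdict.forward, host: target.host },
    }, (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); });
    proxied.on("error", () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(proxied);
  }).listen(port, "127.0.0.1");
}

// GATEWAY_TOKENS (comma-separated) and UPSTREAM are this example's own variables.
if (process.env.GATEWAY_TOKENS) {
  startGateway({
    tokens: process.env.GATEWAY_TOKENS.split(","),
    upstream: process.env.UPSTREAM || "http://127.0.0.1:8080",
    port: 9090,
  });
}
```

For the gateway to be the only way in, publish the container port on loopback (for example `-p 127.0.0.1:8080:8080`) so the unauthenticated transport is not reachable directly.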
Configuration
All configuration is via environment variables.
Variable | Default | Description |
| (none) | Your WhisperGraph API key. Get one programmatically in 2 HTTP calls or via the dashboard. |
|
|
|
|
| Bind host for the HTTP transport. |
|
| Bind port for the HTTP transport. |
| (none) | Comma-separated |
|
| Base URL of the hosted WhisperGraph API. |
|
| Hard per-query deadline forwarded to the API. |
|
| HTTP timeout for non-query calls. |
|
|
|
Development
npm install
npm run dev # run from source over stdio
npm test # unit + integration tests (no secrets needed)
npm run build # bundle to dist/
npm run lint # eslint
npm run typecheck # tsc --noEmit
Contributing
Contributions are welcome. See CONTRIBUTING.md and our Code of Conduct. Security issues: see SECURITY.md.
License
Apache-2.0. "Whisper", the Whisper logo, and "WhisperGraph" are trademarks of Whisper Security — see NOTICE.