Labsco
whisper-sec logo

WhisperGraph MCP

β˜… 1

from whisper-sec

Open-source, self-hostable MCP server for WhisperGraph β€” a graph of 7.39B nodes / 39B edges mapping DNS, BGP, GeoIP, WHOIS, and threat intelligence. Six read-only tools (Cypher query + schema introspection + threat assessment), six resources, eight investigation prompts. stdio and Streamable HTTP transports.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedPaid serviceAdvanced setup
<p align="center"> <img src="./assets/whisper-logo.svg" alt="WhisperGraph" width="120" /> </p> <h1 align="center">WhisperGraph MCP Server</h1> <p align="center"> The internet's infrastructure graph for AI agents β€” 46B nodes and edges mapping DNS, IPs, ASNs, BGP, WHOIS, Web links and threat intel. Sign up programmatically in 2 HTTP calls. </p> <p align="center"> <a href="https://www.npmjs.com/package/@whisper-security/whisper-graph-mcp"><img src="https://img.shields.io/npm/v/@whisper-security/whisper-graph-mcp.svg" alt="npm version" /></a> <a href="./LICENSE"><img src="https://img.shields.io/badge/license-Apache--2.0-blue.svg" alt="License: Apache-2.0" /></a> <img src="https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg" alt="Node >= 20" /> </p>

WhisperGraph is an MCP server backed by the world's largest internet-infrastructure graph database β€” 46 billion nodes and edges across 20 entity types, mapping every domain, IP, ASN, prefix, organization, Web link and threat-intelligence listing into a single Cypher-queryable graph. Used by security teams, incident responders, and AI agents for investigation, attribution, brand protection, and infrastructure forensics.

Built for agents from day one.

  • Programmatic signup in 2 HTTP calls. No browser, no CAPTCHA, no human-in-the-loop. Email verification only. Working API key in ~5 seconds.
  • Free trial for everyone, including agents. Paid tiers for higher quotas.

What you can ask:

  • DNS: resolution, nameservers, MX, SPF chains, DNSSEC
  • Routing: ASN ownership, BGP origin history, MOAS conflicts, peering
  • Hosting & ownership: registrar, WHOIS contacts, organization mapping
  • Threat intel: ~40 feeds across 18 categories, CALL explain() for full threat scoring
  • Historical: WHOIS history, BGP route changes
  • Web: 10.9B hyperlinks for inter-domain analysis

Learn more: Agent signup Β· WhisperGraph intro Β· Cypher API reference Β· Query guide Β· Cypher syntax Β· Functions Β· Best practices Β· MCP setup

Tools

All six tools are read-only.

ToolWhat it does
queryExecute a Cypher query against WhisperGraph. Validated against a safety rule set before it reaches the backend.
list_labelsList every node label with counts. Call it before writing a query when you're unsure which label to anchor on.
describe_labelConfirm a label exists and enumerate its property keys.
explain_indicatorThreat assessment for an IP, hostname, CIDR, or ASN β€” score, level, factors, sources.
whisper_historyHistorical WHOIS or BGP data for an indicator.
domain_variantsTyposquatting / brand-protection variants of a domain, checked against the graph.

Resources

Six MCP resources: the full schema, the relationship map, a Cypher function reference, a query cookbook, plus live whisper://stats and whisper://quota.

Prompts

Eight investigation-workflow prompt templates: investigate-ip, map-attack-surface, compare-domains, blast-radius, threat-triage, whois-pivot, bgp-investigation, typosquat-sweep.

Self-hosting (Docker / HTTP)

For remote or team deployments, run the server over Streamable HTTP:

docker run -p 8080:8080 -e MCP_TRANSPORT=http \
  ghcr.io/whisper-sec/whisper-graph-mcp:latest

Or with Docker Compose:

docker compose up

In HTTP mode the server does not authenticate inbound requests β€” it relays the caller's X-API-Key or Authorization: Bearer header to the hosted WhisperGraph API, falling back to the WHISPER_API_KEY environment variable when no header is present. Put it behind your own gateway if you need access control.

Development

npm install
npm run dev       # run from source over stdio
npm test          # unit + integration tests (no secrets needed)
npm run build     # bundle to dist/
npm run lint      # eslint
npm run typecheck # tsc --noEmit

Contributing

Contributions are welcome. See CONTRIBUTING.md and our Code of Conduct. Security issues: see SECURITY.md.

License

Apache-2.0. "Whisper", the Whisper logo, and "WhisperGraph" are trademarks of Whisper Security β€” see NOTICE.