Sharing infrastructure-pivot Cypher patterns we use during investigations (46B-node graph, free tier)
We've been running a graph of public internet infrastructure as a research tool for the last ~3 years. 46B data points and 39B edges spanning DNS resolution, BGP routing, WHOIS registration, hosting, and GeoIP, plus 39 threat-intel feeds wired in. Today we opened it as an MCP server so analysts can query it from Claude, Cursor, or any MCP-compatible client.
What it does: ask infrastructure questions in plain English (or Cypher) and get traversal-grade answers in one round trip. Pivot from a suspicious hostname to its IPs, ASN, prefix, co-tenants, and registration history in a single agent turn. Audit per-edge evidence behind any threat score. Track BGP route changes within 5 seconds of them happening.
30-day free trial, no credit card, no query limits during the trial, full graph access. The trial is meant to be real working time, not a teaser.
The pivot I use most often: from a suspicious hostname to every other hostname that has ever shared an IP with it. In a traditional REST stack that's resolve, pull passive DNS, fan out, dedupe, score. Five calls minimum, and the agent's context window gets shredded by call three. In Cypher it's one round trip:
// Anchor on the target and walk to every IP it resolves to.
MATCH (start:HOSTNAME {name: "your-target.com"})-[:RESOLVES_TO]->(ip:IPV4)
// Fan back out to every other hostname resolving to any of those IPs.
MATCH (sibling:HOSTNAME)-[:RESOLVES_TO]->(ip)
WHERE sibling <> start
RETURN sibling.name, ip.name
LIMIT 25
Tested live against six domains: 140 ms to 275 ms across the full graph.
Two caveats worth naming before you try it:
The pivot returns hostnames that share infrastructure, not hostnames that behave alike. A CDN edge IP (CloudFront, Fastly) returns hundreds of co-tenants with no relationship to the target. Filter on ASN, prefix age, or threat-feed presence to pull signal out of that noise.
Targets that own their infrastructure (large enterprises with their own ASN) return zero co-tenants. Absence is itself a signal; the graph makes it legible. We just ran news.ycombinator.com against the same pattern and it returned one IP on M5HOSTING (AS21581). Boutique-hoster signature.
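Here is the co-tenant pivot with the first caveat built in. This is an added example, not a query from the original post or from the product's template library. HOSTNAME, IPV4, RESOLVES_TO and the `name` property are taken from the post; the PREFIX, ASN and FEED labels, the IN_PREFIX, ANNOUNCED_BY and FLAGGED_BY relationships, and the `number` property on ASN are assumed names that stand in for whatever the real schema calls them. The idea is to count how many hostnames sit on each IP before fanning out, drop the IPs that look like shared edges, and rank what is left by threat-feed presence so the analyst sees flagged siblings first:

```cypher
// Added example, not from the original post. HOSTNAME, IPV4 and RESOLVES_TO
// come from the post; PREFIX, ASN, FEED, IN_PREFIX, ANNOUNCED_BY, FLAGGED_BY
// and asn.number are ASSUMED schema names.
MATCH (start:HOSTNAME {name: "your-target.com"})-[:RESOLVES_TO]->(ip:IPV4)
MATCH (ip)-[:IN_PREFIX]->(pfx:PREFIX)-[:ANNOUNCED_BY]->(asn:ASN)
// Count tenants per IP before fanning out. A CDN or shared-hosting edge has
// hundreds or thousands; drop those so they do not drown the result set.
WITH start, ip, pfx, asn,
     size([(h:HOSTNAME)-[:RESOLVES_TO]->(ip) | h]) AS tenants
WHERE tenants <= 500   // threshold is a judgement call, tune it per case
MATCH (sibling:HOSTNAME)-[:RESOLVES_TO]->(ip)
WHERE sibling <> start
// Carry the per-sibling feed evidence so the ranking is auditable, not a score.
OPTIONAL MATCH (sibling)-[:FLAGGED_BY]->(feed:FEED)
WITH sibling, ip, pfx, asn, tenants, collect(DISTINCT feed.name) AS feeds
RETURN sibling.name AS hostname,
       ip.name      AS ip,
       asn.number   AS asn,
       pfx.name     AS prefix,
       tenants      AS cotenants_on_ip,
       feeds
ORDER BY size(feeds) DESC, cotenants_on_ip ASC
LIMIT 25
```

The second caveat falls out of the same query: a target on its own ASN with no other tenants simply returns no rows, which is the "absence is a signal" case. If you want the anchor row back even when there are no siblings, turn the second MATCH into an OPTIONAL MATCH and check for a null `hostname` column.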
Other patterns that have been useful:
- whisper.explain(identifier) returns the per-edge evidence chain behind any threat score: which feed, which signal, which timestamp. Not a composite ML number. Lets you audit the score before pivoting on it.
- BGP feed aggregated from ~1200 peers (RIPE RIS, RouteViews, plus our own sessions). Route changes propagate into the graph in under 5 seconds. Useful for tracking infrastructure rotation during an investigation in real time, not the next-morning snapshot.
- The MCP wrapper lets agents chain pivots: this domain, to its IPs, to the reputation of their ASN, to the other prefixes that ASN announces, to fresh registrations on those prefixes, all in a single agent turn instead of dozens of API calls.
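The chained pivot from the last bullet, written out as one traversal. This is an added example, not a query from the original post. HOSTNAME, IPV4 and RESOLVES_TO are from the post; PREFIX, ASN, IN_PREFIX, ANNOUNCED_BY, `asn.number` and a WHOIS-derived `registered` date property on HOSTNAME are assumed names, and the 30-day window for "fresh" is an arbitrary choice for the example:

```cypher
// Added example, not from the original post. Assumed names: PREFIX, ASN,
// IN_PREFIX, ANNOUNCED_BY, asn.number, and hostname.registered (a WHOIS
// creation date stored as a Cypher date).
// Hops 1-2: seed hostname -> its IPs -> the prefix -> the origin ASN.
MATCH (seed:HOSTNAME {name: "your-target.com"})-[:RESOLVES_TO]->(:IPV4)
      -[:IN_PREFIX]->(:PREFIX)-[:ANNOUNCED_BY]->(asn:ASN)
// Hop 3: every other prefix the same ASN announces.
MATCH (other:PREFIX)-[:ANNOUNCED_BY]->(asn)
// Hops 4-5: hostnames resolving into those prefixes that were registered
// recently. Infrastructure rotation by the same actor tends to show up here.
MATCH (fresh:HOSTNAME)-[:RESOLVES_TO]->(ip:IPV4)-[:IN_PREFIX]->(other)
WHERE fresh <> seed
  AND fresh.registered IS NOT NULL
  AND fresh.registered >= date() - duration({days: 30})
RETURN DISTINCT asn.number      AS asn,
                other.name      AS prefix,
                fresh.name      AS hostname,
                fresh.registered AS registered,
                ip.name         AS ip
ORDER BY registered DESC
LIMIT 50
```

On a large hosting or cloud ASN the hop-3 fan-out is enormous, so in practice you bound it the same way as the co-tenant pivot: count prefixes per ASN first, or restrict `other` to prefixes first seen in the BGP feed within the investigation window, before walking into hostnames.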
Background, since this sub fairly asks. I'm Kaveh Ranjbar, ex-ICANN Board, ran K-root, 15 years at RIPE NCC. My co-founder Soroush and I built this because we got tired of stitching DNS to BGP to WHOIS to GeoIP across multiple sources during real investigations.
Known limits worth knowing:
- Multi-hop queries land in 150 ms to 400 ms, not microseconds. Single-anchor lookups are much faster.
- WHOIS coverage is partial in some ccTLDs.
- Threat scoring exposes per-edge evidence; no composite black-box score.
Install instructions and the two-minute MCP setup are in the first comment below.
Curious what infrastructure-pivot patterns folks here use that aren't well-served by existing tools. We're building Cypher templates from real analyst workflows, so weird or specific pivots are the most useful feedback.