# Compare: honest, additive, and checkable before the contract

> Azure IoT DPS and AWS IoT enroll devices into one cloud; Matter's DAC attests
> provenance at commissioning; SPIFFE names workloads in a trust domain you
> operate; secure elements hold the key. Whisper is the layer that joins them
> to the public internet: an identity any third party verifies keylessly,
> revocation at DNS-TTL speed, a routable /128 with governed egress, and
> anchors that outlive any console.

- **2 gaps**: the two seams every device-impersonation attack walks through, both closed here
- **0** rip-and-replace: Whisper sits on top of your device cloud and SIEM
- **keyless**: any third party verifies a device with dig, RDAP and DANE; no tenant, no account
- **TTL**: revocation lands worldwide at DNS-TTL speed; no CRL/OCSP soft-fail
- **flat**: per-device, per-year; not per-message, not usage-metered

---

## The two seams

### Gap 1 · you can't follow them when the IP rotates

Known-indicator threat intel matches what's *already known*; a just-spun cloud
IP and a residential-proxy swarm are, by definition, not yet in anyone's feed.
**Only Whisper closes it:** a live internet-infrastructure graph,
**7.44B** nodes and **39.3B** relationships,
fingerprints the *operator*: infrastructure genealogy for cloud rotation, a
`JA4/JA3` client fingerprint for residential swarms, a replayable evidence
chain on every answer.

### Gap 2 · a credential that can be copied will be copied

Cloud device auth verifies *an artifact*: a key, a cert chain. Extract it from
one unit's flash and the copy is byte-identical to the original. And
revocation, when you finally need it, rides CRL/OCSP machinery most verifiers
silently soft-fail past. **Only Whisper closes it:** the device's /128 derives
from the IDevID key sealed in its secure element; the device proves control by
*signing*, checked against a public DANE-EE pin. Not detected late;
*structurally impossible*.

---

## vs cloud DPS (the one real overlap)

Azure IoT Hub DPS and AWS IoT fleet provisioning (JITP/JITR) are the state of
the art for X.509 enrollment at manufacturing scale. Use them. The identity
they establish is *tenant-scoped*: only that cloud can verify it, revocation is
that cloud's registry plus CRL/OCSP semantics, and the identity's lifetime is
bounded by the service's, a bound that stopped being hypothetical when Google
Cloud IoT Core retired in August 2023.

| Capability | Azure DPS / AWS IoT | Whisper |
|---|---|---|
| X.509 enrollment into that vendor's cloud at manufacturing scale | ✓ | *complements it* |
| Identity a third party verifies without a tenant account (dig / RDAP / DANE) | – | ✓ |
| Revocation at DNS-TTL, worldwide, no CRL/OCSP soft-fail | – | ✓ |
| The identity is a routable network endpoint (/128) with WireGuard egress | – | ✓ |
| Attribute an operator across cloud rotation (`JA4/JA3`) | – | ✓ |
| Identity survives the platform being retired | – | ✓ public DNS + registered space |
| Trustless verification: no need to trust the vendor's API | – | ✓ |
| Pricing model | per-message / per-operation | flat, per-device / year |

> **"DPS already gives every device a unique X.509 identity. What do I need you for?"**
> For everyone who isn't your cloud. The DPS identity authenticates the device
> *to one tenant*. Your partners, your customers' auditors, a peer's backend, a
> researcher who found your device in a botnet: none of them can check it. The
> Whisper /128 is the same device's *public* identity. Run both: enrollment
> stays exactly where it is.

## The rest of the landscape, honestly

| Capability | Matter DAC / DCL | SPIFFE / SPIRE | TPM / secure elements | Whisper |
|---|---|---|---|---|
| Device provenance attestation at commissioning | ✓ in-fabric | – | the root it rests on | *complements it* |
| Workload identity inside your own clusters | – | ✓ | – | *complements it* |
| Holds the device key in hardware | uses one | – | ✓ their whole job | *derives from it* |
| Operational identity a third party verifies on the public internet, keyless | – | trust-domain-scoped | – | ✓ |
| Revocation at DNS-TTL, worldwide | DCL updates | in-mesh only | – | ✓ |
| The identity is a routable address with governed egress | – | – | – | ✓ |
| Live attribution across rotating clouds + residential | – | – | – | ✓ |

**Read the rows as a division of labor.** Matter's DAC answers "was this device
made by whom it claims" *at commissioning, inside the Matter fabric*; Whisper
answers "is this network endpoint that device" *for the rest of its life, to
anyone on the internet*. SPIFFE/SPIRE is excellent workload identity *inside a
trust domain you operate*; a fielded device on someone's home network is
exactly what a trust domain isn't. And the secure-element vendors are the
foundation, not the competition: the ATECC608s, SE050s and OPTIGAs on your BOM
hold the key Whisper's derivation starts from.

**The one thing none of them offer:** every tool here, you must trust. Ours,
you don't have to. `whisper verify --trustless` checks the core claim against
the IANA DNS root with our own API deliberately outside the trust path.

---

## Where we don't play, and the limits we state

- **Silicon & firmware security**: secure boot, TrustZone, glitch hardening; that's the die and the firmware, it runs below us, and we never touch it.
- **SBOM & compliance automation**: the binder and the build; Whisper produces evidence *for* that process, it isn't that process.
- **The device cloud itself**: telemetry, twins, OTA orchestration; Whisper doesn't store your telemetry and doesn't move your firmware.

**And the limitations, stated plainly:** the device needs IPv6 routability, or
the gateway / egress-proxy path where carrier-grade NAT is the reality; the
smallest clients (8-bit MCUs) can't run TLS and work through a gateway, full
stop; the key belongs in a secure element, not in flash; DoH and DANE
verification are real work for the tightest RTOS budgets, which is why the
per-platform SDKs are labelled roadmap rather than hand-waved; and Whisper is
additive and **fails open**, so it hardens your auth path without ever becoming
the thing that bricks a fleet.

---

## Why additive is the safe bet

- **A feed, not another console**: Splunk, Sentinel and OpenCTI connectors today; CEF/ECS; STIX 2.1 over TAXII on the roadmap.
- **Speaks your compliance language**: EU CRA, IEC 62443, EN 303 645/PSTI, 802.1AR.
- **Flat, forecastable TCO**: per-device/year; no meter that spikes mid-incident. [See pricing →](/pricing)
- **On-prem or your own tenant**; the identity plane fails open.
- **Built to outlast consoles**: real routable space (AS219419), public DNS, open standards, run by people who ran the internet's regional address registry and operated one of its root DNS servers.
- **Keyless to prove, one call to adopt**: the claim is checkable before the contract.

> **"Will this still verify in fifteen years, and is my fleet's data yours?"**
> Public anchors, your tenant, your call. The identity's anchors are DNSSEC at
> the IANA root, RDAP, and registered address space. We hold no device
> telemetry; the identity plane fails open; and the trustless verify path means
> anyone can audit the core claim without trusting us at all.

Bring your devices home → <https://console.whisper.security/sign-up> · [For device makers →](/for-device-makers)

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
