embed.whisper.online · for device makers & product-security teams

Your device cloud, your PSIRT, your SIEM, and the extracted credential still speaks for your fleet.

It never breaks anything. It presents a credential your own factory flashed, so device auth sees a device; it rotates across Amazon, Google and Azure, so your SIEM correlates a meaningless last IP; and by the time PSIRT has an advisory, the poisoned telemetry is in your data products and the copied units are on the market. Two capabilities are missing from every connected-device program, and neither of them is a new console.

We ship both as a feed. Durable attribution that survives IP rotation, and post-auth identity where the address is the device. Mapped to the EU CRA, IEC 62443, EN 303 645/PSTI and 802.1AR; fail-open in your auth path; on-prem; flat per device. Additive depth on the stack you already run, never another silo.

whisper verify --trustless · anchored at the IANA DNS root. Our own API is not in the trust path.

Splunk, Microsoft Sentinel & OpenCTI SIEM connectors ship today
STIX 2.1 signed, replayable findings: CEF/ECS today, TAXII export on the roadmap
EU CRA evidence mapped to the regulation your roadmap already answers to
fail-open a Whisper outage never bricks a device in the field
per-device flat pricing: not per-message, forecastable at BOM time
on-prem graph & per-device logs stay in your jurisdiction

No layer of your program is wrong. The attack is engineered to fall in the seams between them.

You put a secure element on the BOM, stood up device auth in the cloud, ran a PSIRT, and route it all into the SIEM. Here is what each layer sees when a device-impersonation campaign runs, and why the fleet still gets worn like a mask.

DEVICE AUTH · CLOUD

A genuine credential, wrong holder

The extracted key or cert is real, so enrollment and auth say yes. Nothing anomalous fires until the impersonation is already at scale, because to the cloud the impostor is a device.

SIEM · CORRELATION

A last IP that means nothing

Egress hops Amazon → Google → Azure, or a residential-proxy swarm, every few requests. Each event carries a fresh source IP, so correlation across them yields a rotating fog, and a block on noise.

PSIRT · RESPONSE

An advisory after the harvest

By the time the pattern is triaged, the poisoned telemetry is in your data products, the credential is republished, and the only fix on the table is the one you can't do: rotate a secret soldered into the field.

Two structural gaps live in that seam, and every connected-device program shares both. Close them and the attack has nowhere left to stand.

Strip the incident down and it isn't a hundred bugs. It's two.

Both are the kind a red-teamer names on sight, not a compliance checkbox. Here they are, and here's exactly how each closes.

Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So you block noise while the operator keeps working.

The answer: the graph. A live internet-infrastructure graph, 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms, fingerprints the operator, not the IP. For cloud rotation the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm, a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your SOC, your auditors and a regulator can replay.

"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them, or just rate-limit an IP and move on?"

Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on, and every finding lands in your SIEM as a reproducible, replayable evidence chain, not a hunch.

Gap 2 · a credential that can be copied will be copied

A shared key or an extracted per-device cert is a valid credential. Behaviorally it's a device. Nothing at the perimeter separates the copy from the original, because they are byte-identical, and flash memory is not a vault.

The answer: identity. Bind the session to the device's own forge-proof /128: an address derived from the IDevID key already sealed in the secure element, one the device can prove by signing and no dump can extract. A copied credential without the chip behind it simply fails, and the failure is a first-class, loggable event your PSIRT can act on.

"An extracted credential is byte-identical to the real device's; how do you catch abuse that passes auth?"

You bind authority to the silicon, not the string. The device proves control by signing with the key that never leaves the secure element, checked against a DANE-EE pin anyone can read from public DNS. A request that passes auth but can't sign never had authority in the first place.

Gap 1 is detection made durable. Gap 2 is the root cause. Both arrive where your analysts already work; read on for the wiring.

Three planes on one primitive, and all three exit into the stack you already run.

The primitive is one line: the address is the identity: a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), DNSSEC-anchored, DANE-EE pinned, verifiable by anyone with dig. Point it at your fleet and you get three planes, no new silo.

Identity

Each device's /128 is derived from the 802.1AR IDevID key it already holds in its secure element, with the device serial or EUI-64 as the domain separator. The backend authorizes on the device's pinned identity, not a copyable artifact. Who is this, provably.

Attribution graph

The operator fingerprint across rotating clouds and residential proxies, infrastructure genealogy plus JA4/JA3, with a reproducible evidence chain on every answer. Who's really behind this, when the IP rotates.

Device governance

Every gateway and edge agent egresses from its own /128; every query and connection logged per-device; a graph-first resolver enforces default-deny policy per query; one revoke and a kill-switch. What may talk to what.

Additive to what you already ship; it does not replace it. Whisper complements the anchors you already trust: the secure element on the BOM, the X.509 device certificate your cloud already issues over mTLS (where the cloud vendor is the CA and device registry), 802.1AR IDevID and BRSKI onboarding where you run them. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top: it adds an identity a regulator, a partner, or a customer's auditor can verify outside that cloud's tenancy, without the vendor's account, plus per-device egress attribution from the device's own /128. One leaf key per identity, never a shared root: compromise one device and you've compromised that device, not the fleet. And it rides the standards track your architects already follow: the IETF DANCE work makes a device's DNS name and DANE-TLSA record its TLS client credential; Whisper's identity plane is that model, live.

Findings arrive where your analysts already work, as evidence, not another alert to babysit.

Every attribution and identity finding is a reproducible, replayable JSON evidence chain. It fans out into your SIEM, into a form your peers can ingest, and into the artifacts your certification file needs, from the same object.

Attribution graph operator · JA4 · genealogy Identity plane /128 · DANE-EE · verify Evidence chain signed · replayable JSON Your SIEM Splunk (CIM) · Sentinel (KQL) CEF / ECS · STIX 2.1 roadmap Peer sharing your ISAC / partner channels machine-readable, not a PDF Compliance evidence EU CRA · 62443 · EN 303 645 file it, don't screenshot it one object · three destinations · no new silo
The same signed evidence chain drives your SOC, your peer sharing, and your compliance file. Nothing is retyped, and nothing is a screenshot.
a finding: the STIX 2.1 shape (TAXII export on the roadmap)
# STIX 2.1 sighting: one operator behind a rotating egress
{
  "type": "sighting", "spec_version": "2.1",
  "sighting_of_ref": "indicator--device-impersonation",
  "count": 41,                          # 41 exit IPs → 1 operator
  "x_whisper_operator": "<fingerprinted>",
  "x_whisper_ja4": "t13d1516h2_8daaf6152771_…",   # tooling, not exit
  "x_whisper_scope": { "distinct_devices": 3412,
            "window": "15m" },
  "x_whisper_evidence": "https://verify… (signed, replayable)"
}

# the matching Microsoft Sentinel analytics rule: one line of KQL
# WhisperFindings | where OperatorConfidence > 0.9 | where DistinctDevices > 25

The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map cleanly onto CEF and ECS fields, with STIX 2.1 over TAXII export on the roadmap; a Splunk CIM mapping and a sample Sentinel analytics rule ship in the docs. For PSIRT, a finding is not a raw alert: it is an attributed operator plus a signed evidence chain your triage can act on, and hand to a regulator, or a customer whose fleet you run, unchanged.

And the raw material is already on your side of the wire: the per-/128 egress logs, every query and connection a device made, keyed to its own address, together with the attribution graph are ready-made continuous-monitoring and forensics evidence for the EU CRA's vulnerability-handling and incident-reporting duties, and the per-device record IEC 62443's identification controls presuppose. Continuous monitoring and post-incident forensics come out of the same signed object your SIEM already ingests, not a second collection you have to stand up.

In your auth path, and safe there

If your backend authorizes against the DANE/verify path, that plane is built to fail open. A Whisper outage never bricks a device: the check degrades to the anchors you already ship, and connectivity is preserved. Conservative in what we emit, liberal in what we accept: a device is never denied because we were unreachable, and a fielded product doesn't wait for anyone's uptime.

Device request telemetry · OTA · command Backend checks identity is Whisper reachable? reachable Bind to the device's /128 · DANE + verify identity-enforced: impostor sessions fail unreachable Fail open → your existing anchors vendor mTLS · secure element: connectivity preserved
Anycast on AS219419, no single node in the path. When the identity plane is reachable it hardens auth; when it isn't, it steps aside: a Whisper outage degrades to your anchors, never a bricked device.

Mapped to the EU CRA, IEC 62443, EN 303 645/PSTI and 802.1AR, as evidence you can file, not a dashboard you screenshot.

Every capability lands on a clause and produces an artifact. The timing matters: the EU Cyber Resilience Act entered into force in December 2024 and its main obligations apply from 11 December 2027, which is inside the design cycle of hardware you're speccing now. The program you evidence today is the CE-marking file you submit then.

CapabilityFramework / clauseEvidence artifact
Per-device identity from a hardware root of trust, no shared secrets shippedEU CRA essential requirements (secure by default) · ETSI EN 303 645 §5.1 / UK PSTI (no universal default passwords)Identity register · DANE-EE pin per device · verify transcript
Post-auth identity binding (the device co-signs)IEC 62443-4-2 identification & authentication controls · IEEE 802.1ARDANE-EE pin · signed verify evidence
Attributed operator across rotating infrastructureEU CRA vulnerability-handling & incident-reporting dutiesSigned, replayable evidence chain · STIX 2.1 sighting export (roadmap)
Per-device revocation at DNS-TTL, owner-thrownEU CRA security-update & end-of-support handling · IEC 62443 lifecycleRevoke log, publicly checkable in DNS
Per-device egress logs + default-deny policyIEC 62443 network segmentation intent · NIST IR 8259A device-security baselinePer-/128 query & connection logs · policy snapshots
For medical-adjacent devices: monitoring + SBOM-era postmarket dutiesFDA §524B cyber-device requirements (premarket since Oct 2023)Continuous-monitoring record · attributable device telemetry
on the roadmap: STIX 2.1 export, shareable to your sector channel
# ROADMAP: STIX 2.1 (JSON) export · the shape a finding will take
{
  "framework": "stix-2.1",
  "findings": [
    { "pattern": "device-impersonation",
      "operator": "<fingerprinted>", "distinct_devices": 3412,
      "evidence": "signed · replayable",
      "cra_ref": "vulnerability handling / incident report",
      "iec62443_ref": "identification & authentication control" }
  ]
}
# hand it to your peers and your sector ISAC unchanged: machine-readable, not a PDF

Usable in your risk assessment and your certification file, and shareable in whatever cross-industry channel you already sit in. Note the honest labels: the connectors that ship today are Splunk, Sentinel and OpenCTI; STIX/TAXII is roadmap; and the per-platform device SDKs are phase-2 items, each labelled as such in the docs. See the full mapping in the docs →

On-prem or your own tenant, and a vendor whose own posture survives your review.

Data residency & sovereignty by construction

Run the graph and the per-device logs on-prem or in your own tenant, in the jurisdiction your regulator requires. Nothing about your fleet leaves where you put it; there is no shared multi-tenant lake your telemetry lands in by default.

No external dependency on the hot path

Resolution, identity verification and RDAP are answered by self-contained nodes: no chatty third-party call at serve time. If an upstream is slow or down, we fail open and keep serving. That's an availability property your assessors can test, not a promise.

A minimal, published attack surface

Standard ports, standard tooling (dig, kdig, curl), and a wire format that is strict in what it emits and liberal in what it accepts. The identity primitive is verifiable without trusting us: whisper verify --trustless anchors at the IANA root.

Real address space, operated as such

The identities live in production IPv6 (2a04:2a01::/32, AS219419) that we announce and run. This isn't a lab allocation: it's registry-anchored, RDAP-resolvable space, treated with the discipline that implies.

Priced so you can forecast it at BOM time, from infrastructure built to outlast consoles.

And the timing isn't yours to choose. The EU Cyber Resilience Act obliges every maker of products with digital elements to ship secure-by-default and handle vulnerabilities for the support period, with main obligations from 11 December 2027; EN 303 645 and the UK PSTI Act have already outlawed the default-password era. That is the procurement forcing function: the regulations make you prove device identity and control connectivity; Whisper is the layer that makes both a checkable network fact.

Flat, predictable pricing

Per-device per-year and flat: not per-message, not per-MB, not usage-metered. Against always-on telemetry economics that's a line item you can put in the unit economics before the product ships. See pricing →

ROI your CFO can read

Analyst-hours saved not correlating disposable IPs. Incident blast radius cut when a compromised device is one revoke, not a fleet-wide credential rotation you cannot physically perform. A recall-grade impersonation incident avoided is the whole year's budget.

Identity that outlives consoles

Devices live 10–20 years; consoles don't. Whisper anchors identity in public DNS and registered address space, run by people who ran the internet's regional address registry and operated one of its root DNS servers: built to outlast the question.

Feeds the SIEM you already run

Depth on top of the stack you own: a machine-readable feed that makes your SIEM and threat intel sharper. It doesn't replace them, and it doesn't add a console your analysts babysit. See the full comparison →

Spec it into your supply chain

Write Whisper identity into your module and ODM specifications so every sourced gateway and radio module ships identity-ready from the supplier: the secure element is already on the BOM; this is what it's for.

A procurement path with an off-ramp

Keyless POC today: verify and attribute with no account, no contract, no risk. Then a paid pilot on one product line, then enterprise across the fleet. Every stage is verifiable before the next, because our API is never in the trust path.

Don't take our word for it; our API isn't in the trust path.

Two tiers, by design. No key: anyone on your team can verify a device's identity, trustless, anchored at the IANA root. Your key: back-trace a suspicious host through the graph API, provision a device, govern its egress, feed the findings into your SIEM, and revoke it worldwide.

verify a device: keyless · attribute a host: graph API
# keyless: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# who really operates a suspicious host: the public graph API (with your key)
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
provision, govern & hand your SOC the evidence: with your key
# give a device a name it can prove, and wire the findings into your stack
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper logs 2a04:2a01:1c0::e51d                            # per-/128 evidence for your SOC
# STIX/TAXII → your SIEM: on the roadmap; Splunk/Sentinel/OpenCTI ship today
$ whisper revoke 2a04:2a01:1c0::e51d                          # owner-thrown, publicly verifiable

Additive to your stack. Mapped to your standards. Priced so you can say yes.

Durable attribution and post-auth identity, fed into the SOC, PSIRT and SIEM you already run: on-prem, mapped to the EU CRA / IEC 62443 / EN 303 645 / 802.1AR, from infrastructure built to outlast the console era. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.