# For device makers & product-security teams

> Your device cloud, your PSIRT, your SIEM, and the extracted credential still
> speaks for your fleet. We ship the two missing capabilities as a feed:
> durable attribution that survives IP rotation, and post-auth identity where
> the address is the device. Mapped to the EU CRA, IEC 62443, EN 303 645/PSTI
> and 802.1AR; fail-open in your auth path; on-prem; flat per device.

- **Splunk**, Microsoft Sentinel & OpenCTI SIEM connectors ship today
- **STIX 2.1** signed, replayable findings: CEF/ECS today, TAXII export on the roadmap
- **EU CRA** evidence mapped to the regulation your roadmap already answers to
- **fail-open**: a Whisper outage never bricks a device in the field
- **per-device** flat pricing: not per-message, forecastable at BOM time
- **on-prem**: graph & per-device logs stay in your jurisdiction

---

## The attack, mapped to your org

No layer of your program is wrong. The attack is engineered to fall in the
seams between them.

- **DEVICE AUTH (cloud)**: the extracted key or cert is *real*, so enrollment and auth say yes. To the cloud the impostor *is* a device.
- **SIEM (correlation)**: egress hops Amazon → Google → Azure, or a residential-proxy swarm. Each event carries a fresh source IP; correlation yields a rotating fog.
- **PSIRT (response)**: by the time the pattern is triaged, the poisoned telemetry is in your data products, and the only fix on the table is the one you can't do: rotate a secret soldered into the field.

## The two gaps

### Gap 1 · you can't follow them when the IP rotates

**The answer: the graph.** A live internet-infrastructure graph,
**7.44B** nodes and **39.3B** relationships of
fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under
300 ms, fingerprints the *operator*, not the IP. Cloud rotation collapses into
one infrastructure genealogy; a residential swarm collapses on a `JA4/JA3`
client fingerprint. Every answer returns a reproducible evidence chain your
SOC, your auditors and a regulator can replay.

### Gap 2 · a credential that can be copied will be copied

**The answer: identity.** Bind the session to the device's own forge-proof
**/128**: an address derived from the IDevID key sealed in the secure element,
one the device can prove by signing and no dump can extract. A copied
credential without the chip behind it simply *fails*, and the failure is a
first-class, loggable event your PSIRT can act on.

---

## What you're actually buying

Three planes on one primitive (**the address is the identity**), and all three
exit into the stack you already run:

1. **Identity**: each device's /128 derived from its 802.1AR IDevID key, serial/EUI-64 domain-separated. *Who is this, provably.*
2. **Attribution graph**: the operator fingerprint across rotating clouds and residential proxies. *Who's really behind this.*
3. **Device governance**: per-device /128 egress, per-device logs, default-deny policy, one `revoke`. *What may talk to what.*

**Additive, never a replacement.** Whisper complements the secure element on
the BOM, the X.509 device certificate your cloud already issues over mTLS,
802.1AR IDevID and BRSKI onboarding where you run them. It adds an identity a
regulator, a partner, or a customer's auditor can verify *outside* that cloud's
tenancy, plus per-device egress attribution. One leaf key per identity, never a
shared root. And it rides the standards track your architects already follow:
the IETF DANCE work makes a device's DNS name and DANE-TLSA record its TLS
client credential; Whisper's identity plane is that model, live.

---

## Into your SOC and PSIRT, not around them

Every attribution and identity finding is a reproducible, replayable JSON evidence
chain. It fans out into your SIEM (Splunk CIM, Sentinel KQL; CEF and ECS
fields), into peer sharing, and into your compliance file, from the same
object.

```
# STIX 2.1 sighting: one operator behind a rotating egress (TAXII export: roadmap)
{
  "type": "sighting", "spec_version": "2.1",
  "sighting_of_ref": "indicator--device-impersonation",
  "count": 41,
  "x_whisper_operator": "<fingerprinted>",
  "x_whisper_ja4": "t13d1516h2_8daaf6152771_…",
  "x_whisper_scope": { "distinct_devices": 3412, "window": "15m" },
  "x_whisper_evidence": "https://verify… (signed, replayable)"
}
```

**The Splunk, Microsoft Sentinel and OpenCTI connectors ship today**; STIX 2.1
over TAXII is on the roadmap. And the raw material is already on your side of
the wire: per-/128 egress logs plus the attribution graph are ready-made
continuous-monitoring and forensics evidence for the EU CRA's
vulnerability-handling and incident-reporting duties.

**In your auth path, and safe there.** If your backend authorizes against the
DANE/verify path, that plane is built to **fail open**: a Whisper outage never
bricks a device; the check degrades to the anchors you already ship. Anycast on
AS219419, no single node in the path.

---

## Mapped to your standards

| Capability | Framework / clause | Evidence artifact |
|---|---|---|
| Per-device identity from a hardware root of trust, no shipped shared secrets | EU CRA essential requirements (secure by default) · ETSI EN 303 645 §5.1 / UK PSTI | Identity register · DANE-EE pin per device · verify transcript |
| Post-auth identity binding (the device co-signs) | IEC 62443-4-2 identification & authentication · IEEE 802.1AR | DANE-EE pin · signed verify evidence |
| Attributed operator across rotating infrastructure | EU CRA vulnerability-handling & incident-reporting duties | Signed evidence chain · STIX 2.1 export (roadmap) |
| Per-device revocation at DNS-TTL, owner-thrown | EU CRA security-update & end-of-support handling · IEC 62443 lifecycle | Revoke log, publicly checkable in DNS |
| Per-device egress logs + default-deny policy | IEC 62443 segmentation intent · NIST IR 8259A baseline | Per-/128 query & connection logs · policy snapshots |
| Medical-adjacent devices: postmarket monitoring | FDA §524B cyber-device requirements (premarket since Oct 2023) | Continuous-monitoring record · attributable telemetry |

Honest labels: the connectors that ship today are Splunk, Sentinel and OpenCTI;
STIX/TAXII is roadmap; the per-platform device SDKs are phase-2 items, labelled
as such in the docs. [Full mapping →](/docs/embedded-compliance)

---

## Where the data lives, and how we're built

- **Data residency & sovereignty by construction**: the graph and per-device logs run on-prem or in your own tenant.
- **No external dependency on the hot path**: self-contained nodes; if an upstream is slow or down, we fail open and keep serving.
- **A minimal, published attack surface**: standard ports, standard tooling (`dig`, `kdig`, `curl`); the identity primitive is verifiable without trusting us.
- **Real address space, operated as such**: `2a04:2a01::/32` on AS219419, registry-anchored and RDAP-resolvable.

## TCO, longevity, procurement

- **Flat, predictable pricing**: per-device/year; a number for the BOM sheet. [See pricing →](/pricing)
- **ROI your CFO can read**: analyst-hours saved, one `revoke` instead of a fleet-wide rotation you can't physically do, a recall-grade incident avoided.
- **Identity that outlives consoles**: devices live 10-20 years; Whisper anchors identity in public DNS and registered space.
- **Spec it into your supply chain**: write Whisper identity into module and ODM specifications; the secure element is already on the BOM.
- **A procurement path with an off-ramp**: keyless POC → paid pilot on one product line → enterprise across the fleet. Every stage is verifiable before the next.

---

## Prove it in 60 seconds · no account

```sh
# keyless: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted
```

```sh
# provision, govern & hand your SOC the evidence: with your key
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper logs 2a04:2a01:1c0::e51d      # per-/128 evidence for your SOC
$ whisper revoke 2a04:2a01:1c0::e51d    # owner-thrown, publicly verifiable
```

Bring your devices home → <https://console.whisper.security/sign-up> · [See pricing →](/pricing) · [Compare →](/compare)

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
