embed.whisper.online · the platform

Your fleet doesn't need another cloud enrollment. It needs an identity it can prove.

Device-security tooling stacks up, an enrollment service here, an anomaly detector there, and none of it stops a credential that was copied out of flash or a source that rotates across three clouds. Whisper isn't another console. It's one primitive, the address is the identity, expressed as three planes that plug into the stack you already run.

Derive a device's identity once from the key already in its secure element; verify it anywhere with dig. That one primitive becomes three planes: identity, an attribution graph that survives IP rotation, and per-device governance, standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.

whisper verify --trustless · anchored at the IANA DNS root. Our own API is not in the trust path.

7.44B nodes in the live attribution graph: BGP, DNS, WHOIS, TLS, hosting, threat intel
39.3B fused relationships across that graph
<300ms attribution answers, kept off the hot path
AS219419 our own autonomous system: real routable space
::/32 2a04:2a01::/32: every identity derives from here
1→3 one primitive, three planes, zero new silos

Everything below derives from one line: the address is the identity.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered: re-derivable and verifiable by anyone with dig.

Most device security starts from an observation, a packet, a log line, a source IP, and tries to infer what's behind it. Whisper starts from the other end: it gives the thing an identity that is its address, cryptographically bound to a key the hardware already holds, and publicly verifiable without trusting the issuer. Point it at a gateway, a sensor hub, an industrial controller, or an edge box running models, and the question "who is this?" stops being an inference and becomes a fact anyone can check. Three products fall out of that one primitive: not three integrations you wire together, three faces of the same address.

One address, three jobs: who is this, who's really behind that, and what may talk to what.

Identity answers who is this, provably. The attribution graph answers who's really behind a source that rotates. Device governance answers what may talk to what. Each plane is useful alone; together they close both gaps every device-impersonation attack leans on.

one address-is-identity primitive, expressed as three planes Identity who is this, provably: the device proves it by signing, no one copies it device /128 · DNSSEC · DANE-EE · per-identity CA Attribution graph who's really behind this: operator fingerprint across rotating clouds + residential identify · origins · walk · history · watch · Cypher Device governance what may talk to what: every gateway and edge agent on its own routable address per-device /128 · policy · logs · revoke · default-deny THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32
Three planes on one primitive. Nothing here is a bolt-on connector: each plane is the same address answering a different question, so the identity, the attribution and the policy all agree by construction.

A device identity your backend authorizes on, not an artifact anyone can copy out of flash.

This is the plane that closes the gap the device-impersonation attacks live in: credentials that can be extracted. Bind authority to the silicon, not to a string whoever holds can replay.

Point the primitive at devices. Derive each device's /128 from the 802.1AR IDevID key it already holds in its secure element (ATECC608, SE050, OPTIGA Trust M) or on-chip OTP/PUF storage, with the device serial or EUI-64 as the domain separator. The private key never leaves the chip; the address is a one-way function of its public half and the serial. The backend then authorizes on the device's pinned identity, and an extracted firmware image with no chip behind it authenticates to nothing.

"An extracted credential looks exactly like the real device's; how do you tell them apart after auth?"

You bind authority to the silicon, not the string. The device proves control by signing with the key that never leaves the secure element, checked against its public DANE-EE pin. A session that presents copied bytes but can't sign never had authority in the first place.

A per-identity CA, not a shared root. Each /128 carries its own leaf, deterministically derived and DANE-EE pinned: one key per device. There is no issuing intermediate whose compromise mints look-alikes, no fleet-wide certificate an attacker steals once to forge the line. Compromise one device and you've compromised that device: the one-dump-forges-everything failure mode is structurally removed.
This is the DANCE client-auth model, deployed. The IETF DANCE work (draft-ietf-dance-client-auth) turns a device's DNS name plus its DANE-TLSA record into the device's TLS client credential, designed for MQTT, CoAP and the machine-to-machine surfaces embedded fleets run. Whisper publishes exactly that: a name, a TLSA 3 1 1 pin on the device's key, and a DNSSEC chain to the IANA root, for every identity, so any broker or backend can authenticate the device against public DNS instead of a password or a private CA list. The passwordless-device story →
The lineage: CGA, completed. RFC 3972 (2005) derived an IPv6 address from a public key with no CA, and stopped there: unroutable in practice, unregistered, unrevocable. Whisper keeps the one-way derivation and supplies the missing three: real announced space, an RDAP registry object per /128, and revocation at DNS-TTL speed. Twenty years of good idea, finally operational.

Attaches to what you already ship: the secure element, 802.1AR IDevID, BRSKI onboarding, the X.509 mTLS your device cloud runs, as the publicly verifiable, DNSSEC/DANE-anchored layer on top. No bespoke CA trust store to push to every unit; revocation at DNS-TTL speed instead of CRL/OCSP soft-fail. Standards mapping →

Attribution that survives IP rotation, because it fingerprints the operator, not the exit.

This is the plane that closes the other gap: the operator who presents your fleet's credentials from Amazon, then Google, then Azure, then a residential-proxy swarm, until your SOC only ever logs a meaningless last IP.

A live internet-infrastructure graph, 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms, pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm, where a subscriber IP gives an infra graph nothing to grab, a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.

"When they rotate residential proxies and fresh cloud IPs, can you actually attribute them, or just rate-limit an IP and move on?"

Track them. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible evidence chain: signed, replayable JSON your SOC, your auditors and a regulator can hand around.

identify(ip)

Who really operates a host, even behind a CDN, across any cloud.

origins(prefix) + walk(node,depth)

Cluster rotating IPs into one infrastructure genealogy.

history / watch

A timeline of an operator and a standing sentinel, plus variants(domain) to catch typosquat OTA and device-cloud domains before they activate.

read-only Cypher

Express "one source presenting N distinct device-identities in a window" as a query your agent runs, not a ticket your analyst files.

Additive to the SOC and SIEM: the same fingerprints power external attack-surface mapping and dependency blast-radius (if a cloud region goes dark, which fleets lose telemetry). Trace the full back-trace →

The same primitive governs what your devices are turning into: agents that call APIs on their own.

An OTA client fetches firmware, a telemetry daemon streams to three clouds, an edge box calls LLM APIs with a paid key. Each is an agent making network calls, and today "which device did this" is a shrug at a shared NAT address. Whisper does it with identity instead of trust.

Which device did this is the source address

Every gateway, edge box and update client egresses from its own routable /128: attribution, not a guess.

Every query and connection is logged per-device

Queryable live via op:logs: a per-identity record, not a shared firehose. The record an incident review, or a regulator, actually needs.

Policy on every query

A graph-first resolver and bound egress enforce category, geography, ownership and routing: default deny, allow or block by name or subdomain. A camera that should only ever reach its own cloud simply can't reach anything else.

Inbound devices are verifiable

FCrDNS, RDAP, whisper verify: "trust the bearer token" becomes a checkable fact. Per-device budgets, a kill-switch, one revoke.

The device-to-cloud, MQTT, OTA and edge-agent surface, governed by the same address-is-identity primitive, from day one.

What each class of device can do, stated plainly. No page here will tell you an 8-bit part speaks DoH.

The verification half is deliberately light: any client with a TLS + HTTPS stack can call the keyless verify endpoint today. A DoH client itself is tiny (RFC 8484 is a small HTTP exchange); the real cost is the TLS engine, roughly 20–60KB of flash and 25–63KB of peak RAM during the handshake. That budget draws the honest line below.

Device class Typical parts On-device Whisper? The path, honestly labelled
8-bit MCU AVR / ATmega328 (Arduino Uno) no: no TLS budget Gateway pattern. The gateway holds the /128 and speaks for the nodes behind it; the 8-bit node authenticates locally to the gateway. An ATmega328 does not speak DoH, and we won't pretend it does.
Wi-Fi SoC ESP32 / ESP-IDF ESP-IDF ships mbedTLS, and Espressif's own esp_dns component already does DoH natively, so the resolver half works with what the vendor ships today. A packaged Whisper ESP-IDF component is roadmap.
Cortex-M4/M33 + RTOS Zephyr · Nordic nRF Connect SDK · STM32Cube The TLS budget fits (mbedTLS at ~20–60KB flash, 25–63KB handshake RAM); the DoH client on top is small. A Whisper Zephyr module (which also covers nRF Connect) is roadmap. One caution: don't start a new design on Arm Mbed OS; Arm has set its end of life for July 2026.
Embedded Linux Raspberry Pi · Yocto · OpenWrt · Zynq · PolarFire SoC ✓ today Shipped. The whisper CLI and the control plane run as-is: provision the /128, bring up WireGuard so every packet sources from the device's own identity, set default-deny policy, pull per-device logs. This is the class where the full product works right now.

Two tiers everywhere, per Postel's Law: the keyless verify surface (verify-identity, RDAP, DANE, reverse-DNS) is reachable from anything with TLS today, key or no key; the control plane and routed /128 egress unlock with your key, live today on Linux-class devices and gateways, with the MCU-native SDKs shipping as labelled roadmap items. The full integration matrix →

The three planes drop into the systems your fleet already uses, at the IP boundary, never inside the silicon.

Whisper anchors the wire, not the die. Each row below is a proposed integration onto a system you already operate; the device-identity /128 is the capability that is shipped and live today. Every one is additive: it complements whatever authenticates the message, and it never reaches into secure boot, the RTOS, or a radio protocol's own security layer.

Surface / standard you run Where a plane plugs in: identity /128 · attribution graph · egress governance Complements, does not replace
Secure element / TPM (ATECC608, SE050, OPTIGA, on-chip OTP) · shipped & live Identity. Derives the routable /128 from the non-exportable IDevID key, and publishes a globally resolvable, DANE-verifiable, RDAP-registered name bound to it: silicon projected onto the public namespace. Complements the hardware root of trust; it makes an otherwise un-routable, un-discoverable key resolvable and verifiable.
Azure IoT Hub + DPS Identity + attribution. Devices keep enrolling exactly as they do; each also carries a Whisper /128 your backend and any partner can verify outside the tenant, and the graph back-traces whoever presented copied credentials before. Complements DPS enrollment and the hub's X.509 auth; authorization inside the tenant stays exactly where it is.
AWS IoT Core (fleet provisioning, JITP/JITR) Identity + attribution. Same pattern: the AWS-side cert authorizes into AWS; the Whisper /128 is the out-of-tenancy identity a third party checks with dig, and the revoke that doesn't depend on CRL distribution. Complements fleet provisioning; Whisper never touches the AWS policy or shadow model.
Matter (DAC + the CSA DCL) Identity. The Device Attestation Certificate proves provenance at commissioning, inside the Matter fabric. The Whisper /128 is the same device's operational, internet-facing identity: verifiable by parties outside the fabric, for the device's whole service life. Complements DAC/DCL attestation; Whisper issues no Matter credentials and never touches commissioning.
MQTT brokers & device APIs Identity + governance. The DANCE pattern: the broker checks the client's DANE-TLSA pin instead of a password list; the device's egress is policy-bound and attributable per /128. The MQTT-DANCE recipe is a labelled roadmap item; the TLSA records it checks are published today. Complements the broker's own auth; adds the public, per-device check it never had.
LPWAN / gateway concentrators (LoRaWAN, cellular) Identity + egress governance. The gateway that concentrates a thousand sensors gets one provable /128 with default-deny egress, so a hijacked concentrator can't quietly talk to anything but its own platform. Complements LoRaWAN's OTAA keys; Whisper anchors the gateway↔cloud IP boundary above them.

Read together, these land exactly where the EU Cyber Resilience Act is pushing every maker of connected products: provable identity, controllable connectivity, evidence you can file. Standards mapping →

Five things you can't stand up overnight, and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap.

what a point solution can't replicate AS219419 our own AS + real routable 2a04:2a01::/32 can't hand out space you don't hold The graph 7.44B nodes, years accreted BGP·DNS·WHOIS ·TLS·JA4, not spun up overnight Per-identity CA one leaf per device / agent no shared root compromise one device, not the fleet RDAP · WHOIS every /128 a real registered object public account- ability, not a self- asserted claim DNSSEC anchored at the IANA root, not at us our API is never in the trust path FIVE LOAD-BEARING PILLARS · ONE PLATFORM
None of these is a feature you configure: they're properties of real address space, an accreted graph, and open, root-anchored standards. That's the difference between a platform and a console.

Real routable space, not a namespace we invented

AS219419 and 2a04:2a01::/32 are announced to the global routing table. You cannot allocate verifiable identities from address space you don't hold and can't announce, which is why this can't be reproduced with a database and a domain.

A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

A per-identity CA, so blast radius is one

One deterministically-derived leaf per device or agent: DANE-EE pinned, never a shared intermediate. The single-CA-breach failure mode is removed by construction, not by policy.

Registry-anchored and root-anchored

Every /128 is a real RDAP/WHOIS object, and the whole chain validates through DNSSEC to the IANA root. whisper verify --trustless checks an identity without trusting Whisper: public accountability and a trust anchor you already run.

"IoT platforms get retired and strand their fleets. Will this still verify in fifteen years, when my devices are still in the field?"

It's anchored in the things that don't retire. Public DNS, DNSSEC at the IANA root, registered address space, RDAP: the identity's anchors are internet infrastructure, not a product's console, and they're run by people who operated the internet's regional address registry and one of its root DNS servers. You can verify every claim on this page yourself, today, without an account.

Exercise all three planes yourself; our API isn't in the trust path.

Two tiers, by design. No key: verify a device's identity, the identity plane, trustless, anchored at the IANA root. Your key: back-trace a suspicious host across any cloud, register a device, govern its egress, revoke it worldwide.

identity: no key · attribution: one API call
# plane 1: re-derive and verify any device's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::e51d
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted

# the address is the device: reverse DNS names it
$ dig -x 2a04:2a01:1c0::e51d +short
  sn-04d0c85f3a1b.fleet.example-maker.whisper.online.

# plane 2: with your key, attribute who really operates a host via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
identity + governance: with your key
# plane 1: give a device a name it can prove
$ export WHISPER_API_KEY=whisper_live_xxx
# --serial/--from-secure-element are on the roadmap; today provisioning is the live control-plane call (see docs)
$ whisper register --serial 04D0C85F3A1B --from-secure-element
  → identity 2a04:2a01:1c0::e51d   DNSSEC + DANE live
# plane 3: govern what it may reach, and read the per-device log
$ whisper policy set --default deny --allow ota.example-maker.com,telemetry.example-maker.com
$ whisper logs --identity 2a04:2a01:1c0::e51d --tail
$ whisper revoke 2a04:2a01:1c0::e51d   # owner-thrown, publicly verifiable, at DNS-TTL

Three planes, and all three exit into the stack you already run, not a new silo.

Feeds your SIEM, not another console

A machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain, with STIX 2.1 over TAXII export on the roadmap.

Speaks your compliance language

Maps to EU CRA, IEC 62443, ETSI EN 303 645 / PSTI and 802.1AR evidence. Usable in your risk assessment and your certification file, not just a dashboard.

In your auth path, and safe there

If your backend authorizes against the DANE/verify path, that plane is built to fail open: a Whisper outage never bricks a device; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

Flat, predictable pricing

Per-device/year and flat: not per-message, not per-MB, not usage-metered. A line item you can forecast at BOM time. See pricing →

On-prem or your own tenant

Data residency and GDPR by construction: the graph and the per-device logs stay where your regulator, and your customers, need them.

Where it fits vs. what you run

Depth on top of your device cloud and your SIEM: it makes them sharper, it doesn't replace them. See the comparison →

One primitive. Three planes. Give every device an identity it can prove.

Identity, an attribution graph that survives IP rotation, and per-device governance: additive to your stack, mapped to your standards, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.