Your control room doesn't need another console. Your DER fleet needs an identity it can prove.
Detection tools stack up — each one another dashboard your OT SOC babysits, and none of them stops a stolen aggregator token that passes auth or an operator that rotates across three clouds. Whisper isn't another console. It's one primitive — the address is the identity — expressed as three planes that plug into the IEEE 2030.5 head-end, the DERMS, the OT sensors and the SIEM you already run.
LFDI it already carries; verify it anywhere with dig. That one primitive becomes three planes — identity, an attribution graph that survives IP rotation, and per-DER egress governance — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
Everything below derives from one line: the address is the identity.
A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.
Most security tooling starts from an observation — a Modbus write, a log line, a source IP — and tries to infer who is behind it. Whisper starts from the other end: it gives the thing an identity that is its address, cryptographically bound to a key you already hold, and publicly verifiable without trusting the issuer. Point it at an inverter, a battery gateway, an EVSE, or the VPP dispatch agent your trading desk is about to run, and the question "who is this?" stops being an inference and becomes a fact anyone can check. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address.
One address, three jobs: who is this, who's really behind that, and what may talk to what.
Identity answers who is this, provably. The attribution graph answers who's really behind a source that rotates. Egress governance answers what may reach what. Each plane is useful alone; together they close both gaps every fleet-takeover attack leans on.
A device identity your head-end authorizes on — not a bearer token anyone can present.
This is the plane that closes the gap the fleet-takeover attacks live in: abuse that passes auth. Bind authority to the inverter, not to a token whoever holds it can replay.
Point the primitive at devices. Derive each inverter's — or each battery gateway's or EVSE's — /128 from the public key behind the identifier it already carries: the IEEE 2030.5 LFDI (itself a SHA-256 of the device's X.509 cert), a SunSpec/Kyrio device cert, a secure element, or a TPM — with the LFDI or DER serial as the domain separator. The private key never leaves the device; the address is a one-way function of its public half and that identifier. No re-flashing the 25M+ inverters already in the field — you bind the identity they were born with. Pass the LFDI as device_id today; a first-class typed --lfdi arg is on the roadmap.
"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough?"
Because it can't be revoked and no one outside the utility can verify it. The LFDI is a SHA-256 of the device's own certificate — a genuinely good key-derived name — but it lives in a private SERCA→MCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL.
Attaches to what you already ship — the IEEE 2030.5 / SunSpec / Kyrio device certificate, TPM/HSM/secure elements — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. You can even DANE-pin your existing 2030.5 head-end's certificate to DNSSEC and cut single-CA trust risk. No bespoke CA trust store to push to every inverter; revocation at DNS-TTL speed instead of a certificate that can never be revoked. Standards mapping →
Attribution that survives IP rotation — because it fingerprints the operator, not the exit.
This is the plane that closes the other gap: the attacker who rotates across Amazon, Google and Azure or a residential-proxy swarm until your OT SOC only ever logs a meaningless last IP.
A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.
"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"
Track it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your OT SOC, your auditors and a regulator can replay.
identify(ip)
Who really operates a host — even behind a CDN, across any cloud.
origins(prefix) + walk(node,depth)
Cluster rotating IPs into one infrastructure genealogy.
history / watch
A timeline of an operator and a standing sentinel — plus variants(domain) to catch typosquat aggregator or utility domains before they activate.
read-only Cypher
Express "one source touching N distinct DER identities in a window" as a query your agent runs — not a ticket your analyst files.
Additive to the OT sensor and SIEM — the same fingerprints power external attack-surface mapping and dependency blast-radius (if a cloud region goes dark, which sites lose their head-end). Trace the full back-trace →
Govern exactly what each DER may reach — default-deny, and see who's looking.
An identity you can prove is also an identity you can watch and gate. Because every DER's name resolves through Whisper's own graph-first resolver and its egress source-binds to the device's /128, you see who looked, allow only the head-end and the OTA endpoint, and kill a compromised unit worldwide in one call.
op:lookups records who asked.Who checked this inverter is a query
op:lookups returns who resolved or RDAP-queried a DER's identity — an early warning that someone is enumerating your fleet, not a post-mortem after the dispatch. A reconnaissance tripwire the LFDI's private registry never gave you.
Default-deny, by name
op:policy and op:firewall enforce default-deny per device — allow the DERMS head-end and the OTA endpoint by name or subdomain, allow/deny by host, cidr or port, block everything else.
Cap it, kill it
op:budget caps a device's traffic and arms a kill-switch; op:revoke cuts a compromised unit off worldwide in one call at DNS-TTL — the off-switch IEEE 2030.5's life-long certs never had.
Non-repudiable telemetry
Sign a DER's dispatch and telemetry stream to its forge-proof /128 (sign-outputs) so the ISO, the utility and your own market settlement trust the numbers came from the real device — not a spoofed feed.
The same address-is-identity primitive that governs a compromised inverter also governs the AI agents your VPP and trading desk are about to run — per-agent /128, per-agent logs via op:logs, default-deny egress, one revoke. From day one.
The three planes drop into the systems your fleet already runs — at the IP and cloud boundary, never inside the bus.
Whisper anchors the cloud, not the plug. Each row below is a proposed integration onto a system you already operate — the device-identity /128 is the one capability that is shipped and live today. Every one is additive: it complements whatever authenticates the message, and it never reaches into the closed, pseudonymous-by-design layers — the substation bus (IEC 61850 GOOSE/SV), DNP3 pre-shared keys, the ISO 15118 charging handshake.
| Surface / standard you run | Where a plane plugs in — identity /128 · attribution graph · egress governance | Complements — does not replace |
|---|---|---|
| IEEE 2030.5 / CSIP head-end (CA Rule 21 default) | Identity. Bind an EndDevice's LFDI to a routable /128 and DANE-pin the head-end's TLS certificate to DNSSEC — the CSIP identifier projected onto the public namespace, publicly verifiable and revocable at DNS-TTL. |
Complements the SERCA→MCA→MICA private PKI and the mandated 2030.5 stack — Whisper never becomes the head-end; it adds public verifiability and an off-switch to the LFDI it lacks. |
| Secure element / TPM + device key · shipped & live | Identity. Derives the routable /128 from the same non-exportable key in the TPM or secure element and publishes a globally resolvable, DANE-verifiable, RDAP-registered name bound to it — the device-identity spine, the hardware key projected onto the public namespace. |
Complements the hardware birth-certificate — does not replace the secure element; it makes an otherwise un-routable, un-discoverable key resolvable and verifiable. |
| DERMS / VPP platform (fleet dispatch) | Identity + egress governance. Adds a publicly-verifiable /128 per device — checkable outside the DERMS tenancy, no vendor account needed — plus per-device egress attribution and non-repudiable telemetry from the DER's own /128. |
Complements the DERMS that consumes the manufacturer 2030.5 cert and dispatches setpoints — Whisper anchors identity and governance, not the dispatch logic. |
| OpenADR 3.0 / 3.1 (VTN ↔ VEN) | Attribution graph + identity. DANE + DNSSEC anchor the VTN's HTTPS host; a venID + JWT bearer becomes a checkable fact against a verifiable endpoint; the attribution graph maps the aggregator infrastructure behind it. |
Complements OAuth2 bearer auth — which authorizes the event; Whisper anchors the transport and the operator identity the bearer alone can't prove. |
| AWS IoT Core / cloud DER telemetry (and Azure Event-Grid MQTT, Google Cloud) | Identity + egress governance. Adds an RDAP-registered, reverse-DNS + DANE/DNSSEC-anchored identity a regulator or peer can verify outside the cloud's tenancy — no vendor account needed — plus per-device egress attribution from the DER's own /128. |
Complements the vendor X.509 device cert over MQTT/mTLS (the cloud is the CA) — does not replace it. Anchor the cloud, not the plug. |
| ISO 15118 Plug & Charge / OCPP 2.0.1 (EVSE ↔ CSMS) | Identity. DANE anchors the EVSE or CSMS TLS endpoint; a per-EVSE Whisper name is revocable in one call — instant containment for a compromised charger, alongside your 15118 PKI. | Complements the V2G Root CA contract-cert handshake — Whisper never touches the ISO 15118 charging handshake or the EMAID billing path; it anchors the cloud/transport boundary. |
Read together, these are exactly the vendor-remote-access doors NERC CIP-013 / CIP-005 require you to govern and EU NIS2 requires you to log — per-/128 egress logs plus the attribution graph become ready-made monitoring and forensic evidence, and nothing is issued in the dark: every mint and revoke lands in a public transparency log. Standards mapping →
Five things you can't stand up overnight — and a competitor can't clone from a slide.
A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap.
Real routable space, not a namespace we invented
AS219419 and 2a04:2a01::/32 are announced to the global routing table and RPKI ROA-signed. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain.
A graph you accrete, not one you query once
7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.
A per-identity CA, so blast radius is one
One deterministically-derived leaf per inverter, gateway or agent — DANE-EE pinned, never a shared intermediate. The single-CA-breach failure mode that has burned this industry before is removed by construction, not by policy.
Nothing issued in the dark
Every mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — an auditable, non-repudiable issuance trail for your regulator. Honest status: tamper-evident today; independent witnessing is the next step — it already speaks the witness protocol so any external witness can co-sign.
whisper verify --trustless validates the whole chain to the IANA root — our API is never in the trust path, and there is no proprietary format to adopt."DER-security pilots stall — a POC that never leaves the lab. Will you still be here in five years, and is this real or a checkbox?"
It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide. You can verify every claim on this page yourself, today, without an account.
Exercise all three planes yourself — our API isn't in the trust path.
Two tiers, by design. No key: verify a DER's identity, see who's been enumerating it, and back-trace a suspicious controller — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, revoke it worldwide.
# plane 1 — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the inverter — reverse DNS names it
$ dig -x 2a04:2a01:5e0::50c +short
lfdi-3f2504e0.der.example-vpp.whisper.online.
# who checked this DER — the reconnaissance tripwire, keyless
$ curl -s https://whisper.online/ip/2a04:2a01:5e0::50c/lookups
3 RDAP + 11 AAAA/TLSA lookups in 6h from one ASN — someone is enumerating the fleet
# plane 2 — with your key, attribute who really operates a suspicious controller
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
# plane 1 — bind an inverter to the LFDI it already carries
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the device key>',
device_id:'3F2504E04F8911D39A0C0305E82C3301'}})" # device_id = the LFDI
→ identity 2a04:2a01:5e0::50c DNSSEC + DANE live
# plane 3 — govern its egress, read who it talked to, then kill it
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper logs --identity 2a04:2a01:5e0::50c --tail
$ whisper kill --revoke 2a04:2a01:5e0::50c # worldwide, at DNS-TTL
Three planes, and all three exit into the stack you already run — not a new silo.
Feeds your SIEM, not another console
A machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain you can hand a regulator — STIX 2.1 over TAXII export on the roadmap.
Speaks your compliance language
Maps to NERC CIP-013 R1.2.3/R1.2.6 and CIP-005 R3.1/R3.2 (determine & disable active vendor remote access), EU NIS2 Art.21, the EU NCCS zero-trust/traceability, and NISTIR 7628 SG.IA/SG.AU — usable in a CIP RSAW, not just a dashboard. (CIP scope is the Bulk Electric System, at the utility/vendor-access layer.)
In your auth path — and safe there
It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your head-end authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks an inverter; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
Flat, predictable pricing
Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset. See pricing →
On-prem or your own tenant
Data residency and GDPR by construction — the graph and the per-device logs stay where your regulator needs them. One identity fabric across every vendor's device, derived from the key already in it — no second PKI, no BOM cost, no re-flashing the fielded fleet.
Where it fits vs. what you run
Depth on top of your OT sensor and threat-intel — it makes them sharper, it doesn't replace them. See the comparison →
One primitive. Three planes. Give every DER an identity it can prove.
Identity, an attribution graph that survives IP rotation, and per-DER egress governance — additive to your DERMS and OT SOC, mapped to your standards, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now.