# Your control room doesn't need another console. Your DER fleet needs an identity it can prove.

Detection tools stack up — each one another dashboard your OT SOC babysits, and none of them stops a stolen aggregator token that passes auth or an operator that rotates across three clouds. Whisper isn't another console. It's one primitive — the address is the identity — expressed as three planes that plug into the IEEE 2030.5 head-end, the DERMS, the OT sensors and the SIEM you already run.

Derive an inverter's identity once from the key behind the `LFDI` it already carries; verify it anywhere with `dig`. That one primitive becomes three planes — identity, an attribution graph that survives IP rotation, and per-DER egress governance — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

- 7.44B nodes in the live attribution graph — BGP, DNS, WHOIS, TLS, hosting, threat intel
- 39.3B fused relationships across that graph
- <300ms attribution answers, kept off the hot path
- AS219419 — our own autonomous system, real routable space
- 2a04:2a01::/32 — every DER identity derives from here
- 1→3 — one primitive, three planes, zero new silos

## Everything below derives from one line: the address is the identity.

A routable IPv6 /128 out of `2a04:2a01::/32` (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.

Most security tooling starts from an observation — a Modbus write, a log line, a source IP — and tries to infer who is behind it. Whisper starts from the other end: it gives the thing an identity that is its address, cryptographically bound to a key you already hold, and publicly verifiable without trusting the issuer. Point it at an inverter, a battery gateway, an EVSE, or the VPP dispatch agent your trading desk is about to run, and the question "who is this?" stops being an inference and becomes a fact anyone can check. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address.

## One address, three jobs: who is this, who's really behind that, and what may talk to what.

Identity answers who is this, provably. The attribution graph answers who's really behind a source that rotates. Egress governance answers what may reach what. Each plane is useful alone; together they close both gaps every fleet-takeover attack leans on.

**The three planes on one primitive:**

- **Identity** — who is this, provably; the inverter proves it, no one forges it. `device /128 · DNSSEC · DANE-EE · bound to the LFDI`
- **Attribution graph** — who's really behind this; operator fingerprint across rotating clouds + residential. `identify · origins · walk · history · watch · Cypher`
- **Egress governance** — what may talk to what; every DER on its own routable address. `per-DER /128 · policy · lookups · firewall · budget · revoke — default-deny`
- **Base primitive** — THE ADDRESS IS THE IDENTITY · AS219419 · 2a04:2a01::/32

## Plane 1 — A device identity your head-end authorizes on, not a bearer token anyone can present.

This is the plane that closes the gap the fleet-takeover attacks live in: abuse that passes auth. Bind authority to the inverter, not to a token whoever holds it can replay.

Point the primitive at devices. Derive each inverter's — or each battery gateway's or EVSE's — /128 from the public key behind the identifier it already carries: the IEEE 2030.5 LFDI (itself a SHA-256 of the device's X.509 cert), a SunSpec/Kyrio device cert, a secure element, or a TPM — with the LFDI or DER serial as the domain separator. The private key never leaves the device; the address is a one-way function of its public half and that identifier. No re-flashing the 25M+ inverters already in the field — you bind the identity they were born with. Pass the LFDI as `device_id` today; a first-class typed `--lfdi` arg is on the roadmap.

**LFDI/key → /128 → verifiable name:** Inverter/EVSE key (LFDI · SunSpec cert · TPM, private key sealed) → public key + LFDI → /128 (`2a04:2a01:5e0::50c`, routable identity) → DNSSEC + DANE-EE → a name anyone can verify (`whisper verify --trustless`, our API not in the trust path) → `op:revoke` → gone worldwide at DNS-TTL.

> "IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough?"
>
> Because it can't be revoked and no one outside the utility can verify it. The LFDI is a SHA-256 of the device's own certificate — a genuinely good key-derived name — but it lives in a private SERCA→MCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL.

**A per-identity CA, not a shared root.** Each /128 carries its own leaf, deterministically derived and DANE-EE pinned — one key per inverter, per gateway, per agent. There is no issuing intermediate whose compromise mints look-alikes, and no shared secret an attacker steals once to forge the fleet. Compromise one inverter and you've compromised that inverter — the single-CA-breach failure mode that has burned this industry before is removed by construction, not by policy.

**The LFDI is the public fingerprint — the /128 is its cryptographic counterpart.** The LFDI is a known, structured identifier flowing through every CSIP deployment; that's useful for interoperability but it's not a secret. The /128 is bound to the device's key and the LFDI — so the LFDI alone yields nothing. You cannot go LFDI → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the device's whereabouts. Because the derivation is tenant-bound, the same unit under two aggregators yields two unrelated /128s — no one can link a device across operators.

Attaches to what you already ship — the IEEE 2030.5 / SunSpec / Kyrio device certificate, TPM/HSM/secure elements — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. You can even DANE-pin your existing 2030.5 head-end's certificate to DNSSEC and cut single-CA trust risk. No bespoke CA trust store to push to every inverter; revocation at DNS-TTL speed instead of a certificate that can never be revoked. [Standards mapping →](/for-grid-security)

## Plane 2 — Attribution that survives IP rotation, because it fingerprints the operator, not the exit.

This is the plane that closes the other gap: the attacker who rotates across Amazon, Google and Azure or a residential-proxy swarm until your OT SOC only ever logs a meaningless last IP.

A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.

> "When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"
>
> Track it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your OT SOC, your auditors and a regulator can replay.

- **`identify(ip)`** — who really operates a host, even behind a CDN, across any cloud.
- **`origins(prefix)` + `walk(node,depth)`** — cluster rotating IPs into one infrastructure genealogy.
- **`history` / `watch`** — a timeline of an operator and a standing sentinel; plus `variants(domain)` to catch typosquat aggregator or utility domains before they activate.
- **read-only Cypher** — express "one source touching N distinct DER identities in a window" as a query your agent runs, not a ticket your analyst files.

Additive to the OT sensor and SIEM — the same fingerprints power external attack-surface mapping and dependency blast-radius (if a cloud region goes dark, which sites lose their head-end). [Trace the full back-trace →](/grid-api-abuse)

## Plane 3 — Govern exactly what each DER may reach: default-deny, and see who's looking.

An identity you can prove is also an identity you can watch and gate. Because every DER's name resolves through Whisper's own graph-first resolver and its egress source-binds to the device's /128, you see who looked, allow only the head-end and the OTA endpoint, and kill a compromised unit worldwide in one call.

**Graph-first resolution path.** A DER's DNS query (`ota.vendor? AAAA`) enters the graph-first resolver, evaluated identically by our two authoritative nodes in lockstep — two servers, one truth. The policy stage (`whisper.assess`) applies default-deny with an allow-list for the DERMS head-end and the OTA endpoint (plus category · geography · listing), and `op:lookups` records who asked. Outcomes: an allowed name resolves to a real AAAA answer (`derms.example-vpp.com · ota.example-vpp.com`); a denied name returns NXDOMAIN (everything else, blocked at the resolver); a name the graph has no opinion on falls through to real upstream DNS (a recursive upstream, then public resolvers — fail-open), so the resolver never breaks the internet it fronts.

- **Who checked this inverter is a query** — `op:lookups` returns who resolved or RDAP-queried a DER's identity: an early warning that someone is enumerating your fleet, not a post-mortem after the dispatch. A reconnaissance tripwire the LFDI's private registry never gave you.
- **Default-deny, by name** — `op:policy` and `op:firewall` enforce default-deny per device: allow the DERMS head-end and the OTA endpoint by name or subdomain, allow/deny by host, cidr or port, block everything else.
- **Cap it, kill it** — `op:budget` caps a device's traffic and arms a kill-switch; `op:revoke` cuts a compromised unit off worldwide in one call at DNS-TTL — the off-switch IEEE 2030.5's life-long certs never had.
- **Non-repudiable telemetry** — sign a DER's dispatch and telemetry stream to its forge-proof /128 (`sign-outputs`) so the ISO, the utility and your own market settlement trust the numbers came from the real device, not a spoofed feed.

The same address-is-identity primitive that governs a compromised inverter also governs the AI agents your VPP and trading desk are about to run — per-agent /128, per-agent logs via `op:logs`, default-deny egress, one `revoke`. From day one.

## The three planes drop into the systems your fleet already runs — at the IP and cloud boundary, never inside the bus.

Whisper anchors the cloud, not the plug. Each row below is a proposed integration onto a system you already operate — the device-identity /128 is the one capability that is shipped and live today. Every one is additive: it complements whatever authenticates the message, and it never reaches into the closed, pseudonymous-by-design layers — the substation bus (IEC 61850 GOOSE/SV), DNP3 pre-shared keys, the ISO 15118 charging handshake.

| Surface / standard you run | Where a plane plugs in | Complements — does not replace |
|---|---|---|
| **IEEE 2030.5 / CSIP head-end** (CA Rule 21 default) | **Identity.** Bind an `EndDevice`'s LFDI to a routable /128 and DANE-pin the head-end's TLS certificate to DNSSEC — the CSIP identifier projected onto the public namespace, publicly verifiable and revocable at DNS-TTL. | Complements the SERCA→MCA→MICA private PKI and the mandated 2030.5 stack — Whisper never becomes the head-end; it adds public verifiability and an off-switch to the LFDI it lacks. |
| **Secure element / TPM** + device key · *shipped & live* | **Identity.** Derives the routable /128 from the same non-exportable key in the TPM or secure element and publishes a globally resolvable, DANE-verifiable, RDAP-registered name bound to it — the device-identity spine. | Complements the hardware birth-certificate — does not replace the secure element; it makes an otherwise un-routable, un-discoverable key resolvable and verifiable. |
| **DERMS / VPP platform** (fleet dispatch) | **Identity + egress governance.** Adds a publicly-verifiable /128 per device — checkable outside the DERMS tenancy, no vendor account — plus per-device egress attribution and non-repudiable telemetry from the DER's own /128. | Complements the DERMS that consumes the manufacturer 2030.5 cert and dispatches setpoints — Whisper anchors identity and governance, not the dispatch logic. |
| **OpenADR 3.0 / 3.1** (VTN ↔ VEN) | **Attribution graph + identity.** DANE + DNSSEC anchor the VTN's HTTPS host; a `venID` + JWT bearer becomes a checkable fact against a verifiable endpoint; the attribution graph maps the aggregator infrastructure behind it. | Complements OAuth2 bearer auth — which authorizes the event; Whisper anchors the transport and the operator identity the bearer alone can't prove. |
| **AWS IoT Core / cloud DER telemetry** (and Azure Event-Grid MQTT, Google Cloud) | **Identity + egress governance.** Adds an RDAP-registered, reverse-DNS + DANE/DNSSEC-anchored identity a regulator or peer can verify outside the cloud's tenancy — no vendor account — plus per-device egress attribution from the DER's own /128. | Complements the vendor X.509 device cert over MQTT/mTLS (the cloud is the CA) — does not replace it. Anchor the cloud, not the plug. |
| **ISO 15118 Plug & Charge / OCPP 2.0.1** (EVSE ↔ CSMS) | **Identity.** DANE anchors the EVSE or CSMS TLS endpoint; a per-EVSE Whisper name is revocable in one call — instant containment for a compromised charger, alongside your 15118 PKI. | Complements the V2G Root CA contract-cert handshake — Whisper never touches the ISO 15118 charging handshake or the EMAID billing path; it anchors the cloud/transport boundary. |

Read together, these are exactly the vendor-remote-access doors NERC CIP-013 / CIP-005 require you to govern and EU NIS2 requires you to log — per-/128 egress logs plus the attribution graph become ready-made monitoring and forensic evidence, and nothing is issued in the dark: every mint and revoke lands in a public transparency log. [Standards mapping →](/for-grid-security)

## Five things you can't stand up overnight — and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap: **AS219419** (our own AS, RPKI-signed `2a04:2a01::/32`), **the graph** (7.44B nodes accreted over years), a **per-identity CA** (one leaf per DER/ECU/agent, no shared root), **RDAP · WHOIS** (every /128 a real registered object), and **DNSSEC** (anchored at the IANA root, not at us).

### Real routable space, not a namespace we invented

AS219419 and `2a04:2a01::/32` are announced to the global routing table and RPKI ROA-signed. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain.

### A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

### A per-identity CA, so blast radius is one

One deterministically-derived leaf per inverter, gateway or agent — DANE-EE pinned, never a shared intermediate. The single-CA-breach failure mode that has burned this industry before is removed by construction, not by policy.

### Nothing issued in the dark

Every mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — an auditable, non-repudiable issuance trail for your regulator. *Honest status:* tamper-evident today; independent witnessing is the next step — it already speaks the witness protocol so any external witness can co-sign.

**Open standards, not a Whisper protocol.** Every layer is something you already know how to check: DNSSEC and DANE for the verifiable name, RDAP and WHOIS for the registry object, RPKI for the route origin, did:web for the identity document, OpenTimestamps for the transparency anchor. `whisper verify --trustless` validates the whole chain to the IANA root — our API is never in the trust path, and there is no proprietary format to adopt.

> "DER-security pilots stall — a POC that never leaves the lab. Will you still be here in five years, and is this real or a checkbox?"
>
> It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide. You can verify every claim on this page yourself, today, without an account.

## Exercise all three planes yourself — our API isn't in the trust path.

Two tiers, by design. No key: verify a DER's identity, see who's been enumerating it, and back-trace a suspicious controller — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, revoke it worldwide.

```console
# plane 1 — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# who checked this DER — the reconnaissance tripwire, keyless
$ curl -s https://whisper.online/ip/2a04:2a01:5e0::50c/lookups
  3 RDAP + 11 AAAA/TLSA lookups in 6h from one ASN — someone is enumerating the fleet

# plane 2 — with your key, attribute who really operates a suspicious controller
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```console
# plane 1 — bind an inverter to the LFDI it already carries
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the device key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the LFDI
  → identity 2a04:2a01:5e0::50c   DNSSEC + DANE live
# plane 3 — govern its egress, read who it talked to, then kill it
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper logs --identity 2a04:2a01:5e0::50c --tail
$ whisper kill --revoke 2a04:2a01:5e0::50c   # worldwide, at DNS-TTL
```

## Three planes, and all three exit into the stack you already run — not a new silo.

### Feeds your SIEM, not another console

A machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain you can hand a regulator — STIX 2.1 over TAXII export on the roadmap.

### Speaks your compliance language

Maps to NERC CIP-013 R1.2.3/R1.2.6 and CIP-005 R3.1/R3.2 (determine & disable active vendor remote access), EU NIS2 Art.21, the EU NCCS zero-trust/traceability, and NISTIR 7628 SG.IA/SG.AU — usable in a CIP RSAW, not just a dashboard. (CIP scope is the Bulk Electric System, at the utility/vendor-access layer.)

### In your auth path — and safe there

It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your head-end authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks an inverter; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

### Flat, predictable pricing

Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset. [See pricing →](/pricing)

### On-prem or your own tenant

Data residency and GDPR by construction — the graph and the per-device logs stay where your regulator needs them. One identity fabric across every vendor's device, derived from the key already in it — no second PKI, no BOM cost, no re-flashing the fielded fleet.

### Where it fits vs. what you run

Depth on top of your OT sensor and threat-intel — it makes them sharper, it doesn't replace them. [See the comparison →](/compare)

## One primitive. Three planes. Give every DER an identity it can prove.

Identity, an attribution graph that survives IP rotation, and per-DER egress governance — additive to your DERMS and OT SOC, mapped to your standards, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.

Or run `whisper verify --trustless` right now.
