# Your SOC sees *that* a farm API is abused: not *who*, and not whether it's really the machine.

Upstream, Recorded Future, Sentinel, Mandiant, VirusTotal: each is good at what it
does, and you should keep running every one of them. But the equipment-API attack
survives the whole stack, because it exploits two seams no single tool was built to
close: **attribution that outlives IP rotation**, and **identity that outlives a
harvested token**.

**Whisper is those two layers, and only those.** Additive, never a replacement: it
feeds your SIEM and threat intel, closes both gaps, and makes everything else on this
page sharper.

`whisper verify --trustless` · the one differentiator every tool here lacks: you never have to trust *our* API.

- **2 gaps**: the two seams every equipment-API attack walks through, both closed here
- **0** rip-and-replace: Whisper sits on top of your SIEM and TI
- **STIX 2.1**: a machine-readable feed (CEF · ECS today), TAXII export on the roadmap
- **flat**: per-machine, per-year, not per-transaction, not usage-metered
- **trustless**: verify a machine's identity without trusting our API

---

## Every tool here is good. The incident survives in the seams between them.

The equipment-API attack: harvest a valid grant, enumerate organizations through a
BOLA/IDOR flaw, rotate egress across clouds and residential proxies. It passes every
perimeter check on purpose. Strip it down and it leans on exactly two structural gaps.

### Gap 1 · you can't follow them when the IP rotates

Your SOC sees only the ephemeral *last IP*, inside your own cloud, and it was never
the attacker. Curated threat intel doesn't close this either: Recorded Future,
Mandiant and VirusTotal match what's *already known*, but a just-spun cloud IP and a
residential-proxy swarm are, by definition, not yet in anyone's feed.

**Only Whisper closes it: the graph.** A live internet-infrastructure graph,
**7.44B** nodes and **39.3B** relationships of fused BGP,
DNS, WHOIS, TLS, hosting and threat intel, answering in under 300 ms, fingerprints
the *operator*, not the IP. Cloud rotation collapses into one infrastructure
genealogy; a residential swarm collapses on a `JA4/JA3` client fingerprint. Every
answer is a reproducible evidence chain your auditors and a regulator can replay.

### Gap 2 · abuse that passes auth looks legitimate

A harvested OAuth grant or a leaked partner key *is* a valid credential: behaviorally
it's a grower. Nothing at the perimeter, and no threat-intel feed, tells a real
machine from an impostor that presents a genuine token.

**Only Whisper closes it: identity.** Bind the session to the machine's own
forge-proof **/128**, derived from the key already sitting in the machine's secure
element. A request that passes auth but can't cryptographically prove the identity
never had authority. Not detected late; *structurally impossible*.

---

## Upstream sees *that* an API is abused. Whisper tells you *who*, and that it's really the machine.

Upstream is the best behavioral vehicle SOC on the market, and it is moving into
agriculture: extending its platform toward agricultural OEMs and engaging publicly on
ISO 24882. Cloud-native and agentless, it does stateful app-layer detection, BOLA and
business-logic abuse, well. That's necessary, you should run it, and it's where the
picture stops: inside your own cloud, at the app layer, seeing the last IP.

Whisper adds the two layers Upstream doesn't reach. On Upstream's own turf we're
honest: we're an **additive feed**, not a second detector.

| Capability | Upstream | Whisper |
|---|---|---|
| Detect farm-API abuse in your cloud: BOLA / IDOR, business-logic, digital twin | ✓ | *additive feed* |
| Attribute the operator across Amazon → Google → Azure rotation | – | ✓ |
| Collapse a residential-proxy swarm to one operator (`JA4/JA3`) | – | ✓ |
| Forge-proof per-machine identity, checked **after** auth (DANE-EE /128) | – | ✓ |
| Per-agent identity + default-deny egress governance (autonomy / MCP / LLM) | *detecting* | ✓ native |
| Owner-controlled, publicly verifiable revocation (never a covert lockout) | – | ✓ |
| Reproducible evidence chain a regulator can replay | – | ✓ |
| Trustless verification: no need to trust the vendor's API | – | ✓ |
| Deploys as | cloud-native agentless twin, in your cloud | additive feed · on-prem / own-tenant |
| Pricing model | cloud-scale ingestion | flat, per-machine / year |

> **"Upstream already flags BOLA and business-logic abuse, and it's coming to agriculture. What do I need you for?"**
> To answer the next two questions. Flagging *that* an API is abused doesn't tell you
> *who* is behind it when the IP rotates, and it can't stop a genuine, harvested
> token. The graph names the operator and follows them across the rotation; the
> identity plane makes "one IP → a whole co-op" *physically impossible*, not merely
> detected. Run both: we're a feed into the same SIEM.

---

## It makes Recorded Future, Sentinel and Mandiant sharper. It doesn't replace them.

| Capability | Recorded Future | Microsoft Sentinel | Mandiant / Google TI | VirusTotal | Whisper |
|---|---|---|---|---|---|
| Broad curated threat intel: known indicators & actors | ✓ | *via feeds* | ✓ | ✓ | *consumes + feeds* |
| SIEM backbone: correlation, alerting, the SOC hub | – | ✓ | – | – | *feeds it* |
| Live attribution across rotating clouds + residential (`JA4/JA3`) | *known only* | – | *known only* | *known only* | ✓ |
| Forge-proof per-machine / per-agent identity, after auth | – | – | – | – | ✓ |
| Agentic read-only graph query (Cypher) over live infra | – | – | – | – | ✓ |
| Agriculture-native: farm-platform + machine-identity mapping | *generic* | *via content* | *generic* | – | ✓ |
| Pricing shape | licensed by module | platform + ingest | licensed | tiered API | flat, per-machine |

Whisper is additional depth, flexibility, agentic query and flat pricing *on top of*
the SIEM and threat intel you already run, and it rides on top of the X.509
device-cert mTLS your equipment cloud already speaks, anchoring that same identity in
public DNSSEC/DANE, verifiable *outside* the cloud's tenancy.

### Every tool here, you must trust. Ours, you don't have to.

Whisper's core claim, *this address is that machine*, is checkable by anyone, against
the IANA DNS root, with our own API deliberately outside the trust path. No account
required. And that matters doubly in agriculture, where the farmer's side of the
story has never had a verifiable fact to stand on.

```sh
# keyless: re-derive and verify any machine's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::a6f1
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED, and our own API was never trusted
```

---

## Whisper is one layer, done well. It sits beside these, not over them.

- **In-cab & bus-level security.** Intrusion detection on the ISOBUS/J1939 CAN backbone, embedded firewalls, secure boot, and tractor-implement (TIM) functional safety. That's the silicon and the bus; Whisper is on the wire and in the cloud, and never touches it.
- **SBOM & compliance automation.** The binder and the build. Whisper produces evidence *for* that process; it isn't that process.
- **FMIS & farm-data platforms.** Whisper doesn't store a byte of agronomic data and doesn't broker consent contracts: it anchors the *identities* on each side so the platform's own consent model is enforced against a network fact, not a portable secret.

---

## No new silo. Mapped to your standards. Priced so you can say yes.

- **A feed, not another console.** Splunk, Microsoft Sentinel and OpenCTI connectors ship today; CEF and ECS mappings; STIX 2.1 over TAXII on the roadmap.
- **Speaks your compliance language.** ISO 24882 (DIS, October 2025), AEF Guideline 040, the EU Data Act, Ag Data Transparent.
- **Flat, forecastable TCO.** Per-machine, per-year and flat. [See pricing →](/pricing)
- **On-prem or your own tenant.** Fail-open by design: a Whisper outage never parks a machine.
- **A vendor built to outlast the question.** Real routable address space (AS219419).
- **Keyless to prove, one call to adopt.** The claim is checkable before the contract.

> **"Will you still be here in five years, and is my growers' data yours?"**
> Real address space, your tenant, your call. We hold no agronomic data: the graph
> and logs run on-prem or in your own tenant, the identity plane fails open so our
> uptime never gates a machine, and the trustless verify path means you, or a farmer,
> can audit the core claim without trusting us at all.

---

## Keep your stack. Close the two gaps.

Whisper is the attribution and identity layer that sits on top of the SOC and threat
intel you already run: additive, mapped to your standards, flat to price. Keyless to
try, one call to provision, one more to revoke.

Or run `whisper verify --trustless` right now: our API isn't in the trust path.
