# Compare — Whisper vs Upstream · additive to your SIEM and threat intel

> Your VSOC sees *that* a fleet API is abused — not *who*, and not whether it's really the car.
> Upstream, Recorded Future, Sentinel, Mandiant, VirusTotal — each is good; keep running every one.
> Whisper is the two layers no one else owns — attribution that outlives IP rotation, and identity
> that outlives a stolen token — and it feeds your stack rather than replacing it.

The fleet-API attack survives the whole stack, because it exploits two seams no single tool
was built to close: **attribution that outlives IP rotation**, and **identity that outlives a
stolen token**. Whisper is those two layers — and only those. Additive, never a replacement:
it feeds your SIEM and threat intel, closes both gaps, and makes everything else on this page
sharper. **The address is the car — provable, and no one can forge it.**

`whisper verify --trustless` — the one differentiator every tool here lacks: you never have to trust *our* API.

- **2 gaps** — the two seams every fleet-API attack walks through — both closed here
- **0** — rip-and-replace; Whisper sits on top of your SIEM and TI
- **STIX 2.1** — a machine-readable feed (CEF · ECS today) — TAXII export on the roadmap
- **flat** — per-VIN, per-year — not per-transaction, not usage-metered
- **trustless** — verify a car's identity without trusting our API

---

## Every tool here is good. The incident survives in the seams *between* them.

The fleet-API attack — steal a valid session, enumerate VINs through a `BOLA/IDOR` flaw,
rotate egress across clouds and residential proxies — passes every perimeter check on
purpose. Strip it down and it leans on exactly two structural gaps. Here's which category
of tool leaves each one open, and why.

### Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. Your VSOC sees only the ephemeral *last IP*,
inside your own cloud — and it was never the attacker. Curated threat intel doesn't close
this either: Recorded Future, Mandiant and VirusTotal match what's *already known*, but a
just-spun cloud IP and a residential-proxy swarm are, by definition, not yet in anyone's feed.

**Only Whisper closes it — the graph.** A live internet-infrastructure graph —
**7.44B** nodes and **39.3B** relationships of fused BGP, DNS,
WHOIS, TLS, hosting and threat intel, answering in under 300 ms — fingerprints the *operator*,
not the IP. Cloud rotation collapses into one infrastructure genealogy (shared ASN, hosting,
certificate lineage); a residential swarm collapses on a `JA4/JA3` client fingerprint that
travels with the tooling regardless of the exit. Every answer is a reproducible evidence
chain your auditors and a regulator can replay.

### Gap 2 · abuse that passes auth looks legitimate

A stolen session or a leaked dealer-portal key *is* a valid credential — behaviorally it's a
customer. A behavioral VSOC can flag the *pattern* once it's anomalous enough, but the
credential itself is a bearer secret: whoever holds it, holds it. Nothing at the perimeter,
and no threat-intel feed, tells a real car from an impostor that presents a genuine token.

**Only Whisper closes it — identity.** Bind the session to the car's own forge-proof **/128**,
derived from the key already sitting in the vehicle's secure element. State-changing fleet
commands terminate mutually-authenticated to the *target car's* /128 — the car co-signs — so a
request that passes auth but can't cryptographically prove the identity never had authority.
Not detected late; *structurally impossible*.

Gap 1 is detection made durable across rotation. Gap 2 is the root cause removed. No tool you
already run was built to close either — that's the white space, and it's exactly the two gaps
the fleet-API attacks exploit.

---

## The attacker asks three questions. Your stack answers only the first.

Line the categories up against the questions an incident actually forces you to answer, and
the picture is honest and simple: the app layer is well covered, and the two layers underneath
it are the seams.

```
① Is a fleet API being abused?          ──▶  covered — your VSOC / Upstream (app layer, in your cloud)
② Who's really behind it, across        ──▶  GAP 1 — known-indicator TI matches only what's already known
   cloud + residential rotation?
③ Is this really the car — after auth?  ──▶  GAP 2 — no tool on your stack

                                    Whisper spans ② + ③ and feeds ①
                                    operator fingerprint · JA4 · DANE-EE /128 · car co-signs
                                    evidence chain → your SIEM (STIX 2.1 · TAXII · CEF · ECS)
```

Additive by construction: Whisper owns the two layers no one else does, and hands the first
layer a sharper feed. Keep your VSOC and your threat intel — Whisper closes what they can't reach.

---

## Upstream sees *that* an API is abused. Whisper tells you *who* — and that it's really the car.

Upstream is the best behavioral VSOC on the market. Cloud-native and agentless, it ingests
telematics, OTA, diagnostics, dealer and API traffic into a live digital twin and does stateful
app-layer detection — BOLA, business-logic abuse — well. That's necessary, you should run it,
and it's where the picture stops: inside your own cloud, at the app layer, seeing the last IP.

Whisper adds the two layers Upstream doesn't reach — attribution across rotating clouds and
residential proxies, and a device/agent identity plane that separates a legitimate car from an
impostor *after* auth. On Upstream's own turf we're honest: we're an **additive feed**, not a
second detector.

| Capability | Upstream | Whisper |
|---|---|---|
| Detect fleet-API abuse in your cloud — BOLA / IDOR, business-logic, digital twin | ✓ | additive feed |
| Attribute the operator across Amazon → Google → Azure rotation | — | ✓ |
| Collapse a residential-proxy swarm to one operator (`JA4/JA3`) | — | ✓ |
| Forge-proof per-car identity, checked **after** auth (DANE-EE /128) | — | ✓ |
| Per-agent identity + default-deny egress governance (SDV / MCP / LLM) | detecting | ✓ native |
| Reproducible, signed evidence chain a regulator can replay | — | ✓ |
| Trustless verification — no need to trust the vendor's API | — | ✓ |
| Deploys as | cloud-native agentless twin, in your cloud | additive feed · on-prem / own-tenant |
| Pricing model | cloud-scale ingestion | flat, per-VIN / year |

> **"Upstream already flags BOLA and business-logic abuse. What do I need you for?"**
> To answer the next two questions. Flagging *that* an API is abused doesn't tell you *who* is
> behind it when the IP rotates, and it can't stop a genuine, stolen token — it can only notice
> the pattern once it's anomalous enough. The graph names the operator and follows them across
> the rotation; the identity plane makes "one IP → thousands of cars" *physically impossible*,
> not merely detected. Upstream sees the symptom sharply; we close the two gaps that let it recur.

---

## It makes Recorded Future, Sentinel and Mandiant sharper. It doesn't replace them.

The threat intel and SIEM you already run are broad, curated and load-bearing — keep them.
Their strength is known indicators and correlation; their blind spot is live, first-sighting
attribution across rotating infrastructure, and identity after auth. Whisper is depth on exactly
that blind spot, and it arrives as a feed *into* the tools below, mapped to their formats.

Additive one layer deeper, too: Whisper rides *on top of* the X.509 device-cert over MQTT/mTLS
your connected-vehicle cloud already runs — **AWS IoT Core**, **Azure**, **Google Cloud**, where
the cloud vendor is the CA — anchoring that same identity in public DNSSEC/DANE, RDAP-registered
and trustlessly verifiable *outside* that cloud's tenancy. It layers out-of-tenancy identity,
attribution and agent governance on top of both your cloud's device auth *and* the SIEM and
threat intel you own — and replaces none of it.

| Capability | Recorded Future | Microsoft Sentinel | Mandiant / Google TI | VirusTotal | Whisper |
|---|---|---|---|---|---|
| Broad curated threat intel — known indicators & actors | ✓ | via feeds | ✓ | ✓ | consumes + feeds |
| SIEM backbone — correlation, alerting, the VSOC hub | — | ✓ | — | — | feeds it |
| Live attribution across rotating clouds + residential (`JA4/JA3`) | known only | — | known only | known only | ✓ |
| Forge-proof per-car / per-agent identity, after auth | — | — | — | — | ✓ |
| Agentic read-only graph query (Cypher) over live infra | — | — | — | — | ✓ |
| Automotive-native — VSOC + Auto-ISAC ATM mapping | generic | via content | generic | — | ✓ |
| Pricing shape | licensed by module | platform + ingest | licensed | tiered API | flat, per-VIN |

Whisper is additional depth, flexibility, agentic query and flat pricing *on top of* the SIEM
and threat intel you already run. It makes Recorded Future, Sentinel and Mandiant sharper — it
doesn't replace them, and it doesn't add a console your analysts babysit.

### Every tool here, you must trust. Ours, you don't have to.

Every feed and console on this page asks you to trust its verdict. Whisper's core claim — *this
address is that car* — is checkable by anyone, against the IANA DNS root, with our own API
deliberately outside the trust path. No account required.

```sh
# keyless — re-derive and verify any car's identity, trustless
$ whisper verify --trustless 2a04:2a01:1c0::c0de
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# who really operates a suspicious host — the public graph API, with your key
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

---

## Whisper is one layer, done well. It sits beside these — not over them.

Plenty of good vendors live in-vehicle or in the compliance binder. That's a different lane,
and we don't claim it. Naming the boundary is the point: it's how you know exactly what you're buying.

- **In-vehicle IDPS / embedded security.** Host and network intrusion detection inside the ECU and the vehicle bus, plus embedded firewalls and HSM integration. That's the silicon and the CAN/Ethernet backbone — Whisper is on the wire and in the cloud. Fully complementary; it runs below us.
- **SBOM & compliance automation.** Software bill-of-materials, CSMS/SUMS workflow, vulnerability management and the type-approval paperwork. That's the binder and the build. Whisper is runtime identity and live attribution — it produces evidence *for* that process, it isn't that process.
- **Managed VSOC services & SIEM apps.** People and playbooks around the SOC, and the Splunk apps that structure it. Whisper is a feed those services consume — STIX 2.1 over TAXII, CEF and ECS — sharpening the analysts, not replacing the desk they sit at.

We don't do embedded IDS, SBOMs or type-approval paperwork, and we don't pretend to. Whisper is
the network-identity and attribution layer — the one thing on this page that closes both
fleet-API seams — and it's honest about being exactly that.

---

## No new silo. Mapped to your standards. Priced so you can say yes.

The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing
you already run gets torn out; one line item closes two gaps and feeds everything else.

- **A feed, not another console.** The Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS, with **STIX 2.1 over TAXII** export on the roadmap; a sample Sentinel analytics rule and a Splunk CIM mapping ship in the docs. Zero analysts babysitting a new pane of glass.
- **Speaks your compliance language.** Maps to UN **R155**/R156 and **ISO/SAE 21434** evidence, and to the **Auto-ISAC Automotive Threat Matrix** — findings tagged to ATM tactics and techniques, with the ATM's machine-readable JSON export on the roadmap for sharing straight to Auto-ISAC and your peers. Usable in TARA and type approval.
- **Flat, forecastable TCO.** Per-VIN, per-year and flat — not per-transaction, not usage-metered. Against 40-billion-API-call-a-month economics that's a line item you can forecast, not a metered cloud bill you can't. ROI in analyst-hours saved correlating disposable IPs, warranty and recall exposure reduced, and one `revoke` instead of a fleet-wide reset. [See pricing →](/pricing)
- **On-prem or your own tenant.** Data residency and GDPR by construction — the graph and the per-agent logs stay where your regulator needs them. The identity plane is built to **fail open**: a Whisper outage never bricks a car; checks degrade to your existing anchors.
- **A vendor built to outlast the question.** Real routable address space (**AS219419**), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Auto-security startups fail — one raised ~$60M and folded; we built infrastructure to outlast that doubt.
- **Keyless to prove, one call to adopt.** Nothing about the decision is a leap of faith: run `whisper verify --trustless` today with no account, then POC → pilot → enterprise on real address space. The claim is checkable before the contract.

> **"Will you still be here in five years — and is my fleet's data yours?"**
> Real address space, your tenant, your call. AS219419 and founders who operated core internet
> registries and DNS aren't a burn-rate story. The graph and logs run on-prem or in your own
> tenant for data residency, the identity plane fails open so our uptime never gates a car, and
> the trustless verify path means you can audit the core claim without trusting us at all.
> *Additive* also means low switching cost in both directions — the safest way to start.

---

## Keep your stack. Close the two gaps.

Whisper is the attribution and identity layer that sits on top of the VSOC and threat intel you
already run — additive, mapped to your standards, flat to price. Keyless to try, one call to
provision, one more to revoke.

Bring your fleet home → <https://console.whisper.security/sign-up> · [For OEM security →](/oem-security)

Or run `whisper verify --trustless` right now — our API isn't in the trust path.

---

*Whisper for Automotive · Identity on the wire for connected vehicles · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
