Comments let your team attach context, decisions, and evidence directly to the finding they relate to — instead of in a separate ticket, spreadsheet, or chat thread. Comment Templates turn the responses you write over and over (triage notes, accepted-risk justifications, escalation language) into one-click reusable text, scoped per module.
Comments are a per-row affordance: most list pages (Alerts shown here) expose a chat-bubble icon on each finding with a badge for the comment count.
A comment is a freeform note (optionally with an image attachment) pinned to a single finding — one alert, one web application, one leaked credential, one ransomware post, and so on. Wherever you see the chat-bubble icon (or a Comments button), you can open the thread for that item, read what teammates wrote, and add your own. The icon shows a red badge with the current comment count when a finding has at least one comment.
Comments are available across nearly every module in ShadowMap — attack surface, threats, brand monitoring, data leaks, dark web, asset inventory, vendor risk, and threat intelligence — because each module type has its own comment "channel" keyed by an internal module type. A comment left on an alert is never mixed with a comment left on a web application, even if their underlying IDs happen to collide.
Templates are managed centrally under Settings → Comment Templates and surface as clickable chips inside the comment composer, filtered to the module you are working in.
model_id — the database ID of the specific finding (the alert, application, repo, etc.).
type — an internal module type number that identifies which kind of finding it is (Alerts = 2, Exposures/Web Applications = 1, Stealer Logs = 4, and so on — see the module type table below).
company_id — your organization. Comments are tenant-isolated: you only ever see your own organization's comments, and the API enforces this on every read.
Because the channel is (company, type, model_id), the same comment thread follows a finding wherever it appears — the list row, the detail page, and the side drawer all read and write the same thread. Add a comment from the row icon and it is immediately visible when you open the full detail view of that item.
Required. Free text; line breaks are preserved when displayed.
Attachment
Optional single image — .jpg, .jpeg, or .png only, max 3 MB. Other file types and oversized files are rejected client-side and server-side.
Author
Captured automatically from your logged-in user. Displayed with a colored initial avatar. If the author's account is later removed, the comment remains but the author shows as NA / "User No Longer Exists."
Timestamp
Captured automatically and shown as relative time (for example, "3 days ago").
Comments are append-only from the UI — there is no edit or delete control on an individual comment in the standard comment panel. Treat a comment as a permanent record of what was known and decided at that point in time. (A few modules expose their own comment-delete endpoints for module-specific comment threads, but the shared comment composer described here does not.)
Adding a comment is an auditable event. For finding types that the platform resolves to a concrete object — currently Exposures/Applications (type 1) and Alerts (type 2) — adding a comment writes an add-comment entry into the Activity feed, attributed to you and carrying the comment text. This means comment activity on those high-traffic finding types shows up in the audit trail without anyone having to remember to log it.
A comment template is a saved snippet of text bound to one module type. In the composer, ShadowMap shows you only the templates for the module you are currently in — open the composer on a phishing finding and you see phishing templates, open it on an alert and you see alert templates. Click a template chip and its text drops into the comment box, ready to edit before you post.
Templates have two creation paths that both land in the same place:
Save Template in any comment composer — takes whatever you have typed and saves it as a template for that module, so it appears as a chip next to that module's composer from then on.
Settings → Comment Templates — a full management table to create, edit, and delete templates for any module (see Managing templates).
Templates are organization-scoped: a template you save is available to everyone in your organization who works in that module, not just you.
Why scope templates per module
Triage language is module-specific. The standard note you leave on a domain-squatting candidate ("benign parked domain, no MX, accepting risk") is useless on an open port, and vice-versa. Scoping templates to a module type keeps each composer's chip list short and relevant instead of a wall of unrelated snippets.
The exact placement varies slightly by module, but the interaction is consistent:
Open the thread. Click the chat-bubble icon on a list row, the Comments button/section on a detail page, or the comments area in a finding's side drawer. The badge on the icon tells you how many comments already exist.
Write your note. Type into the composer. To reuse a saved response, click one of the template chips to drop its text in, then edit as needed.
(Optional) Attach an image. Click Add File and choose a .jpg, .jpeg, or .png up to 3 MB — useful for a screenshot of the live exposure, a proof-of-concept, or a takedown confirmation. Remove it with the file chip's close button before posting if you change your mind.
(Optional) Save as a template. If this is a note you will reuse, click Save Template to make it a chip for this module before or after posting.
Post. Click Add Comment / Add. The new comment appears at the top of the thread immediately, stamped with your name and the time.
Existing comments render newest-first as a thread of cards, each showing the author avatar, name, relative timestamp, the note text, and a View attachment affordance if an image was attached (it opens full-size in a modal).
TIP
Comments are the right home for the "why" behind a status change — why an alert was closed as a false positive, why a leaked credential was marked a duplicate, why a squatting domain is being left in monitoring. Pair a status change with a one-line comment and the next analyst (or auditor) never has to guess.
Choose a Module from the dropdown — this determines which composer the template will appear in. The dropdown is populated from the platform's canonical module-type list.
Edit opens the same modal pre-filled. You can change the template text, but the module cannot be changed on an existing template — module assignment is fixed at creation. To move a snippet to a different module, create a new one and delete the old.
Delete removes a single template (with a confirmation prompt).
Bulk delete — select rows with the row checkboxes (or the select-all header checkbox) and use the Delete button that appears in the bulk action bar to remove several at once.
View the Comment Templates settings page and module-type list
settings.comment-template:read
Edit or delete a template from Settings
settings.comment-template:write
Create a template (Settings Create Template or a composer's Save Template)
Any authenticated user (no special permission)
Add a comment on a finding
Any authenticated user (no special permission)
WARNING
Adding comments and creating templates (from a composer's Save Template or the Settings Create Template button) require only an authenticated session — creation is not gated behind the settings.comment-template permission. The settings.comment-template permission governs viewing the management page (:read) and editing or deleting existing templates (:write). If you need to restrict who can author templates organization-wide, manage that through roles and permissions and your team's process.
Comments and templates are keyed by an internal module type. The same numbering powers SLA policies. The values below are the ones the comment and template system recognizes — useful when you want to confirm that a template you saved will appear on the finding you expect.
Module
Type
Module
Type
Exposures (Web Applications)
1
Subdomains
30
Alerts
2
Leaked Credentials
31
Stealer Log
4
CMDB Reconciliation
35
Ransomware Group & Forum
5
Executive Monitoring
36
Data Breaches
6
Tracker (JS Trackers)
37
Docker Container
7
Internal Host
38
Domain Squatting
10
IP Address
39
Phishing & Impersonations
11
Shortener URL
40
Leaked APIs
12
Stack Overflow
41
Leaked File
13
Campaign
42
Code Repositories
14
CVE
43
Mobile Application
15
IOC Search
44
Social Media Monitoring
16
Malware
45
S3 Bucket
17
Ransomware
46
Open Ports
18
Threat Actor
47
IP Reputation
19
Threat Feed
48
Telegram Conversations
20
App Misconfiguration
49
Credit Card Leaks
22
Defacement
50
SSL Certificates
23
Network Service
51
Elastic Search Instances
27
Technology Stack
52
Executive Leak
28
SSO Login Page
53
(Numbering is not fully contiguous; not every module type exposes the shared comment composer.)
Can I edit or delete a comment after posting? Not from the standard comment panel — comments there are append-only and permanent, which keeps them reliable as an investigation record. If you posted the wrong text, post a follow-up correction. A handful of modules implement their own comment threads with delete support, but the shared composer documented here does not.
Who can see my comments? Everyone in your organization with access to that finding. Comments are isolated per organization (tenant) — no other ShadowMap customer ever sees them — but they are not private to you within your own org.
Why don't my templates show up on this finding? Templates are scoped to a single module type. A template you saved against, say, Phishing will only appear in the composer on phishing findings. Check the Module column on the Comment Templates settings page, and create a separate template for each module where you need the snippet.
Why can't I change the module on an existing template? Module assignment is fixed at creation to avoid silently re-scoping a snippet that teammates already rely on. Create a new template under the correct module and delete the old one.
What file types and sizes can I attach? A single image per comment — .jpg, .jpeg, or .png, up to 3 MB. There is no support for PDFs, documents, or multiple files. For larger evidence, link to it in the comment text or use an integration to push the finding to a system that handles attachments.
Do comments show up in reporting or audit logs? Adding a comment to an Exposure or an Alert records an add-comment event in the Activity feed with your name and the comment text. Other module types store the comment but may not emit an activity event.
I see a comment author shown as "NA" — what happened? The user who wrote that comment has since been removed from your organization. The comment itself is retained; only the author attribution is lost.
Comments and Templates
Comments let your team attach context, decisions, and evidence directly to the finding they relate to — instead of in a separate ticket, spreadsheet, or chat thread. Comment Templates turn the responses you write over and over (triage notes, accepted-risk justifications, escalation language) into one-click reusable text, scoped per module.
Overview
A comment is a freeform note (optionally with an image attachment) pinned to a single finding — one alert, one web application, one leaked credential, one ransomware post, and so on. Wherever you see the chat-bubble icon (or a Comments button), you can open the thread for that item, read what teammates wrote, and add your own. The icon shows a red badge with the current comment count when a finding has at least one comment.
Comments are available across nearly every module in ShadowMap — attack surface, threats, brand monitoring, data leaks, dark web, asset inventory, vendor risk, and threat intelligence — because each module type has its own comment "channel" keyed by an internal module type. A comment left on an alert is never mixed with a comment left on a web application, even if their underlying IDs happen to collide.
Templates are managed centrally under Settings → Comment Templates and surface as clickable chips inside the comment composer, filtered to the module you are working in.
How it works
The comment system is the same code everywhere, so the mechanics below hold for every module.
Where a comment is stored
Every comment is stored against three things:
model_id— the database ID of the specific finding (the alert, application, repo, etc.).type— an internal module type number that identifies which kind of finding it is (Alerts = 2, Exposures/Web Applications = 1, Stealer Logs = 4, and so on — see the module type table below).company_id— your organization. Comments are tenant-isolated: you only ever see your own organization's comments, and the API enforces this on every read.Because the channel is
(company, type, model_id), the same comment thread follows a finding wherever it appears — the list row, the detail page, and the side drawer all read and write the same thread. Add a comment from the row icon and it is immediately visible when you open the full detail view of that item.What a comment can contain
.jpg,.jpeg, or.pngonly, max 3 MB. Other file types and oversized files are rejected client-side and server-side.NA/ "User No Longer Exists."Comments are append-only from the UI — there is no edit or delete control on an individual comment in the standard comment panel. Treat a comment as a permanent record of what was known and decided at that point in time. (A few modules expose their own comment-delete endpoints for module-specific comment threads, but the shared comment composer described here does not.)
Comments are logged as activity
Adding a comment is an auditable event. For finding types that the platform resolves to a concrete object — currently Exposures/Applications (type 1) and Alerts (type 2) — adding a comment writes an
add-commententry into the Activity feed, attributed to you and carrying the comment text. This means comment activity on those high-traffic finding types shows up in the audit trail without anyone having to remember to log it.Templates: how they scope and where they appear
A comment template is a saved snippet of text bound to one module type. In the composer, ShadowMap shows you only the templates for the module you are currently in — open the composer on a phishing finding and you see phishing templates, open it on an alert and you see alert templates. Click a template chip and its text drops into the comment box, ready to edit before you post.
Templates have two creation paths that both land in the same place:
Templates are organization-scoped: a template you save is available to everyone in your organization who works in that module, not just you.
Why scope templates per module
Triage language is module-specific. The standard note you leave on a domain-squatting candidate ("benign parked domain, no MX, accepting risk") is useless on an open port, and vice-versa. Scoping templates to a module type keeps each composer's chip list short and relevant instead of a wall of unrelated snippets.
Using comments on a finding
The exact placement varies slightly by module, but the interaction is consistent:
.jpg,.jpeg, or.pngup to 3 MB — useful for a screenshot of the live exposure, a proof-of-concept, or a takedown confirmation. Remove it with the file chip's close button before posting if you change your mind.Existing comments render newest-first as a thread of cards, each showing the author avatar, name, relative timestamp, the note text, and a View attachment affordance if an image was attached (it opens full-size in a modal).
TIP
Comments are the right home for the "why" behind a status change — why an alert was closed as a false positive, why a leaked credential was marked a duplicate, why a squatting domain is being left in monitoring. Pair a status change with a one-line comment and the next analyst (or auditor) never has to guess.
Managing templates
The Settings → Comment Templates page is the central admin view for reusable comment text.
The table lists every template in your organization with these columns:
Creating a template
Editing and deleting
Permissions
settings.comment-template:readsettings.comment-template:writeWARNING
Adding comments and creating templates (from a composer's Save Template or the Settings Create Template button) require only an authenticated session — creation is not gated behind the
settings.comment-templatepermission. Thesettings.comment-templatepermission governs viewing the management page (:read) and editing or deleting existing templates (:write). If you need to restrict who can author templates organization-wide, manage that through roles and permissions and your team's process.Module types
Comments and templates are keyed by an internal module type. The same numbering powers SLA policies. The values below are the ones the comment and template system recognizes — useful when you want to confirm that a template you saved will appear on the finding you expect.
(Numbering is not fully contiguous; not every module type exposes the shared comment composer.)
Common questions
Can I edit or delete a comment after posting? Not from the standard comment panel — comments there are append-only and permanent, which keeps them reliable as an investigation record. If you posted the wrong text, post a follow-up correction. A handful of modules implement their own comment threads with delete support, but the shared composer documented here does not.
Who can see my comments? Everyone in your organization with access to that finding. Comments are isolated per organization (tenant) — no other ShadowMap customer ever sees them — but they are not private to you within your own org.
Why don't my templates show up on this finding? Templates are scoped to a single module type. A template you saved against, say, Phishing will only appear in the composer on phishing findings. Check the Module column on the Comment Templates settings page, and create a separate template for each module where you need the snippet.
Why can't I change the module on an existing template? Module assignment is fixed at creation to avoid silently re-scoping a snippet that teammates already rely on. Create a new template under the correct module and delete the old one.
What file types and sizes can I attach? A single image per comment —
.jpg,.jpeg, or.png, up to 3 MB. There is no support for PDFs, documents, or multiple files. For larger evidence, link to it in the comment text or use an integration to push the finding to a system that handles attachments.Do comments show up in reporting or audit logs? Adding a comment to an Exposure or an Alert records an
add-commentevent in the Activity feed with your name and the comment text. Other module types store the comment but may not emit an activity event.I see a comment author shown as "NA" — what happened? The user who wrote that comment has since been removed from your organization. The comment itself is retained; only the author attribution is lost.
Related
settings.comment-template).