Domains

The Domains view is the root of your external attack surface. Each row is a registrable domain (an apex such as example.com) that ShadowMap has discovered and attributed to your organization. Every subdomain, IP address, web application, SSL certificate, and security finding ShadowMap tracks ultimately hangs off one of these domains — so an untracked domain is, by definition, an unmonitored slice of your attack surface.

Overview

The page has three stacked layers above the table:

• Metrics strip — four KPI cards (Total Domains, Expiring Soon, Expired, Certificate-Valid). Each card is clickable: the three validity cards apply the matching validity filter, while Total Domains clears all filters back to the full list.
• Analytics panel — a 6-month domain discovery trend, top registrars, top hosting countries, and a domain-validity breakdown. Toggle it from the header; it follows whatever filters are active, not global totals.
• Validity tabs — All, Valid, Expiring Soon, Expired, No Expiry Date, each with a live count badge.

Below that sits the filterable, sortable domain table. Clicking any row opens a side drawer; from the drawer you can open the full detail page. Use the metrics and analytics toggles in the page header to collapse either band and reclaim vertical space.

How it works

These are the mechanics you cannot infer from the table itself.

How domains get here

Domains are populated by ShadowMap's discovery pipeline, not entered by hand. A domain is attributed to your organization through a combination of signals — WHOIS registrant data, ownership of the IP space the domain resolves into, and SSL certificates that chain back to your known assets. Those three signals surface explicitly on the detail page as Confidence Attribution (see Detail view). Because attribution is signal-based, the list reflects what ShadowMap can observe and tie back to you; it is not limited to domains you have manually declared.

Online vs. Offline

The status dot on each row is set from the most recent scan. Internally status = 1 renders as Online (green) and status = 0 as Offline (red). "Offline" means the domain did not respond on the last scan — it is still tracked and still part of your inventory, it simply isn't currently serving.

Validity buckets (the 30-day rule)

The metrics cards, the tabs, and the row badges all classify a domain by its WHOIS expiry date against one shared rule. Counting from today:

Bucket	Condition	Why it matters
Expired	Expiry date is in the past	The registration has lapsed. The domain is at risk of being dropped and re-registered by a third party (domain takeover / brand hijack).
Expiring Soon	Expires within the next 30 days	Renew now. This window is fixed at 30 days across the whole module.
Valid (a.k.a. Certificate-Valid)	Expires more than 30 days out	Healthy registration.
No Expiry Date	No usable expiry date (null, blank, or 0000-00-00)	WHOIS did not return an expiry. Common for .gov-class TLDs, some ccTLDs, and registrars that withhold the field — not necessarily a problem, but it means expiry monitoring can't apply.

Why "Certificate-Valid" instead of "Valid"

On tenants where every domain lacks a WHOIS expiry date, a card simply labeled "Valid" reads as 0 while the "No Expiry Date" tab is full — which looks broken. The Total/Valid card is labeled Certificate-Valid and its subtitle surfaces the no-expiry count, so the metric reconciles with the sibling tab. The "Valid" tab and the "Valid" filter value still use the same 30-day rule.

The same DomainValidity rule drives the list, the summary counts, the category filters, and the export — so a count on a card always matches the count behind its tab.

Related-asset counts are live cross-links

The Subdomains / Alerts / Apps / SSL / IPs numbers on each row (and on the detail page) are counts of assets tied to that domain. When a count is greater than zero it is clickable and navigates to the corresponding module, pre-filtered to that domain (or any host ending in .<domain>). This is the fastest way to pivot from "this domain" to "everything under it."

Relevance

The Relevance column shows a relevance indicator for the domain. Use it to triage which attributed domains are most likely to be core to your organization versus peripheral. Sorting in the table is available on Domain and Last Seen; the default sort is most-recently-seen first.

Understanding the data

Columns are configurable through the column customizer in the page header (the Domain column is locked and always shown).

Column	What it shows
Status dot	Online (green) / Offline (red), from the last scan. Shown next to the row checkbox.
Domain	The root domain name. Sortable. Always visible.
Registrar / Validity	Registrar name, the registered-to-expiry date range, and a validity badge — Expired N days ago (red) or Expiring in N days (amber) — when applicable.
DNS	Up to three resolved DNS records inline, with a +N more indicator. SOA records are excluded from the inline view. Full records live on the detail page.
Country / ASN	Hosting/registration country (with flag) and the primary autonomous system number (e.g. AS13335).
Related Assets & Tags	The five related-asset counters (Subdomains, Alerts, Apps, SSL, IPs) plus any custom tags applied to the domain.
Orgs	Business units or entities associated with the domain (truncated with a +N overflow).
Relevance	Relevance indicator for the domain.
Last Seen	Relative time since the last successful scan. Sortable.

Each row also carries a bookmark star and a comment affordance (the comment count opens an inline thread).

Filtering & search

The filter bar supports structured, multi-condition queries. Available filter fields:

Filter	Notes
Domain	Full or partial domain-name match.
Status	Online or Offline.
Domain Validity	Valid, Expired, Expiring Soon, or No Expiry Date.
Country	Hosting/registration country.
ASN	Autonomous system number.
Registrar	Registrar name.
Organization	Associated business unit / entity.
DNS	Filter on DNS records.
Bookmarked	Limit to bookmarked domains.
Added On	Date the domain was first added.
Last Seen	Date of most recent scan.
Custom tags	Any user-defined tag key/value.

Conditions can be combined with AND or OR. Two shortcuts sit beside the filter bar:

• Bookmarked toggle — quickly restrict the list to domains you have starred.
• Tabs — the validity tabs (Valid / Expiring Soon / Expired / No Expiry Date) are one-click presets equivalent to a Domain Validity = filter, and the metric cards apply the same presets.

Your active filter state is preserved in the URL (shareable) and carried into exports.

Detail view

Clicking a row opens a side drawer for fast inspection; the drawer's Open full page link loads the full detail page (also reachable directly at a per-domain URL). Use j / k to move between domains in the drawer, s to bookmark, Space to select, and Escape to close.

The full detail page is organized into four tabs.

Overview

• Metadata cards — Registered Date, Expiry Date, Last Seen, Registrar, Country (with flag), ASN.
• Organizations — associated business units/entities as chips.
• Confidence Attribution — three yes/no signals that explain why this domain is attributed to you:
  • Domain Owned — WHOIS / registration evidence links the domain to your organization.
  • IP Owned — the IP space the domain resolves into is yours.
  • SSL Cert Linked — a certificate ties the domain back to your known assets.
• WHOIS Information — registrant name, registrant company, registrant email, WHOIS server, last WHOIS update, and name servers, where available.
• Custom Tags — any tags applied to the domain.

DNS & Infrastructure

Current DNS records grouped by type (A, AAAA, MX, NS, CNAME, etc.), each group showing up to five records with a show-more control and a copy-to-clipboard button. All TXT variants — TXT, SPF, DKIM, DMARC, verification, and misc — are merged into a single TXT (combined) group, and SOA is omitted. Use this tab to confirm DNS is configured as intended and to spot unexpected records (for example a mail or verification record you don't recognize).

Related Assets

A card grid for Subdomains, Alerts, Applications, SSL Certificates, and IP Addresses. Each card with a non-zero count links straight into that module, scoped to this domain:

Card	Lands on
Subdomains	Subdomains, filtered to hosts under this domain
Alerts	Alerts, Needs Review, filtered to this domain
Applications	Web Applications, filtered to this domain
SSL Certificates	SSL Certificates, searched on this domain
IP Addresses	IP Addresses

Activity

A timeline (Last Seen, Registered, Expires — with an expired marker), the domain's tags, and a threaded comments section where analysts can post notes to record investigation context. Comments are keyed to the domain and shared with the inline comment thread on the list row.

Taking action

Action	How	What it does
Inspect	Click a row	Opens the drawer; Open full page for the full record.
Bookmark	Star icon on a row, s in the drawer, or bulk-bookmark from the action bar	Flags domains for follow-up; the Bookmarked toggle filters to them.
Tag	Custom tags on a row / detail view	Apply user-defined labels (business unit, owner, environment) for classification and filtering. Tags are also filterable.
Comment	Comment affordance on a row, or the Activity tab	Records investigation notes on the domain.
Pivot to related assets	Click any non-zero related-asset count	Jumps to the related module pre-filtered to this domain.
Share	Select rows → Share in the bulk action bar, or share a single domain from its row	Shares the selected domains via your configured integration.
Export	Export button beside the filter bar	Runs a background export of the current filtered, sorted view (validity labels included). You're notified when the file is ready.

Bulk actions appear in an action bar once you select one or more rows (select-all, deselect-all, bookmark, share).

Common questions

Where do these domains come from — do I have to add them? They're discovered for you. ShadowMap attributes domains through WHOIS, IP-space ownership, and SSL certificate linkage. The Confidence Attribution panel on each domain's detail page shows which of those signals fired.

A domain shows "Offline" — is it gone? No. Offline means it didn't respond on the most recent scan. It stays in your inventory and keeps being monitored; the status simply reflects the last scan result.

Why does the "Valid" card read 0 when I clearly have valid domains? Those domains likely have no WHOIS expiry date, so they're bucketed under No Expiry Date rather than Valid. The card is labeled Certificate-Valid and its subtitle shows the no-expiry count to make this explicit. "Valid" specifically means an expiry date more than 30 days out.

What exactly is "Expiring Soon"? A WHOIS expiry date within the next 30 days. The window is fixed at 30 days everywhere in this module (card, tab, and the amber row badge).

Do the Subdomains / Apps / SSL counts on a row do anything? Yes — any non-zero count is a link. It takes you to the relevant module filtered to that domain (or any host under it), which is the quickest way to drill from a domain into its assets.

Does Export respect my filters? Yes. Export runs against the current filter and sort state and includes the computed validity label. It runs in the background and notifies you when ready.

Why are some rows missing an expiry or registrar? Some TLDs and registrars don't publish those WHOIS fields (or redact them). ShadowMap shows what it can resolve and buckets unparseable/absent expiry dates under No Expiry Date.

Related

• Subdomains — the hosts discovered under each root domain.
• IP Addresses — the IP space your domains and hosts resolve into.
• Asset Inventory overview — how Domains fits alongside subdomains, IPs, and internal hosts.
• SSL Certificates — certificates issued for your domains; one of the attribution signals.
• Web Applications — applications detected on these domains.
• Alerts — security findings tied to a domain and its assets.
• WHOIS Lookup — on-demand WHOIS for any domain.
• Custom Tags and Saved Searches — organize and re-run domain queries.