Comment Templates
Comment Templates are saved, reusable text snippets that appear as one-click chips inside the comment dialog on findings. They let your team paste consistent triage language — "Confirmed false positive, asset is decommissioned", "Accepted risk, compensating control in place", "Escalated to app owner, ticket JIRA-1234" — instead of retyping the same notes on every alert, leaked credential, or phishing URL.
Overview
This page (Settings → Comment Templates) is the management console for your organization's template library. Each row is one template, scoped to a single module:
MODULE — the finding type this template is available on (Alerts, Phishing & Impersonations, Leaked Credentials, etc.).
TEMPLATE — the snippet text, truncated to 80 characters in the table (the full text is what gets inserted).
ADDED BY — the member who created the template (shows NA if that user has since been removed).
UPDATED BY — the member who last edited it.
ACTION — per-row Edit and Delete controls.
From the header you can Create Template, and by selecting rows you get a bulk bar with Delete for removing several at once. The same templates you manage here are what your analysts see — as clickable chips — when they open the comment dialog on a finding in the matching module.
How it works
The mechanics that aren't visible from the table itself:
Templates are bound to one module type. When you create a template you pick a Module from a fixed list of 46 finding types (Alerts, Open Ports, Phishing & Impersonations, Leaked Credentials, Mobile Application, S3 Bucket, CVE, and more — the full set is in Module Coverage). A template only appears in the comment dialog for findings of that module. There is no "all modules" option; if you want the same snippet on both Alerts and Phishing, you create it twice.
They surface as chips in the comment dialog. When an analyst opens comments on a finding, ShadowMap queries the template library for that finding's module type and renders each matching template as a small chip above the comment box. Clicking a chip replaces the comment text with the template's full text — the analyst can then edit it before posting, or post as-is. Hovering a chip shows the full template in a tooltip (useful because the chip itself is space-limited).
Click replaces, it does not append
Clicking a template chip overwrites whatever is currently in the comment box with the template text. It is a starting point, not an insert-at-cursor. Type your finding-specific details after clicking.
Analysts can promote a comment into a template on the fly. The comment dialog has a Save Template button. Whatever text is currently in the comment box gets saved as a new template for that finding's module — no need to come back to this Settings page. That template then immediately appears for everyone in your organization on that module. This is the most common way the library grows: a good note written once during triage becomes reusable.
Scope is per-company. Templates you create belong to your organization only. They are never visible to other ShadowMap tenants. Within your organization, every member sees the same shared library — there are no private/personal templates. Both this Settings list and the in-dialog chips are filtered to your organization's templates.
Templates are just text. There is no variable substitution, no merge fields (no or ), and no formatting/markdown rendering — the snippet is inserted as plain text exactly as you wrote it. Keep them generic enough to reuse, then fill in specifics manually.
Creating a template
In the Module dropdown, choose the finding type this template should apply to. The help text reminds you that "Module type determines where this template is available."
In the Template box, write the reusable comment text. Both a module and non-empty text are required.
Click Create Template. The template is saved to your organization's library and is immediately available as a chip in that module's comment dialog.
Build templates around your workflow states
The highest-value templates map to the decisions your team makes repeatedly: marking something a false positive, accepting a risk with a stated compensating control, confirming remediation, or handing off to an owner. Pairing these with your Severity & Status workflow keeps triage notes consistent and auditable.
Editing and deleting
Edit (pencil icon) opens the editor with the template text loaded. You can change the text, but the module type is locked on an existing template ("Module type cannot be changed for existing templates"). To move a snippet to a different module, create a new template there and delete the old one. Saving updates the text and records you as UPDATED BY.
Delete (trash icon) removes a single template after a confirmation prompt.
Bulk delete — tick the checkbox on one or more rows, then use Delete in the bulk bar that appears in the header. Clear deselects everything.
Deletion is permanent and immediate
Deleting a template is a hard delete — there is no archive or undo. It disappears from the comment dialog for every member of your organization right away. Comments already posted using that template are unaffected (the text was copied into the comment when it was posted).
Module Coverage
A template's Module determines which findings show it. The 46 available module types are:
Stealer Log, Malware Compromised Users, Malware Compromised Computers, Data Breaches, Ransomware Group & Forum, Telegram Conversations
Threat intelligence: Campaign, IOC Search, Malware, Ransomware, Threat Actor, Threat Feed
Vendor risk: Vendor Risk Management
Module labels match the SLA policy module list
This is the same module enumeration used by SLA Policies. A "Module" in Comment Templates is the same notion of finding type used to scope SLA timers, so the labels you see in both places line up.
Permissions
Comment Templates is governed by the settings.comment-template permission, with separate read and write operations:
Operation | Grants
Read | Open this Settings page and load its module-type list.
Write | Edit and delete existing templates.
Two things deliberately sit outside this read/write split and are gated only on being signed in: creating a template (the Save Template action in the comment dialog, and the add-template endpoint) and the list query that powers both this table and the in-dialog chips. In practice that means any authenticated member who can comment can create a template and see existing ones, but only members with the write operation can modify or remove existing templates, and the dedicated Settings page itself requires read. See Roles & Permissions and the RBAC Permissions reference for how to assign these.
Common questions
Do templates apply to every module or just one? Just one. A template is created against a single module type and only appears on findings of that module. To reuse the same wording across modules, create it once per module.
Where do my analysts actually see these? In the comment dialog on a finding. Templates for that finding's module appear as clickable chips above the comment box; clicking one loads its text so the analyst can post or tweak it.
Can I create a template without leaving the finding I'm triaging? Yes. Write your note in the comment box and click Save Template in the dialog. It's saved to the library for that module and becomes available to everyone immediately.
Why does clicking a chip erase what I already typed? Selecting a template replaces the comment text rather than inserting at the cursor. Choose your template first, then add finding-specific details after it.
Can I change which module a template belongs to? No. The module is fixed once a template exists. Create a new template under the target module and delete the old one.
Do templates support variables, like the asset name or date? No. Templates are plain text inserted verbatim — no merge fields, no markdown. Fill in specifics manually after inserting.
Are templates shared across my whole organization? Yes. There are no personal templates — everyone in your organization sees and uses the same library.
Are templates visible to other companies on ShadowMap? No. They are scoped to your organization and never shared across tenants.
What happens to comments that used a template I deleted? Nothing. The template text was copied into the comment when it was posted, so existing comments are preserved. Deleting only removes the snippet from future use.