How Reporting Works
A comprehensive guide to submitting reports, understanding the review process, and tracking your report through to resolution.
Step-by-Step Reporting Guide
Choose Report Type
Select whether you have confirmed abuse (you've analyzed the threat) or suspected abuse (you observed suspicious behavior). Free-tier reports are automatically screened (rule-based + LLM-assisted) — submissions with insufficient detail are rejected automatically. Pro/Enterprise reports skip screening and go straight to a human analyst.
Confirmed Abuse
For users with technical evidence like hashes, C2 servers, or sandbox analysis.
Suspected Abuse
For anyone who observed suspicious behavior but may not have technical details.
Website Information
Provide details about the abusive website:
Behavior & Technical Details
Describe the abusive activity and provide technical indicators.
Automated Screening Requirements
Free-tier reports are scored on multiple factors. Reports that score below the threshold are automatically rejected. To pass, ensure you provide:
- • A detailed description (at least 2–3 full sentences explaining what you observed)
- • Specific technical details — generic one-word descriptions will be rejected
- • At least one form of evidence (hash, screenshot, log file, or URL)
- • No gibberish, test data, or placeholder text — the system detects these patterns
For Confirmed Reports:
- • File hashes (SHA256, MD5, SHA1)
- • Process information
- • Command line arguments
- • File paths and registry keys
- • C2 server addresses
- • Detailed technical description
For Suspected Reports:
- • Observed behaviors (select from list)
- • What happened when you visited
- • Any antivirus alerts
- • System changes noticed
- • Thorough description of suspicious activity
Evidence Upload
Attach supporting evidence to strengthen your report:
Do NOT upload actual malware samples. Only upload screenshots, logs, and documentation.
Your Information
Your account email is automatically linked to the report. You can also:
Review & Submit
Review all information, confirm accuracy, and submit. You'll receive a confirmation with your unique Report ID that you can use to track your submission.
Email Notifications
You receive email notifications only for meaningful updates — not for every intermediate step. This keeps your inbox clean and ensures every Blackwall email is worth reading.
Intermediate statuses like "Accepted" or "Pending" do not trigger emails — you can track these in real-time through your Dashboard.
Report Status Guide
Understanding what each status means and what happens next:
Your report has been received and is queued for automated screening. The system scores the report on description quality, evidence provided, domain reputation and anti-abuse signals. Reports with insufficient detail are rejected automatically. Pro/Enterprise reports skip screening and go straight to a human analyst.
The report has passed automated screening and/or an analyst has reviewed it and determined it warrants further investigation.
The report could not be processed due to insufficient information, incorrect format, or the website being out of scope.
Investigation confirmed abusive activity on the reported website. Evidence has been documented.
Investigation did not find evidence of abuse at the time of analysis. The site may have been cleaned or the threat was not confirmed.
The report has been sent to one or more external parties for action. This may include hosting providers, domain registrars, or law enforcement.
After investigation, the analyst determined the report does not meet criteria for forwarding or action.
The abusive website has been successfully taken down or the threat has been neutralized.
The report was rejected after review. This may be due to false reporting, duplicate submissions, or policy violations.
Where Reports Are Forwarded
When abuse is confirmed, reports may be forwarded to:
Hosting Provider
The company that hosts the abusive website's servers. They can suspend the hosting account.
Domain Registrar
The company that registered the domain name. They can suspend or seize the domain.
Law Enforcement
Relevant law enforcement agencies for serious criminal activity like fraud or illegal content.
Custom
Other organizations like CERTs, ISPs, or security vendors that may be relevant to the case.
Tips for Better Reports
- Write detailed descriptions (2–3 sentences minimum) — screening scores description quality and rejects vague reports
- Include technical evidence like SHA256 hashes, screenshots, or log files — more evidence means a higher score
- Take screenshots before the site is taken down — evidence disappears quickly
- Use WHOIS to identify the registrar and hosting provider before submitting
- Do not use placeholder text, gibberish, or test data — these are detected and rejected automatically
- Reporting well-known legitimate domains (Google, Amazon, etc.) requires overwhelming evidence
- Enable "Share with Community" to help warn others about the threat
Zodiac · OSINT Investigation Boards
Zodiac is Blackwall's collaborative OSINT workspace (Pro & Enterprise). You map persons, domains, IPs, wallets, social accounts and more on a live graph, enrich them automatically, work with teammates in real time and — once the case is solid — submit the board to be verified and flagged system-wide across every Blackwall analyst.
Graph canvas
30+ entity types + custom ones. Smart Paste auto-detects entities from clipboard. Snap-to-grid, dark/light themes, draggable edge waypoints, floating connectors with auto-avoidance — no spaghetti.
Realtime collaboration
Invite analysts by email, switch them between read-only and edit, see presence avatars, threaded comments per node, task assignment, provenance and trust levels, and a pin-wall for key findings.
Conflict-free editing
Live sync across all collaborators with soft node locks (60s heartbeat) so two analysts can't overwrite each other. Every edit is captured into an append-only audit trail.
Automated enrichment
Right-click any entity to enrich: IP/ASN, WHOIS, crypto wallet, plus VirusTotal and AbuseIPDB. Results land directly in the node attributes with the source recorded for chain-of-custody.
Global flag database
Once verified, indicators (wallets, domains, handles, IPs…) are written to a global threat database. Any board on Blackwall containing a matching value instantly shows a red Ampel pulse — across every workspace, in real time. Click the flag to see the sanitized original case.
Strict verification
Only the host can submit a board. A verification officer reviews every entity, relationship and piece of evidence against strict criteria, then approves or rejects with written reasoning. Every flagged value must appear verbatim on the board — no invented facts. Email decision either way.
Snapshots & audit
Versioned board snapshots you can roll back to, plus an append-only audit trail with SHA-256 hash chaining. Admins can verify the entire decision history end-to-end and export it.
PDF export
Export the full case as a forensic PDF: graph screenshot, executive summary, entities, evidence levels, sources and chain-of-custody hash. Suitable for legal, partners or law enforcement handover.
Mobile viewer
Read-only route (/osint/m/:projectId) to view the graph, read & post comments, and update status on the go — without editing the canvas.
Navigator, Profiler & Pattern Scan
Zodiac Navigator pathfinds between two entities. The Adversarial Persona Profiler summarizes the subject's MO strictly from board evidence. A scheduled pattern scan finds entities that appear across multiple boards (shared infrastructure between independent cases).
Confidence scores and internal decision tooling are admin-only and never shown to users or in the public flag UI.
