Complete Guide

    How Reporting Works

    A comprehensive guide to submitting reports, understanding the review process, and tracking your report through to resolution.

    Step-by-Step Reporting Guide

    1

    Choose Report Type

    Select whether you have confirmed abuse (you've analyzed the threat) or suspected abuse (you observed suspicious behavior). Free-tier reports are automatically screened (rule-based + LLM-assisted) — submissions with insufficient detail are rejected automatically. Pro/Enterprise reports skip screening and go straight to a human analyst.

    Confirmed Abuse

    For users with technical evidence like hashes, C2 servers, or sandbox analysis.

    Suspected Abuse

    For anyone who observed suspicious behavior but may not have technical details.

    2

    Website Information

    Provide details about the abusive website:

    Required
    Domain — The main domain (e.g., abusive-site.com)
    Required
    Full URLs — Complete URLs where abuse was observed (one per line)
    Optional
    IP Address — Server IP if known (helps when domain is taken down)
    Optional
    Registrar — Domain registrar (use WHOIS to find this)
    Optional
    Cloudflare — Whether the site uses Cloudflare (affects abuse reporting path)
    3

    Behavior & Technical Details

    Describe the abusive activity and provide technical indicators.

    Automated Screening Requirements

    Free-tier reports are scored on multiple factors. Reports that score below the threshold are automatically rejected. To pass, ensure you provide:

    • • A detailed description (at least 2–3 full sentences explaining what you observed)
    • Specific technical details — generic one-word descriptions will be rejected
    • • At least one form of evidence (hash, screenshot, log file, or URL)
    • No gibberish, test data, or placeholder text — the system detects these patterns

    For Confirmed Reports:

    • • File hashes (SHA256, MD5, SHA1)
    • • Process information
    • • Command line arguments
    • • File paths and registry keys
    • • C2 server addresses
    • • Detailed technical description

    For Suspected Reports:

    • • Observed behaviors (select from list)
    • • What happened when you visited
    • • Any antivirus alerts
    • • System changes noticed
    • • Thorough description of suspicious activity
    4

    Evidence Upload

    Attach supporting evidence to strengthen your report:

    Screenshots — Website appearance, error messages, download prompts
    Log Files — Sandbox reports, network captures, system logs
    Video Links — YouTube or other video evidence of the abuse in action

    Do NOT upload actual malware samples. Only upload screenshots, logs, and documentation.

    5

    Your Information

    Your account email is automatically linked to the report. You can also:

    Consent to be contacted for follow-up questions
    Share your report with the community (anonymized)
    6

    Review & Submit

    Review all information, confirm accuracy, and submit. You'll receive a confirmation with your unique Report ID that you can use to track your submission.

    Email Notifications

    You receive email notifications only for meaningful updates — not for every intermediate step. This keeps your inbox clean and ensures every Blackwall email is worth reading.

    Submission confirmation — with your unique Report ID (sent immediately)
    Abuse confirmed / not found — when investigation results are in
    Forwarded — when sent to hosting providers, registrars, or law enforcement
    Resolved / Rejected — final outcome with analyst notes

    Intermediate statuses like "Accepted" or "Pending" do not trigger emails — you can track these in real-time through your Dashboard.

    Report Status Guide

    Understanding what each status means and what happens next:

    Pending

    Your report has been received and is queued for automated screening. The system scores the report on description quality, evidence provided, domain reputation and anti-abuse signals. Reports with insufficient detail are rejected automatically. Pro/Enterprise reports skip screening and go straight to a human analyst.

    Automated screening will either accept the report for human analyst review or reject it if it lacks sufficient detail or appears to be spam. This typically happens within minutes.
    Accepted

    The report has passed automated screening and/or an analyst has reviewed it and determined it warrants further investigation.

    The analyst will investigate the reported website to determine if abuse is confirmed.
    Invalid

    The report could not be processed due to insufficient information, incorrect format, or the website being out of scope.

    This is a terminal state. You may submit a new report with corrected information.
    Abuse Confirmed

    Investigation confirmed abusive activity on the reported website. Evidence has been documented.

    The report will be forwarded to relevant parties for takedown action.
    Abuse Not Found

    Investigation did not find evidence of abuse at the time of analysis. The site may have been cleaned or the threat was not confirmed.

    The case may be closed or monitored. You can submit additional evidence if available.
    Forwarded

    The report has been sent to one or more external parties for action. This may include hosting providers, domain registrars, or law enforcement.

    Waiting for response from the forwarded parties. Takedown timelines vary.
    Refused

    After investigation, the analyst determined the report does not meet criteria for forwarding or action.

    You will receive an explanation. You may provide additional evidence if you believe this was in error.
    Solved

    The abusive website has been successfully taken down or the threat has been neutralized.

    This is a terminal state. Thank you for helping make the internet safer!
    Rejected

    The report was rejected after review. This may be due to false reporting, duplicate submissions, or policy violations.

    This is a terminal state. Review our guidelines before submitting future reports.

    Where Reports Are Forwarded

    When abuse is confirmed, reports may be forwarded to:

    Hosting Provider

    The company that hosts the abusive website's servers. They can suspend the hosting account.

    Domain Registrar

    The company that registered the domain name. They can suspend or seize the domain.

    Law Enforcement

    Relevant law enforcement agencies for serious criminal activity like fraud or illegal content.

    Custom

    Other organizations like CERTs, ISPs, or security vendors that may be relevant to the case.

    Tips for Better Reports

    • Write detailed descriptions (2–3 sentences minimum) — screening scores description quality and rejects vague reports
    • Include technical evidence like SHA256 hashes, screenshots, or log files — more evidence means a higher score
    • Take screenshots before the site is taken down — evidence disappears quickly
    • Use WHOIS to identify the registrar and hosting provider before submitting
    • Do not use placeholder text, gibberish, or test data — these are detected and rejected automatically
    • Reporting well-known legitimate domains (Google, Amazon, etc.) requires overwhelming evidence
    • Enable "Share with Community" to help warn others about the threat

    Zodiac · OSINT Investigation Boards

    Zodiac is Blackwall's collaborative OSINT workspace (Pro & Enterprise). You map persons, domains, IPs, wallets, social accounts and more on a live graph, enrich them automatically, work with teammates in real time and — once the case is solid — submit the board to be verified and flagged system-wide across every Blackwall analyst.

    Graph canvas

    30+ entity types + custom ones. Smart Paste auto-detects entities from clipboard. Snap-to-grid, dark/light themes, draggable edge waypoints, floating connectors with auto-avoidance — no spaghetti.

    Realtime collaboration

    Invite analysts by email, switch them between read-only and edit, see presence avatars, threaded comments per node, task assignment, provenance and trust levels, and a pin-wall for key findings.

    Conflict-free editing

    Live sync across all collaborators with soft node locks (60s heartbeat) so two analysts can't overwrite each other. Every edit is captured into an append-only audit trail.

    Automated enrichment

    Right-click any entity to enrich: IP/ASN, WHOIS, crypto wallet, plus VirusTotal and AbuseIPDB. Results land directly in the node attributes with the source recorded for chain-of-custody.

    Global flag database

    Once verified, indicators (wallets, domains, handles, IPs…) are written to a global threat database. Any board on Blackwall containing a matching value instantly shows a red Ampel pulse — across every workspace, in real time. Click the flag to see the sanitized original case.

    Strict verification

    Only the host can submit a board. A verification officer reviews every entity, relationship and piece of evidence against strict criteria, then approves or rejects with written reasoning. Every flagged value must appear verbatim on the board — no invented facts. Email decision either way.

    Snapshots & audit

    Versioned board snapshots you can roll back to, plus an append-only audit trail with SHA-256 hash chaining. Admins can verify the entire decision history end-to-end and export it.

    PDF export

    Export the full case as a forensic PDF: graph screenshot, executive summary, entities, evidence levels, sources and chain-of-custody hash. Suitable for legal, partners or law enforcement handover.

    Mobile viewer

    Read-only route (/osint/m/:projectId) to view the graph, read & post comments, and update status on the go — without editing the canvas.

    Navigator, Profiler & Pattern Scan

    Zodiac Navigator pathfinds between two entities. The Adversarial Persona Profiler summarizes the subject's MO strictly from board evidence. A scheduled pattern scan finds entities that appear across multiple boards (shared infrastructure between independent cases).

    Confidence scores and internal decision tooling are admin-only and never shown to users or in the public flag UI.

    Cookie Notice

    We use cookies to ensure the functionality of our website. Necessary cookies are required for operation. Optional cookies help us improve our services. For more information, see our Privacy Policy.