Detections

A detection is a saved Shadowspotter query that runs in the background. Whenever new data matches the query, Shadowspotter records a detection result and — if you have linked a notification — fires that notification. Detections are how you turn an interesting search into ongoing monitoring.

Creating a detection

There are two ways to create a detection:

  1. From a search. Run a query on the search page. If the query returns results, a "Save query as detection" button appears that takes you to the detection form with the query pre-filled.
  2. From the detections page. Open Detections in the navigation and click Create new detection. You will get an empty form to fill in.

Shadowspotter validates the query before saving and rejects detections whose query would match too broadly — this protects you against being flooded by results from a runaway query.

Detection fields

| Field | Description |
|---|---|
| Name | Short identifier shown in the detection list and in notifications. |
| Description | Optional free-text notes — useful when sharing with teammates. |
| Query | The ShadowLang query that drives the detection. See the query language docs. |
| Active | Toggle the detection on or off. Only active detections count against your subscription quota and produce results. |
| Shared | If you are part of an organization, sharing makes the detection (and its results) visible to other members. |
| Notification | Optional — pick one of your notifications or a notification shared with your organization. The notification runs every time a new detection result appears, subject to the notification's periodicity setting. |

Detection results

Each new match is stored as a detection result tied to the detection that produced it. Open a detection to see its results in a table; full-text filtering on the right lets you narrow a long list quickly. Click a row to see the full record (DNS, WHOIS, certificate or HTTP metadata, depending on the entity).

Results carry an evaluation flag and a notification flag, so you can distinguish between "the detection has seen this match" and "the notification has already run for it". This is also why a notification linked to a detection won't fire repeatedly for the same domain when the notification's "dedup by domain" option is enabled.

Quotas

Your subscription limits how many detections can be active at the same time. Inactive detections do not count. You can disable an old detection at any time and create a new one in its place.

Detections require a query that is meaningfully scoped. A query that would match thousands of new domains a day will be rejected at save time — narrow it down with additional conditions or by anchoring it to specific registrars, name servers or TLDs.