Incident Inbox - Whalemate Docs

Incident Inbox

The space where suspicious emails reported by employees are centralized so the security team can review, classify, and resolve them.

What is it for?

Gather in one place all emails that employees flagged as suspicious.
Triage each report: review content, headers, attachments, and links before making a decision.
Classify each incident by category (Threat, Spam, Clean, Unknown) and track its status end to end: Received → Under Review → Resolved.
Reply to the employee who reported with a message based on the chosen resolution type.
Keep a complete audit trail of every action in the incident history.

How to use it?

Navigation: Threats → Incidents

Incident Inbox

Go to Threats → Incidents. You'll see the Incident Inbox with the list of reported emails.
The list shows the columns: From, Category, Subject, Reported by, and Reported on.
Filter by status using the top tabs: All · Received · Under Review · Resolved.
Use the Search bar to find a specific report by sender, subject, or reporter.
Hovering over a row reveals quick actions on the right: delete, change status, classify, download, and reply to the reporter.
Click any row to open the Incident detail.

Incident detail

The header displays: the subject, a status label (Under Review / Resolved), a category label (Threat / Spam / Clean / Unknown), the sender (From), the recipient (To), and a trash icon to delete.

Below is a strip with the report data: From, Received on, Reported by, Reported on, and IP Address.

Available tabs:

Preview — shows the email rendered exactly as the user received it.
Raw Message — the email's raw content.
Headers — technical headers of the message.
Attachments — list of detected attachments.
Domain & URLs — sender information (domain) and all URLs found in the email.
History — logs every status change, every category change, and every reply sent, with the author and timestamp.

Reply to reporter

From the incident detail (or from the row's quick action), open Reply to user.
Choose a Resolution type:
- Phishing — confirmed threat: warns the user.
- False positive — legitimate email: reassures the user.
- Under review — still being analyzed.
- Spam — unwanted email, no risk.
- Custom reply — you write a custom message.
The Preview shows the exact message the reporter will receive based on the chosen type.
If you choose Custom reply, the free-text field and the Move to category dropdown are enabled (options: Keep current category · Threat · Spam · Clean · Unknown).
Enable the "Mark as Under Review on send" checkbox to automatically update the incident status when sending.
Click Send Reply to confirm (or Cancel to discard). Once sent successfully, a confirmation notice appears and the incident updates its status and category.

Every reply and every status or category change are logged in the History tab.

❓ Frequently asked questions

What do the categories mean?
Threat = confirmed malicious email. Spam = unwanted email with no risk. Clean = legitimate email. Unknown = not yet classified.
What's the difference between status and category?
The status indicates which stage of the process the report is in (Received, Under Review, Resolved). The category indicates what type of email it is (Threat, Spam, Clean, Unknown).
Can I change the category while replying?
Yes. Using the Custom reply option you can use Move to category to reclassify the incident in the same step.
Where can I see the URLs and domain of the reported email?
In the Domain & URLs tab inside the incident detail.
How do I know what happened to an incident and who handled it?
In the History tab, which lists every action with the user who performed it and the exact timestamp.

Have feedback or want to request improvements? Let us know at roadmap.whalemate.com/roadmap