User Guide

Operating Castlewatch end to end

A starter guide for administrators, reviewers, and reporters using Castlewatch to run private incident coordination for a security team. Work through the steps in order the first time; revisit individual sections as your team scales.

Create workspaceStart a new organization Log inExisting workspace access Knowledge BaseDetailed articles GlossaryLook up a term
Audience
Administrators, reviewers, and reporters setting up or running a workspace.
Time
Roughly 20–40 minutes for full activation; a few minutes per ongoing step.
Prerequisites
A verified email and authority to act on the organization's behalf.
Outcome
A live workspace with members, sites, and reporting workflows ready for use.

Activate the workspace

The first three steps move a brand-new workspace from empty signup to a configured environment ready for live reporting.

Create or access your workspace

Use the signup page to create a new organization workspace, or log in if your account already belongs to an organization. The first signup creates both your user account and the organization itself.

  • Use an email address your organization can recognize and support over time.
  • Keep the first administrator account limited to trusted operators — this role can change every other member's permissions.
  • If your team already uses Castlewatch, ask an existing administrator to invite you rather than creating a parallel workspace.

Complete organization onboarding

Confirm the organization name and primary region. Onboarding activates the workspace profile so the team can begin live operations. Skipping fields here causes onboarding loops and missing actions later.

  • Use a region label that your partner organizations will understand — this is shown when they receive trust requests.
  • Review billing immediately after onboarding; live reporting and review actions are billing-gated.
  • Confirm the organization profile saved successfully on the server, not just in the form.

Configure organization settings

Organization settings control members, notification defaults, mapped sites, policy thresholds, sharing defaults, and organization profile details. Get these right early — they shape every workflow that follows.

  • Add mapped sites for common reporting locations so incidents render correctly on the map.
  • Keep member roles aligned with actual duties; over-permissioned accounts are the most common audit finding.
  • Set notification recipients and severity thresholds before high-volume reporting begins.
  • Configure policy thresholds for trusted-partner acceptance and sharing defaults.

Run day-to-day operations

Once the workspace is configured, these steps describe the operating loop: report, review, coordinate, and maintain the record.

Submit incidents

Reporters should capture the operational facts: what happened, when it happened, where it happened, how severe it was, and who should be able to see it. A consistent reporting style makes review faster and pattern detection possible.

  • Use concise, factual titles — "Suspicious vehicle, north lot, 21:40", not "weird thing happened".
  • Add tags that support search and pattern recognition across multiple reports.
  • Select a visibility mode intentionally; the default may be broader than you want.
  • Attach supporting media when it materially helps reviewers understand the situation.

Review and moderate reports

Reviewers claim reports and move them through explicit moderation actions. Use comments to preserve decision context and follow-up needs — the audit trail is the operating record, not the chat.

  • Claim reports before detailed review to prevent two reviewers duplicating work.
  • Request changes when facts are missing or unclear; do not edit the reporter's narrative.
  • Verify reports only when ready for the selected audience — verification triggers downstream visibility and notifications.
  • Use comments to capture the why behind moderation decisions.

Coordinate trusted partners

Use trusted partner workflows to request organization connections, review relationship status, and track template MOU/NDA signing details. Partner sharing only works when the relationship lifecycle is fully connected.

  • Confirm relationship intent before sending a partner request — partner inboxes are visible to their administrators.
  • Keep signing metadata accurate for each template document; outstanding signatures can block sharing.
  • Review sharing defaults after partner connections become active so the right reports flow at the right scope.
  • Only the receiving organization can accept a request — the requester cannot self-accept.

Maintain the operating record

Use comments, sightings, attachments, audit views, and organization reports to keep decisions traceable over time. The record's value compounds — a year of consistent reporting reveals patterns no individual report can.

  • Attach supporting files when they materially help review or later investigation.
  • Log follow-up sightings when a pattern continues across days or weeks.
  • Review audit trails after sensitive workflow changes to confirm intent.
  • Export organization reports periodically for offline review or sharing with leadership.

Need more depth?

The knowledge base covers each step in detail with field-level reference tables, common scenarios, and FAQs. Start with the role-based hubs to find the article you need.

Open knowledge base