Overview

The National Center for Missing & Exploited Children (NCMEC) is a leading organization dedicated to protecting children against exploitation and abuse. Under U.S. federal law, electronic service providers are required to report any detected CSAM to NCMEC via its CyberTipline which then shares these reports with law enforcement and relevant service providers for further action. We have created a moderation flow that allows potential CSAM to be siloed from other other contact.

📘
Note:
This feature is only available for customers that have integrated with our CSAM Detection API.

Settings

Enable the CSAM Review Feed

The CSAM review feed is unique in that content sent through Thorn models automatically flows into the feed based on the models' results, rather than being directed by rules or moderators. To learn more about our Thorn integration, refer to the following documentation.

❗️
Displaying CSAM Content
Moderation Dashboard will never display CSAM content in the Review Feed. Instead, each task will surface the original link that the moderator can click on to open a new tab to review the content.

NCMEC Credentials

In order to submit reports on your behalf, your NCMEC credentials are required. If you do not have any, please contact NCMEC directly to get credentials.

Once credentials are verified, Moderators can report potential CSAM directly from the CSAM Review Feed using the built-in native action.

Once you identify flagged content that meets the NCMEC reporting criteria, you can select the "Report to NCMEC" native action from the list of all actions.

Note: The Report to NCMEC action is only accessible from within the CSAM review feed.

Refer to the Review Feeds documentation for additional information.

NCMEC Report Callback URL

This feature provides confirmation that the content was successfully submitted to NCMEC, providing a report id from NCMEC and a few pieces of information from the post.

When you send a post flagged with thorn_enabled: true, you can navigate to the CSAM tab under Review Feeds and click the Start Feed button.
If the post gets flagged, you'll have the option to report it to NCMEC. After you submit a report to NCMEC, a request will be sent to your callback URL in the following format:

{
  "report_id": "...",
  "post_id": "...",
  "user_id": "...",
  "image_url": "...",
  "moderator_email": "..."
}

If a callback is successful, it will be logged in your Moderation History under the Event Name "NCMEC Callback Succeeded."

NCMEC Report Data

Below are settings to help you pre-fill NCMEC reports.

Reporting Person Details

Use these if you want one specific contact person for all reports, regardless of moderator. These details will be attached to all reports. If left blank, the system will default to using the name and email of the moderator submitting the report.

Map Metadata to NCMEC Fields

Here you can choose from a subset of NCMEC fields from CyberTipline Reporting API Technical Documentation that you can map to your preconfigured metadata fields so that they can auto-populate based on the content or user. Refer to our Metadata Configuration documentation for additional information.

Default fileViewedByEsp Field

In order for NCMEC reviewers to be allowed to view the report content, they need to know your moderators have viewed the content themselves. This information is passed through the ‘fileViewedByEsp’ field. This setting, when checked, will default the field to True for all reports:

Alternatively, if left unchecked, the moderators can manually set this field. Once the moderator has selected the report to NCMEC action, the fileViewedByEsp icon should appear and can be toggled.

NCMEC Enrichment URL

Reporters may have additional information about a reported user that they do not want to enter directly into Moderation Dashboard, or do not want sent to the dashboard to be stored. The NCMEC Enrichment URL allows you to host that data on your own systems and have the platform fetch it automatically at report time, so it can be included in the final NCMEC report.

This feature lets you keep sensitive user information within your own infrastructure while still enriching the personOrUserReported, ipCaptureEvent, and associatedAccount sections of the NCMEC XML report (CyberTipline Report). None of this data will be saved on Hive.

Configure the NCMEC Enrichment URL

In Settings, under the NCMEC tab, you can input a url to retrieve the request data:

The NCMEC Enrichment URL receives a POST request with identifiers for the reported user and post, and returns enrichment data to be added to the NCMEC report.

The URL should point to an API endpoint you control, that can:

Accept an HTTP POST request with a JSON body.
Return a JSON response matching the schema described below.

Require Enrichment for All Reports

You can toggle the NCMEC Enrichment Required checkbox to make enrichment mandatory for all reports.

If this box is checked and an admin has not provided an enrichment URL, all NCMEC reports will be blocked and returned to the Review Feed with the error: This application settings require a NCMEC enrichment url to be set to submit reports.

If this box is checked and the enrichment call fails (after 3 retries), the NCMEC report will also be blocked (details below).
If this box is not checked and the enrichment call fails, the report proceeds without enrichment data.

How the Enrichment Callback Works

When a moderator submits a CSAM report to NCMEC from the CSAM Review Feed, Moderation Dashboard will:

Look up the configured NCMEC Enrichment URL for the application.
Send a POST request to that URL with the following payload:

{
  "user_id": "string",   // offending user
  "post_id": "string",
  "reporter_id": "string"
}

user_id: Identifier of the reported (offending) user.
post_id: Identifier of the post being reported.
reporter_id: Identifier of the moderator or reporter initiating the NCMEC report.

Retry and Error Handling

For non-400 HTTP status codes (e.g., 500, 502, 503), the platform will retry the enrichment request up to 3 times.
If the platform fails to get a successful response and NCMEC Enrichment Required is checked, it will return a 400 with: The NCMEC Enrichment call failed. ${message}
- ${message} may contain additional error context when available (e.g. a timeout or upstream error description).
If NCMEC Enrichment Required is not checked and the enrichment call cannot be completed successfully, the report is sent without enrichment data.

Enrichment Response Schema

Your endpoint must return a JSON body that matches the following TypeScript interfaces:

export interface EnrichmentResponse {
  user_enrichment_data?: UserEnrichmentResponse;
}

export interface UserEnrichmentResponse {
  personOrUserReportedPerson?: PersonOrUserReportedPerson[];
  ipCaptureEvent?: IpCaptureEvent[];
  associatedAccount?: AssociatedAccount[];
}

Reported Person Enrichment `(personOrUserReportedPerson)`

Only the first entry in the personOrUserReportedPerson array is used today. These fields populate the <personOrUserReportedPerson> element in the NCMEC XML, which is part of the Reported Person details section as defined in NCMEC’s documentation (CyberTipline Report).

export interface PersonOrUserReportedPerson {
  espIdentifier: string; // Required
  firstName?: string;
  lastName?: string;
  dateOfBirth?: string; // Format: YYYY-MM-DD
  email?: string;
  age?: number;
  phone?: string;
}

Below is an example:

{
  "user_enrichment_data": {
    "personOrUserReportedPerson": [
      {
        "espIdentifier": "internal-user-12345",
        "firstName": "Alex",
        "lastName": "Doe",
        "dateOfBirth": "1995-08-14",
        "email": "alex@example.com",
        "phone": "+1-555-0100"
      }
    ]
  }
}

IP Capture Events `(ipCaptureEvent)`

Each object in the ipCaptureEvent array creates an <ipCaptureEvent> block under the <personOrUserReported> section of the NCMEC XML. These entries conform to NCMEC’s ipCaptureEvent format (CyberTipline Report).

export interface IpCaptureEvent {
  ipAddress?: string;
  eventName?: string;
  dateTime?: string; // ISO 8601 format
}

Below is an example:

{
  "user_enrichment_data": {
    "ipCaptureEvent": [
      {
        "ipAddress": "203.0.113.10",
        "eventName": "login",
        "dateTime": "2025-12-09T21:15:30Z"
      },
      {
        "ipAddress": "203.0.113.20",
        "eventName": "post_created",
        "dateTime": "2025-12-09T21:16:05Z"
      }
    ]
  }
}

Associated Accounts `(associatedAccount)`

Each object in the associatedAccount array becomes an <associatedAccount> element in the NCMEC XML, following NCMEC’s associatedAccount definition (CyberTipline Report).

export interface AssociatedAccount {
  type?: string;
  platform?: string;
  thirdPartyUser?: string;
  firstName?: string;
  lastName?: string;
  dateOfBirth?: string; // Format: YYYY-MM-DD
  email?: string;
  phone?: string;
  espIdentifier?: string;
  profileUrl?: string;
  screenName?: string;
}

Below is an example:

{
  "user_enrichment_data": {
    "associatedAccount": [
      {
        "type": "social",
        "platform": "ExampleSocial",
        "thirdPartyUser": "1234567890",
        "screenName": "alex_on_example",
        "profileUrl": "https://examplesocial.com/u/alex_on_example",
        "email": "alex+social@example.com",
        "espIdentifier": "example-social-12345"
      }
    ]
  }
}

Putting it Together

A typical enrichment response may combine all of these:

{
  "user_enrichment_data": {
    "personOrUserReportedPerson": [
      {
        "espIdentifier": "internal-user-12345",
        "firstName": "Alex",
        "lastName": "Doe",
        "dateOfBirth": "1995-08-14",
        "email": "alex@example.com",
        "phone": "+1-555-0100"
      }
    ],
    "ipCaptureEvent": [
      {
        "ipAddress": "203.0.113.10",
        "eventName": "login",
        "dateTime": "2025-12-09T21:15:30Z"
      }
    ],
    "associatedAccount": [
      {
        "type": "social",
        "platform": "ExampleSocial",
        "thirdPartyUser": "1234567890",
        "screenName": "alex_on_example",
        "profileUrl": "https://examplesocial.com/u/alex_on_example",
        "email": "alex+social@example.com",
        "espIdentifier": "example-social-12345"
      }
    ]
  }
}

When this response is returned successfully:

The Reported Person section (<personOrUserReported>) of the NCMEC report is enriched with your person’s details.
One or more IP Capture Events (<ipCaptureEvent>) are added for the reported person.
One or more Associated Accounts (<associatedAccount>) are added to show linked identities.

Send NCMEC Report via Callback URL

NCMEC Escalation

You can escalate a report to NCMEC when the content indicates heightened urgency or immediate risk. To escalate a report:

Select the Report to NCMEC action.
Click Mark as High Priority.
Provide a mandatory escalation reason.
Submit the report.

Enabling escalation adds an <escalateToHighPriority> section to the final NCMEC report.

Reference NCMEC’s guidance for this field (CyberTipline Report).

Before selecting Report to NCMEC:

After selecting Report to NCMEC you can escalate the post: