Use tags and annotations

Compose security policies with surgical precision using tags and annotations

Tags and annotations are the building blocks of precise policy composition in Threatmatic. They allow you to group and label resources dynamically, so policies stay accurate as your environment changes.

Tags vs. annotations

| | Tags | Annotations |
|---|---|---|
| Purpose | Classify and group resources | Attach metadata for policy context |
| Applied to | Devices, users, circuits, applications | Policies, flows, events |
| Used in policy | As scope or match targets | As conditions or audit context |
| Example | env=prod, role=contractor | reason=exception, ticket=INC-1234 |

Working with tags

Apply a tag to a device

  1. Go to Devices and click a device name
  2. Under Tags, click Add Tag
  3. Enter a key-value pair (e.g. env=prod) or a simple label (e.g. contractor)
  4. Click Save

Tags can also be applied in bulk:

  1. Select multiple devices using the checkbox
  2. Click Bulk Actions → Add Tag

Apply a tag to a user group

  1. Go to Organization → Identity → Groups
  2. Click a group name
  3. Under Tags, click Add Tag

Use tags in a policy rule

When creating a policy rule, set the Scope or Match field to a tag:

  • Scope: tag: env=prod — applies the rule to all production devices
  • Match: tag: application=custom-erp — matches traffic to/from a tagged application

Tags are evaluated dynamically — if a device's tags change, policies update automatically.

Working with annotations

Add an annotation to a policy

  1. Go to Policies and open a policy
  2. Click Annotate
  3. Add key-value pairs (e.g. owner=security-team, review-date=2025-Q3)

Annotations appear in audit logs and exports, making it easy to trace policy decisions back to their business context.

Add an annotation to an exception

When creating an Allow rule that overrides a Block rule, document the reason:

  1. Add the Allow rule
  2. Click Annotate Rule
  3. Enter reason=approved-exception and ticket=INC-1234

Annotations are free-form, but consistent conventions across your team make audit reviews significantly faster. Consider defining a standard set of annotation keys (e.g. owner, reason, expires, ticket).
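
One way to check exception rules against such a convention, as an added example that is not Threatmatic code. The rule structure, the ISO date format for expires and the INC-<number> ticket pattern are assumptions, since this page does not show an export format.

```python
import re
from datetime import date

# Keys suggested in the guide; the value formats below are assumptions.
REQUIRED_KEYS = ("owner", "reason", "expires", "ticket")
TICKET_RE = re.compile(r"INC-\d+")  # assumed, modeled on ticket=INC-1234

def parse_annotations(pairs):
    """Turn ["key=value", ...] into a dict; reject malformed or duplicate keys."""
    out = {}
    for pair in pairs:
        key, sep, value = (part.strip() for part in pair.partition("="))
        if not sep or not key or not value:
            raise ValueError(f"malformed annotation: {pair!r}")
        if key in out:
            raise ValueError(f"duplicate annotation key: {key!r}")
        out[key] = value
    return out

def lint_exception(rule, today):
    """Return a list of findings for one Allow-over-Block exception rule."""
    try:
        ann = parse_annotations(rule.get("annotations", []))
    except ValueError as exc:
        return [str(exc)]
    findings = [f"missing annotation: {k}" for k in REQUIRED_KEYS if k not in ann]
    if "ticket" in ann and not TICKET_RE.fullmatch(ann["ticket"]):
        findings.append(f"ticket not in INC-<number> form: {ann['ticket']}")
    if "expires" in ann:
        try:
            if date.fromisoformat(ann["expires"]) < today:
                findings.append(f"exception expired on {ann['expires']}")
        except ValueError:
            findings.append(f"expires is not an ISO date: {ann['expires']}")
    return findings

# Constructed sample rules (hypothetical structure, not a Threatmatic export).
SAMPLE_RULES = [
    {"name": "allow-erp-vendor", "annotations": [
        "owner=security-team", "reason=approved-exception",
        "expires=2025-09-30", "ticket=INC-1234"]},
    {"name": "allow-legacy-ftp", "annotations": [
        "reason=approved-exception", "expires=2024-01-31", "ticket=1234"]},
]

def lint_all(rules, today):
    """Map rule name -> findings, keeping only rules that have findings."""
    report = {r["name"]: lint_exception(r, today) for r in rules}
    return {name: found for name, found in report.items() if found}
```

Calling lint_all(SAMPLE_RULES, date(2025, 6, 1)) flags only allow-legacy-ftp, which lacks an owner, carries a non-conforming ticket and has already expired.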
