Our Mission: We improve network security by identifying and detecting threats early; sharing data in near real time; and playing an active role in providing the knowledge, capability, and capacity to secure and monitor valuable networks.

Achieving network situational awareness depends on an organization's ability to effectively monitor its networks and, ultimately, to analyze the resulting data to detect malicious activity. The CERT Network Situational Awareness (NetSA) group has analyzed hundreds of real-world cases of malicious activity on large, enterprise-scale networks to develop tools and approaches that can help organizations defend their networks from potential attacks.

The CERT NetSA group works to provide broad quantitative insights on network traffic characteristics relevant to the security of the networks involved. This insight ranges from descriptive (What is happening on the network right now? What changed before and after an incident?) to exploratory (What new traffic is appearing on the network? How often does an event happen?) to predictive (If this change is made, what will the impact be? How effective will this kind of additional protection be?). The tools and methods providing this insight are in a constant state of development and improvement.

We sponsor the annual FloCon conference.

Our annual network security conference invites operational network analysts, tool developers, researchers, and others to discuss and showcase the next generation of flow-based analysis techniques.

We automate the analysis of large-scale network traffic.

Large networks can generate billions of network transactions each day. Unassisted, network security analysts cannot possibly analyze this volume of data. We develop approaches to automate that analysis and find malicious activity within these huge data sets, and we transition these techniques to our sponsors and the larger network security community.

We develop large-scale, open source tools.

Our open source tools enable organizations to monitor large-scale networks using flow data. These tools grew out of the AirCERT and SiLK projects, and the effort to integrate those projects into a unified, standards-compliant flow collection and analysis platform.

Engage with Us

Contact us to learn more about our research, collaborate on new research, seek our help with your critical problems, or provide feedback.

What Is Network Situational Awareness?

Network situational awareness is the systematic gathering, analysis, and interpretation of data from local and remote networks, regarding structure, applications, traffic, and resources to produce actionable information for decision making in network operations and defense.

—Richard Friedberg

Publications & Media

FloCon 2015 Presentations Available; FloCon 2016 Program Announced
The presentations from FloCon 2015 are available online. Dates and the venue for FloCon 2016 have been announced.

Learn How to Improve Network Traffic Data Storage
In our recent blog post and SEI technical report, we explore how to improve network traffic data storage by determining what data to store to meet organizational needs.

ALTernatives to Signatures (ALTS)
This paper presents the results of a study of non-signature-based approaches to detecting malicious activity in computer network traffic.

CERT Study Examines Chinese Cyber Espionage Unit's Infrastructure
An analysis from CERT, based on data from Mandiant, combines unclassified information to describe a large, malicious network used to steal sensitive information.