Network Situational Awareness (NetSA)


FloCon is an annual network security conference, where you can learn more about the next generation of flow-based analysis techniques.
Read more about FloCon conferences


We improve network security by identifying and detecting threats early; sharing data in near real time; and playing an active role in providing the knowledge, capability, and capacity to secure and monitor valuable networks.


Our publications cover topics such as monitoring networks and analyzing network data, detecting malicious activity, and developing and deploying tools to help you strengthen your networks.
Access our publications

Achieving network situational awareness depends on an organization's ability to effectively monitor its networks and, ultimately, to analyze that data to detect malicious activity. The CERT Network Situational Awareness (NetSA) group has analyzed hundreds of real-world cases of malicious activity on large, enterprise-scale networks to develop tools and approaches that can help organizations defend their networks from potential attacks.

The CERT NetSA group works to provide broad quantitative insights on network traffic characteristics relevant to the security of the networks involved. This insight ranges from descriptive (What is happening on the network right now? What changed before and after an incident?) to exploratory (What new traffic is appearing on the network? How often does an event happen?) to predictive (If this change is made, what will the impact be? How effective will this kind of additional protection be?). The tools and methods providing this insight are in a constant state of development and improvement. Learn more about our work.

We automate the analysis of large-scale network traffic.

Large networks can generate billions of network transactions each day. Unassisted, network security analysts cannot possibly analyze this volume of data. We develop approaches to automate that analysis and find malicious activity within these huge data sets, and we transition these techniques to our sponsors and the larger network security community.

We develop large-scale, open source tools.

Our open source tools enable organizations to monitor large-scale networks using flow data. These tools grew out of the AirCERT and SiLK projects, and the effort to integrate those projects into a unified, standards-compliant flow collection and analysis platform.

Engage with Us

Contact us to learn more about our research, collaborate on new research, seek our help with your critical problems, or provide feedback.

Contact Us

What Is Network Situational Awareness?

Network situational awareness is the systematic gathering, analysis, and interpretation of data from local and remote networks, regarding structure, applications, traffic, and resources to produce actionable information for decision making in network operations and defense.

—Richard Friedberg

Publications & Media

10 Years of FloCon
In this blog post, George Jones, chair of the 10th FloCon Conference, discusses the conference's general topics and themes, which have included community building, flow as a study, beaconing and distributed threats, the practical use of flow, flow in the context of other data, learning about your network, progression of analytics from ideas to prototypes to tools, and analysis at scale and perspectives.

2013 IEEE Symposium Quilt Poster
At the 2013 IEEE Symposium on Security and Privacy, NetSA group members presented a poster about Quilt, a system for distributed queries of security-relevant data.

FloCon Presentations
The NetSA group sponsors FloCon Conferences, where operational network analysts, tool developers, and researchers meet to discuss analysis at scale and showcase the next generation of flow-based analysis techniques. Download the presentations from FloCon 2014, where attendees discussed flow analysis in terms of perspectives.