Common Questions

Absolutely! Please send a request to  report_admin@shadowserver.org  with changes you want to make in your report setup.

Currently no. You can use our RESTful API to easily automate the processing of our API report data. You can receive test API data access to our sample reports to build your parsers. Contact us for API key access.

Yes! We have published a report-manager tool on our GitHub page. There are open source and commercial tools that have parsers of our reports, allowing for automation.

A good example of a free open source tool is IntelMQ. We maintain the Shadowserver feed parsers there, so it is most up to date!

It is better if you create a mail alias  to receive our reports rather than individual e-mail addresses. In some cases for larger networks you will be getting a lot of notifications daily! Also, please consider the API to pull reports.

Yes! We are rolling out tutorials and videos over time to our report suite. You can find the links to these on the relevant Shadowserver report description page.  For a general introduction to our reporting and possible Use Cases, please review https://www.shadowserver.org/wp-content/uploads/2022/06/Overview_of_Shadowserver_Reports_March_2022.pdf.

Please keep a look out on our site and twitter feeds and make sure you subscribe to public@shadowserver.org by sending a request to us or subscribing yourself .

Occasionally our reports that we email are blocked at your firewall. When subscribing to us, please ensure that your mail filters are set up to allow Shadowserver reporting. We also encourage you to use our API instead of e-mail notifications. You can read how to retrieve reports via our API here.

Yes, every quarter you will receive a subscription summary of the network space we have on record for you and some aggregated data such as the total events we have reported out to you.

All admin for your subscription is managed internally at Shadowserver. For all updates please submit a change request to report_admin@shadowserver.org quoting your mailing list address and any changes required.

Yes, please ensure that the third party (name, organisation and email) is referenced in the initial report request, giving them permission to manage reports on your behalf.

Currently we can only disable a report type from a whole subscription and are unable to remove a report type from a specific net block.

Yes, please send an opt-out request to report_admin@shadowserver.org quoting the report types you want to disable

Yes, we can report only on changes we see on your network. You can request this option by contacting us.

You can read more on how the delta mode works here.

The scan that you saw is part of an effort by The Shadowserver Foundation to identify hosts/services that are unnecessarily exposed on the Internet, misconfigured, vulnerable or otherwise abusable. Some of our scans are also population scans to measure accessible services.  We mean no harm, nor do we exploit any vulnerabilities. The goal is to reduce the Internet’s exposed attack surface by reporting our findings to you or the responsible (national) CERT. We hope to improve the Internet’s cybersecurity resilience. You can subscribe to our service and get all the information we collect about your network for free.

You can read more on our scanning efforts in our blog “The Scannings Will Continue Until The Internet Improves”.

If you are developing your own tools to process our feeds and need to test your parsers or are a vendor that develops software for that purpose you can apply for an API key to get sample dummy test reports. Please contact us.

Yes, we collect IPv6 data on your networks as well. This includes sinkholing data and scan data. Many of our reports have an IPv6 and IPv4 version.

Yes, please subscribe here.

Yes. In fact, wherever possible, we like to work with the National CERT of each country. For those CERTs, we will provide country-level reports of any data we collect. This request is for a specific geographical area or TLD.

Yes, we can provide reports based on domain names (as opposed to ASN/CIDR/Country level), in instances where you have ownership of domains but not of a particular IP. Examples of reports that can be filtered on domain include Compromised Website reports and Accessible RDP reports. TLD-level reports are available for National CERTs and to the operating registries responsible for that TLD.

Here are a few tips for getting your reports set up quickly ... Full answer »

While we don’t guarantee a fixed response time, we are committed to responding as rapidly as possible and creating reports as swiftly as we can. It takes time to validate listed networks and verify contacts; when we have a question, we’ll email you. Normally, however, the queue for report creation is cleared out at least once a month; many times, sooner.

While most of our data is no more than 24 hours old, occasionally mistakes are made. We currently process approximately three to four billion events each day. Our systems are not bullet-proof, nor is our code without flaw. So, if you think there’s an issue, feel free to contact us. We’ll take a look and try to get it fixed.

We offer over 90 different reports, from activity like DDoS attacks and botnets to open Elasticsearch and MongoDB servers. You can see a full list of the reports we offer on the Network Reporting page.

We currently have a few types of delivery, depending upon your subscription for your area of responsibility. Full answer »

All reports are compressed by default due to the use of non-ASCII characters. Most mail systems can’t handle the special characters very well; most, in fact, will just drop the emails, so compression is one method of encapsulating the text from the mail systems.

However, this can cause an issue with border protections that prevent compressed files from being delivered. If you cannot receive compressed files, please let us know, and we can disable compression for your reports.

We run the reports every morning for the previous 24 hours, in UTC time. By default, our systems check your networks for each data area every time. The delivery frequency of reports will depend ... Full answer »

The available format for reports is comma separated variable (CSV) files. The timestamps in the reports are always represented in UTC+0.

PII includes information that can be used to distinguish or trace your identity, such as your name, birth date, and mother’s maiden name. Shadowserver does not collect PII through this website unless you submit it voluntarily. Full answer »

Shadowserver may share aggregated, non-personal information from time to time, such as the number of users who visited our website during a specific time period, their general geographic location, and other non-identifying data.

At Shadowserver, we believe in transparency and work to promote a culture of sharing across the Internet security community. But we aren’t reckless. The data we collect is protected. We make it available on a need-to-know basis, whether you’re an end-user or a national CSIRT. Full answer »

Shadowserver is an altruistic nonprofit working for the public good. Our funding comes from the sponsorships, grants, and charitable donations of those who share our vision for a more secure Internet. We recently also launched an Alliance Partnership to provide a more structured approach to obtaining funding (in exchange for additional benefits).  You can read more on our “Become a Partner” page.

Similarly to organizations such as Shodan and Censys, Shadowserver performs daily port scanning of the entire IPv4 Internet, from computers physically located in the USA, where port scanning is not prevented by Federal law. Full answer »

You’re free to opt out at any time. To do so, email dnsscan@shadowserver.org and list the specific CIDRs you would like to have removed. (You’ll need to prove that you’re the verifiable owner of these CIDRs.)

We share most of the data that we collect each day, filtered by ASN, CIDR, Country Code, or TLD (all levels). We offer 76 different report types; you can subscribe to any or all of them. Full answer »

You can subscribe to custom reports here. Full answer »

Yes. You can read an introduction on the topic here: Announcing the New Reports API. For details on how to use the API, please read API: Documentation and API: Reports Query. Please contact us to request an API key.

Please send an email to report_admin@shadowserver.org if you need to add or remove recipients, add new CIDR/ASN space to your subscriptions, make a change to your organization’s name, or request another update. All administration for your subscription is carried out internally by Shadowserver staff.

Shadowserver provides detailed information about detected events on your networks once you opt-in and subscribe to our free daily reports. You can find more general high level information about different potential types of threats by visiting our Statistics page.

Since our founding, Shadowserver has pioneered a radical shift in the global security community, in which governments and major organizations share what they know so that the Internet can become more secure. Full answer »

The Shadowserver Foundation is a registered 501(c)3 tax-exempt non-profit organization in the US (EIN: 26-2267933) and Stichting The Shadowserver Foundation Europe is a registered tax-exempt non-profit organization with public benefit status in The Netherlands (KvK Number 61199613).

You can verify an organization’s current 501(c)3 status on the IRS website.

Note that during the 2020 COVID-19 pandemic, the data returned by the IRS web search may not be up to date. If you receive an auto-revocation warning such as “Important note: Just because an organization appears on this list, it does not mean the organization is currently revoked, as they may have been reinstated” then you can check the current underlying source data in the IRS’s Exempt Organizations Business Master File Extract (EO BMF). Download the current state of California data and confirm the active 501(c)3 tax-exempt status there, since that master data is updated daily.