Subscribe to Reports

Complete the form below to request free, detailed, relevant, daily remediation reports about the state of your networks or constituency. We’ll evaluate your request and follow up with you. There is no charge for this service. Our reports will provide you a free daily potential attack surface report relevant to your organization’s network or constituency, as well as potential malware or other malicious activity seen originating from your network/constituency.

Our daily reports are available either via e-mail or API. For automation, we recommend the API. You can find an overview of the API in our GitHub wiki. For API access, you need to request an API key. You can do so by adding a request in the “References” form or later via our Contact form.

Please note that by default we also share a lot of information on possible accessible services on your network. Too many daily reports? If you find some of these redundant, you can choose to opt-out of receiving those via via our Contact form. You can also always request the Delta mode option as well to lower the amount of daily reporting.

    Your information





    Your network

    Report Recipient(s)

    Enter the name and contact information for one or more individuals in your organization, ideally someone listed on the whois for your network space. This will help us verify your identity.

    If you selected a 'please specify' or 'other' option in the How you heard about us question.

    View our privacy policy for details on use and storage of your personal data.

    Common Questions

    What information do you include in your reports?

    We share most of the data that we collect each day, filtered by ASN, CIDR, Country Code, or TLD (all levels). We offer 76 different report types; you can subscribe to any or all of them. Full answer »

    How can I edit or update my subscription?

    Please send an email to report_admin@shadowserver.org if you need to add or remove recipients, add new CIDR/ASN space to your subscriptions, make a change to your organization’s name, or request another update. All administration for your subscription is carried out internally by Shadowserver staff.

    How are reports formatted?

    The available format for reports is comma separated variable (CSV) files. The timestamps in the reports are always represented in UTC+0.

    How often are reports run? How often are they delivered?

    We run the reports every morning for the previous 24 hours, in UTC time. By default, our systems check your networks for each data area every time. The delivery frequency of reports will depend ... Full answer »

    Are reports compressed?

    All reports are compressed by default due to the use of non-ASCII characters. Most mail systems can’t handle the special characters very well; most, in fact, will just drop the emails, so compression is one method of encapsulating the text from the mail systems.

    However, this can cause an issue with border protections that prevent compressed files from being delivered. If you cannot receive compressed files, please let us know, and we can disable compression for your reports.

    How are reports delivered?

    We currently have a few types of delivery, depending upon your subscription for your area of responsibility. Full answer »

    What types of reports do you offer?

    We offer over 90 different reports, from activity like DDoS attacks and botnets to open Elasticsearch and MongoDB servers. You can see a full list of the reports we offer on the Network Reporting page.

    What do I do if I receive a false positive?

    While most of our data is no more than 24 hours old, occasionally mistakes are made. We currently process approximately three to four billion events each day. Our systems are not bullet-proof, nor is our code without flaw. So, if you think there’s an issue, feel free to contact us. We’ll take a look and try to get it fixed.

    How long does it take to create the reports (when will you respond to me)?

    While we don’t guarantee a fixed response time, we are committed to responding as rapidly as possible and creating reports as swiftly as we can. It takes time to validate listed networks and verify contacts; when we have a question, we’ll email you. Normally, however, the queue for report creation is cleared out at least once a month; many times, sooner.

    How can I make sure I get reports set up as soon as possible?

    Here are a few tips for getting your reports set up quickly ... Full answer »

    Can you provide reports based on domain names?

    Yes, we can provide reports based on domain names (as opposed to ASN/CIDR/Country level), in instances where you have ownership of domains but not of a particular IP. Examples of reports that can be filtered on domain include Compromised Website reports and Accessible RDP reports. TLD-level reports are available for National CERTs and to the operating registries responsible for that TLD.

    Do you provide reports to national CERTs?

    Yes. In fact, wherever possible, we like to work with the National CERT of each country. For those CERTs, we will provide country-level reports of any data we collect. This request is for a specific geographical area or TLD.

    More frequently asked questions »
    Help us make the Internet more secure
    Help us make the Internet more secure

    Shadowserver offers all services free of charge, for public benefit. We don’t sell data. Our revenue comes from sponsorships, grants, and charitable donations.

    Become a partner