Switch CERT Report

The Switch CERT Report is the result of merging and unifying the different notifications sent by Switch CERT to its constituencies. The events contained in the report are generally related to IT security abuse, mostly involving networked devices. For more information see the section on classification. The report is sent to the most specific official abuse contacts for the given resource (system, domain, etc.). These are usually, but not limited to, the abuse contacts of network operators, internet service providers (ISPs), autonomous systems (AS), trusted partners and CERTs. The data format allows us to include additional information without breaking parseability on the receiver's side.

Where does this information come from?

The events contained in the report are based on events generated by monitoring the Switch network or on the many external reports and information sent to Switch CERT by its community and many trusted partners.

The incoming reports and information are processed into a unified format and categorized (classification) before the information is forwarded to the appropriate organization.

The report includes as much information as Switch CERT has and is able to disclose.

What does the classification mean?

There are many efforts to standardise the classification of IT security events. This is very difficult, as there are many different use cases, points of view and even definitions for the same term, which results in equally many different 'standards'.

Switch CERT uses a European CERT community classification-type mapping based on the eCSIRT II Taxonomy.

These classification definitions might change over time as threats and our understanding of them change.

The resulting classification consists of up to three parts.

  • Taxonomy: Specified in the field classification.taxonomy. This field is mostly based on the European CSIRT Taxonomy.
  • Type: Specified in the field classification.type. This field specifies a general type for the event.
  • Identifier: Specified in the field classification.identifier. This field names the actual software, service or malware involved.

Classification Overview

The values in the report are all lower case to ensure case insensitivity.

Taxonomy                      Type
abusive content               spam
availability                  ddos
fraud                         copyright, phishing
information content security  dropzone
information gathering         scanner
intrusion attempts            brute-force, exploit, ids alert
intrusions                    backdoor, compromised, defacement
malicious code                botnet drone, c&c, malware, malware configuration, ransomware
vulnerable                    vulnerable service
other                         blacklist
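The following is an added example, not Switch CERT's own code, showing how a receiver can check the classification fields of an event against the taxonomy/type mapping above while tolerating the additional fields the format allows. It assumes events arrive as flat dicts keyed by the dotted field names used on this page; the report's actual serialisation is not specified here, so the sample record is constructed.

```python
# Added example, not Switch CERT's own code: checks the classification fields
# of a report event against the taxonomy/type table above. Assumes events are
# flat dicts keyed by the page's dotted field names; the sample is constructed.
# taxonomy -> permitted types, as listed in the Classification Overview
TAXONOMY_TYPES = {
    "abusive content": {"spam"},
    "availability": {"ddos"},
    "fraud": {"copyright", "phishing"},
    "information content security": {"dropzone"},
    "information gathering": {"scanner"},
    "intrusion attempts": {"brute-force", "exploit", "ids alert"},
    "intrusions": {"backdoor", "compromised", "defacement"},
    "malicious code": {"botnet drone", "c&c", "malware",
                       "malware configuration", "ransomware"},
    "vulnerable": {"vulnerable service"},
    "other": {"blacklist"},
}

CLASSIFICATION_FIELDS = ("classification.taxonomy", "classification.type",
                         "classification.identifier")

def normalise(event):
    """Copy the event with classification values stripped and lower-cased."""
    out = dict(event)
    for key in CLASSIFICATION_FIELDS:
        if isinstance(out.get(key), str):
            out[key] = out[key].strip().lower()
    return out

def validate_classification(event):
    """Return a list of problems (empty means accepted). Unknown extra fields
    are ignored on purpose: the format may carry additional information."""
    ev = normalise(event)
    taxonomy, ctype = ev.get("classification.taxonomy"), ev.get("classification.type")
    problems = []
    if not taxonomy:
        problems.append("missing classification.taxonomy")
    elif taxonomy not in TAXONOMY_TYPES:
        problems.append(f"unknown taxonomy {taxonomy!r}")
    if not ctype:
        problems.append("missing classification.type")
    elif taxonomy in TAXONOMY_TYPES and ctype not in TAXONOMY_TYPES[taxonomy]:
        problems.append(f"type {ctype!r} is not valid for taxonomy {taxonomy!r}")
    return problems

# constructed sample record: a valid event plus an extra field a parser must tolerate
SAMPLE_EVENT = {"classification.taxonomy": "Malicious Code",
                "classification.type": "botnet drone",
                "classification.identifier": "example-botnet",
                "x.extra-info": "additional data carried alongside the event"}
```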
