The SWITCH-CERT Report is the result of merging and unifying the different notifications sent by SWITCH-CERT to its constituencies. This not only reduces the number of messages sent, but also makes it easier to process the received messages.

The events contained in the report are generally related to IT security abuse, mostly to networked devices. For more information see the section regarding classification.

The report is sent to the most specific official abuse contacts for the given resource (system, domain, etc.). These are usually, but not limited to, abuse contacts of network operators, internet service providers (ISP), autonomous system (AS) or trusted partners and CERTs.

The data format allows us to include additonal information, while not breaking the parse-ability on the receivers side.


Which SWITCH-CERT notifications are replaced?

The SWITCH-CERT notifications using the following email subjects are replaced

  • Compromised IP

Coming soon

  • Most Likely Compromised
  • Scanner

Other SWITCH-CERT notifications that are not replaced

  • SWITCH domain CH and LI related domain notifications, based on the registry activity. Read more https://www.switch.ch/saferinternet/
  • SWITCH custom notifications. These "one-shot" notifications are based on information that is only once or very irregularely available. The subject, content, format, description, etc. will therefore vary.


Where does this information come from?

The events contained in the report are based on events generated by monitoring the SWITCH network or on the many external reports and information sent to SWITCH-CERT by its community and many trusted partners.

The incoming reports and information is processed to a unified format and categorized, i.e. classification, before forwarding the information to the appropriate organization.

The report includes as much information SWITCH-CERT has and/or is able to disclose.


What does the classification mean?

There are many efforts trying to standardise the classification of IT security events, which is very difficult as there are many different use cases, points of view or even definitions for the same term, which results in equally many different 'standards'. 

SWITCH-CERT uses a european CERT community classification-type mapping based on the eCSIRT II Taxonomy.

These classification definitions might change over time as threats and the understaning is changing.

The resulting classification consists of up to three parts.

  • Taxonomy: Specified in the field classification.taxonomy. This field is mostly based on the European CSIRT Taxonomy.
  • Type: Specified in the field classification.type. This field specifies a general type for the event.
  • Identifier: Specified in the field classification.identifier. This field specifies an identifier. This identifier defines the actual software, service or malware name.

Classification Overview

The values in the report are all lower case to ensure case insensitivity.

abusive content spam
availability ddos
fraud copyright
information content security dropzone
information gathering scanner
intrusion attempts brute-force
ids alert
intrusions backdoor
malicious code botnet drone
malware configuration


vulnerable service

other blacklist