SISSDEN was built around deploying a large sensor network for new threat data feeds, curated datasets, and long-term botnet tracking.
STICHTING THE SHADOWSERVER FOUNDATION EUROPE
Nonprofit operating one of Europe's largest internet threat monitoring networks, providing free malware and botnet intelligence feeds to CERTs and network operators.
Their core work
Shadowserver Foundation Europe operates one of the world's most extensive passive internet threat monitoring infrastructures — a global network of darknets, honeypots, sandboxes, and sensors that continuously collect data on botnets, malware campaigns, and malicious traffic. They process this data and distribute free remediation feeds to network operators, CERTs, ISPs, and national cybersecurity agencies, enabling organizations worldwide to detect compromised systems on their networks at no cost. In H2020 projects, they function as the bridge between academic research and live operational threat data — bringing real-world malicious traffic datasets and sensor infrastructure that no university lab can replicate. Their nonprofit community-benefit model sets them apart from commercial threat intelligence vendors: the data flows freely to those who can act on it.
What they specialise in
SISSDEN explicitly targeted improved malware analysis and long-term botnet tracking as core deliverables.
Both projects reference free remediation feeds and curated datasets distributed for community benefit, which mirrors Shadowserver's core operational mission.
SOCCRATES focused on monitoring and response workflows for SOC and CSIRT operators, incorporating business impact modelling and course-of-action recommendations.
SOCCRATES introduced AI/ML-driven threat prediction and attack defence graph analysis, marking a shift toward automated intelligence processing.
How they've shifted over time
In the earlier period (SISSDEN, 2016–2019), the focus was squarely on infrastructure: building and operating the sensor network itself — honeypots, sandboxes, darknets — and generating raw threat feeds for community distribution. The work was about collection scale and data quality. By the later project (SOCCRATES, 2019–2022), the emphasis shifted downstream toward operational use of that data: how do SOC analysts and CSIRTs actually respond to what the sensors detect? This brought in business impact modelling, attack defence graphs, and AI-driven prediction — applying intelligence rather than just gathering it.
Shadowserver Europe is moving from raw data provider toward integrated intelligence partner — future collaborations will likely involve automated threat response pipelines, AI-driven incident prioritization, and tooling directly embedded into security operations workflows.
How they like to work
Shadowserver Europe participates exclusively as a specialist partner, never as project coordinator — consistent with an organization whose value lies in contributing unique operational infrastructure rather than managing research consortia. Despite only two projects, they engaged 18 distinct partners across 12 countries, indicating comfort with large, diverse European consortia. They are a sought-after contributor: partners come to them for the one thing no one else can provide — live, large-scale internet threat data from a trusted nonprofit source.
Across two projects, Shadowserver Europe built connections with 18 unique partners in 12 countries — a notably broad network for such a small project portfolio, pointing to high demand for their data infrastructure across European security research groups. No geographic concentration is visible from the data, reflecting their pan-European threat monitoring mandate.
What sets them apart
Shadowserver Foundation is one of the few organizations in Europe that operates genuine large-scale passive internet monitoring infrastructure as a nonprofit — this is not a commercial intelligence product, but a community service, which gives their data a credibility and accessibility that vendor feeds lack. For a consortium, they offer something irreplaceable: access to continuously updated, real-world botnet and malware telemetry that would take years and millions to build independently. No other H2020 participant brings both the operational scale and the community-neutral positioning that Shadowserver does in the cybersecurity space.
Highlights from their portfolio
- SISSDEN: The largest-funded project (EUR 1.5M) and the one that most directly maps to Shadowserver's core mission: deploying a pan-European sensor network for malware and botnet tracking with freely distributed remediation feeds.
- SOCCRATES: Marks a strategic pivot toward operationalizing threat intelligence for SOC and CSIRT teams, introducing AI/ML and business impact modelling, signalling where Shadowserver's research agenda is heading.