category: intelligence
published: March 2026
read time: 14 min

Shadowserver: The Internet's Quiet Early-Warning System

Every day, without fanfare, a nonprofit foundation performs daily internet-wide scans covering most of the routable IPv4 address space, tracks live botnets, and sends free threat intelligence to the national security teams of over 170 countries. Shadowserver conducts multiple full IPv4 scan passes per day, producing more than 90 data sets covering exposed services and vulnerabilities. Most people in cybersecurity have heard the name Shadowserver. Far fewer understand what it actually does — or what would happen if it disappeared.

In February 2020, Shadowserver came close to shutting down permanently. The organization announced that its primary funder, Cisco, would cease support at the end of March 2020. The team published an appeal that spread through the security community with some urgency: without emergency funding, one of the most critical pieces of internet-wide defensive infrastructure would simply go dark.

The response was significant. Governments, security companies, and individual researchers contributed. The UK's National Cyber Security Centre stepped in with direct support. The Dutch government followed. Shadowserver survived — and the episode revealed something important: a quiet nonprofit operating out of modest infrastructure had become genuinely irreplaceable to how the global security community understands the live threat landscape.

This article examines how Shadowserver built that position, what its infrastructure actually does, and why its model of nonprofit threat intelligence remains both unusual and essential.

Origins: Volunteers, Sinkholes, and the Botnet Wars

Shadowserver was founded in 2004 by a group of volunteers from the security community who were frustrated by the gap between what researchers knew about active threats and what defenders could actually act on. The original focus was botnet tracking — specifically, taking over the command-and-control infrastructure used by malware operators and redirecting infected machines' traffic to researcher-controlled servers. This technique is called sinkholing: redirecting a malware C2 domain to a researcher-controlled server after seizure or expiry, so that infected hosts "phone home" to the sinkhole instead, revealing the IP addresses of active infections without enabling attacker communication.

Sinkholing is conceptually straightforward but operationally complex. When a malware family's C2 domain expires or is seized, a researcher can register or obtain that domain and point it to a server they control. Infected machines trying to "phone home" instead connect to the sinkhole. The sinkhole logs those connections, revealing the IP addresses of infected hosts — and by extension, giving network owners and CERTs the data they need to clean up infections they might not have known existed.

Note: Shadowserver currently operates sinkholes for hundreds of malware families simultaneously. When a botnet's C2 infrastructure is disrupted — whether by law enforcement takedown, domain expiry, or coordinated industry action — sinkhole data is frequently the primary mechanism by which the scale and geographic distribution of the infection becomes known.

Early Shadowserver operations targeted prevalent botnets of the mid-2000s, including Storm, Waledac, and Conficker. The Conficker Working Group, a landmark coordinated response effort formed in 2008, relied on Shadowserver infrastructure and expertise. At its peak, Conficker infected an estimated 10 to 15 million machines. The working group — which included Shadowserver alongside Microsoft, ICANN, and multiple national CERTs — used sinkhole data to track infection counts and coordinate remediation globally.

"Shadowserver has been a critical partner in some of the most significant botnet disruption operations of the past two decades. The data they provide is not duplicated anywhere else at this scale and cost." — Phil Reitinger, former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security

That early credibility — earned through operational involvement in real incidents, not just research publications — became the foundation for Shadowserver's subsequent expansion into internet-wide scanning.

The Daily Scan: What 3.7 Billion IP Addresses Reveal

Today, Shadowserver's core operational activity is daily internet-wide scanning. According to the organization's own published documentation and statistics, it scans the entire IPv4 address space — approximately 3.7 billion routable IPv4 addresses across more than 140 ports each day — collecting service banners, protocol metadata, and vulnerability indicators, and it also scans more than one billion IPv6 addresses using hitlist-based discovery methods.

Internet-wide scanning has become a standard measurement technique used by academic researchers and nonprofit security organizations. Projects such as Censys, Rapid7's Project Sonar, and Shadowserver all conduct large-scale scans of publicly reachable services to measure exposure and vulnerability prevalence. Because these scans interact only with services intentionally exposed to the public internet and do not attempt authentication or exploitation, they are generally considered legitimate security research under accepted internet measurement norms.

3.7B: IPv4 addresses scanned daily
170+: countries receiving free reports
100+: distinct scan types per day
9,000+: network operators subscribed

The scan types are not limited to simple port availability checks. Shadowserver captures service banners, software version strings, TLS certificate data, exposed protocol details, and vulnerability indicators. A scan for open RDP, for example, does not simply record that port 3389 is open — it captures NLA status (Network Level Authentication: a pre-authentication layer for RDP that requires the connecting user to authenticate before a full session is established; devices with NLA disabled expose the full Windows login screen to the internet, significantly increasing attack surface), TLS certificate fingerprints, and whether the service is presenting characteristics associated with known vulnerable configurations.

This data feeds into what Shadowserver calls its "reports" system. Network operators, ISPs, academic institutions, government CERTs, and national cybersecurity agencies can subscribe to receive daily automated reports scoped to their IP address space. A university's IT security team receives a daily CSV listing every device within their registered IP ranges that appeared in that day's scan data with a notable finding — an exposed service, an outdated version, a certificate anomaly, a known vulnerable configuration.

"The daily reports are operationally transformative for smaller CERTs and developing economies who lack the infrastructure to do this scanning themselves. Shadowserver effectively gives them a national vulnerability posture report every morning at no cost." — Adli Wahid, Senior Cybersecurity Specialist, Asia Pacific Network Information Centre (APNIC)

The free model is not incidental — it is the point. Shadowserver explicitly operates as a public good. An ISP in a lower-income country receives the same quality of scan data covering its address space as a major European telecommunications provider. This universality is, by design, what makes the data valuable at scale: when a vulnerability like Log4Shell or ProxyLogon triggers mass exploitation, Shadowserver's scan data captures the global exposure picture within 24 to 48 hours of publication.

The Vulnerability Window: Where Shadowserver Data Changes Outcomes

The practical value of daily internet-wide scanning becomes clearest in the hours and days following a critical vulnerability disclosure. When a CVE drops for a widely deployed piece of software — an edge device, a mail server, a VPN appliance — defenders and attackers are in a race. Defenders need to know whether they are exposed. Attackers are already scanning for targets.

Shadowserver begins scanning for new vulnerabilities rapidly after public disclosure, often within hours. Its published data on exposure counts — the number of devices globally presenting characteristics associated with a given vulnerability — becomes a reference point for the entire security community. CISA cites Shadowserver scan data in advisories. Vendors reference it in patch urgency communications. Journalists use it to characterize the scope of a threat.

Warning: Shadowserver scan data is not a substitute for an organization's own vulnerability management program. A device that does not appear in Shadowserver's findings may still be vulnerable — particularly if it sits behind a firewall that blocks external scanning, or if the vulnerability requires authenticated access or specific configuration states that external scanning cannot verify.

When ProxyLogon (CVE-2021-26855 and related CVEs) was disclosed in March 2021, Shadowserver's scan data showed more than 250,000 vulnerable Exchange servers globally within the first 48 hours. That figure became the anchor for reporting and policy response. As patching proceeded, Shadowserver's daily updates provided a live counter — the number declining over days and weeks, making it possible for both government agencies and reporters to track remediation velocity in near-real time.

A similar pattern played out with vulnerabilities in Citrix ADC, Pulse Secure, Fortinet, and dozens of other widely deployed edge products. For each one, Shadowserver's scanning provided the most authoritative public count of exposed devices, disaggregated by country and autonomous system.

This disaggregation by ASN (Autonomous System Number: a unique identifier assigned to a network or group of networks under a single routing policy; ISPs, universities, and large enterprises each control one or more ASNs, and Shadowserver disaggregates vulnerability data by ASN so the responsible operator receives targeted findings) is particularly significant. When Shadowserver publishes that a given vulnerability affects 40,000 devices in a particular country, and a substantial portion of those devices belong to a single ISP's autonomous system, that ISP's security team — if subscribed to Shadowserver reports — already has the specific list. The national CERT has it too. The path from vulnerability disclosure to actionable notification is compressed in a way that has no equivalent in the commercial threat intelligence market.

The IPv6 Frontier

Any account of this organization framed purely around IPv4 scanning would be incomplete. Shadowserver scans over one billion IPv6 addresses across dozens of ports using hitlist-based discovery techniques. Daily IPv6 scans currently surface more than 120 million active services across nine service types. This matters because IPv6 adoption is accelerating, and the assumption that IPv6 address space is too large to enumerate coherently — long used as an informal security argument — does not hold against an organization scanning from observed-address hitlists rather than attempting brute-force enumeration of the full space. Devices that administrators may believe are less visible by virtue of living on IPv6 addresses appear in Shadowserver's data if they are genuinely reachable and active.

Sinkhole Operations and Botnet Disruption

Alongside scanning, Shadowserver's sinkhole operation remains one of the most extensive in the world. The organization maintains sinkholes for hundreds of malware families at any given time, representing years of accumulated coordination with law enforcement, domain registrars, and the research community.

When a botnet takedown operation occurs — whether led by law enforcement like the FBI or Europol's EC3, or coordinated through private sector partnerships — Shadowserver is frequently a named participant or behind-the-scenes infrastructure provider. In Operation Duck Hunt (August 2023), the FBI-led multinational disruption of the QakBot botnet, Shadowserver was listed as a technical partner alongside CISA and Microsoft, assisting with victim notification and disseminating data on historical QakBot infections to over 200 national CERTs and network operators worldwide. In a separate operation, the DOJ named Shadowserver Foundation as providing valuable assistance in Operation Dying Ember — the court-authorized January 2024 disruption of the GRU's Moobot botnet, in which the FBI neutralized hundreds of Ubiquiti routers that Russia's APT28 had hijacked for global cyber espionage. Operation PhishOFF, which dismantled the LabHost phishing-as-a-service platform and resulted in 37 arrests, also included Shadowserver support — and ultimately won Europol's Excellence Award for Innovation.

Supporting law enforcement operationally requires more than sinkhole telemetry. Shadowserver operates MISP-LEA — a dedicated instance of the open-source Malware Information Sharing Platform built jointly with Luxembourg's CIRCL and funded by the EU Internal Security Fund — specifically tailored to law enforcement needs. Unlike general-purpose MISP deployments, MISP-LEA receives Shadowserver data feeds formatted for investigative and disruption workflows, providing EU law enforcement agencies (and partner LEAs globally) with structured cybercrime-relevant threat intelligence that is otherwise difficult to access in machine-readable, actionable form.

# Example of what Shadowserver sinkhole telemetry captures per connection:
timestamp: 2025-03-11T14:22:07Z
src_ip: [infected host]
src_asn: AS[redacted]
src_country: [redacted]
dst_ip: [sinkhole server]
dst_port: 443
malware_family: [family name]
c2_domain: [original C2 domain, now sinkholed]
bot_id: [botnet-assigned identifier if recoverable]

That telemetry, aggregated across millions of connections per day across hundreds of botnet families, produces what Shadowserver describes as its "Botnet Drone" reports — daily feeds showing which IP addresses in a subscriber's network space are observed making connections to sinkholed botnet infrastructure. For an enterprise security team, this is among the highest-fidelity indicators of compromise available: the infected host reached out to a server that was only reachable because it was formerly a live C2 that has been taken over.

Botnet sinkhole data is categorically different from generic threat intelligence feeds. When a host appears in sinkhole telemetry, there is behavioral evidence of infection — not just a hash or a file path. That distinction matters enormously for triage and response.
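To make concrete how a subscriber would work with the daily per-address-space reports described above and the Botnet Drone sinkhole reports, here is an added example (not Shadowserver's code, and using constructed column names rather than Shadowserver's actual report schema). It filters two constructed report bodies down to the subscriber's own prefixes, ranks findings so that behavioral sinkhole evidence outranks mere exposure, and identifies hosts that are both exposed and infected. The prefixes, ASNs and addresses are RFC 5737 documentation ranges and reserved example values.

```python
"""Triage constructed Shadowserver-style daily report rows against our own
address space. Column names below are constructed for this example and are
not Shadowserver's actual report schema."""
import csv
import io
import ipaddress

# Constructed sample of an "exposed service" style report (one row per
# finding) as a subscriber might receive it. Addresses are RFC 5737 ranges.
SCAN_REPORT = """timestamp,ip,port,protocol,asn,tag,version
2025-03-11T04:12:00Z,192.0.2.10,3389,tcp,64496,rdp-nla-disabled,10.0.19041
2025-03-11T04:12:03Z,192.0.2.77,445,tcp,64496,smb,
2025-03-11T04:13:40Z,198.51.100.5,23,tcp,64497,telnet,
"""

# Constructed sample of a "botnet drone" style report: hosts seen connecting
# to sinkholed C2 domains (domains use the reserved .invalid TLD).
DRONE_REPORT = """timestamp,ip,asn,malware_family,c2_domain,dst_port
2025-03-11T14:22:07Z,192.0.2.77,64496,qakbot,example-c2.invalid,443
2025-03-11T15:01:55Z,203.0.113.9,64498,mirai,example-c2b.invalid,80
"""

# The address space this subscriber is responsible for (constructed).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Ranking: a sinkhole hit is behavioral evidence of infection and outranks
# any exposure finding; unknown tags get a baseline severity of 1.
SEVERITY = {"drone": 3, "rdp-nla-disabled": 2, "smb": 2, "telnet": 2}


def in_scope(ip, prefixes):
    """True if ip falls inside one of the prefixes we are responsible for."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def parse_report(text):
    """Parse a CSV report body into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(scan_text, drone_text, prefixes):
    """Merge exposure and sinkhole findings for our prefixes, highest severity first."""
    findings = []
    for row in parse_report(scan_text):
        if not in_scope(row["ip"], prefixes):
            continue
        findings.append({
            "ip": row["ip"],
            "kind": row["tag"],
            "detail": f"{row['protocol']}/{row['port']} exposed",
            "severity": SEVERITY.get(row["tag"], 1),
            "evidence": "exposure",
        })
    for row in parse_report(drone_text):
        if not in_scope(row["ip"], prefixes):
            continue
        findings.append({
            "ip": row["ip"],
            "kind": "drone",
            "detail": f"{row['malware_family']} beacon to sinkholed {row['c2_domain']}",
            "severity": SEVERITY["drone"],
            "evidence": "behavioral",
        })
    # Severity descending, then numeric address order for stable output.
    findings.sort(key=lambda f: (-f["severity"], ipaddress.ip_address(f["ip"])))
    return findings


def exposed_and_infected(findings):
    """Hosts that appear in both report types: exposed service plus sinkhole hit."""
    exposed = {f["ip"] for f in findings if f["evidence"] == "exposure"}
    infected = {f["ip"] for f in findings if f["evidence"] == "behavioral"}
    return exposed & infected


if __name__ == "__main__":
    for f in triage(SCAN_REPORT, DRONE_REPORT, OUR_PREFIXES):
        print(f"[sev {f['severity']}] {f['ip']:15} {f['kind']:18} {f['detail']}")
    print("exposed and infected:", sorted(exposed_and_infected(triage(SCAN_REPORT, DRONE_REPORT, OUR_PREFIXES))))
```

The out-of-scope rows (198.51.100.5 and 203.0.113.9) are dropped, which mirrors the point that a subscriber only ever sees its own verified ranges; the host 192.0.2.77 surfaces at the top because its sinkhole connection is behavioral evidence, with its open SMB port listed as supporting context rather than the headline.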

The breadth of malware families covered is itself a significant operational achievement. Maintaining active sinkholes requires ongoing work: monitoring for domain expiry, coordinating with registrars when domains are contested, updating configurations as malware families evolve their C2 communication, and ensuring the sinkhole infrastructure itself does not become a target or vector. Shadowserver does this at scale, for hundreds of families simultaneously, without charging the CERTs and network operators who receive the resulting reports.

The Honeypot Network: Catching Exploitation in the Wild

Scanning tells you what is exposed. Sinkholes tell you what is infected. A third sensing modality — one that most coverage of Shadowserver tends to underemphasize — tells you what is being actively attacked right now. Shadowserver operates a Global Honeypot Sensor Network: a distributed infrastructure of intentionally vulnerable-looking systems placed across the internet to attract and record exploitation attempts.

When a new critical vulnerability is disclosed, Shadowserver's honeypots often detect active exploitation attempts within hours — before the organization has even completed a full scanning pass for the vulnerability. This is the capability that earned Shadowserver recognition from vulnerability intelligence firm VulnCheck as the "Earliest Reporter of Exploitation in the Wild" in 2024. The distinction matters: there is a significant operational difference between knowing a vulnerability exists and knowing it is being actively weaponized. Shadowserver's honeypot telemetry collapses that gap.

Note: Honeypot reports in the Shadowserver system include HTTP scanner events mapped to CVE identifiers, CVSS scores, and MITRE ATT&CK technique references — giving defenders a structured, prioritized view of what is being exploited against internet-facing services, not just what is theoretically exploitable.

The honeypot network also covers ICS/OT protocols (Industrial Control System / Operational Technology: protocols such as Modbus, DNP3, BACnet, Siemens S7, and others that control physical infrastructure; ICS-targeted scanning is a recognized precursor to infrastructure attacks) through dedicated ICS sensor deployments. Any scanning activity targeting industrial control system protocols — Modbus, DNP3, BACnet, and others — is logged and reported, providing early warning of reconnaissance activity against industrial networks that would otherwise be invisible to most defenders.

A related capability is Shadowserver's darknet telescope data. Darknets (also called network telescopes) are blocks of IP address space that are routable but have no legitimate services assigned, so they receive no legitimate traffic by definition. Any packets that arrive are inherently suspicious and are catalogued: scanning probes, DDoS backscatter from spoofed sources, malware attempting to spread. Analyzing darknet traffic reveals attack patterns without requiring deployment of interactive honeypots. Shadowserver's Darknet Events reports feed this data back to network operators, providing a detection signal that requires no interaction or vulnerability on the recipient's part.
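The three kinds of darknet traffic named above (scanning probes, DDoS backscatter, propagation attempts) can be told apart from packet metadata alone. The following added example, which is not Shadowserver's Darknet Events logic but an illustration of the same idea, classifies constructed telescope records per source: unsolicited SYN-ACK or RST replies mark a source whose attackers spoofed the telescope's addresses (backscatter), one port hit across many telescope addresses is a horizontal sweep of the kind a spreading worm performs, and many ports on one address is service enumeration. The telescope prefix, source addresses and threshold are constructed.

```python
"""Classify constructed darknet (network telescope) packet records by source
into backscatter, horizontal scan, vertical scan, or single probe. These
heuristics are an added illustration, not Shadowserver's own classifier."""
from collections import defaultdict

# Constructed records: (src_ip, dst_ip, dst_port, tcp_flags). The telescope
# prefix 203.0.113.0/24 (RFC 5737 documentation space) hosts no services, so
# every packet arriving there is unsolicited by definition.
RECORDS = [
    ("198.51.100.7", "203.0.113.1", 445, "S"),       # one port, many targets
    ("198.51.100.7", "203.0.113.2", 445, "S"),
    ("198.51.100.7", "203.0.113.3", 445, "S"),
    ("198.51.100.7", "203.0.113.4", 445, "S"),
    ("192.0.2.50", "203.0.113.10", 22, "S"),         # many ports, one target
    ("192.0.2.50", "203.0.113.10", 80, "S"),
    ("192.0.2.50", "203.0.113.10", 443, "S"),
    ("192.0.2.50", "203.0.113.10", 8080, "S"),
    ("192.0.2.99", "203.0.113.20", 53821, "SA"),     # replies we never asked for
    ("192.0.2.99", "203.0.113.21", 53822, "SA"),
    ("192.0.2.99", "203.0.113.22", 40000, "R"),
    ("198.51.100.200", "203.0.113.30", 23, "S"),     # a lone probe
]

FANOUT_THRESHOLD = 3  # distinct targets or ports before we call it a scan (constructed)
REPLY_FLAGS = {"SA", "R", "RA"}  # flags only a responder sends


def classify_source(packets):
    """Label one source's packets seen by the telescope.

    backscatter:     mostly SYN-ACK/RST, i.e. a victim answering a flood in
                     which our telescope addresses were forged as the source.
    horizontal_scan: SYNs to many telescope addresses on a single port, the
                     signature of a worm or botnet spreader hunting one service.
    vertical_scan:   SYNs to many ports on one address (service enumeration).
    single_probe:    anything below the fan-out threshold.
    """
    flags = [p[3] for p in packets]
    replies = sum(1 for f in flags if f in REPLY_FLAGS)
    if replies > len(flags) / 2:
        return "backscatter"
    dsts = {p[1] for p in packets}
    ports = {p[2] for p in packets}
    if len(dsts) >= FANOUT_THRESHOLD and len(ports) == 1:
        return "horizontal_scan"
    if len(ports) >= FANOUT_THRESHOLD and len(dsts) == 1:
        return "vertical_scan"
    return "single_probe"


def classify(records):
    """Group records by source address and label each source."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    return {src: classify_source(pkts) for src, pkts in by_src.items()}


def summarize(records):
    """Count sources per label, the aggregate a darknet events report carries."""
    counts = defaultdict(int)
    for label in classify(records).values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, label in classify(RECORDS).items():
        print(f"{src:16} {label}")
    print(summarize(RECORDS))
```

A backscatter label is worth reading carefully: the source address is not an attacker but a DDoS victim, so a report consumer should treat it as evidence of an attack on that address rather than from it.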

The IoT Blind Spot

A growing share of Shadowserver's honeypot and scanning work now targets IoT devices — routers, cameras, NAS appliances, and industrial gateways — that make up an increasingly significant portion of both the global attack surface and active botnet infrastructure. In 2024, Shadowserver introduced a dedicated Compromised IoT Report that aggregates device compromise data from multiple detection methods: HTTP-based scan detections, correlation of scan and honeypot findings, and collaboration with external partners to identify compromised SSH hosts by detecting attacker-installed public keys. For network defenders managing large numbers of edge devices with inconsistent patch cadences, this report provides a ground-truth indicator of compromise that no internal monitoring tool is positioned to supply.
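The Compromised IoT Report's SSH signal (attacker-installed public keys) has a direct host-side counterpart that any operator can run on their own devices. Here is an added example, not Shadowserver's or its partners' code, that parses an authorized_keys file, computes each key's OpenSSH-style SHA256 fingerprint, and flags any key whose fingerprint is not on a provisioning allowlist. The sample keys are syntactically valid ssh-ed25519 blobs built from constant bytes for the example; they are not real keys, and the allowlist and file contents are constructed.

```python
"""Audit an authorized_keys file against an allowlist of known key
fingerprints, flagging keys nobody provisioned. Added illustration of a
local check; the sample keys and allowlist below are constructed."""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length prefix plus bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32):
    """Build a syntactically valid ssh-ed25519 public key blob (base64) from a
    32-byte value. Used only to construct sample keys; the bytes are not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line (options, keytype, blob, comment).

    Comment and blank lines are skipped. The key type token anchors the parse,
    so a leading options field (e.g. command="...") is tolerated."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed: no recognised key type followed by a blob
        entries.append({
            "options": " ".join(tokens[:idx]),
            "keytype": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit(text, allowed_fingerprints):
    """Fingerprint every key and flag those absent from the allowlist.
    An undecodable blob is flagged too, since it was not provisioned either."""
    results = []
    for entry in parse_authorized_keys(text):
        try:
            fp = fingerprint(entry["blob"])
        except (ValueError, binascii.Error):
            fp = None
        entry["fingerprint"] = fp
        entry["flagged"] = fp not in allowed_fingerprints
        results.append(entry)
    return results


# Constructed sample: one provisioned admin key, one key nobody provisioned,
# and one malformed line that the parser must skip.
ADMIN_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(bytes([0xAB] * 32))
AUTHORIZED_KEYS = f"""# ops-provisioned
ssh-ed25519 {ADMIN_KEY} admin@bastion
not-a-key-line
command="/usr/bin/false" ssh-ed25519 {ROGUE_KEY} x
"""
ALLOWLIST = {fingerprint(ADMIN_KEY)}  # what provisioning says should be there

if __name__ == "__main__":
    for r in audit(AUTHORIZED_KEYS, ALLOWLIST):
        status = "FLAGGED" if r["flagged"] else "ok"
        print(f"{status:8} {r['keytype']} {r['fingerprint']} {r['comment']!r}")
```

Comparing fingerprints rather than raw blobs keeps the allowlist short and readable, and it matches what ssh-keygen -lf prints, so findings can be checked by hand on the device.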

The Dashboard: Public-Facing Threat Intelligence

In recent years, Shadowserver has expanded its public-facing data access through the Shadowserver Dashboard, available at dashboard.shadowserver.org. The dashboard provides aggregated, country-level and ASN-level views of internet exposure data without requiring an account or subscription.

The dashboard allows anyone to query, for example, how many devices in a given country are presenting open SMB on port 445, or how many devices globally have an exposed Telnet service, or what the current global count of internet-facing RDP servers is. Trend data shows how these numbers change over time — useful for researchers, policymakers, and journalists who need to characterize the state of internet hygiene in quantitative terms.

Note: The Shadowserver Dashboard also provides API access for programmatic queries, enabling integration with security operations tools and automated reporting workflows without the need for a commercial contract.

For network operators who want device-level specifics rather than country aggregates, the subscription-based reports system provides daily CSV or JSON files scoped to their registered IP space, delivered via email or SFTP. There is no cost to subscribe for operators who can demonstrate they are responsible for the address space in question — verified through regional internet registry (RIR) data. RIRs are the organizations that manage IP address allocation within specific regions: ARIN (Americas), RIPE NCC (Europe/Middle East), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa); their records are the authoritative source for confirming which organization controls a given IP range. This verification step is deliberate: the device-level specificity of the reports means they could be misused if delivered to parties who do not have a legitimate interest in the network in question.

Governance, Funding, and the Question of Independence

Shadowserver is structured as a nonprofit organization registered in the United States. Its governance model emphasizes operational independence from any single government or commercial funder. This independence is not merely organizational principle — it is operationally necessary. For Shadowserver's data to be trusted by CERTs in geopolitically diverse countries, including some that have fraught relationships with Western governments, the organization must be credible as a neutral actor.

The 2020 funding crisis and its resolution through a diverse set of government and industry contributors actually strengthened this model. No single entity now controls the funding. Contributors include the UK's NCSC, the Dutch NCSC, the German BSI, the Japanese Cybersecurity Strategy Office, and a range of private sector partners including major security vendors. The allocation of contributions to operations, rather than to any shareholder or founder, is structurally enforced by nonprofit status.

In 2022, Shadowserver formalized this multi-stakeholder model through the launch of the Shadowserver Alliance, a structured partner program in which members contribute to operational funding while gaining closer coordination on threat intelligence sharing and real-time response. The Alliance enables organizations — security vendors, domain registrars, financial institutions, and internet infrastructure providers — to join as structured partners rather than one-off donors. Alliance members include Mastercard, Akamai, Trend Micro, Avast, and Craig Newmark Philanthropies. The model matters beyond the funding it provides: it creates a communication layer that allows Shadowserver to coordinate in real time with partners during active incidents, rather than operating in isolation and publishing findings after the fact.

Critical: The 2020 funding crisis exposed a structural vulnerability in global cybersecurity infrastructure: a critical public good, relied upon by hundreds of national security agencies, was funded by a single corporate sponsor with no succession plan. The current diversified model is more resilient, but Shadowserver's continued operation still depends on voluntary contributions that require active renewal.

The question of what happens when Shadowserver scans your network is one that network operators sometimes raise. Shadowserver publishes its scanning IP ranges and operates an opt-out mechanism, though the organization notes that opting out of scanning means opting out of the free reports that scanning makes possible. The organization has published clear documentation of its scanning methodology, the purposes for which scan data is used, and the data handling policies that govern distribution of device-level findings.

Legal challenges to internet-wide scanning have been pursued by various parties over the years, but Shadowserver's legal and operational posture has been shaped by extensive experience navigating these questions. The organization's nonprofit status, transparent methodology, and explicit public-benefit mission distinguish its operations from commercial scanning services in ways that have withstood legal scrutiny in the jurisdictions where questions have arisen.

How to Actually Use Shadowserver

Most coverage of Shadowserver describes what it does at an institutional level but stops short of answering the practical question: what should a security practitioner, IT administrator, or small-country CERT analyst actually do with this? The answer is more accessible than the organization's reputation for background infrastructure might suggest.

For network operators — anyone responsible for a registered block of IP address space — the starting point is subscribing to the free daily reports. Subscription requires verifying control of the IP ranges in question, done by matching against RIR (regional internet registry) records. The process is documented at shadowserver.org/what-we-do/network-reporting. Once verified, reports arrive daily by email or SFTP in CSV or JSON format, covering whatever Shadowserver's scanning and sinkhole data found within those ranges: exposed services, outdated software, botnet-infected hosts, post-exploitation framework beacons, and more.

Warning: New subscribers frequently receive their first daily report and find findings they did not expect — exposed services on forgotten devices, botnet infections on machines that were considered clean, outdated software on internet-facing systems. Treat the first report as a baseline audit, not an alarm. The volume of findings in an initial report is often a function of accumulated exposure, not a sudden deterioration.

For researchers, policymakers, and anyone without registered IP space to claim, the public Shadowserver Dashboard requires no account. It provides two years of historical trend data, country-level and ASN-level views, and a honeypot attack statistics panel showing which vulnerabilities are being actively exploited against internet-facing services, updated continuously from the sensor network. The dashboard API allows programmatic access for building automated workflows or integrating Shadowserver data into existing tooling.

For those who want to go deeper — threat researchers, national CERTs, or organizations seeking to contribute data rather than only consume it — the Alliance partnership model and reciprocal data-sharing arrangements are the relevant paths. Shadowserver explicitly operates on the principle that its data improves when more trusted parties contribute to it, and the organization has structured agreements with governments, ISPs, and security vendors who share malware samples, sinkhole feeds, and sensor data in exchange for receiving enriched intelligence back.

Key Takeaways

  1. Scale without commercial incentive: Shadowserver provides internet-wide scanning and botnet sinkhole data to national CSIRTs and network operators in more than 175 countries and territories - at no cost to recipients, a model that has no equivalent in the commercial threat intelligence market and that fills gaps that market forces do not address.
  2. Three distinct sensing modalities: Scanning reveals what is exposed. Sinkholes reveal what is infected. The Global Honeypot Sensor Network reveals what is being actively attacked right now. Each answers a different question; together they provide a more complete picture than any single modality alone.
  3. IPv6 is not a blind spot: Shadowserver now maintains a hitlist of up to one billion IPv6 addresses and scans them daily, surfacing over 120 million active services. The assumption that IPv6 address space is too large to monitor does not hold against a hitlist-based approach.
  4. Operationally irreplaceable: Shadowserver's data appears in government advisories, vendor communications, and law enforcement operations. The 2020 funding crisis demonstrated that no equivalent replacement would spontaneously emerge — the data pipeline would simply stop.
  5. Speed matters in vulnerability disclosure: The organization's honeypot network detects active exploitation often within hours of disclosure, and its scanning produces global exposure counts within 24 to 48 hours. VulnCheck named Shadowserver the "Earliest Reporter of Exploitation in the Wild" in 2024.
  6. Sinkhole telemetry is high-fidelity: Unlike threat intelligence based on file hashes or IP reputation lists, botnet sinkhole data represents behavioral evidence of active infection. When a host appears in sinkhole reports, it has made a network connection that is only explainable by the presence of malware on that host.
  7. Independence enables trust, and the Alliance sustains it: Shadowserver's nonprofit structure, diverse funding base, and the structured Shadowserver Alliance are operational requirements, not organizational niceties. CERTs in countries with varied geopolitical positions trust Shadowserver data precisely because no single government or company controls the organization.
  8. It is accessible to anyone with registered IP space: Daily reports are free, machine-readable, and require only verification of IP range ownership. For organizations without registered ranges, the public dashboard provides two years of historical data at country and ASN granularity without any account required.

Shadowserver does not make the news the way a ransomware campaign does, or the way a nation-state intrusion disclosure does. It operates in the infrastructure layer of the security community — the part that makes other defensive actions possible. That invisibility is, in a sense, a measure of how well it works. When a vulnerable edge device gets patched before it is exploited, or when a botnet infection is cleaned up before it pivots to ransomware deployment, no headline is written. The threat that did not materialize leaves no record. Shadowserver's contribution to that outcome, real and ongoing, happens in the background.

The internet needs institutions that treat security visibility as a public good — not a product, not a competitive advantage, but infrastructure. Shadowserver is one of the few that has actually built that at scale. Understanding what it does, and what its continued operation requires, is relevant to anyone who works in or thinks seriously about cybersecurity.
