Get in contact


Joint Standardisation Workshop of Dynamic countering of cyber-attacks projects

On January 22nd 2021 all projects that are funded in the H2020 call SU-ICT-01-2018 will have a joint workshop to exchange knowledge and to develop plans for collaborative standardisation and dissemination activities. We intend to utilise intra-project synergies to increase the overall impact of the projects and consequently increase the resilience of the EU community against cyber-attacks.



At the Ericsson Internal Network Security Seminar on September 22nd 2020, The Shadowserver Foundation was invited to give a presentation. The presentation was Titled “Large Scale Internet Garbage Collection and sharing”.


The Shadowserver Foundation has been collecting network threat information on a big-data scale for many years with a mission to make the Internet a more secure environment for all. The collected data is shared with 112+ National CSIRTs and 5900+ network owners worldwide via the Shadowserver free daily remediation feeds and used to support various law enforcement investigations. Data collection and management on such a scale is a big challenge – the talk will give an overview of how Shadowserver operates, what data it collects and what threat information can be inferred from it, how the information is being shared and how Shadowserver has supported various malware botnet takedowns and disruptions.


D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype

This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.


SOC Automation 101: Let’s Make the SOC Great (-er) Again!

Wednesday August 26, 2020 4:00 PM – 5:10 PM CEST

SOCCRATES and the SECO institute jointly organize a webinar on August 26th (4 PM-5.10 PM CEST) about SOC automation. During this webinar we’ll evaluate automation as one of the solutions to overcoming major challenges that Security Operations Centers face today. We’ll evaluate time consuming tasks that could be automated to increase the efficiency of a SOC and help the Security Analyst to evolve from a fire-fighter to a more proactive response expert.

Rob van Os (SOC Manager at de Volksbank and member of the SOCCRATES stakeholder group) explains why and how a SOC should embrace automation to deal with ‘alert overkill’; manage security tools that generate a lot of data; increase SOC efficiency and outputs; and make the Security Analyst job ‘Great Again’. Erik Ringdahl and Frank Fransen from SOCCRATES deliver a short presentation and a demo of the Attack Defence Graph Analyser, that automatically and continuously generates models of IT architectures in a SOC to perform automated attack simulations and threat modelling, predict how attacks might propagate and suggest mitigations.

Participation is free upon timely registration:


SOCCRATES and SAPPAN organise International Workshop on NG SOC in conjunction with ARES, August 25, 2020


Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.

The aim of the NG-SOC 2020 workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. The workshop will draw on expertise from two EU-funded H2020 projects: SAPPAN ( and SOCCRATES ( Selected members of the projects’ consortia will present their research activities. The workshop will include a panel session to foster discussion on the major operational challenges that enterprises and SOC operators face and provide insights into promising research-based solutions

Project abstract

The workshop is jointly organized by two H2020 projects that are funded by the European Commission:

SOCCRATES project ( will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed. The SOCCRATES Platform aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the SOC. The outcomes of the project will contribute to a more secure cyberspace and strengthen competitiveness in the EU digital single market.

SAPPAN project ( aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence aimed to dynamically support human operators in response and recovery actions. The SAPPAN project will develop a collaborative, federated, and scalable attack detection to support response activities and allow for timely responses to newly emerging threats supporting different privacy-levels. We plan to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions. The risk assessment, privacy, and security will be addressed in the standard design. Results of both attack detection and recovery and response processes will be shared on a global level to achieve an advanced response and recovery via knowledge sharing and federated learning. We develop a mechanism for sharing information on threat intelligence, which implements a combination of encryption and anonymization to achieve GDPR compliance. Novel visualization techniques will be developed to assist security and IT personnel and provide an enhanced content of context of the response and recovery, and improved visual presentation of the process.

Topics of interest include, but are not limited to:

Security Operation Center (SOC)

Anomaly Detection

Network Intrusion Detection Systems

Domain Generation Algorithms

Cyber Threat Intelligence Utilization

Privacy-aware Threat Intelligence Sharing

Business Impact Modelling
Attack Analysis with Attack Defence Graphs (ADGs)

Visual Presentation to Support Response and Recovery Actions

Workshop Agenda (Tuesday, 25th of August 2020 | 9:00 – 17:45)

TimeTalkDuration [min]
Session 1 (Ewa Piatkowska)90
09:0009:05Welcome Ewa Piatkowska5
09:059:25The SOCCRATES Project: Overview and Objectives Frank Fransen (TNO)20
9:259:45The SAPPAN Project: Overview and Objectives Avikarsha Mandal (Fraunhofer FIT)20
9:4510:30Keynote: Semi-Automated Cyber Threat Intelligence (ACT) Martin Eian (Mnemonic)45
10:3011:00Coffee break30
Session 2 (Tomas Jirsik)100
11:0011:20Monitoring Malicious Infrastructures to Produce Threat Intelligence Piotr Kijewski (Shadowserver)20
11:2011:40Pipeline development for Automatically Generated Domain detection Irina Chiscop (TNO)20
11:4012:00Leveraging Machine Learning for DGA Detection Arthur Drichel (RWTH Aachen University)20
12:0012:20Knowledge Management and Anonymization Techniques in Cyber-Threat Intelligence Lasse Nitz, Mehdi Akbari Gurabi (Fraunhofer FIT)20
12:2012:40Reputation Management Techniques for IP addresses, domains, and mail Mischa Obrecht (DreamLab) 20
12:4013:45Lunch break65
Session 3 (Avikarsha Mandal)80
13:4514:05Host and Application Behaviour Modelling Tomas Jirsik (Masaryk University) and Sebastian Schaefer (RWTH Aachen University)20
14:0514:25L-ADS: Live Anomaly Detection System Alejandro Garcia Bedoya (ATOS)20
14:2514:45Adversarial Examples against Intrusion Detection Systems Ewa Piatkowska (AIT)20
14:4515:05Fast and Scalable Cybersecurity Data Processing Josef Niedermeier, Gabriela Aumayr (HPE)20
15:0515:30Coffee break25
Session 4 (Irina Chiscop)80
15:3015:50Attack Analysis with Attack Defence Graphs Erik Ringdahl (Foreseeti)20
15:5016:10Attack Graph-based Courses of Action for Defense Wojciech Widel (KTH)20
16:1016:30Visual Analytics for Cyber Security Data Christoph Müller and Franziska Becker (University of Stuttgart)20
16:3016:50Endpoint Protection Paolo Palumbo (FSecure)20
16:5017:05Coffee break15
Panel Session45
17:0517:35Discussion on Future Challenges for SOC Speakers: Pavel Kacha (CESNET) Sarka Pekarova (DreamLab) Paul Smith (AIT) Panel chair: Tomas Jirsik (Masaryk University)30
17:3517:45Wrap up Ewa Piatkowska (AIT)10

Workshop Website

Venue and Registration

NG-SOC 2020 workshop is organised in conjunction with the ARES 2020 conference, which this year will be held all-digital. Registration for the workshop is required and costs 40€ (Regular Attendee) or 20€ (Student attendee). The registration fee includes the entrance to all ARES & CD-MAKE conference and workshop sessions. If you want to attend, please register at .


First SOCCRATES video released

We are very proud to release the first SOCCRATES video. It introduces the project and its goals and shows the underlying concepts in a way that is easy understandable.


Frank Fransen presents SOCCRATES on the market day cyber security at TNO

TNO organized a market day cyber security on March 12th 2020 at the Hague Security Delta in the Hague. For this event, people from cyber security industry and end users of cyber security solutions were invited. Maarten Tossings, member of the board of TNO opened the day on which results of recent TNO cyber security projects were highlighted with presentations, demo’s and posters. Frank Fransen, technical coordinator of SOCCRATES presented the SOCCRATES project, its vision and first results. SOCCRATES was very well received by the visitors of the event. For more information on cybersecurity at TNO, visit the TNO cybersecurity page.


SOCCRATES presented on Symposium on Power System Cyber Security at TU Delft March 11th 2020

Frank Fransen, technical coordinator of SOCCRATES, will present SOCCRATES on the Symposium on Power System Cyber Security at TU Delft on March 11th 2020. In the program, Frank will replace Dr. Anurag K Srivastava who is unable to attend. See for more information:


SOCCRATES second meeting in Helsinki

SOCCRATES team at F-Secure

On January 21st and 22nd, SOCCRATES had its second consortium meeting, hosted by F-Secure. It was a very fruitful meeting, in which besides the overall progress discussion, each Work Package had their own meeting. Good progress was made on several relevant subjects. In particular we had good discussions on the infrastructure modelling module, which resulted in a shared view.

We also had a joint session with the SAPPAN project (funded in the same call as SOCCRATES (H2020 SU-ICT-01-2018) in which F-Secure also participates. We agreed to jointly organize a workshop, look into forming a liaison beweteen the projects and investigate potential synergies and areas of cooperation between the projects.


SOCCRATES delivers first results

On December 1st 2019, the first batch of SOCCRATES results was delivered on time. One of the results is the external website, which is now fully functional and on-line. Part of the deliverables are internal deliverables. This includes cooperation tools for project members, information platform for stakeholder group and advisory board and a project handbook. But there also two important external deliverables that can be found under the results page of the website:

  • D2.1 – SOCCRATES use cases definition & pilot sites requirements           
  • D8.2 – SOCCRATES dissemination plan

We are very happy that we are now up to speed and are very satisfied with these first deliverables. We look forward to the interesting activities and deliverables that will follow in the coming years.


SOCCRATES has started

In 2018, the SOCCRATEs consortium submitted a proposal to work on security automation in H2020. This proposal was rewarded in December 2018 and after preparations have been completed, SOCCCRATES started on September 1st, 2019. SOCCRATES had its kick off meeting in the Hague on September 2nd and 3rd, where all partners assembled and the activities were started. The ‘vibe’ was already very good and all partners look forward to cooperate in this exciting venture, that will last three years until August 31st, 2022.


ARES conference Canterbury 2019

International Workshop on Next Generation Security Operations Centers (NG-SOC 2019)

in conjunction with 14th International Conference on Availability, Reliability and Security (ARES 2019)
August 26 – August 29, 2019, University of Kent, Canterbury, UK


The first SOCCRATES project workshop was organized within the ARES EU Project Symposium held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019). It took place on Monday, 26th of August 2019 at the University of Kent, Canterbury, UK.

The workshop introduced the newly-awarded SOCCRATES project which aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the Security Operation Centres (SOCs). SOCCRATES will develop and implement a new security platform for SOC, which will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. 

The goal of this workshop was to create a forum for researchers and practitioners to discuss the challenges associated with operations of the SOCs and focus on research contributions that can be applied to address these challenges. Selected members of the SOCCRATES consortium presented their past and proposed project activities. The workshop was concluded with the open discussion on the major operational challenges that enterprises and SOC operators face and insights into promising research-based solutions.

Workshop Programme

The following presentations were given at the workshop:

  • The SOCCRATES Project: Motivation and Aims Reinder Wolthuis (TNO)
  • ACT: Cyber Threat Intelligence Platform Siri Bromander (Mnemonic)
  • Threat modelling and attack simulations with MAL and securiCAD Per Eliasson (Foreseeti)
  • Automated Response based on SecuriCAD recommendations Frank Fransen (TNO)
  • Anomaly Detection (DNS Ninja & ABC tool) Irina Chiscop (TNO)
  • Adversarial Machine Learning Ewa Piatkowska (AIT)

We concluded with the open discussion about future challenges for SOCs, moderated by Frank Fransen (TNO).

Copyright 2021 Soccrates
Developed by Convident