The Zeek project conducted a two week survey of its user community in early 2023, soliciting 98 responses. The majority of respondents (75%) report living in North America, with a plurality (29%) reporting that their closest major city was located on the east coast.
The overwhelming majority (75%) have known about Zeek for more than 5 years, with a colleague (50%) and security conferences (47%) being the top two sources of that initial knowledge. 63% of respondents directly use Zeek or Zeek data, with another 26% using Zeek as part of a commercial solution. 48% have used Zeek for more than 5 years.
A plurality of respondents (47%) monitor throughput of less than 1 Gbps, although nearly as many (44%) monitor throughput up to 10 Gbps. 95% use Zeek to consume its output, while 65% write Zeek scripts. A majority (68%) look at data using the command line and 50% use Elastic.
Zeek 5.0.x is the single most popular version in use (39%), although 24% report using a 3.x version and 51% report using a 4.x version. The most popular answer driving version usage was constraints imposed by a software distribution or predeployed kit (16%). Detection (81%), threat hunting (72%), network forensics (67%), incident response (60%), and research (50%) are the most popular use cases.
The three most popular ways to interact with the Zeek project are the Web site (49%), Slack (47%), and GitHub (40%). A plurality of users (31%) get Zeek support from Slack. ZeekWeek (53%), virtual Zeek training (48%), regional Zeek events (39%), and other conferences (39%) are the most popular types of Zeek events.
The two most popular ideas for growing the Zeek community include improved documentation (30%) and more events (27%). 79% of respondents have either no answer or no concerns about the Zeek project, although the top concern involved the influence of Big Tech or loss of open source status (6%). 59% of respondents know how to contact the Zeek leadership team, and 31% are interested in participating in a guided, small group discussion about the project. 82% have no concluding comments and 12% express general positive support for the project.
Introduction
During the roughly two week period from 26 January to 10 February 2023, the Zeek project offered an open survey to community members via a Google Survey form. 99 participants responded, one of whom appeared to be a bot and is therefore omitted from these results.
This post distills the raw survey results and captures the most valuable feedback shared by the community. The Zeek project thanks participants for their time and effort. We intend for this survey to be the first step of many towards growing, strengthening, and developing our software and community.
To facilitate presenting the results, the author categorized or recoded some of the details. Some details appear inline as the author perceived community interest in the specific results. Some results appear in order of response by count, while others appear alphabetically. When listed alphabetically, the top result is bolded. When “no answer” is the top result, the top detailed answer is bolded.
Demographic Results
The following depict the locations of survey respondents.
1. Which country are you based in?
Summary
| North America | 73 | 75% |
|---|---|---|
| Europe | 14 | 14% |
| Asia-Pacific | 10 | 10% |
Details
| Country | Count | Europe | North America | Asia- Pacific |
|---|---|---|---|---|
| Australia | 4 | 4 | ||
| Belgium | 2 | 2 | ||
| Canada | 9 | 9 | ||
| China | 1 | 1 | ||
| Czech Republic | 1 | 1 | ||
| Denmark | 1 | 1 | ||
| Finland | 1 | 1 | ||
| France | 1 | 1 | ||
| Germany | 1 | 1 | ||
| Italy | 1 | 1 | ||
| Japan | 1 | 1 | ||
| Netherlands | 2 | 2 | ||
| No Answer | 2 | |||
| Norway | 1 | 1 | ||
| Pakistan | 2 | 2 | ||
| South Korea | 1 | 1 | ||
| Spain | 1 | 1 | ||
| Switzerland | 2 | 2 | ||
| United States | 64 | 64 | ||
| Vietnam | 1 | 1 |
2. What is the closest major city?
The following summarizes responses.
| Canada-US-East | 28 | 29% |
|---|---|---|
| Canada-US-Center | 18 | 19% |
| Canada-US-West | 18 | 19% |
| Europe | 13 | 14% |
| Asia-Pacific | 10 | 10% |
Involvement with Zeek
The following questions capture basic Zeek involvement.
3. How long have you known about Zeek?
| Less than 1 year | 3 | 3% |
|---|---|---|
| 1-5 years | 25 | 25% |
| More than 5 years | 69 | 70% |
| No Answer | 2 | 2% |
4. How did you learn about Zeek? [check all that apply] (Percentages will not add up to 100%.)
| Colleague | 49 | 50% |
|---|---|---|
| Security conference | 46 | 47% |
| Web search | 25 | 26% |
| Other online sources | 23 | 23% |
| Workspace | 21 | 21% |
| Class | 18 | 18% |
| Article | 14 | 14% |
5. Do you use Zeek?
| Yes, we deploy Zeek or Zeek data alone | 59 | 62* | 63% |
|---|---|---|---|
| Yes, we deploy Zeek or Zeek data as part of a commercial solution or product | 24 | 26 | 26% |
| No, we don’t currently use Zeek but are considering it | 7 | 8 | 8% |
| Don’t know | 1 | 1 | 1% |
| Custom** | 6 | 0 | 0% |
| No Answer | 2 | 2 | 2% |
*Free-form custom answers categorized if possible.
**Custom answers, paraphrased:
● Considering Zeek, but Suricata is “main driver”
● Uses Zeek “as a component of another open source suite”
● Uses Zeek and “contracts have Zeek or use Corelight appliances”
● Used Zeek in the past
● Uses Zeek in analysis research
● Uses Zeek in Cloudshark and Endace
6. How long have you used Zeek?
| Less than 1 year | 10 | 10% |
|---|---|---|
| 1-5 years | 35 | 35% |
| More than 5 years | 48 | 48% |
| No Answer | 6 | 6% |
Usage Specifics
The following capture Zeek usage specifics.
7. How do you use Zeek to process traffic? [check all that apply] (Percentages will not add up to 100%.)
| Live <= 100MBit/s | 18 | 20% |
|---|---|---|
| Live <= 1 GBit/s | 41 | 47% |
| Live <= 10 GBit/s | 39 | 44% |
| Live <= 100 GBit/s | 27 | 31% |
| Live > 100 GBit/s | 11 | 13% |
| Offline, via pcaps | 26 | 30% |
8. How are you using Zeek? [check all that apply] (Percentages will not add up to 100%.)
| Consuming output | 84 | 84 | 95% |
|---|---|---|---|
| Write Zeek scripts | 55 | 57* | 65% |
| Develop Zeek parsers | 25 | 25 | 28% |
| Modify Zeek internals | 9 | 9 | 10% |
| Other** | 3* | 1** | 1% |
*2 other results categorized as Write Zeek scripts.
**1 other result reported “making custom graphs.”
9. How do you look at Zeek data? [check all that apply] (Percentages will not add up to 100%.)
| Command Line | 60 | 68% |
|---|---|---|
| Elastic | 44 | 50% |
| Other* | 28 | 32% |
| Splunk | 26 | 30% |
| Logscale (Humio) | 6 | 7% |
*Other is a “long tail” of single, individual product responses.
Zeek Characteristics
The following capture aspects of Zeek as used by respondents.
10. If you use Zeek - which version(s) of Zeek are you running? [check all that apply] (Percentages will not add up to 100%.)
| 3.0.x | 6 | 7% |
|---|---|---|
| 3.1.x | 5 | 6% |
| 3.2.x | 9 | 11% |
| 4.0.x | 17 | 21% |
| 4.1.x | 8 | 10% |
| 4.2.x | 16 | 20% |
| 5.0.x | 32 | 39% |
| 5.1.x | 25 | 30% |
| Master | 19 | 23% |
| No Answer | 17 | 21% |
Categorized reasons for running Zeek versions include the following:
| No answer | 21 | 26% |
|---|---|---|
| Distro or kit constraints | 13 | 16% |
| Preference for latest | 11 | 13% |
| Delays | 11 | 13% |
| Fit for purpose | 10 | 12% |
| Compatibility | 8 | 10% |
| Other | 5 | 6% |
| Technical concerns | 3 | 4% |
11. What’s the purpose of your Zeek [software] or Zeek data use? [check all that apply] (Percentages will not add up to 100%.)
| Detection | 73 | 81% |
|---|---|---|
| Threat Hunting | 65 | 72% |
| Network Forensics | 60 | 67% |
| Incident Response | 54 | 60% |
| Research | 46 | 51% |
| Troubleshooting | 30 | 33% |
| Policy Enforcement | 14 | 16% |
| No Answer | 9 | 10% |
| Other* | 7 | 8% |
*Other purposes include education, usage analysis, training, network analysis, cartography, ML and AI, and product building.
Zeek Awareness and Interaction
The following capture aspects of community awareness and interaction.
12. How do you stay up to date with the Zeek project? [check all that apply] (Percentages will not add up to 100%.)
| Web site | 48 | 49% |
|---|---|---|
| Slack | 46 | 47% |
| GitHub | 39 | 40% |
| Blog | 34 | 35% |
| Mailing list | 24 | 24% |
| 18 | 18% | |
| YouTube | 15 | 15% |
| Mastodon | 15 | 15% |
| Discourse | 13 | 13% |
| I don’t stay up-to-date | 10 | 10% |
| Other | 2 | 2% |
| Conferences | 1 | 1% |
| Security Onion | 1 | 1% |
| Colleague | 1 | 1% |
13. Where do you go to get Zeek support? [Free form, categorized for results.] (Percentages will not add up to 100%.)
| Slack | 27 | 31% |
|---|---|---|
| Web search | 17 | 19% |
| Individuals | 9 | 10% |
| Mailing list | 7 | 8% |
| GitHub | 6 | 7% |
| Discourse | 5 | 6% |
| Commercial | 5 | 6% |
| Academics | 4 | 5% |
| Documentation | 4 | 5% |
| Web site | 2 | 2% |
| 1 | 1% | |
| 1 | 1% |
14. What type of Zeek events do you think you’d be interested in participating in this year? [check all that apply] (Percentages will not add up to 100%.)
| ZeekWeek | 50 | 53% |
|---|---|---|
| Virtual Zeek training | 46 | 48% |
| Regional Zeek events | 37 | 39% |
| Other conferences | 37 | 39% |
| Live Zeek training | 23 | 24% |
| I won’t be attending | 16 | 17% |
| No idea | 11 | 12% |
| European ZeekWeek or workshop | 1 | 1% |
| B-Sides (write-in) | 1 | 1% |
| Black Hat (write-in) | 1 | 1% |
15. What ideas do you have to grow the Zeek community and its use in the world? (e.g., events, training, documentation, etc.?) [Free form, categorized for results.] (Percentages will not add up to 100%.)
| Improve documentation | 10 | 30% |
|---|---|---|
| More events | 9 | 27% |
| Technical improvements | 4 | 12% |
| Better collaboration | 2 | 6% |
| More training | 2 | 6% |
| Capture the Flag events | 1 | 3% |
| Improved configuration | 1 | 3% |
| Better Slack use | 1 | 3% |
| Better Discourse use | 1 | 3% |
| More YouTube Videos | 1 | 3% |
| Internships | 1 | 3% |
16. Do you have any concerns about the Zeek project? [Free form, categorized for results.] (Percentages will not add up to 100%.)
| No answer | 56 | 57% |
|---|---|---|
| No concerns | 22 | 22% |
| Concerns about influence of big tech or loss of open source status | 6 | 6% |
| Other | 4 | 4% |
| Relevance of software due to encryption or other technical issues | 3 | 3% |
| Release/packages | 2 | 2% |
| Need to add new people to maintain software | 1 | 1% |
| Competition with Suricata; “most protocols have pretty good coverage” | 1 | 1% |
| The user prefers the old mailing list to Discourse | 1 | 1% |
| Support | 1 | 1% |
| Zeek Performance | 1 | 1% |
| Documentation | 1 | 1% |
17. Do you know how to contact the Zeek project leadership? [Categorized for results.]
| Yes | 56 | 59% |
|---|---|---|
| No | 34 | 36% |
| Unsure/Other answer | 5 | 5% |
18. Are you interested in participating in a guided, small group discussion about the Zeek project?
| Yes | 28 | 31% |
|---|---|---|
| No | 29 | 32% |
| Not sure | 34 | 37% |
33 participants provided contact information.
19. Anything else that you want to tell us about, or do you have feedback about the survey? [free form] [Categorized for results.]
| No | 80 | 82% |
|---|---|---|
| Positive support for the project | 12 | 12% |
| Other | 5 | 5% |
Afterword by the Zeek LT
The Zeek project thanks everyone who participated in our first community survey. We also thank Richard Bejtlich for his extensive efforts cleaning the data and authoring this summary of the community survey results.
As mentioned in the introduction, we intend this survey to be only a first step, and are planning to have follow-on surveys with questions that focus on specific areas. We will also continue discussing the steps to take based on these results – and follow up with posts that discuss specific aspects of this data (like the spread in installed versions).
If you have any additional questions or comments – please let us know – either by commenting here, or by emailing the Zeek LT at lt@zeek.org.