Zeek Newsletter - Issue 63 - May 2026

Welcome to the Zeek Newsletter

In this Issue:

TL;DR: Zeek 8.2 is out and Zeek 9 development is officially underway, including a long-overdue package manager rewrite. The AI contribution policy is published, and the Berkeley Workshop CFP is open.


Community News & Reminders

  • Berkeley Workshop (Sept 10-11): Have a story to tell? The CFP is open for the upcoming workshop and we’d love to hear how you’re using Zeek. Learn more and submit a talk here.

  • 2026 Project Survey (Coming June 23): The annual Zeek Project survey is launching later this month. If you have thoughts on how Zeek is working for you, consider spending 5-10 minutes to share them with us.

  • Community Call Recap: This month we covered Zeek 9 development, the AI contribution policy, and Seth Grover’s walkthrough of how Malcolm deploys and tunes Zeek in containers. Watch the recording on our YouTube channel. The next call is July 1 at 10am PT – use this Zoom link to join.

  • Topic of the Month: Last week we wrapped up “Sensor Placement”; you can find the recap of the conversation here. This month’s topic is “Detection Techniques” – join us on Slack to discuss!

  • Zeek at RVAsec: Evan is giving a talk at RVAsec next week. If you’re going, be sure to say hi and grab some Zeek stickers.


Development Updates

Zeek 8.2 shipped last month! If you haven’t upgraded yet, the announcement blog post has full details on what changed.

Zeek 9 development is officially underway. The team has completed initial planning sessions and a project board is being populated with work items. Conceptually, Zeek 9 is the release that rounds out the Broker off-ramp work from 8.1 and 8.2, bringing in-flight PRs to completion and polishing the WebSocket implementation. On top of that, the team has committed to starting a long-overdue update of the package manager, which has remained largely unchanged for years.

Looking further ahead, with the Broker push winding down, the team is opening up longer-term planning discussions around Zeek 10 and 11. Community input will be part of that process, with details coming through the survey and follow-up discussions later this summer.

The migration away from Cirrus CI, which gave roughly six weeks’ notice of its shutdown, is now largely complete. Two team members dropped other work to manage the transition and landed on a dual-track setup: GitHub’s free tier running alongside CircleCI as a paid option. PRs may show duplicated CI runs during this period; that’s expected and intentional. The team expects the new setup to be a meaningful improvement over Cirrus.

The Zeek Project has also published its AI contribution policy, finalizing months of drafting and review. The policy applies to all contributors and technical submissions: if you use an LLM to contribute code, you’re responsible for understanding everything it produced and for responding to reviewer feedback. AI-generated vulnerability reports without reproducers will be deprioritized, as the team has seen a significant increase in submissions that cannot be verified.

As always, follow development progress on GitHub to stay current with the latest changes.


Zeek Techniques

This tip was shared during March’s “I Didn’t Know Zeek Could Do This!” discussion by Mark Overholser:

Getting spurious or split connections when analyzing a PCAP? The culprit is often invalid checksums from capture equipment. Run Zeek with -C to skip checksum verification:

$ zeek -C -r your.pcap

To make it persistent, add redef ignore_checksums=T; to your local.zeek, or zeekargs = --no-checksums to zeekctl.cfg if you’re using ZeekControl.
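Before turning checksum verification off, it helps to confirm that bad checksums really are what the capture contains. The following is an added example, not code from the newsletter or the Zeek project: it walks a classic little-endian pcap of Ethernet/IPv4/TCP frames and counts IPv4 header and TCP checksums that do not verify. All function names are hypothetical, and the sample capture is constructed in the code.

```python
import struct

def csum(data: bytes) -> int:  # RFC 1071 one's-complement sum, folded to 16 bits
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def check_frame(frame: bytes):
    """Return (ip_ok, tcp_ok) for an untruncated Ethernet/IPv4/TCP frame, else None."""
    ip = frame[14:]
    if len(ip) < 40 or frame[12:14] != b"\x08\x00" or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 20 or total_len > len(ip):
        return None  # malformed, or cut short by the capture snaplen
    seg = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    # With a correct checksum in place, the covered bytes sum to 0xFFFF.
    return csum(ip[:ihl]) == 0xFFFF, csum(pseudo + seg) == 0xFFFF

def scan_pcap(data: bytes) -> tuple:
    """Return (tcp_packets, bad_ip, bad_tcp) for a classic little-endian Ethernet pcap."""
    magic, linktype = struct.unpack("<I16xI", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian pcap, Ethernet link type")
    checked, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        checked.append(check_frame(data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    checked = [r for r in checked if r]
    return len(checked), sum(not ip for ip, _ in checked), sum(not tcp for _, tcp in checked)

def build_frame(fill_tcp_checksum: bool) -> bytes:
    """Constructed sample frame: TCP SYN between RFC 5737 documentation addresses."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)
    if fill_tcp_checksum:  # False mimics a capture taken before the NIC filled it in
        c = 0xFFFF - csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", c) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", 0xFFFF - csum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames) -> bytes:  # constructed sample capture wrapping the given frames
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

A high share of bad TCP checksums concentrated on one direction of traffic points at the capture host rather than the network, which is the case where ignoring checksums is appropriate.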

Share your tricks, shortcuts, or techniques with us using this form.


Ecosystem News

Two tools in the Zeek ecosystem shipped new releases this month:

Malcolm v26.05.2: Release Malcolm v26.05.2 · idaholab/Malcolm · GitHub

Malcolm v26.06.0: Release Malcolm v26.06.0 · idaholab/Malcolm · GitHub

Security Onion 3.1.0: Security Onion: Security Onion 3.1.0 Now Available with Elastic 9.3.3, Suricata 8.0.5, Zeek 8.0.8, and much more!


Packages

Anyone in the community can write add-on functionality for Zeek via packages.

Recently added or updated packages are always visible on GitHub directly, via the following search of pull requests to our package repository:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

No package updates this month.


Get Involved

Thanks for being part of the community. We’ll see you next time!