Johannes Ullrich

Dr. Johannes Ullrich is the Dean of Research for SANS Technology Institute, a SANS Faculty Fellow, and founder of the Internet Storm Center ( which provides a free analysis and warning service to thousands of Internet users and organizations. He is the host of the SANS Internet Storm Center Daily Stormcast, a daily podcast that provides a brief 5-minute summary of current network security related events, and the author of SEC546: IPv6 Essentials, co-author of SANS SEC522: Defending Web Applications Security Essentials, and can be found teaching his own courses as well as SEC503: Network Monitoring and Threat Detection In-Depth.

More About Johannes


Prior to his two decades at SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes has always been attracted to the fast pace of information security and curious to understand and measure the intricate dependencies of attacks and countermeasures. While the fast pace of the field can be overwhelming at times, it does offer constant opportunities for learning, and any change and impact is quickly measurable.

Johannes’s first network was a lab network used to remote control physics experiments. When he first got his hands on an "early" cable modem, which allowed him to control experiments from home, he overlooked the fact that the router (which he built himself from a Linux distribution) was also an open mail relay. Of course, it didn't take long for a spammer to find and abuse it, which led to an angry call from his ISP. Like most of us who start to worry about security after an incident, that was when he started learning about firewalls and security. In the process, he discovered his interest in collecting data about the attackers scanning for systems like his own. This led to the development of, a website that still today collects logs from users worldwide to better understand these attacks.

Johannes’s daily work revolves around the Internet Storm Center. Leading this group brings him in direct contact with packets, web applications, and malware on a day-to-day basis. This work keeps his skills sharp and relevant while informing the material he presents in class. Johannes enjoys working for SANS due to the ability to disseminate what he’s learned researching current attacks, as well as bringing him in contact with students who are working in the trenches of information security. This back-and-forth sharing and learning with others drives his passion for information security.

It can be exhausting to have to deal with "yet another attack" day in and day out, but being part of the great team at the Internet Storm Center allows Johannes to affect how networks are defended. It is rewarding for him to hear from former students, readers of the Internet Storm Center, or listeners to the podcast how they applied what they learned and how it helped them. Teaching technology "from the ground up" can be challenging at times, yet crafting even a dry topic like packet analysis into something exciting and seeing students light up as they capture new concepts makes even hex conversion and counting offsets more exciting than a good movie for Johannes.

Johannes has found that students starting out in the field will often question why they need to know some of the background and details about protocols that are taught. His ability to link these topics to practical examples where this detail made the difference wins them over. His approach to teaching is to convey an understanding for the underlying principles to get students ready for what's next since information security is developing too fast to focus on specific techniques and tools.

Johannes is a partner of the Cyberwire Podcast, a member of the Board of Advisors for Threatstop, Inc, earned a PhD in physics from SUNY Albany, and holds multiple security-related certifications, including the GIAC GMON, GNFA, GWEB, GCIA and GSIP. Over the years, Johannes has been honored with a variety of awards, as well:

  • ISSA President's Award for Public Service 2018 – 2018 from ISSA
  • Best Security Podcast - Mar 2014 from Security Bloggers Network
  • Historic Preservation Award Mobile Web Application for Historic Springfield – from City of Jacksonville, FL
  • Best Technical Security Blog - 2009 & 2010 from honorSecurity Bloggers Network
  • Best Paper Award - 2008 from Usenix
  • Top 5 Influential Security Thinkers - Dec 2005 from SC Magazine
  • Top 50 Most Powerful People in Networking - 2004 from Network World

Check out Johannes' weekly video series, Packet Tuesday:



Packet Tuesday





  • Recent Internet Storm Center Posts
  • "A comparative study of cyberattacks" with S. H. Kim and Q.-H. Wang, Communications of the ACM Vol 55 Issue , 66-73, (2012)
  • “Gausian Process Learning for Cyber-Attack Early Warning”, with J. Zhang and P. Porras, Statistical Analysis and Data Mining: The ASA Data Science Journal 3 (1), 56-68, (2010)
  • “Top Cyber Security Risks” with R. Dhamankar; M. Dausin; M. Eisenbarth; J. King; W. Kandek; E. Skoudis; and R. Lee, SANS Institute, (2009)
  • "Highly Predictive Blacklisting" with J. Zhang and P. A. Porras, USENIX Security Symposium, (2008)
  • “Development of the Higher Education Network Analysis (HENA) Intrusion Detection and Prevention Tool“, with S. Burd, E. Gavas, B. Kochergin, L. Lehman, and N. Memon, 1st Annual Symposium on Information Assurance, (2006)
  • “Networks Under Fire: The SANS Internet Storm Center”, Invited talk, Simposio Internacional de Redes y Comunicaciones de Datos, Lima, Peru, (May 2006)
  • “The SANS Internet Storm Center (ISC): A Collaborative Information Security Community”. Invited talk, FIRST technical colloquia, Buenos Aires Argentina, (2005)
  • “Disappearing Patch Window and Zotob”, invited talk, University of Florida at Gainsville IT Security Awareness Day, (Oct 2005)
  • “The Disappearing Patch Window. Observations from the Internet Storm Center”, invited talk, MIT Security Camp (August 2004)
  • “Internet intrusions: global characteristics and prevalence.” with V. Yegneswaran and P. Barford, SIGMETRICS Perform. Eval. Rev. 31, 1, 138-147, (June 2003)
  • “Administering a Distributed Intrusion Detection System” with W. Larmon, Sys Admin Magazine, Vol 11 Issue 8, (August 2002)

Johannes's Contributions