Next Generation Security Operator Training Infrastructure (NGSOTI)

Set up an open-source training infrastructure based on real data for the practical training of SOC operators in network-related alerts.



An increasing number of Security Operation Centers (SOCs) are springing up all around the world. An asset for monitoring, analysing and protecting one organisation, its users and/or customers against cyber threats, SOC operators are, just like the technical and IT environment, strategic elements of its smooth operation.

To stay on top of their missions, people operating in a SOC must be trained, particularly on current and future attacks, and the warning signs accompanying them. Learning tools already existing are not proving sufficient to meet this growing challenge. An operational infrastructure, based on real data, and specifically dedicated to training future SOC operators is essential.


With NGSOTI, the consortium of partners intends to set up an open-source training platform dedicated to training future SOC operators regarding network-related alerts. The platform will focus on, among other things, incident response, log management and analysis, security operations centre management, cyber threat intelligence, and communication and documents.

To set up the platform, the partners will not only draw on their experience, but also on a wide range of open-source tools developed and/or used as part of their respective missions.

Throughout the project, training and conferences on the issue will complete the platform, particularly for future SOC operators. In parallel, data produced through the project could be openly reused by interested researchers for future research projects.


traffic for analytical purpose. This set of data consists of several terabytes jointly collected for more than 10 years by the Computer Incident Response Center Luxembourg (CIRCL) – operated by the Luxembourg House of Cybersecurity (LHC) – and the Restena Foundation’s Computer Security Incident Response Team (CSIRT). It gives an overview of recent attack indicators, among other things.

As a second step, Restena will extend the scope of its tool, developed within its ‘URL shortener’ service allowing to securely redirect long URLs to short URLs while respecting its privacy and that of its visitors. Additional security measures, mainly the checking of URLs to ensure they are not being used for cyber-attacks, will be integrated. Furthermore, a new ‘’ shortener should be developed to better serve the research community, for whom safety criteria differ from those of designed above all for the needs of education.

Lastly, Restena intends to step up its involvement in training the next generation of professionals. Already involved in several higher education courses at the Lycée Guillaume Kroll, Restena will make a greater commitment to the BTS cybersecurity students, thus training the cybersecurity specialists of tomorrow.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.”

More details on the project

Some useful Information

NGSOTI has received funding from the European Union’s Digital Europe programme (DIGITAL) - Project: 101127921 with agreement: DIGITAL-ECCC-2022-CYBER-03. It is supported by the European Cybersecurity Competence Centre.

The project gathers a consortium of partners led by the Computer Incident Response Center Luxembourg (CIRCL) from the Luxembourg House of Cybersecurity and including Restena, the University of Luxembourg and Tenzir GmbH.

Who is impacted?

NGSOTI project will impact anyone who is interested ranging from companies, non-governmental organizations (NGOs), Computer Security Incident Response Teams (CSIRTs), students, etc.

Specifically, on Restena side, this mainly impacts: Connected Establishments, Higher-Education Establishments, Research Institutes, Cultural Institutions, Primary and Secondary Schools, Hospital.

What is blackhole traffic?

The blackhole traffic, unwanted traffic, can be considered as worthless traffic. However, this is far from being the case. That traffic includes attack indicators and information about incorrect technical configurations. The national research and education network (RESTENA network) blackhole traffic’s IP addressing being close to the HOME addressing (192.168.X.X), the collected data provide some interesting information to analyse.

To go further, discover an example of the blackhole traffic as used within the NGSOTI project described in the publication ‘AN EXTENDED ANALYSIS OF AN IOT MALWARE FROM A BLACKHOLE NETWORK’ published in 2017 and jointly written by Restena, CIRCL and Université Catholique de Louvain.