Last week, Zeek’s Technical Lead Christian Kreibich presented at hack.lu in Luxembourg, a conference that draws around 400 security practitioners spanning both offensive and defensive disciplines.

Christian presenting at hack.lu 2025.

His talk tackled a challenge we hear about constantly from power users: how do you integrate Zeek with the rest of your security infrastructure in real time?

The Integration Challenge

Many people think of Zeek as a network monitor where packets go in and logs come out. But that’s usually not how it works at scale. Organizations running large Zeek deployments need something more dynamic. As traffic flows through Zeek, they want to pull in context from external services, trigger actions in other systems, or enrich data on the fly.

The problem? There are multiple ways to build these integrations, and without clear guidance, it’s overwhelming to know where to start.

How Zeek Clusters Enable Real-Time Integration

Christian’s talk walked through the fundamentals: understanding how a Zeek cluster actually works, and why that architecture makes integration possible.

At its core, a Zeek cluster is a distributed event-based system: a loose, scalable model in which components exchange information without tight coupling. This isn’t just theory; it’s the same architectural pattern that powers complex systems across industries. For Zeek, it means you can extend the cluster’s event-driven model to include external services.

Christian outlined two recommended approaches for interactive integrations:

  • WebSockets for incoming connections: If you want to connect to a running Zeek cluster and start exchanging events, WebSocket support provides a clean entry point.
  • HTTP APIs via JavaScript: If Zeek needs to reach out to existing services, Zeek’s JavaScript support lets you make standard HTTP requests to any external API.

These aren’t the only mechanisms that exist (Zeek’s history includes several integration paths) but these two provide the clearest, most maintainable routes forward.
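To make the WebSocket route concrete, here is an added example of the client side of such an integration (it is not code from the talk or from the Zeek project). It connects to a Zeek node that has been configured to accept WebSocket clients, subscribes to a topic, decodes the events Zeek publishes there, and publishes an event back, which is the shape of the automated-response pattern described further down. The JSON encoding (the subscription frame, the `ack` reply, and the typed `data-message` objects with a `[version, type, [name, args]]` event payload) follows Broker's WebSocket data format as documented; the listener address and `/v1/messages/json` path, the topics `/demo/events` and `/demo/control`, the events `Demo::scan_detected` and `Demo::block_host`, the blocking threshold, and the use of the third-party `websockets` package are all assumptions made for the illustration, and the sample message is constructed by hand.

```python
"""WebSocket client for a Zeek cluster: subscribe, decode events, publish back.
Added example; topics, event names and listener details are hypothetical."""
import ipaddress
import json

FORMAT_VERSION = 1      # Broker's Zeek-event encoding version (first vector element)
TYPE_EVENT = 1          # message type tag: 1 = event (second vector element)
EVENT_TOPIC = "/demo/events"      # hypothetical: Zeek publishes Demo::scan_detected here
CONTROL_TOPIC = "/demo/control"   # hypothetical: we publish Demo::block_host here
ZEEK_WS_URL = "ws://127.0.0.1:8080/v1/messages/json"  # assumed listener and path


def wrap(value):
    """Encode a Python value as a typed Broker data object (a subset of the types)."""
    if isinstance(value, bool):                      # bool is an int; test it first
        return {"@data-type": "boolean", "data": value}
    if isinstance(value, int):
        return {"@data-type": "count", "data": value}
    if isinstance(value, float):
        return {"@data-type": "real", "data": value}
    if isinstance(value, str):
        return {"@data-type": "string", "data": value}
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return {"@data-type": "address", "data": str(value)}
    if isinstance(value, (list, tuple)):
        return {"@data-type": "vector", "data": [wrap(v) for v in value]}
    raise TypeError(f"no Broker encoding for {type(value).__name__}")


def unwrap(obj):
    """Inverse of wrap(): typed Broker object -> Python value."""
    kind, data = obj["@data-type"], obj["data"]
    if kind == "vector":
        return [unwrap(v) for v in data]
    if kind == "address":
        return ipaddress.ip_address(data)
    return data                                      # other scalars pass through


def encode_event(topic, name, args):
    """Build the data-message that carries event name(args) on topic."""
    return {
        "type": "data-message",
        "topic": topic,
        "@data-type": "vector",
        "data": [wrap(FORMAT_VERSION), wrap(TYPE_EVENT), wrap([name, list(args)])],
    }


def decode_event(msg):
    """Return (topic, name, args) for an event data-message, else None.
    Acks, errors and non-event data messages all yield None."""
    if msg.get("type") != "data-message" or msg.get("@data-type") != "vector":
        return None
    if not isinstance(msg.get("data"), list):
        return None
    body = unwrap(msg)
    if len(body) != 3 or body[0] != FORMAT_VERSION or body[1] != TYPE_EVENT:
        return None
    payload = body[2]                                # [name, args] (+ optional metadata)
    if not isinstance(payload, list) or len(payload) < 2:
        return None
    return msg["topic"], payload[0], payload[1]


def react(name, args):
    """Automated-response decision: answer a scan report with a block request
    once the scanner has touched enough hosts (threshold chosen for illustration)."""
    if name == "Demo::scan_detected":
        scanner, hosts_touched = args[0], args[1]
        if hosts_touched >= 20:
            return encode_event(CONTROL_TOPIC, "Demo::block_host", [scanner])
    return None


# Constructed sample of what Zeek would send for Demo::scan_detected(10.0.0.5, 25).
SAMPLE_FROM_ZEEK = json.loads("""{
  "type": "data-message", "topic": "/demo/events", "@data-type": "vector",
  "data": [
    {"@data-type": "count", "data": 1},
    {"@data-type": "count", "data": 1},
    {"@data-type": "vector", "data": [
      {"@data-type": "string", "data": "Demo::scan_detected"},
      {"@data-type": "vector", "data": [
        {"@data-type": "address", "data": "10.0.0.5"},
        {"@data-type": "count", "data": 25}]}]}]}""")


def run(url=ZEEK_WS_URL, topics=(EVENT_TOPIC,)):
    """Live loop; needs a Zeek node accepting WebSocket clients at url and the
    third-party 'websockets' package (both assumptions of this example)."""
    from websockets.sync.client import connect
    with connect(url) as sock:
        sock.send(json.dumps(list(topics)))          # first frame: topic subscriptions
        ack = json.loads(sock.recv())
        if ack.get("type") != "ack":
            raise RuntimeError(f"unexpected handshake reply: {ack}")
        for frame in sock:
            msg = json.loads(frame)
            if msg.get("type") == "error":           # e.g. a frame Zeek could not decode
                print("zeek reported:", msg)
                continue
            evt = decode_event(msg)
            if evt is not None:
                reply = react(evt[1], evt[2])
                if reply is not None:
                    sock.send(json.dumps(reply))


if __name__ == "__main__":
    run()
```

The decision logic lives in `react()` so it can be exercised offline against `SAMPLE_FROM_ZEEK` without a running cluster; the Zeek side still has to publish `Demo::scan_detected` on the subscribed topic and handle `Demo::block_host` with its own script, which this example does not include.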

A high level view of what’s happening in a Zeek cluster and how clusters communicate.

Real-World Integration Examples

Christian shared examples of how organizations are using these patterns in production:

  • Machine learning and threat analysis: When Zeek detects suspicious activity, it can query external ML models in real time to determine whether traffic is malicious or identify specific attack patterns, turning raw observations into actionable intelligence.
  • Automated response systems: Organizations use Zeek to identify threats like network scanning and immediately trigger blocking or containment actions via external services. Zeek becomes one component in a coordinated defense system rather than operating alone.
  • Cross-layer visibility: By connecting network monitoring with host-based agents (such as our own Zeek agent), teams can enrich connection data with context about users, applications, and processes. With this knowledge, a network flow isn’t just an IP address—it’s a specific person using a particular application.

These examples illustrate the larger point: Zeek works best when it’s part of your security infrastructure, not isolated from it.

Key Takeaways for Building Zeek Integrations

Christian emphasized three takeaways for anyone thinking about building integrations:

  • Don’t think of Zeek as an isolated system. It’s designed to integrate with your existing services and security stack.
  • Understand the mechanisms available. He recommends starting with WebSockets for incoming connections and HTTP/JavaScript for outbound requests.
  • Learn how a Zeek cluster works. The event-driven architecture is your blueprint for structuring integrations properly.

What’s Next

If you’re thinking about building integrations like these, we want to hear from you. Join the conversation on our Slack workspace and share your use case.

Watch Christian’s full talk on YouTube here for a deeper dive into integration patterns, code examples, and Q&A. And if you’re curious about other talks from the conference, check out the full hack.lu 2025 program.

Interested in attending future events with the Zeek team? We’re hosting a two-day workshop at CERN in March 2026. Registration is open.
