On October 20, 2025, the Zeek team hosted a full-day training at the NCAR facility in Boulder as part of the NSF Cybersecurity Summit. With 52 registrations and about 50 people showing up, the room was packed with a diverse crowd: professors, postdocs, students, security engineers, and analysts.
The day started with collaborative problem-solving as people got their systems ready. Some worked with the instructors to get Docker set up on Windows machines, while others dove straight into the exercises, eager to test configurations and explore examples beyond what the slides required. A few were returning attendees who wanted a refresher on deployment best practices.
By 4:30 pm, people shut their laptops after seven hours of focused learning. So what is it that makes people commit an entire day to learning Zeek?
What You’ll Actually Learn (And Why It Matters)
The NSF community is known for being exceptionally engaged and responsive—a community where people show up ready to learn and support each other. This isn’t your typical “intro to Zeek” training, much like NSF isn’t your typical cybersecurity conference.
The focus is on how to deploy and manage Zeek in production environments, with three main goals:
- Get familiar with what Zeek is and what it does. If you’re evaluating Zeek or considering adoption, you’ll understand its capabilities and whether it’s the right fit for your environment.
- Learn how to deploy Zeek in production. You’ll see real-world Zeek cluster architectures running in production right now. You’ll learn the important network components to consider: tap aggregation, packet brokers, load balancers, tapping interfaces, and how to scale based on traffic volume.
- Understand key frameworks for managing Zeek. Once Zeek is running, you’ll learn about the essential frameworks Zeek provides: logging (filtering and splitting logs), notices (custom alerts and automation), telemetry, and the new Zeek Management Framework shaping future deployments.
The training includes hands-on exercises and resources, so when you leave, you have the knowledge of the basic building blocks to deploy Zeek in your own environment.

Zeek Training at NSF Cybersecurity Summit 2025
Why In-Person Training Makes a Difference
You can read documentation. You can watch YouTube tutorials. So why dedicate a full day to in-person training?
- It creates a safety net for experimentation. Learning something as complex as Zeek on your own can feel intimidating. In-person training gives you the freedom to try things, fail, and troubleshoot with experts right there to help. One attendee went through all the exercises and then started implementing every example on the slides, even ones marked “just for reference”—a chance to learn beyond what was formally presented.
- Questions benefit everyone, not just the person asking. When someone asked whether the notice framework could automatically trigger ServiceNow tickets, the discussion about REST API calls and automation helped the entire room. Those questions might never surface when you’re reading documentation alone.
- You have dedicated time with zero distractions. Let’s be honest: when you’re learning on your own, life happens. A Slack message pings, you get hungry, you remember that thing you were supposed to do yesterday. You tell yourself you’ll come back to the tutorial later. (Narrator: You will not come back to the tutorial later.) In-person training means you’ve committed the day, and there’s healthy peer pressure to stay engaged.
- Corridor conversations add unexpected value. Some attendees were already running Zeek in production and shared insights during breaks about problems they’d encountered and how they solved them. Learning from your peers’ real-world experiences is an opportunity that only happens in person.
- The confidence boost is real. Seeing Zeek run successfully (even if you’re just following commands) gives you proof that you can make it work. That small victory makes it far more likely you’ll return to the material later and dive deeper.
Learning Alongside a Diverse Community
The room was full of people from different backgrounds, and the questions that were asked throughout the session reflected this clearly:
- “How does Zeek behave in cloud environments like AWS or Azure?”
- “What’s the difference between Zeek and Wireshark?” (a perennial favorite)
- “What packet brokers should we use, and how do we handle deduplication?”
- “Can we automate ServiceNow ticketing based on Zeek notices?”
These are the real challenges people face when deploying and managing Zeek. In a room full of practitioners, those questions become learning opportunities for everyone.
What’s Next
If you want to move beyond reading documentation and actually deploy Zeek in a production environment, in-person training gives you the structure, support, and real-world examples to do it confidently.
Interested in attending future training? Keep an eye on our website for upcoming sessions. We’re also hosting a free, two-day workshop at CERN in March 2026, which includes training and community talks.
Have questions about training or want to connect with others learning Zeek? Join the conversation on Slack or Discourse.
Thanks to Fatema Bannat Wala, Christian Kreibich, Keith Lehigh, and Michael Dopheide for making this training happen, and to the NSF Cybersecurity Summit for hosting such a strong community event.