SI-CERT: How a 13-Person Team Manages 6,000 Annual Incidents
Slovenia’s national CSIRT, SI-CERT, processes 6,000 cyber incidents annually with a core staff of just 13. By deploying a specialized three-line triage model a…

On June 3, 2026, an interview published by Help Net Security revealed the operational metrics of a unique case within the European Computer Security Incident Response Team (CSIRT) ecosystem: SI-CERT. The Slovenian national team, currently composed of approximately 13 personnel with a target of 15, manages roughly 6,000 cyber incidents per year. Manager Gorazd Božič detailed the evolution of an organization that handled only 300 annual cases fifteen years ago, now operating through a three-line triage structure and increasing specialization that serves as an alternative model to the internal corporate SOC.
- SI-CERT manages approximately 6,000 incidents annually with a team of 13, up from 300 cases per year 10–15 years ago.
- The operational structure utilizes three triage lines: routine reports, serious incidents, and phishing reports, classified using an adapted ENISA taxonomy.
- The team maintains specialized capabilities in malware analysis, digital forensics, and threat intelligence, providing resources that individual organizations cannot sustain internally.
- SI-CERT is funded by the Government Information Security Office and is a member of FIRST, TF-CSIRT, and Trusted Introducer, confirming its institutional mandate.
From 300 to 6,000: Three Decades of Exponential Growth
The history of SI-CERT dates back to 1994, when Gorazd Božič submitted the original proposal to ARNES, the public agency for the Slovenian academic and research network. The center became a department within ARNES and established cooperation with law enforcement as early as 1998. According to Božič, the workload has increased twenty-fold: from approximately 300 incidents per year to 6,000. This growth is exponential rather than linear, reflecting the expansion of the national attack surface and increased reporting awareness.
These quantitative figures are particularly relevant within the European context of NIS and NIS2 mandates, which require member states to maintain incident response structures. Slovenia has opted not to replicate a "mega-SOC" model, instead maintaining a lean, specialized team integrated into the academic network. The source does not specify SI-CERT’s annual budget or provide direct comparisons with other European national CERTs regarding team size relative to incident volume.
Triage Geometry: Three Lines to Filter the Noise
The technical core of SI-CERT’s operations is its three-line triage structure. The first line handles routine reports, the second manages serious incidents, and the third focuses on phishing reports. Every case is classified using the ENISA taxonomy, adapted with specific subcategories. This system separates volume from value: while not all 6,000 incidents require deep-dive analysis, all must be categorized for trend tracking and institutional reporting.
Team specialization has stratified over time. Beyond operational triage, SI-CERT maintains expertise in malware analysis, digital forensics, and threat intelligence. The source cites the analysis of the residential proxy side of Anatsa—an Android banking malware—as a concrete example of their work. This level of analysis does not scale by simply adding generalist staff; it requires analysts with specific technical skills that medium-sized companies cannot economically justify as a fixed internal cost.
"The center now records about 6,000 incidents a year, up from roughly 300 ten to fifteen years earlier."
— Gorazd Božič, SI-CERT Manager
The Shared Service Model and the Corporate Boundary
Božič outlined a clear position on the relationship between a national CERT and corporate security structures. The Slovenian model positions SI-CERT as a provider of capabilities that a single internal SOC cannot maintain: in-depth malware analysis, advanced forensics, and national-level threat intelligence. This approach reduces cost duplication and concentrates expertise at a single point in the national network, accessible to all requesting organizations.
SI-CERT’s institutional standing is formalized through funding from the Government Information Security Office, identified as the "competent national authority." Membership in FIRST (Forum of Incident Response and Security Teams), TF-CSIRT, and Trusted Introducer accreditation places the team within the international CSIRT cooperation network. These elements confirm the government mandate but do not specify contractual terms or SLAs with assisted organizations.
The source notes a recurring tension: SI-CERT’s role is "still misunderstood as an inspectorate or a branch of law enforcement." Božič reiterated that the function is technical support, not investigation. This distinction is operational: the CERT lacks coercive powers but can aggregate data on phishing campaigns or malware distribution that individual companies tend to manage in silos.
The Limits of Automation: Why AI Won't Solve Triage
In the interview, Božič expressed skepticism regarding the ability of Artificial Intelligence to replace human analysts in a SOC context. His argument is technical: understanding the significance of an alert requires accumulated knowledge, organizational context, and the ability to correlate heterogeneous signals. Automation can filter noise, but it cannot yet determine what an alert actually means.
This stance has direct consequences for staffing models. If AI does not reduce the need for qualified analysts, the growth from 13 to 15 personnel represents only a marginal increase against a volume that may continue to rise. The source provides no estimates for the future trajectory of the 6,000 annual incidents, nor does it indicate if the team plans further expansions or modifications to the triage structure.
Strategic Implications
The dossier does not specify the percentage distribution of the 6,000 incidents across the three triage lines, nor does it provide resolution rates or average response times. Data on the exact number of cooperative cases with law enforcement in 2025 is unavailable, beyond the historical mention of 1998. Direct comparisons with other European national CERTs are not provided, making it impossible to rank Slovenia’s efficiency relative to its peers.
The source does not document specific corrective measures or explicit operational recommendations for organizations interacting with SI-CERT. The "shared service" model is described as an established practice rather than a formalized framework with standardized access procedures. The exact annual budget remains undisclosed, as do the prioritization criteria for requests from public versus private entities.
For corporations and the public sector, the Slovenian case demonstrates that a small, structured team can manage high volumes through specialized triage and public-private cooperation, even though a two-person staff increase offers little additional scalability. For policymakers, the remaining challenge is funding sustainability across electoral cycles, despite NIS/NIS2 mandates. For professionals, the evolution from generalist to specialist documented by SI-CERT serves as a case study in how CERT maturity is measured by depth of analysis rather than breadth of coverage.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://www.helpnetsecurity.com/2026/06/03/gorazd-bozic-si-cert-cyber-incident-response/
- https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/
- https://www.welivesecurity.com/en/kids-online/children-selfies-online/
- https://www.securityweek.com/trump-signs-executive-order-that-invites-vetting-of-top-ai-models-for-national-security-risks/
- https://nvd.nist.gov/vuln/vulnerability-detail-pages
- https://www.cert.si/en/about-si-cert/
- https://www.helpnetsecurity.com/2026/04/07/online-crime-financial-losses-fbi-report/
- https://www.helpnetsecurity.com/2026/01/08/barracuda-phishing-kit-techniques/
- https://www.helpnetsecurity.com/2026/03/05/tycoon-2fa-phishing-platform-takedown-europol/