Official website of the South African National CSIRT

Incident Management Process

The Cybersecurity Hub is the country’s National Computer Security Incident Response Team (CSIRT). The aim of the Cybersecurity Hub is to establish sector-CSIRTs and to co-ordinate activities and incidents across these sector-CSIRTs and constituents (of which you – the public – is one).

The Cybersecurity Hub does not resolve cybersecurity incidents, but routes cybersecurity incidents received, to the applicable authorities for resolution. As an example, where we receive a cybersecurity incident related to the banking industry, we will route the cybersecurity incident to the banking sector CSIRT, who in turn will route the cybersecurity incident to the bank in question. Cybersecurity incidents related to cybercrime or cyberbullying is routed to the South African Police Service (SAPS) for resolution. These authorities are then responsible for the investigation and resolution of the incidents.

The Cybersecurity Hub currently operates from 08:00 to 16:30 weekdays, and excluding public holidays. The Cybersecurity Hub incident management process works as follows: 

  1. An incident is submitted through this website, or through e-mail.
  2. Once you have clicked on submit, you will receive a reference number via e-mail.

    Please keep this safe since you will be asked to provide the reference number during future correspondence with the Cybersecurity Hub.

    You might want to contact the Cybersecurity Hub as you become aware of more information which could assist in the investigation and resolution of the incident, or where you have not received feedback in a timely fashion (please see 5 below)

  3. The Cybersecurity Hub will route your incident to the appropriate authority. This happens during office hours, from the time the Cybersecurity Hub receives the cybersecurity incident.
  4. The identified authority will respond to the Cybersecurity Hub with a reference number of its own. This reference number is then captured as part of your cybersecurity incident.

    Once this step is complete, the identified authority is responsible for the resolution of the incident.

  5. The identified authority will correspond with you directly as part of the incident investigation and resolution process. The Cybersecurity Hub has no control over the incident investigation and resolution process.

    If you have not received feedback after 5 working days, please contact the Cybersecurity Hub through an e-mail, quoting your reference number. The Cybersecurity Hub will then contact the identified authority for feedback.

  6. You will receive confirmation on closure of the incident.


Incident coordination

Receiving, triaging, and responding to requests and reports, and analysing cyber incidents and events.

Cybersecurity assessment and advisory

Detailed review and analysis of constituent's publicly viewable assets.


Gather and develop security advisories and intrusion alerts to help constituents to protect their systems and networks.

Security-related information dissemination

Provision of a comprehensive and categorised collection of relevant publicly available documentation that aids in improving security.

Cybersecurity awareness building

Increase security awareness for citizens through the dissemination of various artefacts.

Identification of national standards

Identification of appropriate de facto rigorous, semantically correct,clear, and understandable standards.

Promotion of national standards

Promote the use of the de facto national standards, which facilitate threat sharing between the constituents of the Cybersecurity Hub via implementation of threat sharing platforms.

Establishment of Sector-CSIRTs

Promotion of collective capacity via public-private partnerships for the advancement of cybersecurity best practises all via the establishment of sector-CSIRTs.

Skills and training

Development and promotion of a national cybersecurity skills framework approved by relevant national institutions.