CERT concentrates on the technical basis for identifying and preventing security flaws and for preserving essential services if a system is penetrated and compromised, and provides guidance to help organizations improve the security of networked computer systems. Our agenda consists of three elements: research, technology development, and technology transfer. In our research activities, we aim to replace informal methods with precise software, security, and survivability engineering. In our technology development work, we create software, security, and survivability standards, technologies, and automation. In technology transfer, we attempt to incorporate results into key acquisition and development projects. While all of these elements are necessary to achieve success, the focus of this report is on CERT's research work. Our research agenda is driven by the need to develop theoretical foundations and engineering methods to ensure the security and survivability of critical systems. We believe the projects described in this report are necessary elements in support of this agenda. We provide brief abstracts for our major research projects, followed by more detailed descriptions of the projects.