diff --git a/ex4/README.md b/ex4/README.md new file mode 100644 index 0000000..b3b7849 --- /dev/null +++ b/ex4/README.md @@ -0,0 +1,44 @@ +# Exercise 4 + +## 2. Metadata and Univariate Analysis + +Discovered TCP-Flags and their percentages (rounded): + +| TCP Flag | % | +|----------|-----:| +| S | 77.8 | +| A | 9.8 | +| RA | 5.3 | + + + +#### Check carefully the top TCP-flag values discovered and their percentages. Does it make sense for you? Why? Make sure that you understand flag values, their use and meaning. +TODO + + +#### Does the TTL plot show mountain-like shapes? (see plot team13_ex4_2.jpeg). If so, can you figure out why? +Since the TTL can be implemented differently, it is normal, that the used TTLs differ. The TTL should be decremented after every HOP +(stations between source and target). + + +## 3. Bivariate Analysis + +#### + + Think about it... + + Check both flows required in [rep-23]. Can you indentify what kind of traffic it is in each case? Do you think that any of them might be malicious? + + Important! Carefully consider the AGM vector again. Think the kind of flow values/profiles that you would get in the follow scenarios (remember that the AGM-vector can be configured to profile destinations as well as surces): + + Horizontal scan. + Vertical scan. + Brute Force attack. + DDoS attack. + Backscatter. + Normal server. + Vulnerable, flooded server + + You should be able to see that some of the previous traffic scenarios are quite easy to spot by using AGM vector, but not all of them. + +TODO \ No newline at end of file
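Review bot: the TTL answer in section 2 stops short of the actual explanation, and the TCP-flag question directly above it is still `TODO`, so the two analytic questions the exercise asks are both effectively unanswered. For the TTL "mountains": the sentence "Since the TTL can be implemented differently, it is normal, that the used TTLs differ" should say what the plot is showing, namely that operating systems ship with a handful of distinct default initial TTLs, every router on the path decrements the value by one, and the observed values therefore pile up just below each default, one peak per default and a slope to the left of it whose width reflects the hop-count distribution. For the flag table, note that the three rows (S 77.8, A 9.8, RA 5.3) sum to 92.9 %, so either the remaining ~7 % should be listed or the table should say it is truncated to the top three; the answer should then address why a pure-SYN share near 78 % is far above what completed connections would produce (a normal handshake yields at most one S per flow against many A/PA segments) and what a large SYN surplus with few matching SA/A segments suggests. Minor points in section 3: the heading line `####` is empty and should carry the question title or be dropped, "indentify" should be "identify", "follow scenarios" should be "following scenarios", "surces" should be "sources", and the file is missing a trailing newline (the `\ No newline at end of file` marker).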