diff --git a/ex1/README.md b/ex1/README.md new file mode 100644 index 0000000..f19551b --- /dev/null +++ b/ex1/README.md @@ -0,0 +1,30 @@ +# Exercise 1 + +## Passive Information Gathering + +>>> +Are mail servers hosted by the same company? Depending on the company, the +answer to this question can be "yes" or "no". Considering each of these +possibilities, does it make sense targeting mail servers as potential vectors +for penetration attacks? +>>> + +Yes, it makes sense to target mail servers especially when they are hosted by +the same company. Servers which are not hosted by the same company are +presumably not included in the penetration testing contract and attacking those +external servers might be illegal. + +## Profiling Host Activity + +>>> +Imagine using Wireshark for checking all the traffic passing through an +intermediate routing device. Do you think that you could detect hosts performing +horizontal scanning? And vertical scanning? Do you consider Wireshark as a +suitable tool for analyzing large amounts of network traffic data? Why? +>>> + +As soon as the amount of traffic routed through the routing device exceeds +hundreds of megabytes, it might not be feasible to use wireshark to analyze the +traffic. Maybe it is possible with a good grip on all the filtering capabilities +of wireshark, but one definitely has to know what to look for. Big amounts of +traffic data are better analyzed using programmatic means.
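Review bot: The answer under "Profiling Host Activity" only addresses the last part of the quoted question (whether Wireshark suits large amounts of traffic) and never says whether horizontal or vertical scanning could be detected from the intermediate routing device. Add a sentence for each, for example what a capture would show when one source contacts the same port on many hosts (horizontal) versus many ports on one host (vertical), and then tie that to the existing point that "one definitely has to know what to look for". In the "Passive Information Gathering" answer, "presumably not included in the penetration testing contract" is a guess; state instead that externally hosted mail servers are in scope only if the contract and the hosting provider explicitly authorize it. Style: the answer writes "wireshark" in lowercase while the question uses "Wireshark", and "Big amounts of traffic data" would read better as "Large amounts of traffic data".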