Cisco Systems Inc.

09/03/2025 | News release | Distributed by Public on 09/03/2025 06:18

Black Hat USA 2025: 10 Years Protecting Black Hat

Cisco is a proud partner of the Black Hat NOC (Network Operations Center), as the Official Security Cloud Provider, celebrating our 10th year protecting Black Hat, the longest of any partner.

We work with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

Black Hat USA SOC partners

The core objective of the NOC is to ensure continuous network stability. Additionally, the partners deliver seamless security, comprehensive visibility and automation by embedding a SOC (Security Operations Center) within the NOC, built in Las Vegas in five days.

Black Hat USA 2025, interior of the NOC

Screens positioned outside the NOC showcased partner dashboards, allowing attendees to monitor the network traffic's volume and security status in real time.

Black Hat USA NOC

Cisco became a partner of the Black Hat NOC in 2016, initially offering automated malware analysis through Threat Grid. Over time, Cisco's role expanded to support the evolving demands of the Black Hat conference by integrating additional elements of the Cisco Security Cloud into the network and security operations.

  • Breach Protection Suite
    • Splunk Attack Analyzer with Cisco Secure Malware Analytics (Formerly Threat Grid): sandboxing and integrated threat intelligence
  • User Protection Suite
    • Cisco Umbrella: DNS visibility for the conference network and protection for iOS devices
    • Cisco Secure Access: Zero Trust Architecture
    • Cisco Duo, with Identity Intelligence: Single Sign-On
    • Cisco Security Connector: iOS device security and visibility, managed with Meraki Systems Manager
  • Cloud Protection Suite
    • ThousandEyes: Network observability/availability

Black Hat carefully selects its network and security industry partners; entry into the NOC is strictly by invitation only, emphasizing partner diversity and a commitment to full collaboration. Our NOC team, composed of diverse technologies and organizations, is dedicated to ongoing innovation and seamless integration to deliver a comprehensive SOC cybersecurity architecture solution.

Black Hat USA 2025 integrations

At each conference, we see plain text data on the network, as you will read in our Black Hat USA blogs below. As the malware analysis provider, we also deployed Splunk Attack Analyzer as the engine of engines, with files from Corelight, and integrated it with Splunk Enterprise Security.

Black Hat USA Secure Malware Analytics Dashboard

The NOC leadership enabled Cisco and other partners to introduce additional software and hardware solutions, enhancing our internal efficiency and expanding our visibility capabilities; however, Cisco is not the official provider for Extended Detection & Response, Security Event and Incident Management, Firewall, Network Detection & Response or Collaboration.

  • Breach Protection Suite
    • Cisco XDR: Threat Hunting / Threat Intelligence Enrichment / Executive dashboards / Automation with Webex. The Cisco XDR Command Center dashboard tiles made it easy to see the status of each of the connected Cisco Security technologies (check out the XDR Threat Hunter's Corner blog by Adi Sankar)
    • Cisco XDR Analytics (Formerly Secure Cloud Analytics/Stealthwatch Cloud): Network traffic visibility and threat detection (read the Case Studies blogs by Bilal Qamar below for examples)
    • Splunk Cloud Platform and Splunk Enterprise Security: Integrations and dashboards
    • Cisco Webex: Incident notification and team collaboration

In addition, we deployed proof of value tenants for security:

  • Cisco Secure Access: Merge with zero trust architecture and expand to include DNS
  • Cisco Firepower Threat Defense Virtual: Intrusion detection with Snort ML

We appreciate alphaMountain.ai and Pulsedive donating full licenses to Cisco, for use in the Black Hat USA 2025 NOC.

Enriching Cisco XDR Incidents With Endace

Black Hat is an incubator for innovation.

  • Ivan Berlinson built an integration with Cisco XDR and Palo Alto Networks firewalls two years ago for Black Hat USA 2023. Building on that inspiration, we are helping the engineering teams build a production integration with Cisco XDR and the firewalls via Strata Logging Service.
  • Ryan Maclennan did a Hack-a-Thon with Corelight for direct integration with Cisco XDR, coming soon to your XDR tenant.
  • Continuous Packet Capture partner Endace also joined the Cisco team in the NOC/SOC, along with Mobile Device Manager partner Jamf, and we made integration advancements with both partners, as you will read below.

While Cisco XDR has its own powerful network detection engine, it operates primarily by consuming NetFlow and does not store full packets. To enhance the investigation experience for Black Hat SOC analysts, Matt Vander Horst worked with Baz Shaw of Endace for rapid development of an automated workflow in Cisco XDR automation that enriched incidents in XDR with links to various resources in Endace immediately upon incident generation. As shown below in an XDR incident, a worklog note was automatically added to the incident with a link to investigate in EndaceVision or download a CSV or PCAP of full-packet traffic related to the incident.

Black Hat USA XDR dashboard

Looking at the Endace side, we can see a selection of files that were generated for the various incidents that were being created in Cisco XDR. These files are preserved in Endace's Vault and can be downloaded by analysts to see full detail captures of traffic related to their security incidents.

Black Hat USA 2025 Endace dashboard

Black Hat is a time of rapid innovation and Matt is working to assist the Endace team to publish the workflows in the XDR Automate Exchange.

Mobile Device Management

We want to share special thanks to Paul Fidler for years of support of Black Hat events with mobile device management (MDM) using Meraki Systems Manager, along with Connor Laughlin. Since Black Hat USA 2021, Meraki SM was the official MDM. Paul and Connor became valued members of the Black Hat registration team, developing innovative solutions and automations for managing and securing thousands of iOS devices over the last six years.

Starting at Black Hat Europe 2025, we recommended our partners at Jamf assume the mantle of MDM provider to Black Hat. Paul worked with Adam Derrick of Jamf Pro to share best practices, automation, insights and client requirements. Together, they managed and secured over 1,000 iOS devices for Black Hat USA.

Paul Fidler and Adam Derrick

Their combined effort made Registration, Training and Briefing Check-in and sponsor lead management a joint success for Black Hat.

Black Hat USA registration

Jamf Pro also has an integration with Cisco XDR Assets, so we will continue to have visibility into the posture of the devices at Black Hat.

XDR dashboard

Learn More About Cisco at Black Hat USA

Dig deeper into the innovation, threat hunting and integrations with our Black Hat USA blogs:

  • Driving Cisco XDR integrations with 3rd Party Partners at Black Hat
  • Splunk Innovation at Black Hat USA
  • Case Study: Conference Hopping - Training Attendee Scanning Def Con
  • Case Study: Black Hat Training Attendees Scan Aviation Organization
  • Black Hat Investigation: Attempted Exploitation of Registration Server
  • Refining SSO at Black Hat USA
  • Securing DNS with Umbrella at Black Hat
  • Cisco Secure Firewall: SnortML at Black Hat USA 2025
  • The Value of PCAP in Firewall Investigations
  • ThousandEyes and the Black Hat USA 2025 Experience: A Network Perspective
  • Elevating Incident Response at Black Hat with the Ultimate Network Forensics - PCAP Or It Didn't Happen
  • Accelerating Security Operations at Black Hat: Fast Queries and automated PCAP Workflows

Black Hat USA NOC team

We are already planning for more innovation at Black Hat Europe, held in London the second week of December 2025.

Acknowledgements

Thank you to the Cisco NOC/SOC team:

  • Security Cloud Innovation: Ryan Maclennan
  • Integrations: Ivan Berlinson
  • Breach Protection: Steve Nowell, Aditya Sankar, Matt Vander Horst and Bilal Qamar
  • User Protection: David Keller and Adam Kilgore, with Justin Murphy
  • Meraki Systems Manager: Paul Fidler
  • ThousandEyes: Mauro Caballero and Daniel Gaona Campos
  • Splunk: Tony Iacobelli

Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Mark Overholser and Eldon Koyle), Arista Networks (especially Jonathan Smith), Lumen, Endace (especially Michael Morris and Cary Wright), Jamf (especially Adam Derrick) and the entire Black Hat / Informa Tech staff (especially Grifter 'Neil Wyler', Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Jung and Steve Oldenbourg).

About Black Hat

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.


Cisco Systems Inc. published this content on September 03, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 03, 2025 at 12:18 UTC.