惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
F
Fortinet All Blogs
Cisco Talos Blog
Cisco Talos Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Secure Thoughts
美团技术团队
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
月光博客
月光博客
T
Tor Project blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
I
Intezer
博客园 - 【当耐特】
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
GbyAI
GbyAI
罗磊的独立博客
V
V2EX
Google DeepMind News
Google DeepMind News
D
DataBreaches.Net
Last Week in AI
Last Week in AI
T
Tailwind CSS Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
A
About on SuperTechFans
Scott Helme
Scott Helme
Vercel News
Vercel News
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
C
CERT Recently Published Vulnerability Notes
G
Google Developers Blog
B
Blog
博客园 - 叶小钗
WordPress大学
WordPress大学
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Jina AI
Jina AI
IT之家
IT之家
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
小众软件
小众软件
博客园 - Franky
Microsoft Azure Blog
Microsoft Azure Blog
AWS News Blog
AWS News Blog

Security @ Cisco Blogs

We third-party tested our firewall built for AI-scale. The test tools hit their limit first. SharpHound Recon Attack - How AI enhanced the threat hunt Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Elevating Expertise in the SOC Educate at Event Speed: Cisco Live Security Operations Center What Working the Cisco Live SOC Taught Me About AI, Detection, and Response Cable to Cloud - A Product Engineer's Journey Through the Cisco Live AMER 2026 SOC The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 Ten Years in the SOC at RSAC: What We Learned in 2026 Uplevelling Black Hat Threat Hunters Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Cisco Secure Access with MCP Infrastructure at Black Hat Asia 2026 The Essence of Black Hat – Collaboration with Partners Black Hat Asia 2026: A Decade in Singapore Black Hat Asia 2026: Threat Hunters’ Corner Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat Asia Security in the Post-Mythos Era Cisco SASE with Meraki: Get in the Fast Lane to SASE Extending Zero Trust Across the Agentic AI Workflow Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery Quantum Resilience Needs a Common Language. Here’s Where to Start. Security at Cisco Live: Going Shields Up for the Agentic Era Identity Elevated: A New Unified Identity Experience in Cisco Cloud Control Security Needs a New Operating Model Cisco Secure Access and Microsoft Purview Integration for Simplified Data Protection Cisco Secure Access and Island Browser Enable Zero Trust Everywhere Finding what lives between the alerts: Announcing Cisco Talos Threat Hunting From Log Flood to Threat Signal: Cisco and Splunk Bring Context to Modern Defense Cisco Secure Access and Microsoft Edge for Business Integration Why Network Segmentation Projects Fail: Four Patterns Cisco’s Risk-Based Vulnerability Disclosure in the Age of AI Enhancing Cisco Secure Email Gateway: Safer Clicks and Cleaner Files AI-generated reporting: Lessons learned from Cisco Talos Incident Response Inside the SOC: AI-powered DNS defense against ransomware Security Insights: A Threat-First View for the Platform That Enforces Access From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100 Data Optimization in Security: A Splunk Architect’s Perspective Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders Zero Trust for Agentic AI: Safeguarding your Digital Workforce The Agent Trust gap: What Our Research Reveals About Agentic AI Security Meet Your Incident Responders
Building the Agentic SOC at Cisco Live Americas 2026
Jessica (Bair) Oppenheimer · 2026-07-08 · via Security @ Cisco Blogs

Building on the Cisco Live EMEA SOC, Cisco Live Americas placed the Security Operations Center (SOC) and Network Operations Center (NOC) at the center of the World of Solutions, demonstrating the power of Cisco in bringing Networking, Security and Observability together.

Like any successful SOC, planning starts with a close partnership with the NOC, which deploys a team of engineers to build the network in the weeks ahead of the conference. The Cisco Live Americas Agentic SOC architecture shows how a “One Cisco” approach brings different security tools together to eliminate data silos, in close partnership with the NOC. This directly supported our three missions.

  • To Protect: agentic workflows helped analysts triage and validate incidents faster
  • To Educate: they helped turn complex investigations into clear, human-readable narratives for tours and post-event learning. In the agentic SOC, we trained over a dozen new analysts, empowering them to as Tier 2 analysts, with agentic workflows
  • To Innovate: The live environment is an opportunity to pressure test how Cisco Security and Splunk Security can work together in a next-generation SOC where AI assists, evidence grounds the decision, and humans remain in control

Watch the recording of the live interview at the SOC on Cisco TV.

The SOC at Cisco Live was set up in just two days, thanks to lessons learned and continuous evolution. The ‘SOC in a Box’ is on the left.

The SOC in a Box also included a UCS M8 with three NVIDIA GPUs, giving the team room to test local and protected AI workflows inside the event environment. That mattered because SOC data can include sensitive details. AI Defense and DefenseClaw provided guardrails and auditability around these workflows, helping the team inspect prompts, responses, and agent actions rather than treating AI as a black box.

The SOC Architecture

We connected developing agentic capabilities into a governed SOC workflow so every incident could be summarized, validated, investigated, and audited with a human still in control.

For Cisco Live AMER, we treated agentic AI as an auditable review layer across the SOC, not as a replacement for analysts. Incidents still started from real telemetry and detections, but agentic workflows helped summarize what happened, identify supporting evidence, recommend next steps, and preserve the reasoning for human review. Analysts remained accountable for closure, escalation, and any action that could affect the event network.

Splunk Enterprise Security served as the evidence and investigation plane. When agentic workflows produced a summary or recommendation, analysts could validate the underlying events, searches, detections, malware analysis, and packet evidence rather than relying on an uncited AI answer. Where possible, agentic workflow activity and guardrail events were made searchable so the team could review not just the conclusion, but how the conclusion was reached.

Cisco XDR provided the incident narrative layer for frontline analysts. Attack Storyboard and Verification helped convert correlated detections into a guided explanation of what happened, which entities were involved, and whether the available evidence supported escalation, closure, or continued monitoring. Every incident could receive agentic review, but agentic review did not mean autonomous response. The workflow was deliberately human-in-the-loop: agents summarized and recommended; analysts validated and decided.

Firepower SnortML and Encrypted Visibility Engine helped answer a critical question in an event SOC: what can the network tell us even when endpoints are unmanaged and much of the traffic is encrypted? These detections gave the SOC high-value signals that could be correlated in XDR and validated in Splunk.

Incidents were investigated in Splunk Security, with threat intelligence provided by Cisco Talos, and licenses donated by  alphaMountain, Pulsedive, and StealthMole along with community sources.

Telemetry creates incidents. Agents accelerate understanding. Splunk grounds the evidence. Cisco XDR guided the incident narrative. AI Defense and DefenseClaw govern the workflow. Humans make the decision. The whole process can be reviewed.

Agentic SOC: Incident -> Agentic Review -> Evidence Summary ->
Human Validation -> Action / Close -> Audit
Agentic Capability Question It Helped Answer
Firepower SnortML + Encrypted Visibility Engine What is the network telling us, even through encrypted traffic?
XDR Attack Storyboard / Verification What happened, and does the incident require action?
Splunk Enterprise Security Triage Agent What does the evidence say?
AI Studio + Endace What packet evidence proves or disproves the hypothesis?
Splunk Attack Analyzer AI Reversing Agent What does this file or URL do?
Foundation AI with Cisco XDR workflows How do we summarize and document the investigation?
AI Defense + DefenseClaw How do we inspect, guardrail, and audit agentic workflows?

The SOC team used Duo Central for Single Sign-On access to the tools, both on-premises and in the cloud, executing from the first customer experience at Black Hat.

By leveraging cloud-based solutions like XDR and Splunk Cloud, this also minimized the amount of work that was needed in a very tight setup window. Configurations and other data were already ready to go from previous events as well, including dashboards in Splunk. The SOC manager dashboard was used to track status of Agentic AI assisted incident investigations and escalations.

There were some use cases where no human involvement was necessary, such as when an attendee’s device or accounts were found to be compromised or unsecure, the SOC team used automation to notify the attendee with Endace and Splunk SOAR, resolving the Incident without human intervention.

The Splunk Packet Peekers Prize Board was the most popular for attendees to view (and hope their account was not one of the redacted on the dashboard).

The Statistics

Statistics are always a popular part of the SOC Tours. Below are the stats from this year’s event. In addition, the perimeter firewalls of the NOC blocked over 10 million external attempts to attack the network, with those logs added to the SOC Splunk Enterprise Security platform.

Year 2026 2025
Attendees (Cisco Live) 20,000+ 22,000+
Total packets captured (Endace) 202.9 billion 99.5 billion
Total logs captured (Splunk) 5.6 billion 4.5 billion
Total sessions (Endace) 1.74 billion 1.49 billion
Total unique devices 62,790 (DHCP) 37,052 (DNS)
Total packets written to disk (Endace) 199 TB
– 100 TB IPv6
– 89 TB IPv4
– 4 GB non IP
78.9 TB (IPv4 only)
Total logs written to cloud (Splunk) 7.4 terabytes (added perimeter firewall logs) 1.99 terabytes
Peak bandwidth utilization (Endace) 10 Gbps (saturated) 4.85 Gbps
DNS Requests (Cisco) 270.4 million / 60.1k blocked 261.3 million / 28.3k blocked
Total clear text username/passwords (Endace) 43,322 2,256
Unique devices / accounts with clear text usernames / passwords (Endace) 686 97
Files sent for malware analysis (Endace) 2.392 million 740,172 file objects reconstructed by Endace
– 23,368 sent to Splunk Attack Analyzer
– Sent to Secure Malware Analytics
740,172 file objects reconstructed by Endace
– 42,813* sent to Splunk Attack Analyzer
– 13.05k sent to Secure Malware Analytics
* De-duplication started afternoon of 11 June 2025, as part of tuning

Agentic SOC Findings and Lessons Learned

Check out the blogs by the engineers who worked inside the SOC at Las Vegas:

Acknowledgements

Our thanks to the engineers who made the first Agentic SOC at Cisco Live a success, by protecting the network and educating attendees (and you).

Network Operations Center Liaisons

  • Freddy Bello, Andy Phillips and Scott Neuman

Cisco Security and Splunk SOC Team

  • SOC in a Box hardware: Aditya Sankar
  • Splunk Security Integrations: Ivan Berlinson, Paul Pelletier and Josh Wilson
  • Splunk Security: Drew Church, Erik Dove, Todd Dow, Daniel Christiansen, Logan Buntrock
  • Cisco Security: Lou Norman and Oscar Ramirez
  • Analysts: John Park, Abhishek Dubey, Manoj Sudhakara, Pujan Trivedi, Bilal Qamar, Michelle Hermosillo, Ray Aragon, Kellie Cottingame, Alfredo Jurado, Jeremy Stanley, Chris Perkins, Paul Jeffery, Chris Lijoi, Adam Alkishawi, Maurali Ananth, Bill Radford, Brian Rees and Chris Ochia-Belen
  • Remote support: Adam Kilgore, Kenneth Bouchard, Aditya Raghavan, Chris Anderson, Kevin Wofford

Endace SOC Team

  • Cary Wright, Barry ‘Baz’ Shaw, Stephen Donnelly, Elliott Hinson and Michael Morris