Cisco Live 2025: Network Security in San Diego | Endace

by Ahmed Ibrahim

Cisco Live 2025 SOC Deployed Advanced Threat Detection, Captured Nearly 80 TB of Network Traffic

Protecting over 23,000 attendees, the Security Operations Center (SOC) at Cisco Live San Diego 2025 leveraged advanced packet capture and threat hunting capabilities to safeguard the conference network and provide valuable security insights. The collaborative effort between Cisco and Endace demonstrated the power of real-time network visibility and proactive threat response.

Real-Time Visibility Through Packet Capture

Endace was invited by Cisco to bolster the Cisco Live SOC with its EndaceProbe packet capture technology and a dedicated team of threat hunters. The primary objective was to protect the network and attendees, with secondary goals focused on education and innovation. Two EndaceProbes were deployed within Cisco’s “SOC-in-a-Box,” continuously recording all network traffic across two 10G SPAN ports.

This thorough data capture was integrated with both Splunk Enterprise Security and Cisco Security Cloud, delivering real-time network visibility to the SOC team. This integration enabled rapid detection, location, and mitigation of threats originating from both external and internal sources, significantly streamlining examination workflows.

Deep Dive: EndaceProbe Packet Capture
EndaceProbes provide full packet capture, indexing, and search capabilities, enabling security teams to quickly investigate and respond to threats. Learn more about EndaceProbe technology.

Protecting a Large-Scale Event

The SOC at Cisco Live was specifically designed to protect the more than 23,000 attendees from potential threats on the conference network. When a device was identified as compromised or unsecured, the SOC team prioritized identifying the issue, locating the affected device, and assisting with remediation. Beyond reactive security measures, the SOC also offered public tours, educating attendees about the SOC’s configuration, implemented processes, and the types of threats uncovered during the event.

SOC Tour Highlights:
Attendees learned about the SOC’s architecture, threat detection methodologies, and incident response procedures. This educational initiative helped raise awareness about cybersecurity best practices.

Building on Prior Success at RSAC 2025

The Cisco Live SOC build benefited from experience gained at the RSA Conference (RSAC) 2025, where Endace previously captured 36 TB of data and 45 billion packets. This prior experience allowed for optimization of the approach and a rapid two-day setup for Cisco Live.

Key Metrics from Cisco Live 2025 SOC Operations

At Cisco Live, Endace’s technology achieved critically important results:

  • Captured 78.9 TB of network traffic, representing 99.5 billion packets.
  • Reassembled over 740,000 file objects in real time, forwarding 42,624 files to Splunk Attack Analyzer for deeper investigation.
  • Detected 2,256 instances of cleartext passwords being used across 92 unique devices.
  • Provided SOC analysts with packet-level forensic evidence for investigating and triaging a wide range of security events.
  • Integrated with Cisco XDR, Splunk, Cisco Firepower IDS, Splunk Attack Analyzer, Cisco Secure Malware Analytics, and Cisco Secure Network Analytics to create a seamless incident response (IR) workflow.
  • Developed new integrations that streamed additional metadata into Splunk, accelerating both investigation and remediation efforts.
Metric Spotlight: Cleartext Passwords
The detection of 2,256 instances of cleartext passwords highlights the persistent risk of insecure password practices. This data underscores the importance of multi-factor authentication and password management solutions.
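The cleartext-password metric above is produced by inspecting reassembled application-layer payloads for credentials sent without encryption. The following is an added example written for this page, not Endace's or Cisco's code and not how EndaceProbe implements the check: it scans a handful of constructed sample flows for HTTP Basic authentication, FTP `PASS` commands and HTML form logins, and then summarises the hits as instances and unique source devices, the same two figures the metric reports. The flow records, IP addresses and credentials are all constructed; the detector deliberately records the username and the detection method but never the password itself, so the findings can be forwarded to a SIEM without re-exposing the secret.

```python
"""
Added example (not Endace's or Cisco's code): detect cleartext credential
exchanges in reassembled application payloads and summarise them as
"instances" and "unique devices". All sample data below is constructed.
"""
import base64
import re
from collections import Counter

# Constructed sample flows: (source IP, destination port, decoded payload).
# In a real SOC these would come from the packet capture / reassembly layer.
SAMPLE_FLOWS = [
    ("10.10.1.5", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.10.1.5", 21, "USER alice\r\nPASS hunter2\r\n"),
    ("10.10.2.9", 80,
     "POST /login HTTP/1.1\r\nHost: portal\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=bob&password=letmein"),
    ("10.10.3.3", 443, "\x16\x03\x01..."),  # TLS handshake bytes: nothing readable
    ("10.10.2.9", 80, "GET /index.html HTTP/1.1\r\nHost: portal\r\n\r\n"),
]

# Patterns for the three cleartext mechanisms this example understands.
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)", re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+\S+", re.M)
FORM_USER_RE = re.compile(r"(?:^|&)(?:user|username|login)=([^&\s]+)", re.I)
FORM_PASS_RE = re.compile(r"(?:^|&)(?:password|passwd|pwd)=[^&\s]+", re.I)


def _basic_user(token):
    """Return the username half of a Basic token; the password is discarded."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "?"
    return decoded.split(":", 1)[0]


def find_cleartext_credentials(flows):
    """Return one finding per credential seen in cleartext.

    Each finding carries source device, destination port, detection method
    and username only; the password value is never copied into the output.
    """
    findings = []
    for src, dport, payload in flows:
        m = BASIC_RE.search(payload)
        if m:
            findings.append({"src": src, "dport": dport,
                             "method": "http-basic", "user": _basic_user(m.group(1))})
        if FTP_PASS_RE.search(payload):
            u = FTP_USER_RE.search(payload)
            findings.append({"src": src, "dport": dport, "method": "ftp",
                             "user": u.group(1) if u else "?"})
        # Form logins live in the HTTP body, i.e. after the blank line.
        if "\r\n\r\n" in payload:
            body = payload.split("\r\n\r\n", 1)[1]
            if FORM_PASS_RE.search(body):
                u = FORM_USER_RE.search(body)
                findings.append({"src": src, "dport": dport, "method": "http-form",
                                 "user": u.group(1) if u else "?"})
    return findings


def summarize(findings):
    """Aggregate findings the way the Cisco Live metric is reported."""
    per_device = Counter(f["src"] for f in findings)
    return {"instances": len(findings),
            "unique_devices": len(per_device),
            "per_device": dict(sorted(per_device.items()))}


if __name__ == "__main__":
    hits = find_cleartext_credentials(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['src']}:{h['dport']} {h['method']} user={h['user']}")
    print(summarize(hits))
```

Run against the constructed flows, the detector reports three instances from two unique devices (the third device only speaks TLS, so nothing is readable). The useful operational output is the per-device breakdown: a device that repeatedly sends cleartext credentials is the one to locate and remediate first, which is exactly the workflow the SOC describes.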

The Power of “PCAP or it Didn’t Happen”

According to a senior official, the collaboration between Cisco and Endace engineers was particularly effective, with teams quickly pivoting to analyze packet data during security incidents. “Inspecting the packet data enabled fast decisions because the team could see exactly what was happening on the wire before, during, and after any event,” they stated. This sentiment underscores the importance of complete packet capture, summarized by the industry adage, “PCAP or it didn’t happen!”

The availability of complete packet data at the SOC team’s fingertips highlighted the value of always-on packet capture, providing comprehensive, real-time visibility into threats, performance issues, and anomalous network behavior.

Collaboration and Future Innovation

The collaborative environment fostered a dynamic exchange of ideas and learnings between engineers from both companies. The Endace team gained valuable insights that will directly improve EndaceProbe and its partner integrations. The company anticipates participating in similar SOC deployments at future large-scale events, with details to be announced soon.

Learn more about the SOC at Cisco Live San Diego 2025 on Cisco’s blog: https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc.
