
Inside the SOC that Secured the RSAC 2026 Conference


In the bustling RSAC 2026 Conference expo hall, a subtle hum of activity resonates behind a partitioned wall. Inside, the security operations center (SOC) is hard at work, showcasing the industry’s commitment to cybersecurity. Five monitors continuously flash vibrant alerts, charts, and critical statistics, while around two tables, a dozen analysts are intensely focused on their sticker-covered laptops.

This setup represents the forefront of cybersecurity during one of the world’s largest cybersecurity events, where nearly 44,000 attendees have gathered to explore the latest advancements in the field, engage in conversations about security issues, and, undoubtedly, connect to the event’s complimentary Wi-Fi. The SOC is tasked with monitoring the intricate flow of data—both north-south and east-west—across the Moscone Center in San Francisco.

Cary Wright, the vice president of products at Endace, notes the scale of the operation. “We’re recording everything that goes across the network,” he states, emphasizing the impressive storage capabilities that allow for around 240 terabytes of data. This extensive storage means that analysts can meticulously investigate any incidents that occur, delving deeply into the network activity before, during, and after any particular event. The team’s diligence is focused on identifying potential zero-day vulnerabilities, advanced threats, and any unusual activity that might go unnoticed by standard security measures.

The SOC team includes representatives from Cisco, Splunk, and Endace, all collaborating to safeguard the network during the conference. Their work is critical as attendees engage in high-stakes discussions related to cybersecurity while potentially putting their devices at risk by connecting to unmonitored networks.

The preconfigured SOC, specifically designed for the RSAC, can be deployed rapidly, becoming operational in less than four hours. This efficiency is achieved through advanced technology: two Cisco Unified Computing Systems equipped with embedded AI and GPUs facilitate local computing tasks and virtualization needs. At the network’s edge, Cisco Secure Firewalls operate in detection mode, complemented by Endace appliances that ensure comprehensive packet capture and generate thorough metadata, including Zeek logs.

Data telemetry flows seamlessly into the security stack via Splunk Enterprise Security, allowing for detailed analysis and rapid response capabilities. If a threat is discovered by a firewall, analysts can easily pivot to examine the related network packets, assessing potential lateral movement, data downloads, or possible malware dissemination.

The extensive array of tools employed in this SOC includes Cisco XDR (Extended Detection and Response), Cisco Secure Network Analytics, and various Splunk applications, ensuring that the analysts have a robust capability to respond to any incidents swiftly. Additionally, threat intelligence is gathered from multiple sources, including Cisco Talos, to enhance the SOC’s capabilities.

Visual displays within the SOC provide invaluable insights into network activity. One monitor presents a spider chart illustrating traffic over the past three days, depicting communication patterns among attendees and the volume of data exchanged. Another screen reveals that 20% of network traffic is encrypted, detailing encryption strengths and the specific TLS versions employed.

Alerts generated by the system have become increasingly automated. For example, one dashboard indicates that 11 devices on the network are transmitting their passwords in the clear, showing a total of 217 incidents. In response to this, hosts are now informed automatically via email about their insecure passwords—a significant time-saver compared to the labor-intensive manual process of alerts used in previous events. Interestingly, during RSAC, attendees exhibited better password protocols than those at previous conferences, highlighting an improvement in security awareness.
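The cleartext-password dashboard described above, reduced to its core detection logic as an added example (this is not the SOC's own code). It reads Zeek-style http.log and ftp.log excerpts that are constructed here, counts credential events per client host, and drafts the per-host notification; the column names are assumed for the example.

```python
"""Cleartext-credential dashboard logic over Zeek-style logs (added example,
not the SOC's code). Counts credential events per client host and drafts the
per-host notification. Log excerpts are constructed; column names follow a
subset of Zeek's http.log / ftp.log and are assumptions for this example."""
from collections import defaultdict

# http.log holds only unencrypted HTTP, so a populated username means a
# Basic-auth header crossed the wire in the clear even when the password
# column is '-' (password capture is normally left off).
HTTP_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\thost\tusername\tpassword
1.0\t10.20.0.11\t203.0.113.5\t80\tmail.example\talice\t-
1.1\t10.20.0.11\t203.0.113.5\t80\tmail.example\talice\t-
1.2\t10.20.0.12\t203.0.113.9\t80\tcdn.example\t-\t-
1.3\t10.20.0.13\t203.0.113.7\t8080\tlegacy.example\tbob\t-
"""
# ftp.log excerpt; anonymous/guest logins carry no real credential.
FTP_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tuser\tpassword
2.0\t10.20.0.11\t198.51.100.4\t21\tanonymous\t-
2.1\t10.20.0.14\t198.51.100.4\t21\tcarol\t-
"""
GUEST_USERS = {"anonymous", "ftp", "guest"}

def parse_tsv(text):
    """Header-plus-rows TSV excerpt -> list of dicts."""
    lines = text.strip().splitlines()
    cols = lines[0].split("\t")
    return [dict(zip(cols, row.split("\t"))) for row in lines[1:]]

def cleartext_credential_events(http_log, ftp_log):
    """(client_host, service, server) for every cleartext credential use."""
    events = []
    for r in parse_tsv(http_log):
        if r["username"] != "-":
            events.append((r["id.orig_h"], "http", r["host"]))
    for r in parse_tsv(ftp_log):
        if r["user"] != "-" and r["user"].lower() not in GUEST_USERS:
            events.append((r["id.orig_h"], "ftp", r["id.resp_h"]))
    return events

def summarize(events):
    """Per-host counts plus total: the two figures the dashboard displays."""
    per_host = defaultdict(int)
    for host, _, _ in events:
        per_host[host] += 1
    return dict(per_host), len(events)

def notification(host, events):
    """Owner-facing message naming the services that got cleartext logins."""
    targets = sorted({f"{svc} to {srv}" for h, svc, srv in events if h == host})
    return f"{host}: credentials sent unencrypted via " + ", ".join(targets)
```

On the constructed excerpts this yields three devices and four incidents; the guest FTP login is deliberately not counted, since it leaks no real credential.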

Additionally, screens continuously track which AI applications are in use at the conference, allowing analysts to determine if unlicensed or potentially harmful models are in operation. Such vigilance is crucial to maintaining the integrity of the network throughout the event. AI technologies are increasingly integrated to enhance the SOC’s efficiency, evidenced by the low escalation rate of alerts—a testament to the effectiveness of automated processes and initial tier analysis.

The SOC in a box, a government initiative to enhance security at major events, has been operational at numerous high-profile gatherings. Its recent itinerary has taken it from the NFL Super Bowl in February through various international events to RSAC, and it is set to protect the network during the NFL Draft in Pittsburgh in April.

As technological advancements continue, the SOC will evolve. For future events, such as the 2028 Summer Olympics in Los Angeles, plans are underway to incorporate even more sophisticated AI capabilities, demonstrating an ongoing commitment to improving security measures in a rapidly changing digital landscape.

Through dedicated teamwork and cutting-edge technology, the SOC at RSAC exemplifies the rigorous protective measures necessary to safeguard the communications and data exchanges underpinning modern cybersecurity discourse.
