Cisco and Endace Reveal Shocking Findings from RSAC 2025 Security Operations Center

Introduction

At the RSAC 2025 Conference in San Francisco, Cisco and Endace once again teamed up to run the Security Operations Center (SOC), turning the event’s wireless network into a living laboratory for cybersecurity research. For nearly a decade, this SOC has been more than just a monitoring hub — it has served as a live demonstration of how attackers exploit open, unsecured networks and how defenders can respond with cutting-edge tools. This year’s Findings Report, unveiled at the Moscone Center, highlights real-world insights from thousands of connections made by attendees and provides a behind-the-scenes look at the battle between security engineers and potential threats.

Key Highlights from the Findings Report

The SOC at RSAC 2025 showcased how Cisco and Endace blended advanced threat detection with real-time packet capture to secure one of the busiest conference networks in the world. Their joint report captures the lessons learned, the attacks observed, and the technologies that helped mitigate risks.

The infrastructure relied on EndaceProbe, a packet capture platform capable of recording all network traffic. Integrated with Cisco’s suite of security tools, it enabled SOC analysts to investigate anomalies with pinpoint accuracy. Cisco’s Security Cloud, fortified by the Breach Protection Suite, User Protection Suite, and Secure Firewall, played a central role in defending the SOC’s infrastructure. On top of that, Cisco Identity Intelligence and AI Defense were deployed to spot and block suspicious behavior at scale.

Threat intelligence came from Cisco Talos, enriched with community data and third-party sources such as alphaMountain and Pulsedive. Endace’s system not only recorded packets but also generated metadata like Zeek logs and NetFlow, feeding them into Cisco Secure Network Analytics (SNA) and Splunk. This combination gave the SOC the ability to reconstruct files, sandbox malware, and conduct deep behavioral analysis using Cisco Secure Malware Analytics and Splunk Attack Analyzer.

Integration was another highlight. Endace worked seamlessly with Splunk Enterprise Security, Cisco XDR, Secure Network Analytics, and Secure Firewall, streamlining investigations. Packet-level data provided SOC engineers with visibility before, during, and after alerts, helping them track lateral movement, hunt for Indicators of Compromise (IOCs), and identify potential command-and-control (C2) activity. Importantly, no decryption of data was performed, ensuring user privacy while still enabling effective detection.
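The pipeline described above, packet capture producing Zeek metadata that analysts then search for IOCs and C2 patterns, can be illustrated without any packet payload at all. The following is an added example, not code from the report, Cisco or Endace: it parses a Zeek `conn.log` excerpt (the TSV layout with a `#fields` header is Zeek's real convention, but the log lines themselves are constructed for this example and not from the RSAC network), matches destination addresses against a placeholder IOC list, and flags source/destination pairs whose connection timing is regular enough to look like a scheduled check-in. The `min_conns` and `max_cv` thresholds are illustrative assumptions, not values from the report.

```python
"""Hunt for IOC hits and C2-style beaconing in Zeek conn.log metadata.

Everything here works on connection metadata only (timestamps, addresses,
ports, byte counts), so it needs no decrypted payload. Sample log lines and
the IOC list are constructed for this example and are not real intel.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek conn.log excerpt in Zeek's TSV format (#fields header names
# the columns). Trimmed to a subset of the default columns for readability.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount
1745000000.000\tCa1\t10.20.30.40\t51000\t203.0.113.7\t443\ttcp\tssl\t512\t1024
1745000060.100\tCa2\t10.20.30.40\t51001\t203.0.113.7\t443\ttcp\tssl\t512\t1024
1745000119.900\tCa3\t10.20.30.40\t51002\t203.0.113.7\t443\ttcp\tssl\t512\t1024
1745000180.050\tCa4\t10.20.30.40\t51003\t203.0.113.7\t443\ttcp\tssl\t512\t1024
1745000240.000\tCa5\t10.20.30.40\t51004\t203.0.113.7\t443\ttcp\tssl\t512\t1024
1745000003.000\tCb1\t10.20.30.41\t52000\t198.51.100.9\t80\ttcp\thttp\t300\t9000
1745000150.000\tCb2\t10.20.30.41\t52001\t198.51.100.9\t80\ttcp\thttp\t300\t7000
1745000900.000\tCb3\t10.20.30.41\t52002\t198.51.100.9\t80\ttcp\thttp\t300\t8000
1745000010.000\tCc1\t10.20.30.42\t53000\t192.0.2.66\t8443\ttcp\t-\t100\t0
"""

# Placeholder IOC list (constructed); a real SOC would load these from a
# threat-intelligence feed such as the ones the report names.
IOC_IPS = {"192.0.2.66"}


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other Zeek header/footer lines (#separator, #types, #close)
        if fields is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])  # Zeek 'time' is epoch seconds
        records.append(rec)
    return records


def ioc_hits(records, ioc_ips):
    """Return connections whose responder address is on the IOC list."""
    return [r for r in records if r["id.resp_h"] in ioc_ips]


def find_beacons(records, min_conns=4, max_cv=0.1):
    """Flag (orig, resp, port) tuples whose inter-connection gaps are near-constant.

    A coefficient of variation (stdev / mean of the gaps) close to zero means
    the client reconnects on a fixed timer, the classic C2 check-in shape.
    Thresholds are illustrative assumptions, not values from the report.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])

    beacons = []
    for (orig_h, resp_h, resp_p), times in groups.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                            "connections": len(times),
                            "interval_s": round(m, 1), "cv": round(cv, 3)})
    return beacons


def hunt(text, ioc_ips=IOC_IPS):
    """Run both checks over one conn.log and return the findings."""
    records = parse_zeek_tsv(text)
    return {"ioc_hits": ioc_hits(records, ioc_ips), "beacons": find_beacons(records)}


if __name__ == "__main__":
    findings = hunt(SAMPLE_CONN_LOG)
    for r in findings["ioc_hits"]:
        print(f"IOC hit: {r['uid']} {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']}")
    for b in findings["beacons"]:
        print(f"Beacon candidate: {b['orig_h']} -> {b['resp_h']}:{b['resp_p']} "
              f"every ~{b['interval_s']}s over {b['connections']} connections (cv={b['cv']})")
```

On the constructed sample, the 10.20.30.42 host hits the IOC list directly, while 10.20.30.40 is flagged for connecting to 203.0.113.7:443 roughly every 60 seconds; the 10.20.30.41 host, with only three irregular connections, is not. Both findings rest on Zeek metadata alone, which is the point the report makes about detection without decryption: the next step for an analyst would be pulling the matching packets from the capture store to confirm or dismiss each candidate.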

The report dives into crucial areas, including network statistics, SOC technology, intrusion detection, secure access, and threat hunting techniques. A section titled Tales of Insecurity shared real-world scenarios that occurred on the event’s open network, underlining why education and visibility remain vital.

Attendees could also tour the SOC in person, experiencing firsthand how security teams operate under pressure in a live-fire environment. The Findings Report closes with acknowledgments to the engineers and organizations who supported the SOC, while also inviting readers to download the full report and prepare for the next edition of RSAC in March 2026.

What Undercode Says:

The SOC at RSAC 2025 is not just a technical showcase; it is a microcosm of the cybersecurity challenges organizations face every day. The collaboration between Cisco and Endace demonstrates the growing importance of visibility and integration in modern defense strategies. Here are the deeper takeaways:

First, packet capture remains the cornerstone of forensic investigation. While many enterprises rely on alerts and logs, full packet data ensures nothing is missed. Endace’s approach allowed analysts to reconstruct attacks, correlate metadata, and verify suspicions. In corporate settings, this kind of capability can drastically reduce mean time to detect (MTTD) and mean time to respond (MTTR).

Second, integration across platforms is no longer optional. By embedding packet data directly into tools like Splunk and Cisco XDR, SOC engineers reduced the cognitive load of switching between dashboards. This reflects a broader industry trend toward extended detection and response (XDR) ecosystems, where multiple technologies share intelligence and context.

Third, AI-driven defense and identity intelligence represent the next leap in SOC maturity. Cisco’s AI Defense was able to flag unusual patterns in authentication and traffic, augmenting human decision-making. As attackers increasingly use AI to craft polymorphic malware and evasive techniques, defensive AI will be critical.

Another vital insight is the importance of community-driven intelligence. The inclusion of threat data from open sources like Pulsedive highlights how collaboration across organizations and industries strengthens defense. In real-world enterprise environments, no company can survive in isolation; intelligence sharing is key to combating global threat actors.

The Findings Report also underscores a delicate balance between privacy and security. By choosing not to decrypt traffic, the SOC respected user confidentiality while still gathering actionable telemetry. This approach aligns with evolving regulations and ethical standards, proving that security does not always have to come at the cost of privacy.

From a business perspective, the SOC serves as a live marketing stage for Cisco and Endace, showcasing the value of their products in the toughest conditions. Yet, beyond the commercial angle, the initiative builds trust with the wider cybersecurity community by being transparent about incidents, methods, and outcomes.

Finally, the RSAC SOC highlights the future of education in cybersecurity. Tours and live demos transform abstract security principles into tangible experiences for attendees. This educational angle may be just as important as the technology itself because it fosters a new generation of professionals who understand both the theory and practice of defense.

In conclusion, the RSAC 2025 SOC Findings Report is not just a summary of threats observed during a conference. It is a roadmap for how modern SOCs should operate — with deep visibility, seamless integrations, AI augmentation, community intelligence, and a respect for user privacy. Organizations that adopt these principles will be better equipped to face tomorrow’s cyber threats.

🔍 Fact Checker Results

✅ Cisco and Endace did release the SOC 2025 Findings Report at RSAC.
✅ EndaceProbe and Cisco Security Cloud were deployed with full integration.
✅ No decryption of attendee traffic was performed, protecting privacy.

📊 Prediction

As conferences and large-scale events become even bigger targets for attackers, future SOCs will likely rely more heavily on autonomous AI-driven detection systems that act in real time without waiting for human input. By RSAC 2026, we can expect to see predictive threat modeling, where SOCs anticipate attacks before they occur, blending global intelligence feeds with machine learning models. This shift could mark the beginning of a new era in live cyber defense.


References:

Reported By: blogs.cisco.com