By Dr Stephen Donnelly, Chief Technical Officer, Endace
Cisco Live AMER is a huge event, attracting more than 20,000 attendees to see the latest products, technology, and innovations from Cisco and its partners. In 2026, Cisco Live AMER had a dedicated SOC for the second time, out on the main show floor for everyone to see. The SOC mission is threefold:
- To Protect: The primary goal of the SOC is to protect attendees, partners, and staff using the Cisco Live network from threats from outside or within the network
- To Educate: The SOC educates attendees about modern Agentic SOC operation, current threats, and best practices. Over a dozen new analysts were trained in the SOC, empowered by agentic workflows.
- To Innovate: The live environment is an opportunity to pressure test how Cisco Security, Splunk Security, and Endace can work together in a next-generation SOC where AI assists, evidence grounds the decision, and humans remain in control
Endace (a Cisco Solutions Plus Partner) was invited to collaborate in the SOC again this year.
We have a great relationship with the SOC team and have assisted at multiple events by providing our always-on full packet capture capability. Capturing all the network traffic at the event not only provides incontrovertible evidence to confirm incident investigations but allows SOC analysts to ‘zoom out’ from a single alert to see the full context of the event.
Visibility of the network activity before and after an incident helps determine the attack chain, and any indications of compromise, such as malware downloads, C2 beaconing, reconnaissance, or lateral movement. A complete record of traffic for the event also enables systematic threat hunting, as well as providing the ability to help train AI on real-world traffic for the Agentic SOC.

Endace’s Always-On Packet Capture
To capture all the traffic at the event, Endace supplied two EndaceProbe appliances for use in Cisco’s ‘SOC-in-a-Box’. Each capture appliance features 100 Gigabit Ethernet capture interfaces and NVMe storage, capable of sustained capture at 100Gbps. Each appliance also supports multiple virtual machines which have access to the live captured data in real-time and can host analytics tools. An Endace InvestigationManager VM provides federated search across both appliances, with integrations for Cisco XDR and Splunk, and an MCP server for AI agents.
As incidents are raised in XDR or Splunk Enterprise Security, they are automatically enriched with links to the Endace InvestigationManager. These links allow AI agents and SOC Analysts to easily access full PCAP captures for the related traffic, or pivot to wider searches as needed.

How much is enough?
At 2025 Cisco Live AMER in San Diego, the EndaceProbes captured a total of 78.9TB of network data during the whole event: a record volume of traffic at the time. We expected 2026 to be even bigger, so we configured 160TB of packet storage across the two appliances.
Full packet capture started as soon as the SOC was stood up on the Friday before the show, capturing the network traffic as the show floor and booths were constructed. By the end of the second full day of Cisco Live we had already captured 100TB, and it was looking like our 160TB allocation might be insufficient. This would have meant overwriting traffic captured at the start of the event, so we reconfigured the storage to increase the total packet storage to 192TB. Metadata and search indexes are on top of this figure, allowing retrieval of any captured flow in seconds.
By the end of the show, the EndaceProbe appliances had captured more than 200 billion packets, consuming 199TB of storage, without dropping any packets from the SPAN or overwriting any data since the start of the event. How was that possible with only 192TB of storage configured?
The EndaceProbe appliances support hardware compression of packet data prior to storage. Of the 199TB of traffic collected, 37% was unencrypted, which compresses well. The overall compression ratio for the packet data was 1.25:1, so our 199TB of traffic consumed only about 159TB of storage space. Our original 160TB configuration was pretty close after all!

Why was so much traffic unencrypted, isn’t it a security risk? In some cases yes, the SOC detected 685 unique accounts exposing login credentials in the clear, mostly because of misconfigured email clients using SMTP, IMAP, and POP3 without encryption. The SOC even automated a playbook to contact affected users and warn them of their exposure, inviting them to the SOC for a demonstration and help with remediation.
A surprising amount of traffic still uses unencrypted http. This is commonly used for downloading unencrypted (but signed) software update packages such as Microsoft .cab and Android .apk files, plus EDR rule updates etc. The contents of these files are freely available and frequently cached so transport encryption is not necessary, provided package signatures are verified to confirm authenticity.
The Cisco Live SPAN was configured to capture not only the attendee WiFi network, but also a large amount of infrastructure traffic including CiscoTV, one of the largest users of the network. Some of that traffic was also unencrypted, such as syslog data from IDS appliances. This also contributed to the relatively high percentage of unencrypted traffic seen.
Packet Loss
If the EndaceProbe appliances captured all the traffic from the SPAN without drops and did not overwrite any data, did we get everything? Looking at the bandwidth arriving on the 10GE SPAN port the traffic was reaching 10Gbps early in the day, suggesting the SPAN may be saturated and dropping. Without access to the SPAN port statistics this can be difficult to quantify, but one approach is to look at the sequence numbers seen in TCP flows.

When a TCP flow encounters packet loss in the network, a retransmission will occur to fill in the missing data. When this flow is captured by analysis tools they may or may not see the initial lost packet, but they can see the retransmission and infer the loss. Conversely, if the analysis tools see many TCP flows with missing segments but no retransmissions, this can indicate multi-path routing (not applicable at Cisco Live), or packet loss at the SPAN port.
Examining these indicators showed estimated packet loss exceeding 30% during peak times, or around 13-14Gbps of traffic. This could be easily solved in future by upgrading the SPAN port to 25G or 40G Ethernet, a definite learning opportunity.
File Reconstruction
The EndaceProbe appliances also extracted files from unencrypted connections. Over Cisco Live Americas 2026 a total of 2,392,180 files were extracted. These files were filtered by type and deduplicated, with 23,368 submitted to Splunk Attack Analyzer and 5,427 to Cisco Secure Malware Analytics for deeper inspection.
Examining the rate of file extraction over time, we noticed it did not follow the overall bandwidth curve. This is counterintuitive, as more files should be transferred and extracted as the network bandwidth increases during the day.
This anomaly may be caused by the SPAN being overloaded and dropping packets before they reached the EndaceProbes. Files cannot be successfully reconstructed and extracted when packets are lost, and a packet loss rate exceeding 10% implies that most file transfers would have at least one packet missing. With a higher bandwidth SPAN to the SOC we are confident the file extraction counts would have been significantly higher.
Conclusion
Never underestimate Cisco Live! We will be back next year with a faster SPAN and more storage to support the SOC in 2027 (and at Cisco Live APCJ in Melbourne this November), helping protect, educate, and innovate. Hope to see you there!
Acknowledgements
Our thanks go to the Cisco SOC team, led by Jessica Oppenheimer and Ivan Berlinson, for the opportunity to integrate EndaceProbes with the Cisco Live Agentic SOC architecture.
The SOC team is a collection of Cisco and Splunk experts across many domains who were a pleasure to work and innovate with, and we came away with a great appreciation for the power of the Cisco Security and Splunk tools.
The Endace and Cisco teams were able to prove out integration innovations and test them in earnest in a real-world environment in preparation for making them generally available to the market.
More from Endace, Splunk and Cisco in the SOC series
Read more from Endace about the Cisco Live USA 2026 SOC:
Read related Cisco Team Blogs from the Cisco Live USA 2026 SOC:
https://blogs.cisco.com/security/clamer-soc-2026
For more Endace blogs in our SOC series, see here:
https://blog.endace.com/tag/soc/
Event SOC Website
Visit Cisco’s Event SOC website for full details of the SOC setup, and download the whitepaper written by Jessica Oppenheimer:
https://www.cisco.com/site/us/en/products/security/event-soc-report.html


















