NEW BLOG
Cisco Live 2026: How Cisco Assurance is Turning AgenticOps into Trusted Outcomes
READ BLOG →
Login
AMERICAS
EUROPE
ASIA
Platform
Solutions
Industries
Demo
Start Free Trial

Events

Scaling the High-Stakes Edge: Cisco ThousandEyes at Black Hat Asia 2026

By Suman Das
| | 16 min read

Summary

Explore how Cisco ThousandEyes deployed its next-generation sensor fleet at Black Hat Asia 2026, delivering real-time network visibility across the venue: catching DNS Latency issues, network congestions, and bringing new agentic integrations to keep the NOC one step ahead throughout the event.

The energy at the Marina Bay Sands Expo and Convention Centre is always electric, but at Black Hat Asia, the air carries a specific kind of tension. When you gather thousands of the world’s most sophisticated security researchers, hackers, and practitioners under one roof, the network isn’t just infrastructure; it’s the primary target. Attendees actively probe, scan, and stress-test the infrastructure—not maliciously, but as a matter of professional instinct.

For the 2026 event, the Black Hat Network Operations Center (NOC) faced a challenge that follows directly from that reality: keeping every connection visible and every anomaly attributable, in real time, across an entire conference venue.

The Evolution of the 2026 Deployment

Building on the success of 2025, where we transitioned to Orange Pi hardware for our Enterprise Agents, 2026 marked a move toward even more distributed and resilient intelligence. This year, our focus shifted from simply knowing whether something was up or down, to understanding why, where, and—critically—what to do about it. By integrating ThousandEyes telemetry directly into the NOC’s core communication and automation workflows, we helped reduce the time from initial alert to meaningful diagnosis to seconds. This tighter loop between detection, context, and response proved critical in an environment where network conditions changed constantly, and visibility gaps could not be tolerated.

This post walks through what we built, what we observed, and how ThousandEyes helped the team navigate a week of demanding network conditions with clarity and speed.

Infrastructure

As in previous years, the Black Hat event runs in two distinct phases that drive different monitoring strategies:

  • Training days require per-room SSID monitoring. Each training room operates on its own network segment, and issues in one room must be isolated without affecting the visibility picture for adjacent rooms.

  • Conference days consolidate onto a single conference-wide SSID, shifting the focus toward aggregate performance, roaming behaviour, and upstream connectivity.

For Black Hat Asia 2026, we fielded a fleet of 25 ThousandEyes Enterprise agents distributed across the venue. ThousandEyes Enterprise Agents are software‑based sensors running on small‑form‑factor hardware that execute active probes and collect point‑in‑time network and application telemetry.

The deployment used 25 Orange Pi 5 devices, with a mix of Wi-Fi 6 (802.11ax) and Wi‑Fi 7 (802.11be) adapters, each provisioned with 256 GB of local storage—enough to support extended test cycles and buffer telemetry locally if connectivity to the platform was interrupted.

ThousandEyes agent kit prepared for Black Hat Asia 2026.
Figure 1: ThousandEyes agent kit prepared for Black Hat Asia 2026. 

Agent Setup and Automation

Getting these agents configured, named, and connected across a venue the size of Marina Bay Sands before the first training session begins is not a trivial exercise. Our approach leaned heavily on automation.

Rather than manually configuring 25 devices during a compressed setup window, we used an automation script to push the correct Wi-Fi credentials to most of the agents remotely in a single operation, reducing a process that could have taken hours to one that took minutes and significantly reduced the risk of per-device configuration errors.

Once training days concluded, the same script was used to push the conference-wide SSID configuration, rolling the entire fleet over in a single operation.

Team staging ThousandEyes agents before venue deployment.
Figure 2: Team staging ThousandEyes agents before venue deployment. 

Monitoring Coverage

Our test suite was designed to cover the full stack—from the Wi-Fi experience in each room all the way across the Internet; so that the NOC could confidently attribute any observed issue to the right layer without guessing.

The goal wasn’t to control the network; it was to understand how the network was behaving in real time. This distinction is powerful.

Monitoring and Visibility During the Event

Throughout the event, the NOC relied on a combination of active testing, passive monitoring, and platform‑level insights to maintain visibility across the venue and its upstream dependencies.

  1. Active Network and Application Tests: The following active tests continuously generated real-time telemetry from each ThousandEyes Enterprise agent:

    • Internal throughput tests: A 50 MB download test from each agent, used as a per-room signal for Wi-Fi and SSID health.

    • HTTP and DNS availability tests: Probes targeting Cisco Umbrella (the DNS security service used to filter and monitor web traffic at the event) testing both the internal DNS resolver and external Internet reachability.

    • Bidirectional Network tests to public cloud providers: Network tests between venue agents and AWS, Azure, and Google Cloud, reflecting the cloud platform performance. These are most heavily used by training labs and conference demos.

  2. Passive Routing Visibility

    • In addition to active testing, we monitored changes in how Internet traffic was routed to and from the venue, watching for upstream path shifts that could impact performance or availability before issues became visible to users.

  3. Regional and Ecosystem Context

    • Finally, Internet Insights provided macro‑level visibility into network and application disruptions affecting key SaaS providers, ISPs, and DNS services across the region. While not a test itself, this view added critical external context that the venue’s own measurements could not capture.

Black Hat NOC team monitoring event infrastructure.
Figure 3: Black Hat NOC team monitoring event infrastructure. 

Incidents and Observations

A Quiet Registration Desk That Wasn't

In the early hours of the second conference day—well before staff arrived on site—ThousandEyes had already flagged a problem at the registration zone. When we reviewed the overnight telemetry that morning, the cause had already been characterized. On the surface, everything looked fine.

But ThousandEyes was already telling a different story:

ThousandEyes detects registration-zone latency spikes.
Figure 4: ThousandEyes detects registration-zone latency spikes. 

While the wired sensor showed no issues, the wireless agent stationed near the main registration zone flagged elevated network latency and intermittent high HTTP response times against the badge application endpoint. The anomaly was subtle, but the telemetry was clear: something was degrading the wireless path.

On-site inspection revealed that the dual antennas of the wireless sensor had shifted from their intended vertical orientation and were lying horizontally, resting directly against the aluminium structural extrusion of the registration desk framing. This unintended contact with a dense, conductive metallic surface had resulted in antenna detuning: the metallic surface disrupted the antenna's ability to radiate signal cleanly, degrading the connection quality between the sensor and the access point. Weaker signal means more retransmissions, and retransmissions are exactly what elevated latency and HTTP response time variability look like in the telemetry.

Misplaced antenna causing wireless signal degradation.
Figure 5: Misplaced antenna causing wireless signal degradation. 

The antennas were repositioned within minutes. The wireless telemetry returned to baseline almost immediately, with HTTP response times and jitter realigning with the wired agent's readings.

The Common Sync: When Three Clouds Blinked at Once

Unrelated to the registration desk issue, and on a different day of the event, the monitoring picked up something that took a moment to make sense of—a synchronized packet loss event hitting AWS, Azure, and GCP's Singapore regions simultaneously. The precision of the timing—down to the same two-minute window—provided a textbook example of how multi-cloud observability can rapidly isolate a fault domain to shared local congestion rather than any individual cloud provider.

What the Timing Revealed: Temporal Correlation

The most telling signal wasn't the magnitude of the loss—it was synchronicity. All three ThousandEyes data show the red loss spike originating in the same 01:48 GMT+1 bucket, with matching ramp-up and decay curves—meaning the loss didn't just start simultaneously; it built and cleared at the same rate across all three providers, a pattern that would be statistically implausible if the causes were independent.

AWS Asia test showing synchronized packet loss. Apr 24 01:48-01:50 GMT+1: note the spike starting in the same window as Azure and GCP.

Figure 6: AWS Asia test showing synchronized packet loss. 

Apr 24 01:48-01:50 GMT+1: note the spike starting in the same window as Azure and GCP. 

Azure Asia test showing the same loss window. Apr 24 01:48-01:50 GMT+1: the spike rises and clears in step with AWS and GCP.

Figure 7: Azure Asia test showing the same loss window. 

Apr 24 01:48-01:50 GMT+1: the spike rises and clears in step with AWS and GCP. 

GCP Asia test confirming shared packet loss timing. Apr 24 01:48-01:50 GMT+1: the matching spike and decay curve confirms synchronized impact.

Figure 8: GCP Asia test confirming shared packet loss timing. 

Apr 24 01:48-01:50 GMT+1: the matching spike and decay curve confirms synchronized impact. 

Think of it this way: if the problem were inside AWS, only AWS would show it. The fact that all three failed together means that the cause of the failure must be something they all share: the path from the venue to the Internet, not inside any provider's network. That immediately ruled out cloud-specific causes and pointed directly at the venue's own network or its first-hop connection to the Internet.

The congestion cleared on its own before it was ever formally escalated. Measured in impact, it was a minor blip—a handful of minutes, single-digit aggregate loss; no tickets were raised. Measured in insight, it was anything but minor. This is the quiet power of multi-cloud observability: it turns three separate mysteries into one clear answer, often before anyone needs to ask the question.

The Slack Bot - ThousandEyes MCP Integration

One of the more notable operational changes at Black Hat Asia 2026 was how the NOC team queried ThousandEyes data during live incidents. Previously, the flow was passive: ThousandEyes pushed the alerts and engineers had to context-switch to the UI to investigate. This year, we tried closing that gap by testing a Slack Bot backed by the ThousandEyes MCP (Model Context Protocol) server, powered by a locally hosted LLM model.

Why Local?

The ThousandEyes MCP server processes detailed operational telemetry: agent configurations, path visualizations, BGP paths, SSID details, and live network data that collectively provide a comprehensive view of the venue's infrastructure. Running the model locally contained all inference within the NOC's infrastructure boundary—network topology, test configurations, and telemetry data never left the controlled perimeter.

Slack bot querying active ThousandEyes tests.
Figure 9: Slack bot querying active ThousandEyes tests. 

Local MCP-powered Slack workflow in action.
Figure 10: Local MCP-powered Slack workflow in action. 

From Dashboards to Conversational Observability

While this Slack Bot integration was tested as a controlled capability rather than a scaled production workflow, it showed an important direction for AI-assisted network observability. By combining ThousandEyes telemetry, MCP-based tool access, and an approved LLM runtime, engineers could query operational data in natural language from the same chat tool where incident coordination was already happening.

Instead of switching between team messaging apps, dashboards, test views, path visualizations, and API outputs, the NOC could ask questions such as “which tests are failing?”, “which agents are affected?”, or “summarize the latest packet loss across cloud providers” and receive a contextual response directly in the conversation. The LLM becomes an interface layer that translates intent into the right observability query, retrieves the relevant telemetry, and summarizes the evidence for human review.

The broader implication is clear: as LLM tools mature and integrate safely with observability platforms, network operations can move toward a future where insight is available where teams already collaborate. Dashboards and detailed views remain essential, but the first layer of diagnosis can happen inside a chat workflow, reducing context switching and helping teams move from alert to understanding much faster.

ThousandEyes dashboard for event-wide visibility.
Figure 11: ThousandEyes dashboard for event-wide visibility. 

Application and cloud health dashboard view.
Figure 12: Application and cloud health dashboard view. 

Cisco team supporting Black Hat Asia 2026.
Figure 13: Cisco team supporting Black Hat Asia 2026. 

About Black Hat

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through briefing presentations, training courses, summits, and more. Black Hat is an event series where all career levels and academic disciplines convene to collaborate and network, with events held in the United States, Canada, Europe, the Middle East and Africa, and Asia. For more information, please visit BlackHat.com.

Looking Ahead

As Black Hat Asia 2026 wraps up, the lesson is clear: in an era of hyper-connectivity, visibility is essential to stay ahead of the chaos. Whether it’s managing automated bot integrations or troubleshooting high-density wireless congestion, having a clear view of critical network paths help ensure the NOC stays in control.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Published On

Author Portrait:Suman Das
Suman Das
Implementation Engineer
Categories:
Events
Topics:
Alerts Enterprise Agent Integrations Network Monitoring
Share This!
  Back to ThousandEyes Blog

related blogs

Blog Thumbnail: Assuring the First Mile: How Wireless Active Testing Powered Cisco Live Amsterdam 2026
Assuring the First Mile: How Wireless Active Testing Powered Cisco Live Amsterdam 2026
Cisco Live Amsterdam is always a whirlwind of innovation, but the 2026 event at the RAI Amsterdam reached a new level of complexity. With over 20,000 attendees, hundreds of live demos in the World of Solutions, and a massive surge in AI-driven mobile applications, the pressure on the event’s Wi-Fi infrastructure was a constant reality. At Cisco Live, the network is always under the spotlight and simply must perform. This is a standard requirement, with the bar rising year after year as attendees demand a flawless experience on a network designed by the industry’s leading vendor and the best engineers in the field.
By Federico Lovison, Mike Hicks, Hatam Shukur 01 Apr 2026
Cisco Live Endpoint Agent Enterprise Networks Network Monitoring
Blog Thumbnail: Many Eyes on Black Hat Europe: How ThousandEyes Delivered Full-venue Visibility
Many Eyes on Black Hat Europe: How ThousandEyes Delivered Full-venue Visibility
Explore the innovative uses of Cisco ThousandEyes at Black Hat Europe 2025, where real-time data, visual dashboards, and integrations enabled rapid incident resolution and optimized the overall network experience.
By Roberto D'Amato, Susheela Francis 13 Feb 2026
Enterprise Networks Network Monitoring
Blog Thumbnail: ThousandEyes and the Black Hat USA 2025 Experience: A Network Perspective
ThousandEyes and the Black Hat USA 2025 Experience: A Network Perspective
Explore the innovative uses of Cisco ThousandEyes at Black Hat USA 2025, where real-time data, automated alerts, and integrations enabled rapid incident resolution and optimized the overall network experience.
By Mauro Caballero, Daniel Gaona Campos 11 Dec 2025
Alerts Enterprise Agent Integrations Network Monitoring
Blog Thumbnail: How ThousandEyes Became a Black Hat NOC Essential
How ThousandEyes Became a Black Hat NOC Essential
Learn how ThousandEyes boosts NOC visibility and enables seamless connectivity, solving network issues for an exceptional Black Hat attendee experience.
By Shimei Cridlig 20 May 2025
End-user Experience Network Monitoring Security
Blog Thumbnail: ThousandEyes Charms the Audience at Networking Field Day 12
ThousandEyes Charms the Audience at Networking Field Day 12
On August 12th, 2016 ThousandEyes dazzled the geek squad at Networking Field Day 12 in Santa Clara, California. ThousandEyes was one of the nine companies presenting at the three day event to a curated group of well known network industry experts and thought leaders including Ethan Banks of Packet Pushers, Justin Cohen and Brandon Mangold. Check out the delegates’ reaction to ThousandEyes and NFD12.
By Archana Kesavan 16 Aug 2016
Blog Thumbnail: Monitoring the Remote Workforce with Endpoint Agents at AIM Specialty Health
Monitoring the Remote Workforce with Endpoint Agents at AIM Specialty Health
Yesterday we launched a brand new product and our newest innovation, the Endpoint Agent. Extending the periphery of network intelligence all the way to the end user, the Endpoint Agent provides real user perspective on critical applications and the impact of the underlying network on application performance.
By Archana Kesavan 11 Aug 2016
Blog Thumbnail: Six ThousandEyes Sessions You Can’t Miss at Cisco Live 2024
Six ThousandEyes Sessions You Can’t Miss at Cisco Live 2024
Don’t miss these ThousandEyes sessions at Cisco Live 2024, covering strategies for proactive network and application monitoring, BGP, last-mile visibility, and more.
By Mike Hicks 28 May 2024
Cisco Live
Blog Thumbnail: Optimizing WAN to Deliver SharePoint Online Globally
Optimizing WAN to Deliver SharePoint Online Globally
In this post from ThousandEyes Connect New York, we’ll summarize the talk by Scot Clark, Enterprise Infrastructure Solutions Manager at a Forbes Top 150 multinational consumer goods company. During his talk, Scot described how his company’s WAN has evolved, as well as the business’ continuing migration to the cloud.
By Young Xu 16 Dec 2016

Upgrade your browser to view our website properly.

Please download the latest version of Chrome, Firefox or Microsoft Edge.

More detail

Subscribe to the ThousandEyes Blog

Stay connected with blog updates and outage reports delivered while they're still fresh.
Join Blog Community Keep Reading