Many Eyes on Black Hat Europe: How ThousandEyes Delivered Full-venue Visibility

Inside the Black Hat Europe NOC with ThousandEyes Enterprise and Endpoint Agents

At an event like Black Hat Europe, the network is part of the experience. Thousands of attendees move constantly between briefings, trainings, registration desks, and the business hall, creating a highly dynamic environment where network conditions can change within minutes.

For the second year in a row, ThousandEyes was deployed inside the Black Hat Europe Network Operations Center (NOC) to provide real-time visibility across the venue. The role of ThousandEyes was not to control or configure the network, but to observe it end to end, giving the NOC a clear and continuous understanding of what was happening across the conference at any given moment.

Visibility Where It Matters

The Black Hat network is never static. Traffic patterns shift throughout the day, Wi-Fi clients roam aggressively between access points, and demand can spike suddenly when large sessions end.

To observe this behavior, ThousandEyes Enterprise Agents and Endpoint Agents were deployed across key areas of the venue. This allowed the NOC to monitor wireless performance, internal network paths, internet connectivity, and access to external services commonly used by attendees. Rather than looking at individual components in isolation, the NOC/SOC could monitor in real time the user experience from the different rooms and venue areas.

Dedicated dashboards inside the NOC presented this information in near real time. Latency, packet loss, DNS behavior, and routing changes were visible minute by minute, providing a reliable picture of network conditions across the venue.

Entrance of the Black Hat NOC/SOC and public facing dashboards — Figure 1. Black Hat NOC/SOC Entrance

Detail of the dashboard wall inside the NOC/SOC — Figure 2. Dashboard wall inside the NOC/SOC

Why Our Agents Were Called “Precog”

All ThousandEyes agents deployed for the event were intentionally named “Precog,” inspired by the movie Minority Report, where precogs can sense events before they happen.

Precog Sensors based on Raspberry Pi during the configuration — Figure 3. Precog Sensors under configuration

While the name was attached to the agents, the true “precognitive” capability lives in the ThousandEyes platform itself. Agents simply collect point-in-time observations about network and application behavior each time a probe is executed. It is the ThousandEyes platform, through its analytics, correlation, and rich visualizations, that turns this raw telemetry into historical context, trend analysis, and early signals of emerging issues.

In other words, the agents provide the eyes, but the platform provides the foresight.

The “Precog” sensors were positioned across the venue and placed strategically to spot possible network degradation and Wi-Fi issues:

Strategic placement of the Precog sensors — Figure 4. Precog Sensors strategic placement

Seeing the Conference Through the Network

Throughout the week, ThousandEyes made attendee behavior visible through network signals.

When briefings ended, roaming activity increased across multiple areas of the venue. Authentication and DNS traffic rose sharply during these transitions. Latency and packet loss patterns closely followed where large groups of people were physically gathering.

This visibility did not always mean immediate remediation was possible. However, it removed uncertainty. The NOC could see when a change started, how widespread it was, and whether conditions were improving or deteriorating over time.

What We Were Monitoring

To support this level of insight, several key dashboards were continuously monitored inside the NOC.

Room Bandwidth Utilization and Application Response Time

This dashboard showed real-time bandwidth consumption per room and area of the venue. It made crowd movement immediately visible, especially during session changes and peak hours.

Dashboard Widget details – room throughput — Figure 5. Room throughput dashboard

Public Cloud Provider Status Pages

Leveraging ThousandEyes automated interaction, we continuously inspected the major Cloud Provider Status Pages to spot any failure or outage as reported by the providers themselves:

Dashboard widget details – Public Cloud, Status Page monitoring — Figure 6. Public Cloud – Status page monitoring

Public Cloud Access

Many trainings and demos relied on AWS, Azure, and other cloud services. This dashboard showed the quality of connectivity from the venue to major cloud providers, helping the NOC quickly understand whether issues were local or external.

Public Cloud Health and Global Internet Status

Thanks to globally distributed agents from ThousandEyes, the NOC also had visibility beyond the conference itself. Global internet conditions and widespread service disruptions were visible in real time, using data collected from thousands of observation points worldwide.

Dashboard widget details – Public Cloud health and availability — Figure 8. Public Cloud health and availability

Dashboard widget details – Public Cloud global latency — Figure 9. Public Cloud global latency

DNS and Umbrella Monitoring

Leveraging distributed DNS monitoring, the NOC gained real-time visibility into domain-resolution performance and failures across meeting rooms. DNS availability, response times, and possible resolution errors were continuously observed, enabling rapid identification of DNS-related issues impacting application and Internet access.

Dashboard widget details – DNS and Umbrella — Figure 10. Infrastructure monitoring – DNS and Umbrella

Spotting a Global Zoom Outage

During the conference, this global visibility proved valuable when a widespread outage affected Zoom and other applications. ThousandEyes clearly showed that the issue was not related to the Black Hat venue but that it was part of a broader Internet and service disruption.

Having this confirmation immediately available helped avoid unnecessary troubleshooting and allowed the NOC to communicate confidently about the nature of the issue.

Internet Insights – Global Internet Outages Monitoring — Figure 11. ThousandEyes Internet Insights – Global outages monitoring

Observing Congestion in the Business Hall

One moment midweek clearly demonstrated the value of end-to-end visibility.

As several briefings concluded at the same time, many attendees moved toward the business hall. ThousandEyes immediately showed packet loss increasing across specific wireless segments, rising latency on internal paths, and growing contention in shared areas of the venue network.

This was visible in real time, not inferred from user reports. While direct remediation was not always possible, the NOC had a precise understanding of what was happening, how long the congestion lasted, and when conditions began to recover. That clarity removed guesswork during a very busy operational window.

Dashboard widget details – application performance monitoring per area — Figure 12. Application performance – application delays per area

Proving Network Innocence

On Day One, an issue was reported from the registration desks. ThousandEyes helped prove network innocence, assisting in isolating the problem.

Dashboard widget details – application health monitoring per area — Figure 13. Application health - errors per area

Providing Context Inside the NOC

ThousandEyes acted as a shared source of context within the NOC. When other tools or teams observed anomalies, it helped answer basic but critical questions quickly. Was the behavior limited to one area or widespread? Was it inside the venue or upstream? Was it transient or persistent?

By grounding discussions in observable data, the platform helped align teams around a common understanding of network conditions, even when control over the infrastructure was limited.

What Attendees Experienced

From the attendee perspective, most of this activity remained invisible.

Connectivity across the venue was generally stable despite intense usage, frequent movement, and short-lived peaks. When performance fluctuated, the NOC understood why it was happening and could track its evolution in real time.

In a live event environment, that level of understanding is critical, even when not every issue can be actively resolved.

Looking Forward

Black Hat Europe continues to be a demanding and valuable environment for operational learning. Observing a high-density, temporary network at this level provides insights that carry forward into future events.

ThousandEyes will continue to support the Black Hat NOC by delivering accurate, end-to-end visibility, helping teams understand the network exactly as it behaves, minute by minute, throughout the conference.

Acknowledgments

Thank you to the Cisco NOC team:

Cisco Security: Jessica Oppenheimer, Ivan Berlinson, Paul Fidler, Piotr Jarzynka, Rob DeCooman, and Ryan Maclennan
Splunk: Tony Iaconbelli
ThousandEyes: Roberto D'Amato and Susheela Francis

Also, to the Black Hat NOC/SOC vendors Palo Alto Networks, Corelight, Arista Networks, and the entire Black Hat / Informa Tech staff (especially Michael Spicer, Grifter "Neil Wyler", Bart Stump, Steve Fink, James Pope, Jess Jung and Steve Oldenbourg).

About Black Hat

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.BlackHat.com.