How the RSAC 2026 SOC Secures High-Stakes Networks

Matilda Bailey is a veteran in the networking and security space, specializing in the complex intersections of wireless technology and next-generation infrastructure. Her experience with large-scale, high-density deployments makes her a leading voice in dissecting the machinery behind the RSAC 2026 Security Operations Center. In this conversation, we explore the technical and logistical feats required to protect 44,000 attendees at the Moscone Center, utilizing a portable “SOC in a box” that bridges the gap between massive data capture and real-time threat mitigation. We dive into the workflow of full packet capture, the automation of user notifications for credential leaks, and the critical role of AI in reducing the burden on human analysts.

How do you design a portable security infrastructure that can be fully operational in under four hours at major venues? What are the specific hardware and connectivity requirements needed to ensure seamless integration between the security operations center and the local network operations center?

Designing for speed requires a preconfigured “SOC in a box” architecture that can be rolled into a venue and plugged directly into the local network operations center. At the heart of this setup are two Cisco Unified Computing Systems equipped with embedded AI and GPUs, which provide the necessary local compute for virtualization and event services. To handle the massive north-south and east-west traffic, we deploy a pair of Cisco Secure Firewalls running in detection mode at the network edge to monitor activity without disrupting the user experience. This rapid deployment is only possible because the entire stack is designed to be mobile, having already protected high-profile environments like the Super Bowl in Santa Clara and major events in Amsterdam. By the time the machines begin their characteristic whirring behind the partitioned walls of the expo hall, the infrastructure is already feeding telemetry into a unified security stack, ensuring that the 44,000 attendees have a secure connection from the moment they join the Wi-Fi.

Managing 240 terabytes of storage to record every network packet during a massive event presents unique challenges. Could you walk through the workflow for investigating a specific incident and explain how full packet capture allows analysts to reconstruct events occurring before, during, and after a detection?

The power of having 240 terabytes of dedicated storage is that it allows for an “always-on” recording of every single packet from the start of the conference until the final booth is packed away. When a detection occurs, such as a firewall flagging a potential threat, analysts don’t just see a high-level alert; they can pivot directly into the raw network packets to see the granular details of the interaction. This workflow enables a team to determine if there was lateral movement across the Moscone Center network or if any sensitive data was successfully exfiltrated. By generating Zeek logs and metadata alongside the full packet capture, analysts can reconstruct the entire timeline of an incident to see what a malicious actor did before the security stack was even triggered. It provides a level of certainty that simple log files cannot match, allowing the team to hunt for zero-days and advanced threats that might otherwise slip through the noise of a busy public network.
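The pivot described above, from a detection into the Zeek metadata generated alongside the capture to see what a host did before, during and after the alert, can be sketched in code. The following is an added example, not the RSAC SOC's or Cisco's tooling: it assumes a Zeek conn.log with the standard field names, a constructed six-flow excerpt, a 10.20.0.0/16 attendee address range and a 10 MB per-flow outbound threshold for flagging possible exfiltration.

```python
"""Reconstruct a host's timeline from Zeek conn.log metadata around a detection.

Added example, not the RSAC SOC's own tooling. The conn.log excerpt below is
constructed; its columns follow Zeek's standard conn.log field names. The
attendee address range and the exfiltration byte threshold are assumptions.
"""
import ipaddress

# Constructed Zeek conn.log excerpt, tab-separated with a Zeek-style #fields header.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\torig_bytes\tresp_bytes\tconn_state\n"
    "1000.0\tC1\t10.20.5.7\t51000\t198.51.100.10\t443\ttcp\tssl\t1200\t8000\tSF\n"
    "1100.0\tC2\t10.20.5.7\t51001\t10.20.9.3\t445\ttcp\t-\t500\t300\tSF\n"
    "1150.0\tC3\t10.20.5.7\t51002\t10.20.9.4\t445\ttcp\t-\t500\t300\tREJ\n"
    "1200.0\tC4\t10.20.5.7\t51003\t203.0.113.5\t443\ttcp\tssl\t52000000\t900\tSF\n"
    "1260.0\tC5\t10.20.6.1\t40000\t198.51.100.10\t443\ttcp\tssl\t900\t7000\tSF\n"
    "1400.0\tC6\t10.20.5.7\t51004\t203.0.113.5\t8443\ttcp\t-\t700000\t400\tSF\n"
)

ATTENDEE_NET = ipaddress.ip_network("10.20.0.0/16")  # assumption: attendee Wi-Fi range
EXFIL_BYTES = 10_000_000                               # assumption: 10 MB outbound in one flow


def parse_conn_log(text):
    """Parse a Zeek conn.log into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        for key in ("orig_bytes", "resp_bytes"):
            rec[key] = 0 if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


RECORDS = parse_conn_log(CONN_LOG)


def host_timeline(records, host, detection_ts, before=300.0, after=300.0, tolerance=30.0):
    """Bucket the host's flows into before / during / after a detection timestamp."""
    buckets = {"before": [], "during": [], "after": []}
    for r in records:
        if host not in (r["id.orig_h"], r["id.resp_h"]):
            continue
        dt = r["ts"] - detection_ts
        if -before <= dt < -tolerance:
            buckets["before"].append(r)
        elif -tolerance <= dt <= tolerance:
            buckets["during"].append(r)
        elif tolerance < dt <= after:
            buckets["after"].append(r)
    return buckets


def lateral_movement(records, host, internal_net=ATTENDEE_NET):
    """Flows the host initiated toward other internal hosts. Attempts are kept:
    a rejected connection to an SMB port is as telling as a completed one."""
    return [r for r in records
            if r["id.orig_h"] == host
            and r["id.resp_h"] != host
            and ipaddress.ip_address(r["id.resp_h"]) in internal_net]


def exfil_candidates(records, host, threshold=EXFIL_BYTES, internal_net=ATTENDEE_NET):
    """Outbound flows from the host to external addresses carrying >= threshold bytes."""
    return [(r["id.resp_h"], r["orig_bytes"]) for r in records
            if r["id.orig_h"] == host
            and ipaddress.ip_address(r["id.resp_h"]) not in internal_net
            and r["orig_bytes"] >= threshold]


def reconstruct(records, host, detection_ts):
    """The one-shot summary an analyst pulls after a firewall detection on `host`."""
    tl = host_timeline(records, host, detection_ts)
    return {
        "before": [r["uid"] for r in tl["before"]],
        "during": [r["uid"] for r in tl["during"]],
        "after": [r["uid"] for r in tl["after"]],
        "lateral": [r["uid"] for r in lateral_movement(records, host)],
        "exfil": exfil_candidates(records, host),
    }


if __name__ == "__main__":
    print(reconstruct(RECORDS, "10.20.5.7", 1200.0))
```

In the constructed data the detection fires on flow C4 at t=1200; the summary shows two SMB attempts toward other attendee hosts before the alert (one rejected), a 52 MB upload to an external address at the moment of the alert, and a follow-up connection to the same address afterwards. Each uid is the handle for pulling the matching raw packets out of the full capture.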

When monitoring a high-traffic public network where dozens of hosts might broadcast passwords in cleartext, how do you balance automated mitigation with manual investigation? What does the notification process look like for vulnerable users, and how does this automation affect the workload of tier-one analysts?

Monitoring cleartext passwords is a constant battle at major tech conferences, and at RSAC 2026, we saw 11 hosts broadcasting their credentials across 217 different events. In the past, this was a grueling manual process where analysts had to investigate each incident, track down the specific user, and personally inform them of their vulnerability. We have now moved toward an automated notification system where the network identifies the insecure broadcast and automatically sends an email to the attendee from RSAC, advising them of the risk. This shift is significant when you consider that a similar event at Cisco Live in Amsterdam saw 400 hosts broadcasting passwords in the clear, which would have overwhelmed a manual response team. By automating these low-level but high-volume security issues, tier-one analysts are freed up to focus on more complex threats, significantly reducing the “alert fatigue” that often plagues large-scale operations.
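The step that turns 217 events into a manageable number of notifications is aggregation: one summary per device per day rather than one email per observation. The following is an added example, not the RSAC SOC's own system. It assumes that the detection feed reports only the fact that a credential was sent unencrypted (protocol and destination, never the credential itself), that the venue's registration or NAC system can map a client address to an attendee contact, and a 24-hour cooldown per host; the events and the directory are constructed.

```python
"""Collapse per-event cleartext-credential detections into per-host notifications.

Added example, not the RSAC SOC's own code. Events and the address-to-attendee
directory are constructed; no credential values are stored, only that a
cleartext login was observed, over which protocol, and to which server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    ts: float        # epoch seconds
    host: str        # attendee device address on the conference network
    service: str     # protocol that carried the credential, e.g. http, imap, ftp
    dest: str        # server the credential was sent to


# Constructed detections: three hosts, six events, one host with no directory entry.
EVENTS = [
    Detection(1000.0, "10.20.5.7", "http", "203.0.113.20"),
    Detection(1005.0, "10.20.5.7", "http", "203.0.113.20"),
    Detection(1900.0, "10.20.5.7", "imap", "198.51.100.40"),
    Detection(1200.0, "10.20.6.1", "ftp", "192.0.2.9"),
    Detection(1300.0, "10.20.7.9", "pop3", "192.0.2.9"),
    Detection(90000.0, "10.20.5.7", "http", "203.0.113.20"),  # next day, same device
]

# Constructed mapping from client address to registered attendee contact
# (assumption: supplied by the venue's registration or NAC system).
DIRECTORY = {"10.20.5.7": "attendee-a@example.com", "10.20.6.1": "attendee-b@example.com"}

COOLDOWN = 24 * 3600  # assumption: at most one email per host per day


def summarize(events):
    """The two numbers reported after the event: distinct hosts and total events."""
    return len({e.host for e in events}), len(events)


def plan_notifications(events, directory, cooldown=COOLDOWN):
    """Fold events into notifications, one per host per cooldown window.

    Events inside an open window join the notification already planned for
    that host, so the attendee receives one summary instead of one email per
    observation. Hosts with no directory entry are returned for manual follow-up.
    """
    notes = []          # planned notifications, in order of first observation
    open_note = {}      # host -> index in notes of the window still accepting events
    unresolved = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.host not in directory:
            unresolved.add(e.host)
            continue
        idx = open_note.get(e.host)
        if idx is not None and e.ts - notes[idx]["first_ts"] < cooldown:
            notes[idx]["events"].append(e)
        else:
            notes.append({"host": e.host, "to": directory[e.host],
                          "first_ts": e.ts, "events": [e]})
            open_note[e.host] = len(notes) - 1
    return notes, unresolved


def render(note):
    """Plain-text body for one notification; lists protocol and destination only."""
    pairs = sorted({(e.service, e.dest) for e in note["events"]})
    lines = [
        f"To: {note['to']}",
        "Subject: Your device sent a password without encryption on the conference Wi-Fi",
        f"We observed {len(note['events'])} unencrypted login(s) from your device:",
    ]
    lines += [f"  - {svc} to {dest}" for svc, dest in pairs]
    lines.append("Change that password and switch the application to an encrypted connection.")
    return "\n".join(lines)


if __name__ == "__main__":
    planned, unknown = plan_notifications(EVENTS, DIRECTORY)
    for n in planned:
        print(render(n), end="\n\n")
    print("needs manual lookup:", sorted(unknown))
```

With the constructed input the six events become three emails (two days for the first device, one for the second) plus one host handed to an analyst because the address could not be resolved. The unresolved set is exactly the residual manual work the automation leaves for tier one.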

AI and GPUs are increasingly used to help analysts map data and process threats, which can significantly reduce the number of alerts escalated to senior staff. How do these models identify specific AI applications running on a network, and what criteria determine if an application should be blocked?

In our current SOC environment, AI is used as a force multiplier that helps tier-one analysts process vast amounts of data and map threats more effectively than human intuition alone. This efficiency is best illustrated by the fact that over a 24-hour period at the conference, only two out of 35 security alerts required escalation to senior tier-two or tier-three analysts. Beyond internal efficiency, the SOC uses specialized dashboards to identify exactly which AI models and applications attendees are running on the network. We monitor whether these applications are licensed versions or unauthorized models that could potentially drain bandwidth or introduce security risks. If an AI application is found to be adversely affecting the conference’s network stability or violating security protocols, the SOC team has the immediate capability to block that specific traffic flow.

Integrating disparate tools like XDR, malware analytics, and SOAR is critical for securing global events. What are the practical steps for implementing a single sign-on portal and role-based access to ensure analysts have immediate productivity on day one, and how do these workflows evolve between major deployments?

The evolution of the SOC in a box has been driven by the need to eliminate the “warm-up” period where analysts struggle to gain access to various tools from different vendors. Previously, it could take incident responders up to three days just to get the necessary permissions for platforms like Palo Alto, Corelight, or Jamf, which is unacceptable for a week-long event. To solve this, we implemented a centralized single sign-on portal and strict role-based access controls that grant analysts full visibility into the security stack—including Cisco XDR, Splunk Attack Analyzer, and Cisco Duo—from the very first hour. These workflows are refined after every major deployment, whether it’s at Black Hat or the Mobile World Congress, to ensure that the handoff between different security teams is seamless. This standardized approach allows a rotating team of analysts to step into any venue in the world and immediately understand the spider charts of network connections and the strength of the TLS versions being used across the floor.

What is your forecast for the security operations center industry?

I expect the industry to move toward a model where the “agentic SOC” becomes the standard, especially as we look toward massive global events like the 2028 LA Olympics. We are going to see a much deeper integration of AI capabilities where the system doesn’t just surface alerts but actively suggests and implements containment strategies before a human even looks at the screen. The focus will shift from simply capturing data to using advanced local compute units to perform real-time, high-fidelity analysis on encrypted traffic without needing to decrypt it. As networks become more transient and portable, the ability to deploy a fully functional, AI-driven security perimeter in a matter of hours will be the baseline requirement for any organization operating in a high-stakes environment.
