Black Hat stands as one of the world's most challenging cybersecurity events, where researchers unveil zero-day exploits, trainers demonstrate attack techniques and thousands of security professionals gather to push the boundaries of what's possible. The conference demands a unique approach to network security, one that must simultaneously protect critical infrastructure while allowing controlled chaos to unfold in training environments.

In a recent episode of Threat Vector, the cybersecurity podcast of Palo Alto Networks, our host David Moulton, senior director of thought leadership for Unit 42, spoke with two engineers who live this reality. Jason Reverri, manager of technical product engineering at Cortex®, brings years of experience bridging product development with frontline defense. James Holland, distinguished engineer for technology innovation, leads automation and incident response initiatives. Together, they manage the Palo Alto Networks engagement within the Black Hat network operations center (NOC), where multiple partners are chosen by the Black Hat NOC leadership team to collaborate on the ultimate test: defending against threats that emerge moments after being disclosed on stage.
Zero-Hour Defense Against Live Exploits
The NOC team operates in a perpetual state of zero-hour response, where the normal flow of threats and the response to them blend together.
"Someone will go up on stage and talk about something that is brand new, that has never been seen before," Reverri said. "And we're on the network looking at the data, protecting the infrastructure, and we will see people start to mess around with those sorts of activities."
This dynamic creates unprecedented challenges. At Black Hat London, a security researcher disclosed SSH vulnerabilities just before the conference began. The NOC team had to rapidly develop and deploy detections for threats that didn't exist in any signature database. The response required immediate collaboration between Palo Alto Networks researchers, Unit 42 Threat Intelligence teams, and partner Corelight to create custom detections for Cortex XSIAM®.
Architecture Built for Controlled Chaos
Black Hat's network architecture reflects the unique requirements of hosting security professionals who routinely exploit systems as part of their work, learning new techniques in real time.
"You've got people being trained in the training classes at all levels, from basic to advanced. You put all that together and it's a network that you can't just leave wide open," Holland said. "You need visibility. You need control to be able to manage that situation."
The infrastructure centers around a highly segmented network, with visibility and control provided by Palo Alto Networks PA-5430 firewalls deployed in high availability pairs. Network segmentation prevents training classes from interfering with each other while maintaining internet access for all attendees. The firewalls operate in a contextual security model: They detect and log malicious activity but only block traffic based on its source, destination and intent.
"If this attack has come from a training class to a benign destination or a destination that is part of the training class, we don't want to block that," Holland said of the nuanced approach needed. "If this is someone from somewhere else on the internet attacking the registration server, we are definitely blocking it, and we're putting your IP in a block list straight away."

Managing Nearly One Billion Threat Events
The conference generates close to one billion threat events annually, with activity patterns that mirror the conference schedule. Training days produce the highest volumes of malicious traffic as students practice newly learned techniques. The NOC team developed the concept of "Black Hat positives": real attacks that trigger security controls but represent expected behavior within training environments.
"It is a real attack and it's not a false positive because the CDSS signatures have seen it and said, 'Hey, we've seen a SQL injection,'" Reverri explained. "Well, yeah, but we expect to see that as long as it's not against the real live website."
Beyond managing intentional attacks, the team encounters unexpected security issues. They regularly identify attendees unknowingly transmitting sensitive data in cleartext, including personal financial information, email credentials and location data from poorly designed applications. The team has developed protocols for discreetly notifying affected individuals, turning security incidents into educational opportunities.
AI-Driven Automation Transforms Operations
Cortex XSIAM® has fundamentally changed NOC operations through intelligent automation. The platform automatically enriches security incidents with threat intelligence from multiple sources, including Unit 42, Cisco Talos and Corelight, before analysts review them. This automation eliminates hours of manual research that previously consumed analyst time.
The team's morning operational checklist exemplifies practical automation. Previously, technicians manually verified firewall status, registration system availability and overnight incident logs. Now, automated playbooks generate comprehensive status reports at 6 a.m., delivered directly to team communication channels. Holland emphasized the operational impact:
We want to know about something being an issue before any attendee or anyone else from the conference comes to complain to the NOC.
Advanced automation includes dynamic firewall rule deployment. When the platform detects attacks against protected infrastructure from external sources, it automatically implements IP blocks without human intervention. The system's contextual awareness prevents it from blocking legitimate training activities while immediately stopping external threats.
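The contextual model described in the sections above (firewalls that decide on source, destination and intent, "Black Hat positives" that are logged but not blocked, and automatic block-list updates for external attacks on protected infrastructure) can be written down as a small triage routine. The following is an added illustration, not code from the Black Hat NOC, Palo Alto Networks or Cortex XSIAM; every address range, host name, signature name and event below is constructed, and the third "review" verdict for anything the two stated rules do not cover is an assumption made here.

```python
"""Contextual triage of firewall signature hits, modelled on the policy the post
describes: attacks from a training class toward a training or benign destination
are expected ("Black Hat positives") and only logged; attacks from the internet
against protected infrastructure are blocked and the source IP is added to a
block list. Added illustration; not the NOC's own code."""
import ipaddress
from collections import Counter

# Constructed network context (assumption: illustrative ranges and hosts only)
TRAINING_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # training-class segments
CONFERENCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # everything on the conference network
PROTECTED_HOSTS = {"10.1.1.10": "registration-server"}  # infrastructure that must be defended

# Verdicts
BLACK_HAT_POSITIVE = "black_hat_positive"   # real attack, expected in training; log only
BLOCK = "block"                              # external source attacking protected infrastructure
REVIEW = "review"                            # assumption: everything else goes to an analyst


def _in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(event):
    """Return the verdict for one signature hit from its source, destination and intent."""
    src, dst = event["src"], event["dst"]
    src_training = _in_any(src, TRAINING_NETS)
    src_internal = _in_any(src, CONFERENCE_NETS)
    dst_training = _in_any(dst, TRAINING_NETS)
    dst_protected = dst in PROTECTED_HOSTS

    # Rule from the post: internet source hitting the registration server -> block
    if not src_internal and dst_protected:
        return BLOCK
    # Rule from the post: training class hitting a training or benign target -> expected
    if src_training and (dst_training or not dst_protected):
        return BLACK_HAT_POSITIVE
    # Assumption: anything else (e.g. a student probing protected infrastructure)
    # is neither auto-blocked nor dismissed, so it is queued for a human
    return REVIEW


def triage(events):
    """Classify a batch of events; return per-verdict counts, the block list
    of external sources, and the events left for analyst review."""
    counts = Counter()
    block_list = set()
    review = []
    for ev in events:
        verdict = classify(ev)
        counts[verdict] += 1
        if verdict == BLOCK:
            block_list.add(ev["src"])      # would feed the firewall's dynamic block list
        elif verdict == REVIEW:
            review.append(ev)
    return counts, block_list, review


# Constructed sample events; signature names are illustrative
SAMPLE_EVENTS = [
    {"src": "10.20.3.14", "dst": "10.20.3.200", "sig": "SQL Injection"},       # student -> lab target
    {"src": "10.20.3.14", "dst": "203.0.113.9", "sig": "SQL Injection"},       # student -> benign internet host
    {"src": "198.51.100.7", "dst": "10.1.1.10", "sig": "SQL Injection"},       # internet -> registration server
    {"src": "198.51.100.7", "dst": "10.1.1.10", "sig": "Directory Traversal"},  # same external source again
    {"src": "10.20.5.2", "dst": "10.1.1.10", "sig": "SQL Injection"},          # student -> registration server
]

if __name__ == "__main__":
    counts, block_list, review = triage(SAMPLE_EVENTS)
    print(dict(counts), sorted(block_list), [e["sig"] for e in review])
```

Running the module on the constructed batch yields two Black Hat positives, two blocks that collapse into a single block-list entry, and one event for review. The point of the structure is that the block decision never depends on the signature alone: the same SQL injection signature is logged, blocked or escalated purely on where it came from and what it targeted.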
Multi-Vendor Integration in High-Stakes Environment
The Black Hat NOC operates as a real-world laboratory for multi-vendor security integration. Partner organizations, including Arista, Cisco, Corelight and Lumen, collaborate despite competitive relationships outside the conference. This cooperation reflects the enterprise reality, where organizations rarely deploy single-vendor security stacks.
Reverri explained the collaborative spirit:
Any beef we have out on the street, we leave it out there. And in there, we're friends, we're partners. The team lead from Cisco is a good friend of mine, and we work great together.
The partnership extends beyond operational cooperation to joint product development. Teams use the conference environment to build and test integrations that benefit customers who deploy multiple vendors' solutions.

"We've worked on an integration this year at this event," Holland noted. "It's been improved, it's been enhanced. It now works much better than it used to, and everyone's going to benefit from that."
Crisis Response and Rapid Adaptation
The NOC team has demonstrated remarkable adaptability when facing unexpected challenges. During one conference, weather delays grounded aircraft carrying critical server infrastructure. The team pivoted to cloud deployment within hours, establishing a hybrid infrastructure that maintained full conference functionality.
"That's how we pivoted quickly. We were like, 'Well, we need somewhere to host some servers because the servers aren't here,'" Holland said of the incident. "We have virtual firewalls in the cloud. We can bring up a secure VPN to allow traffic to flow between them."
The solution involved on-premises iPads for registration scanning, cloud-based processing servers, as well as secure VPN connections bridging the environments. Registration continued seamlessly despite the infrastructure crisis, demonstrating the value of experienced teams with access to flexible security platforms.
Lessons for Enterprise Security Teams
The Black Hat NOC offers three critical lessons for enterprise security leaders. First, network visibility through strategic firewall placement provides immediate value even before implementing restrictive policies.
"The visibility you get from a highly segmented network is so valuable," Holland emphasized. "Just by having next-generation firewalls in the right place in your network, even with a fairly relaxed rulebase, the visibility you'll get will give you so much more insight into what's going on in your network."
Second, automation becomes essential as attack volumes and sophistication increase. Security operations can no longer function at a human scale when facing AI-enhanced adversaries and massive alert volumes. Successful automation requires quality data feeds and intelligent enrichment to enable analysts to focus on genuine threats.
Third, security tools must integrate into analysts' existing workflows rather than demanding separate interfaces. The NOC's chatbot integration allows team members to query security platforms directly from communication tools, meeting analysts where they already work and reducing friction in security operations.
Scaling AI-Driven Security Operations
The Black Hat NOC demonstrates how AI-driven security operations platforms can handle extreme threat volumes while enabling human analysts to focus on critical decisions. Organizations looking to implement similar automated threat detection and response capabilities can explore how Cortex XSIAM's unified security operations platform and orchestration capabilities transform security team effectiveness in high-stakes environments.