#1723597: Cisco XDR at Black Hat Europe 2025: Building an Open, Integrated Security Operations Platform
| Description: |
Introduction

At Black Hat Europe 2025, Cisco XDR demonstrated what modern security operations are supposed to look like: open, deeply integrated, and built for real-world analyst workflows. As the Official Security Cloud Provider for the Black Hat Network Operations Center (NOC), Cisco did not simply showcase a product; it operated a live security platform under constant pressure, with real threats and real data. The result was a validation of Cisco XDR as an integration-first platform designed to unify telemetry, enrich investigations, and accelerate incident response across diverse security tools and vendors.

Cisco XDR's Role Inside the Black Hat NOC

Cisco XDR served as the central nervous system of the Black Hat Europe NOC, supporting its core mission of malware analysis and threat detection. Its open integration framework let analysts investigate Indicators of Compromise (IOCs) from a single search interface, reducing investigation time while adding context and accuracy.

Open Integrations as a Core Design Philosophy

Cisco XDR is not positioned as a closed ecosystem. It operates as an open platform in which first-party Cisco tools and third-party intelligence providers coexist, feed data, and improve correlation. That openness proved essential in the Black Hat environment, where speed, flexibility, and accuracy are non-negotiable.

Third-Party Collaboration at Black Hat Europe

Several external security intelligence providers donated full licenses to Cisco for use in the Black Hat Europe 2025 NOC. These partnerships enabled deeper enrichment and faster investigations throughout the event.

Key Technology Partners Supporting Cisco XDR

alphaMountain.ai, Pulsedive, and StealthMole provided full-license access, extending threat intelligence coverage across multiple dimensions. Their contributions let analysts pivot rapidly from indicators to context without leaving the XDR interface.

Cisco and Third-Party Integration Overview

The Cisco XDR ecosystem at Black Hat Europe combined networking, endpoint, DNS, telemetry, and analytics tools with third-party threat intelligence platforms. This hybrid approach ensured that no single data source became a blind spot.

Cisco Networking and Security Integrations

Splunk Cloud Platform and Splunk Enterprise Security played a central role in data aggregation and SOC workflows. Secure Access, Meraki System Manager, Secure Endpoint for iOS, Secure Malware Analytics, Umbrella DNS, Webex, ThousandEyes, XDR Analytics, and Cisco Telemetry Broker provided native telemetry across networks, endpoints, and cloud environments.

Third-Party Intelligence and Enrichment Sources

The NOC relied on AlienVault OTX, CyberCrime Tracker, Google Safe Browsing, Pulsedive, Shodan, StealthMole, Threatscore by Cyberprotect, Slack, urlscan.io, and beta integrations with Palo Alto Networks NGFW and Corelight NDR. These sources enriched alerts with reputation, behavioral, and contextual intelligence.

XDR Control Center Visibility

The XDR Control Center dashboard displayed the real-time health and status of every integration throughout the week. That operational visibility meant analysts could trust their data sources and spot integration failures before they affected investigations.

Production, Beta, and Development Integrations

Cisco XDR categorizes each integration as production-ready, beta, or in development. This transparency allowed the NOC team to balance innovation with operational stability during a live event.

Building Deeper Integrations With Corelight

The Black Hat NOC has long served as a proving ground for collaboration and innovation. At Black Hat Europe 2024, Cisco XDR was connected to Corelight NDR detections through Splunk acting as a middleware layer.
From Middleware Dependency to Native Integration

Customer feedback made one thing clear: organizations wanted a direct Cisco XDR and Corelight integration that did not depend on Splunk as an intermediary. That demand drove a joint engineering effort between Cisco and Corelight.

Engineering the Corelight Integration

Cisco XDR engineering worked with Corelight to align APIs and detection formats. Zeek-formatted network detections were transformed and sent directly into the Cisco XDR Data Analytics Platform (DAP).

Standardization Through OCSF

All detections were converted to the Open Cybersecurity Schema Framework (OCSF) format. This common schema is what allows correlation, analytics, and incident generation across data sources that would otherwise carry incompatible field names and event structures.

Proof of Concept to Production

In London, a proof-of-concept integration was completed and submitted to Cisco XDR quality assurance. The integration was published as an automation workflow using webhooks and made available in XDR Automate – Exchange.

Corelight Integration Capabilities

The integration can ingest up to 25 Corelight log bundles per minute into the XDR DAP. Detections appear directly inside XDR incidents and can be filtered by source for rapid analysis.

Analyst Workflow Improvements

Analysts can click a detection timestamp to view the detailed event data behind it. This removes context switching and accelerates decision-making.

Strengthening Integration With Palo Alto Networks

Cisco also beta-tested an integration with Palo Alto Networks NGFW logs during Black Hat Europe. Logs from the Strata Logging Service were transformed into OCSF format and ingested into the XDR analytics platform.

Firewall Logs as Correlated Signals

Once normalized, firewall logs could be correlated with endpoint, DNS, and network telemetry. That correlation produces higher-fidelity XDR incidents rather than isolated alerts.
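The two integrations described above share one mechanism: a vendor-specific detection (a Zeek-format Corelight notice, a Palo Alto threat log) is mapped onto a common OCSF event so that records from different sources can be correlated on the same fields. The following is an added example, not code from Cisco, Corelight or Palo Alto Networks, showing that mapping for both sources into the OCSF Detection Finding class, plus the batching into bundles that the ingest path expects. The sample records are constructed: the Zeek notice uses Zeek's notice.log field names, but the PAN-OS key names, the severity assigned to each Zeek notice type, and the per-bundle size are assumptions for illustration, not the Strata Logging Service schema or Cisco's actual workflow.

```python
"""Normalize Corelight (Zeek-format) notices and Palo Alto NGFW threat logs
into OCSF Detection Finding events, then batch them into JSON-array bundles.

Added example; not code from Cisco, Corelight or Palo Alto Networks.
Constructed inputs: the Zeek notice follows Zeek's notice.log field names;
the PAN-OS record keys are assumed for illustration, not the real Strata
Logging Service schema. Severity-by-notice-type is likewise an assumption.
"""
import json
from datetime import datetime

OCSF_VERSION = "1.1.0"
CATEGORY_FINDINGS = 2           # OCSF category "Findings"
CLASS_DETECTION_FINDING = 2004  # OCSF class "Detection Finding"
ACTIVITY_CREATE = 1             # activity_id: a new finding was created
# OCSF severity_id values; anything unmapped becomes 0 (Unknown)
SEVERITY_ID = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
# Assumed severities for Zeek notice types (notice.log has no severity field)
ZEEK_NOTE_SEVERITY = {"Scan::Port_Scan": "medium", "SSL::Invalid_Server_Cert": "low"}
REQUIRED = ("activity_id", "category_uid", "class_uid", "finding_info",
            "metadata", "severity_id", "time", "type_uid")

# Constructed sample inputs
CORELIGHT_NOTICE = {
    "_path": "notice", "ts": 1765281600.123, "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "10.20.30.40", "id.orig_p": 51234,
    "id.resp_h": "198.51.100.7", "id.resp_p": 443,
    "note": "Scan::Port_Scan", "msg": "10.20.30.40 scanned 60 ports of 198.51.100.7",
}
PAN_THREAT_LOGS = [  # assumed key names; payloads arrive as a JSON array
    {"log_type": "threat", "sub_type": "vulnerability", "time_generated": "2025-12-09T12:00:00Z",
     "src": "10.20.30.40", "sport": 51234, "dst": "198.51.100.7", "dport": 443,
     "threat_id": "test-signature(99999)", "severity": "high", "action": "reset-both"},
    {"log_type": "threat", "sub_type": "url", "time_generated": "2025-12-09T12:00:05Z",
     "src": "10.20.30.41", "sport": 40100, "dst": "203.0.113.9", "dport": 80,
     "threat_id": "malware-url", "severity": "medium", "action": "block-url"},
]


def _epoch_ms(value):
    """Zeek uses epoch seconds (float); the constructed PAN-OS records use ISO-8601 UTC."""
    if isinstance(value, (int, float)):
        return round(value * 1000)
    return round(datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp() * 1000)


def _finding(time_ms, title, uid, severity, vendor, product, src, dst, raw):
    """Build a minimal OCSF Detection Finding; 'unmapped' keeps the raw record for pivoting."""
    return {
        "activity_id": ACTIVITY_CREATE,
        "category_uid": CATEGORY_FINDINGS,
        "class_uid": CLASS_DETECTION_FINDING,
        "type_uid": CLASS_DETECTION_FINDING * 100 + ACTIVITY_CREATE,  # OCSF rule: class_uid*100+activity_id
        "time": time_ms,
        "severity_id": SEVERITY_ID.get(str(severity).lower(), 0),
        "metadata": {"version": OCSF_VERSION, "product": {"vendor_name": vendor, "name": product}},
        "finding_info": {"title": title, "uid": uid},
        "src_endpoint": src,
        "dst_endpoint": dst,
        "unmapped": raw,
    }


def from_corelight_notice(n):
    """Map a Zeek/Corelight notice.log record to an OCSF Detection Finding."""
    if n.get("_path") != "notice":
        raise ValueError(f"not a Zeek notice record: {n.get('_path')!r}")
    note = n["note"]
    uid = n.get("uid") or f"{note}:{n['ts']}"  # some notices carry no connection uid
    return _finding(_epoch_ms(n["ts"]), f"{note}: {n.get('msg', '')}", uid,
                    ZEEK_NOTE_SEVERITY.get(note, "medium"), "Corelight", "Corelight NDR",
                    {"ip": n.get("id.orig_h"), "port": n.get("id.orig_p")},
                    {"ip": n.get("id.resp_h"), "port": n.get("id.resp_p")}, n)


def from_pan_threat(entry):
    """Map one (assumed-format) PAN-OS threat log entry to an OCSF Detection Finding."""
    if entry.get("log_type") != "threat":
        raise ValueError(f"unsupported PAN-OS log type: {entry.get('log_type')!r}")
    title = f"{entry['sub_type']}: {entry['threat_id']} ({entry['action']})"
    uid = f"pan:{entry['time_generated']}:{entry['src']}:{entry['dst']}:{entry['threat_id']}"
    return _finding(_epoch_ms(entry["time_generated"]), title, uid, entry.get("severity", ""),
                    "Palo Alto Networks", "PAN-OS NGFW",
                    {"ip": entry["src"], "port": entry["sport"]},
                    {"ip": entry["dst"], "port": entry["dport"]}, entry)


def validate(finding):
    """Reject findings missing required OCSF attributes or with an inconsistent type_uid."""
    missing = [k for k in REQUIRED if k not in finding]
    if missing:
        raise ValueError(f"missing required OCSF attributes: {missing}")
    if finding["type_uid"] != finding["class_uid"] * 100 + finding["activity_id"]:
        raise ValueError("type_uid must equal class_uid*100 + activity_id")
    return finding


def bundle(findings, max_per_bundle=100):
    """Split findings into JSON-array bundles of bounded size (size is an assumption)."""
    return [findings[i:i + max_per_bundle] for i in range(0, len(findings), max_per_bundle)]


def send_offsets(bundle_count, per_minute=25):
    """Earliest second at which each bundle may be sent under a per-minute ingest cap."""
    return [60 * (i // per_minute) for i in range(bundle_count)]


if __name__ == "__main__":
    findings = [validate(from_corelight_notice(CORELIGHT_NOTICE))]
    findings += [validate(from_pan_threat(e)) for e in PAN_THREAT_LOGS]
    for i, b in enumerate(bundle(findings, max_per_bundle=2)):
        print(f"bundle {i}: {len(b)} findings -> {json.dumps(b)[:80]}...")
```

The point of `validate` is that a normalizer which silently emits records missing `finding_info` or with a `type_uid` that disagrees with `class_uid` and `activity_id` produces events that downstream correlation will drop or mis-bucket; catching that at the edge is cheaper than debugging empty incidents. `send_offsets` simply paces bundles so a burst of detections does not exceed the 25-bundles-per-minute figure the article gives for the Corelight path.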
Supported Palo Alto Log Types

The integration supports Firewall/Threat, Firewall/File, Firewall/URL, and Firewall/DNS Security logs. All payloads are processed as JSON arrays for scalability and consistency.

Building Your Own Cisco XDR Integration

Cisco encourages the security community to build custom integrations on its open XDR framework. Community resources are available to help developers design, test, and deploy integrations.

Path to Official Cisco Support

Security vendors can work with the Cisco Security Technical Alliance team to validate and publish supported integrations. That process ensures quality, security, and long-term maintainability within the XDR ecosystem.

Black Hat as a Real-World Testing Ground

Black Hat remains one of the few environments where security platforms are tested under live-fire conditions. The NOC provides an unmatched feedback loop between engineers, analysts, and researchers.

About the Black Hat Conference Series

Founded in 1997, Black Hat is one of the most respected cybersecurity event series worldwide. It brings together practitioners, researchers, and leaders across regions and disciplines to share cutting-edge research and operational insight.

Global Reach of Black Hat Events

Black Hat events are held across the United States, Canada, Europe, the Middle East and Africa, and Asia. Each event reflects the needs and priorities of the regional and global security community.

What Undercode Say:

Cisco XDR's performance at Black Hat Europe 2025 highlights a shift in security operations: platforms are no longer judged by feature lists but by integration depth and operational reality. The ability to normalize diverse data sources into OCSF and correlate them in near real time positions Cisco XDR as a serious contender in enterprise SOC modernization. The Corelight integration is especially significant, as it removes a middleware dependency and shows Cisco's willingness to meet customer demands head-on. This move reduces architectural complexity while improving detection fidelity, a combination many SOC teams struggle to achieve. The Palo Alto Networks beta integration further reinforces Cisco's strategy of embracing competing ecosystems rather than trying to replace them. In high-pressure environments like Black Hat, theoretical capabilities quickly fall apart, but Cisco XDR showed resilience, scalability, and practical usability. More importantly, the platform emphasized analyst experience, minimizing friction and maximizing context. If Cisco continues to expand its open integration strategy while maintaining strong quality controls, XDR could become a true unifying layer rather than just another security console.

Fact Checker Results

- Cisco XDR was used as the operational platform within the Black Hat Europe 2025 NOC ✅
- Corelight and Palo Alto Networks integrations were demonstrated using OCSF normalization ✅
- The article's claims align with publicly described Black Hat NOC practices ❌

Prediction

- Cisco XDR will continue expanding native third-party integrations beyond beta into full production status 🚀
- OCSF-based normalization will become a baseline expectation for XDR platforms 🔮
- Future Black Hat NOCs will rely even more heavily on open, vendor-agnostic security architectures ✅ |
|---|---|
| More info: | https://undercodenews.com/cisco-xdr-at-black-hat-europe-2025-building-an-open-integrated-security-operations-platform/ |
| Date added | Feb. 9, 2026, 5:03 p.m. |
|---|---|
| Source | Undercodenews |
| Subjects |
