How Cisco Locked Down DNS at Black Hat Europe
Cisco deployed Secure Access to process 66 million DNS queries at Black Hat Europe 2025, tracking ApateWeb domains and a surge in GenAI apps across the conference network.
Every December, thousands of the world's best hackers descend on London for Black Hat Europe. The irony of running a secure network at a hacker conference isn't lost on anyone—and Cisco, which has operated the Black Hat Network Operations Center for over a decade, just published its full DNS telemetry report from the 2025 event. The findings paint an interesting picture of how conference network traffic is changing, and why encrypted DNS is complicating enterprise visibility everywhere.
66 Million Queries, Fewer Connections
Cisco Secure Access—the company's Security Service Edge (SSE) platform that evolved from Umbrella—handled more than 66.1 million DNS queries during Black Hat Europe 2025. That's a significant volume, but Cisco's Rob DeCooman noted a drop in attendees actually connecting to the conference network compared to previous years.
The likely culprit: Apple Private Relay. As Apple expanded Private Relay support across iOS and macOS, more attendee traffic routes through Apple's own encrypted relay infrastructure, bypassing the conference DNS entirely. It's the same encrypted DNS challenge that enterprises are wrestling with globally—when DNS-over-HTTPS (DoH) or Private Relay traffic skips your resolvers, you lose the ability to inspect, filter, and protect.
This is no small problem. The NSA has specifically warned that encrypted DNS can undermine enterprise defenses when traffic flows to external resolvers instead of designated corporate ones. At Black Hat USA 2025, Cisco took the aggressive step of blocking all encrypted DNS requests on the event network, forcing resolution through Umbrella's infrastructure to maintain full visibility. That approach wasn't detailed for the London event, but the telemetry drop hints at how much traffic now bypasses traditional DNS inspection paths.
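To make the visibility problem concrete, here is an added example (not Cisco's code or anything from the report) that scans a constructed DNS query log for the bootstrap lookups a device makes just before moving its DNS to Private Relay or a public DoH resolver, and lists the clients the resolver never sees again afterwards. It assumes a simplified log format; the mask.icloud.com names come from Apple's published Private Relay network guidance, and the DoH endpoints are well-known public ones.

```python
"""Spot DNS-visibility loss from encrypted-DNS bootstrap lookups.
Added example, not Cisco's code. Constructed log format, one query per
line: "<timestamp> <client-ip> <qname> <qtype>"."""
import re
from collections import Counter, defaultdict

# A client resolving one of these is about to move its DNS out of the
# resolver's view. mask*.icloud.com are Apple's documented Private Relay
# bootstrap hosts; the rest are well-known public DoH endpoints (extend as needed).
BYPASS_INDICATORS = {
    "mask.icloud.com": "apple-private-relay",
    "mask-h2.icloud.com": "apple-private-relay",
    "dns.google": "doh-google",
    "cloudflare-dns.com": "doh-cloudflare",
    "dns.quad9.net": "doh-quad9",
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|HTTPS|SVCB)$")
def parse_line(line):
    """Return (ts, client, qname, qtype), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname.lower().rstrip("."), qtype
def classify(qname):
    """Label a name that is, or sits under, a bypass indicator; else None."""
    for host, label in BYPASS_INDICATORS.items():
        if qname == host or qname.endswith("." + host):
            return label
    return None
def analyze(lines):
    """Per-client Counter of bypass labels plus 'ordinary' lookups."""
    per_client = defaultdict(Counter)
    for _, client, qname, _ in filter(None, map(parse_line, lines)):
        per_client[client][classify(qname) or "ordinary"] += 1
    return per_client
def bypass_only_clients(per_client):
    """Clients seen only via bootstrap lookups: their real DNS is now elsewhere."""
    return {c for c, n in per_client.items() if n["ordinary"] == 0}
# Constructed sample log, not real telemetry; the last line is deliberately malformed.
SAMPLE_LOG = """\
2025-12-10T09:00:01Z 10.20.1.15 news.example.com A
2025-12-10T09:00:02Z 10.20.1.15 mask.icloud.com HTTPS
2025-12-10T09:00:02Z 10.20.1.15 mask-h2.icloud.com A
2025-12-10T09:00:07Z 10.20.1.31 dns.google A
2025-12-10T09:00:08Z 10.20.1.31 dns.google AAAA
2025-12-10T09:00:10Z 10.20.1.40 cloudflare-dns.com A
2025-12-10T09:00:11Z 10.20.1.40 www.example.org A
malformed line
"""
```

Clients in the bypass-only set are the ones for which DNS-layer filtering has already stopped working; their share of the client population is a direct measure of the visibility gap the article describes.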
GenAI Apps Flooding Conference Networks
One of the more telling data points from the report is the app-tracking trend line. Cisco counted unique applications connecting to the conference network each year:
- 2021: 2,162 apps
- 2022: 4,159 apps
- 2023: 4,340 apps
- 2024: 4,902 apps
- 2025: 6,008 apps
That jump from ~4,900 to 6,000 apps in a single year stands out. DeCooman pointed to GenAI applications as a major driver—attendees are running ChatGPT, Claude, Copilot, and dozens of smaller AI tools that each register as separate application connections. For enterprise security teams, this mirrors what they're seeing on corporate networks: AI tool adoption is outrunning security policy. Cisco addressed this exact concern at their AI Summit earlier this month, where they proposed standardized frameworks for securing AI agent communications.
Cisco's Secure Access platform includes Cloud Access Security Broker (CASB) functionality that can identify and categorize these applications, giving NOC operators visibility into which GenAI tools are hitting the network and whether they're sanctioned or shadow IT.
ApateWeb: Quieter in London Than Vegas
Cisco specifically tracked the ApateWeb campaign—a large-scale scareware and PUP delivery operation that Palo Alto's Unit 42 first documented using more than 130,000 domains. The campaign uses distinctive two- and three-word domain patterns and wildcard DNS to generate virtually unlimited subdomains for delivering malicious payloads.
At Black Hat Europe 2025, Cisco flagged only two ApateWeb-associated domains: gossippass[.]com and kettledroopingcontinuation[.]com. That's a "significant decrease compared to US events," according to the report. The reasons could range from geographic targeting differences (ApateWeb has historically focused more on North American traffic) to the smaller attendee pool connecting through Cisco's resolvers.
Still, the fact that Cisco specifically monitors for ApateWeb at every Black Hat event shows how persistent the campaign remains. It's been active since at least 2022, and its infrastructure—with over 92% of domains using wildcard DNS—makes it hard to stamp out through blocklist-based defenses alone.
Zero Trust at a Hacker Conference
Beyond DNS, the Cisco NOC deployment at Black Hat Europe included Zero Trust Network Access (ZTNA), remote browser isolation, and Duo Directory for single sign-on with role-based permissions. Partners Jamf and Arista rounded out the architecture. It's the same defense-in-depth approach Cisco brought to Super Bowl LX, where they deployed 1,500 Wi-Fi 7 access points and blocked over 400,000 threats.
Running security at Black Hat is partly a showcase, but it also generates real telemetry that feeds back into Cisco Talos's threat intelligence. Conference networks attract probing, scanning, and occasionally real attack traffic from attendees testing tools or demonstrating research. That makes the DNS layer—where Secure Access blocks connections to malicious domains before TCP handshakes even complete—particularly valuable.
What This Means for Enterprise DNS Security
The Black Hat telemetry highlights two trends that enterprise security teams can't ignore. First, encrypted DNS adoption (DoH, DNS-over-TLS, and Apple Private Relay) is eroding DNS-layer visibility at a pace that outstrips most organizations' ability to adapt. If Cisco—running the NOC at a security conference—is seeing meaningful query drops from encrypted bypass, corporate networks are almost certainly losing even more ground.
Second, the GenAI app explosion is real and accelerating. The jump to 6,008 unique applications on a conference network that operates for just a few days suggests corporate networks are dealing with orders of magnitude more. Without DNS-layer and CASB-layer controls, security teams won't even know what's connecting, let alone whether it's safe.
For organizations evaluating their own DNS security posture, the Black Hat deployment is a useful reference architecture. DNS-layer protection that operates at the resolver level, combined with encrypted DNS policy enforcement and application-aware inspection, represents the direction enterprise security tooling is heading—whether you're defending a stadium, a conference center, or a corporate campus.