Why a product engineer ended up in a SOC
As a product quality engineer, our days are usually spent building/testing the thing — writing code, closing bugs, arguing about edge cases and emulating attack scenarios. We rarely get to stand downstream and watch our product catch a real attacker, on real traffic, in real time.
As part of the Cisco XDR (Extended Detection and Response) product engineering group, a few of us got exactly that chance. Thanks to Tony Harrison and our other product leaders and Jessica Bair Oppenheimer, some of us were invited to be part of the Cisco Live AMER 2026 Security Operations Center.
This blog is my journey — from Day 0, watching folks plugging in cables, to the last day, when “SOC in a Box” came apart. Spoiler: it was a lifetime of learning and memories packed into one week.
The three missions of the SOC: Protect. Educate. Innovate. I walked in determined to checkmark all three. (And I did.)
Day 0 — Before the drama began: building the box
I flew into Las Vegas a day early on purpose. I wanted to understand “SOC in a Box” — the ship-anywhere hardware stack — from the ground up, not just see it running.
It was amazing watching the Cisco and Endace folks get the box back on its feet: Firewall, the EndaceProbe packet-capture appliance, and the UCS compute all racked and cabled along with the Switches and Fiber panels. The magic moment was understanding the feed: the Cisco Live conference Wi-Fi arrives as a SPAN (mirrored traffic) feed into our SOC in a Box, and that’s the river we fish in for detections.
Seeing it all click together — cable, switch, SPAN, cloud, capture — was the first “oh, this is how it actually works” of the week.

Setup — assembling the orchestra
Next came the software layer, and honestly it felt like tuning an orchestra before a concert. The experienced SOC folks stood up the full portfolio:
Cisco XDR, Splunk Enterprise Security + Splunk Cloud, Cisco Secure Access, Secure Network Analytics, Splunk Attack Analyzer & Secure Malware Analytics, Foundation AI
And our Endace partners’ packet capture sat underneath it all — being able to drop from an alert straight to the actual packets, and analyze them, was incredible to watch alongside our own products.
Every product had a part to play for a network as traffic-heavy as Cisco Live. When they all came in together, it really was like music.
We even installed Cisco Secure Endpoint, the Endpoint Visibility Module, and the Network Visibility Module on the floor machines (The photo below captures us moving from machine to machine across the floor, getting each of these products installed). The Network Operations Center team agreed to add our Endpoint installer to future gold builds, saving that future ‘sneaker net’ work.

Training
One day before go-live, we got thorough training: the rules of engagement (what to do, what not to do), the Splunk indexes available to us, and hands-on with Endace and XDR.

Each morning, we were eager to make it to Mandalay Bay show floor from the MGM Grand and get started early — and just as keen to stay till the end of the day. I think I learned more in that week than any certification or course could teach; the perspective you get from live operations is just different.
And let’s be honest about the daily ritual: the morning Starbucks coffee queue that seemed to stretch the length of the Strip, followed by the 15-minute march from the Uber drop-off to the show floor (If there’s a next time — a coffee machine inside the SOC, please? 😄)
Incidents start flowing (and we got “promoted”)
Then the incidents started flowing, and watching our own products in action was a thrill. We picked them up one by one and started analyzing — with plenty of help from the seasoned SOC crew, who patiently walked us through Tier 1 → Tier 2 → Tier 3 and what it really takes to run a SOC.
After a couple of days, the pattern of the work emerged, and it looked like this:

Anchoring each day were the morning standups — and these were a highlight in their own right. The team would walk through the previous day’s findings and lay out the plan for the day ahead. Listening to the experts dissect what they’d seen, share their story was motivational.
Here’s the fun part: we were effectively promoted to Tier 2 on our first day — because the Agentic SOC kicked in as the Tier 1 analyst and did the heavy lifting for us. In this era of AI and Agentic flows, We got to play with:
- Cisco XDR Agentic Incident Attack Storyboard
- Splunk Triage Agent
- Foundation AI with Cisco XDR


Innovate — we built our own AI Tier-2 analyst
Once we’d internalized the pattern, we couldn’t help ourselves — we’re engineers. So, we built AIM: AI SOC Tier-2 analyst tailored to Cisco Live.
Under the hood: Claude Opus 4.8, MCP servers for Endace and Splunk, the Conure API for XDR, and the full context of the Cisco Live environment baked in. The result was a bundle that takes a single XDR incident and — agentically — walks XDR → Endace → Splunk, then emits a detailed report with findings and a recommendation.
A lot of folks enjoyed working with it. Even though the product was created closer to the end of SOC, it automated a chunk of our job, and it surfaced with some genuinely cool incidents along the way.
I’ve written a separate deep-dive on how we built this. See – “AIM – Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026”

Educate — the XDR booth and a great crowd
I also got to work on the sidelines of the Splunk Security booth, helping demo Cisco XDR — explaining how it does AI defense vs. AI attackers, fielding customer questions, and showing why the portfolio stands out.
The people were the highlight. Customers, partners, fellow engineers, threat hunters, solution specialists — even the LA28 Olympics solution engineers were in the SOC, and I learned a ton from them. Demoing XDR Attack Storyboards and showing how our products power an Agentic SOC sparked great conversations, and the innovation was very positively received — feedback and suggestions I’m bringing straight back to our product engineering.
Protect — from simple to complex, one after another
And then there were the incidents themselves. From something as simple as a malicious website access to genuinely complex multi-stage incidents, it was satisfying to work them as a team — checking one after another, coordinating with the NOC, all in service of keeping Cisco Live safe.
We focused our attention on three things:
- Attacks on the network or attendees
- Compromised devices
- Insecure attendee communications that could expose confidential documents
Bonus — threat hunting with Splunk ES
A great add-on was getting to threat hunt in Splunk Enterprise Security. Using entity analytics, SPL queries, and the other analytics, it was nice to see how complex, hypothesis-driven hunting comes together on the Splunk platform.

After hours — because it’s Vegas
Let’s be clear: Vegas is a great place to do this. Days were all SOC, but the evenings were all fun. We caught Cirque du Soleil’s “O” (worth seeing again, every time), enjoyed the Maroon 5 concert, and generally soaked in the city after hours. The mix — adrenaline on the SOC floor by day; the Strip lit up by night — is a big part of why the whole week felt unforgettable.
The last day — a broken-hearted farewell
On the final day, we left with broken hearts — watching SOC wrap up, packed up, and the adrenaline rush quietly wind down. A week earlier we’d plugged those cables in; now it was being dismantled.
It was, simply, one of the most fun and rewarding things I’ve done. (PS : Flaunting the SOC T-shirts was fun)
Acknowledgements
A heartfelt thank you to Cisco and the entire SOC team — you are all amazing.
- To Jessica Bair Oppenheimer, Tony Harrison and our other leaders, for the opportunity.
- To the Cisco XDR, Splunk, Secure Access, and Secure Firewall engineering teams.
- To our Endace partners, for the packet-capture superpower and the great collaboration.
- To the NOC team, for the partnership all week.
- To every seasoned SOC analyst who patiently leveled us up from Tier 1 to Tier 2.
- To Abhishek Dubey, and Pujan Trivedi for being part of the journey throughout.
Check out the other blogs from our team at the Cisco Live Americas 2026 SOC at Las Vegas:
- Building the Agentic SOC at Cisco Live Americas 2026
- Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026
- The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth
- What Working the Cisco Live SOC Taught Me About AI, Detection, and Response
- Educate at Event Speed: Inside the Cisco Live SOC
- Elevating Expertise in the SOC
- Machine Speed, Human Judgement: How AI Changed the SOC in 2026
- SharpHound Recon Attack – How AI enhanced the threat hunt
- Endace: Using LLMs and Endace Full Packet Capture for Incident Response
- Endace: Never Underestimate Cisco Live!
- Endace: Supporting Encryption vs. Using Encryption: When the best laid plans go astray