For nearly a decade, Cisco has secured Black Hat events with Umbrella DNS security. This year, we took another step forward and deployed Cisco Secure Access, the evolution of Umbrella into a full Security Service Edge (SSE) platform. While Secure Access delivers comprehensive protection including secure web gateway, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and remote browser isolation, we focused its power on where Black Hat needed it most: DNS-layer security and visibility.
Our team arrived in London armed with insights from Black Hat USA 2025, where we successfully implemented encrypted DNS blocking and refined our detection strategies. The ApateWeb campaign—that persistent PUP delivery operation using distinctive two and three-word domain patterns—remained on our radar.
At Black Hat Europe, our monitoring confirmed the campaign’s continued activity, though at notably lower volumes. We detected only two ApateWeb-associated domains during the conference: gossippass.com and kettledroopingcontinuation.com. This represented a significant decrease compared to US events. For more detailed technical characteristics of this campaign, see our previous analysis.
DNS Year-Over-Year Statistics
This year, we saw over 66.1 million DNS queries, as more attendees decided not to connect to the conference network vs recent years.
We can see the jump in queries due to forced DNS redirection at the edge, and the drop due to the expansion of Apple Private Relay (see previous blog section for detailed analysis).
The top categories for 2025 (and 2024) are below.
Secure Access tracks unique apps connecting to network. We saw a marked a large increase in GenAI. If needed, we can block apps that demonstrate a threat to the conference.
| 2021: 2,162 apps | 2024: 4,902 apps |
| 2022: 4,159 apps | 2025: 6,008 apps |
| 2023: 4,340 apps |
Duo Directory
We also used Duo Directory as the Single Sign-On provider for Black Hat, allowing rapid provisioning of tools, with role-based permissions, as part of our zero trust architecture, with new integrations with partners Jamf and Arista.
See you at Black Hat Asia!
You can read the other blogs from our colleagues at Black Hat Europe.
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Cisco Security Social Media
