During Cisco Live EMEA we noticed a variety of AI tools being used across the network. Let’s take a closer look at what tools were seen in the network traffic.
My interest was piqued when an incident regarding clawbot[.]ai popped into the XDR incident queue. This incident was generated from security intelligence events detected by Cisco Secure Firewall. The incident shows two machines connected to the domain clawbot[.]ai which is marked malicious by Talos and alphaMountain.ai threat intelligence. The domain clawbot[.]ai closely resembles naming patterns used by legitimate AI agent tools, raising the possibility that it may be a typo-squatted domain designed to impersonate or capitalize on user interest in emerging AI platforms.

This quick investigation led me down a separate path of wanting to understand AI tool usage across the network. To better understand which AI tools are the most popular I decided to dig into DNS data. DNS serves as the foundation for nearly all Internet communications—before a device can connect to a cloud-hosted AI platform such as ChatGPT, Claude, or Copilot, it must first resolve the service’s domain name. This makes DNS an excellent high-fidelity indicator of user intent, even if the application itself is encrypted.
Additionally, Cisco Umbrella enriches DNS activity with security intelligence and content categorization, allowing us to not only identify which AI platforms were accessed, but also understand trends, popularity, and potential risks associated with emerging or suspicious AI-related domains.
To quantify AI tool usage across the network, we leveraged Cisco Secure Access DNS telemetry ingested into Splunk. DNS logs provide detailed records of domain resolution activity, including the queried domain, source IP, action taken, and Secure Access’ security and content categorization. Our analysis used two complementary approaches.
First, we queried DNS events categorized under Secure Access’ Generative AI classification to identify emerging and long-tail AI-related destinations. This allowed us to discover AI services beyond well-known platforms and understand broader generative AI adoption trends.
Here is the Splunk query and the results specifically searching for Umbrella DNS events that have been categorized as Generative AI.


The results show the top destination domains by DNS events and by unique clients. ChatGPT, Claude and Cursor seem to be quite popular, judging by the number of DNS events. This search queries five days’ worth of DNS logs, which is a massive amount of data, so we can only estimate that Generative AI related DNS queries made up less than 5% of the total DNS queries on the network. We arrived at this estimate by taking, for each day, the number of DNS requests categorized as Generative AI, dividing it by the total number of DNS requests that day, and averaging the result across the five days of the conference. It will be interesting to see how this number changes from conference to conference.
Second, we created a curated lookup table of common AI tool domains—including ChatGPT, Claude, Copilot, Gemini, and others—and used Splunk’s lookup functionality to map DNS queries to specific AI platforms. This enabled us to aggregate usage by platform and measure both total DNS activity and the number of unique client systems interacting with each tool.
Here is the CSV file added to Splunk as a lookup table. This avoids running multiple regex matches within the SPL search, helping the search complete faster.

Here is the exact SPL using the lookup table and the results of the search.
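The same two calculations, sketched offline in Python as an added example (this is not the SPL or the CSV from this post): a lookup table maps queried domains to AI tools, events and unique clients are counted per tool, and the Generative AI share is averaged per day. The lookup rows, the column names `domain` and `ai_tool`, the event tuples and all function names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup table (assumed columns: domain, ai_tool); not the CSV from the post.
LOOKUP_CSV = """domain,ai_tool
chatgpt.com,ChatGPT
openai.com,ChatGPT
claude.ai,Claude
gemini.google.com,Gemini
"""

# Constructed DNS events: (day, source_ip, queried_domain, categorized_generative_ai)
EVENTS = [
    ("day1", "10.0.0.5", "chatgpt.com", True),
    ("day1", "10.0.0.5", "cdn.openai.com", True),
    ("day1", "10.0.0.7", "claude.ai", True),
    ("day1", "10.0.0.7", "example.com", False),
    ("day2", "10.0.0.9", "chatgpt.com.", True),
    ("day2", "10.0.0.9", "notchatgpt.com", False),
]

def load_lookup(text):
    return {r["domain"].lower(): r["ai_tool"] for r in csv.DictReader(io.StringIO(text))}

def tool_for(domain, lookup):
    """Match the query or any parent domain, on label boundaries only."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        tool = lookup.get(".".join(labels[i:]))
        if tool:
            return tool
    return None  # look-alike names such as notchatgpt.com fall through

def usage_by_tool(events, lookup):
    counts, clients = defaultdict(int), defaultdict(set)
    for _day, src, domain, _cat in events:
        tool = tool_for(domain, lookup)
        if tool:
            counts[tool] += 1
            clients[tool].add(src)
    return {t: (counts[t], len(clients[t])) for t in counts}  # (events, unique clients)

def avg_daily_genai_share(events):
    total, genai = defaultdict(int), defaultdict(int)
    for day, _src, _domain, cat in events:
        total[day] += 1
        genai[day] += int(cat)
    return sum(genai[d] / total[d] for d in total) / len(total)
```

Matching on label boundaries keeps a look-alike domain from being counted as the legitimate tool, so such names stay visible for separate review.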

Below is a chart of the AI Tool Usage by DNS requests.

Among all observed tools, OpenAI’s ChatGPT stood out as the most widely used AI service by a significant margin. More than 11,000 unique client systems queried ChatGPT-related domains, far surpassing the next most popular tools, Anthropic’s Claude and Microsoft Copilot. Google Gemini also saw meaningful adoption, while newer or more specialized platforms such as xAI Grok, Mistral, and DeepSeek appeared in smaller but still notable numbers. The strong presence of Claude, Copilot, and Gemini highlights growing diversification in the AI ecosystem, particularly as vendors integrate AI capabilities directly into productivity tools and development workflows.
As generative AI continues to become embedded in daily workflows, security teams must maintain visibility into how these tools are accessed, ensure users are interacting with legitimate services, and remain vigilant against malicious infrastructure masquerading as trusted AI platforms.
Ultimately, the data confirms what many security practitioners have observed anecdotally: generative AI is no longer experimental—it is actively and broadly used in real-world enterprise environments. Cisco Live EMEA provided a unique snapshot of this shift, with ChatGPT clearly emerging as the dominant AI platform based on observed DNS activity. ChatGPT’s early market entry, strong brand recognition, and broad applicability across use cases, from coding assistance to research and troubleshooting, have made it the default AI assistant for many users.
Stay tuned for our next event: RSAC Conference in San Francisco. We have more AI projects to come, including running models on premise, using an Nvidia GPU in our ‘SOC in a Box’!
Check out the other blogs from our SOC team in Amsterdam 2026.