There’s nothing quite like the energy of the Black Hat Network Operations Center (NOC). I’ve been lucky to experience it three times before—twice in Las Vegas and once in London—and each time I walked away with new lessons, stories, and a deeper respect for the community that makes it all happen.
This year, I had the opportunity to return once again, but under a different banner. A new company, a new NDR platform, and a new team of colleagues meant that I wasn’t just coming back to a familiar mission, I was approaching it with fresh perspectives and fresh tools. Some faces may have been different, but the goal was the same: keep the Black Hat network secure, resilient, and transparent for thousands of attendees who put it to the test in ways you rarely see outside of this conference. That goal is only possible thanks to the collaboration between vendors and engineers across the industry—including our partners Cisco, Arista, Palo Alto Networks, and Lumen—who bring critical technology, services, and expertise to the table.
One of the most striking differences this year compared to my past Black Hat experiences was the type of traffic we observed. In previous years, it wasn’t unusual to see attendees carrying malware on their devices or even engaging in outright malicious activity on the network. That background noise of hostile traffic was always present and part of what made the NOC so intense. This year, that noise was noticeably quieter. Instead of malware-laden devices or obvious attacks, what stood out was the sheer volume of insecure communications from a wide range of applications.
This shift changed the focus of my own work. Rather than triaging malicious activity, I spent much of my time digging into these insecure protocols, weak configurations, and application traffic that exposed far more than users likely realized. That trail eventually led me to one of my most interesting findings of the week: an unsecured corporate messaging application transmitting sensitive data in the clear.
While reviewing HTTP activity across the Black Hat Training network, Corelight’s NDR platform flagged several sessions where passwords appeared to be transmitted in clear text. A closer look confirmed it: login credentials were being sent without encryption.
To understand the scope of the exposure, we pivoted on the unique user-agent string associated with the activity. That allowed us to quickly identify all sessions tied to the same login behavior, and what we uncovered was alarming.
One attendee was using an official corporate messaging application from their employer, a Korean company. Much like Slack or Teams, this app allowed employees to communicate in group channels and access internal resources. Unfortunately, every time the user logged in, the application authenticated over HTTP, exposing not only their username and password but also their company name, email address, and internal department.
The situation escalated when the user downloaded a ZIP archive through the same application. Because the transfer was unencrypted, the file was captured and inspected—and it turned out to be the company’s entire employee database. This included names, birth dates, marital status, email addresses, departments, and more, covering not only active staff but also employees who had left the organization years earlier.
We tracked down and notified the attendee, but this was far from an isolated case. In fact, there were so many instances of exposed credentials during the week that we had to begin prioritizing which cases to escalate, simply due to the volume.
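The flag-then-pivot workflow described above, sketched as an added example (not Corelight's code or detection logic): it scans Zeek-style `http.log` JSON records for credential parameters sent over HTTP, then gathers every session that shares a flagged user-agent. The records, hostnames, user-agent string, credential key list and the `post_body` field are constructed assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as credentials (an assumed, non-exhaustive list).
CRED_KEYS = {"password", "passwd", "pwd", "pass"}

# Constructed sample records in the style of Zeek http.log JSON output.
# "post_body" is a hypothetical field: stock http.log does not carry request bodies.
SAMPLE_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","host":"chat.example.test","method":"POST","uri":"/api/login","user_agent":"ExampleMessenger/1.0","post_body":"user=alice&password=REDACTED"}
{"uid":"C2","id.orig_h":"10.0.0.5","host":"chat.example.test","method":"GET","uri":"/files/export.zip","user_agent":"ExampleMessenger/1.0"}
{"uid":"C3","id.orig_h":"10.0.0.9","host":"news.example.test","method":"GET","uri":"/index.html","user_agent":"Mozilla/5.0"}
{"uid":"C4","id.orig_h":"10.0.0.7","host":"chat.example.test","method":"GET","uri":"/auth?id=bob&pwd=REDACTED","user_agent":"ExampleMessenger/1.0"}
"""

def has_cleartext_credential(rec):
    """True if an HTTP request carries a credential-like parameter or Basic auth."""
    if rec.get("password"):  # http.log's Basic-auth password field, when it is populated
        return True
    params = parse_qsl(urlsplit(rec.get("uri", "")).query, keep_blank_values=True)
    params += parse_qsl(rec.get("post_body", ""), keep_blank_values=True)
    return any(k.lower() in CRED_KEYS for k, _ in params)

def pivot_on_user_agent(lines):
    """Flag credential-bearing requests, then collect every session sharing their user-agent."""
    records = [json.loads(l) for l in lines.splitlines() if l.strip()]
    flagged_agents = {r.get("user_agent") for r in records if has_cleartext_credential(r)}
    flagged_agents.discard(None)
    by_agent = defaultdict(list)
    for r in records:
        if r.get("user_agent") in flagged_agents:
            by_agent[r["user_agent"]].append(r)
    return dict(by_agent)

def summarize(by_agent):
    """Per user-agent: distinct clients, hosts and session uids, for triage ordering."""
    return {
        ua: {
            "clients": sorted({r["id.orig_h"] for r in recs}),
            "hosts": sorted({r["host"] for r in recs}),
            "uids": [r["uid"] for r in recs],
        }
        for ua, recs in by_agent.items()
    }

if __name__ == "__main__":
    print(json.dumps(summarize(pivot_on_user_agent(SAMPLE_LOG)), indent=2))
```

The pivot pulls in session C2, the ZIP download, even though it carries no credential itself, which is how a follow-on file transfer ends up in the same investigation as the login.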
When the conference wrapped up, I was both exhausted and grateful. Exhausted from the pace and the constant stream of analysis, but also grateful for the opportunity to learn from such an experienced group of peers and to contribute to a mission that matters. Each time I’ve been part of the NOC, I’ve walked away sharper than before, and this year was no different.
A huge thank you to the Black Hat team and to our partners Cisco, Arista, Palo Alto Networks, and Lumen for helping make this year’s NOC a success. I’m already looking forward to the next opportunity to join the crew and see what new challenges and discoveries await.