Barcelona is a metropolis of marvel, outlined by the architectural genius of Antoni Gaudí. For the 100,000+ attendees of the Cellular World Congress 2026, these landmarks have been must-see locations. However the place there’s excessive curiosity, there’s excessive alternative for cybercriminals.
This was a part of the backdrop for our mission in early March. As essentially the most influential mobility and networking occasion on the planet, MWC 2026 was a whirlwind of innovation. On the heart of this high-stakes surroundings, our crew was on the bottom, working the Safety and Community Operations Middle (S/NOC) to make sure that the huge infrastructure powering the occasion remained bulletproof, and the attendees utilizing its community have been safe.
Our SOC was primarily based on cutting-edge applied sciences offered by Cisco, consisting of the just lately launched AI prepared ultra-high-end Safe Firewall 6160, our main Safety Service Edge answer Cisco Safe Entry , our AI safety answer Cisco AI Protection, our premium SIEM answer Splunk Enterprise Safetyand our cloud-native detection and response answer Cisco XDR.
Safe Entry
Because of the nature of the occasion, we have been solely utilizing the DNS capabilities of Safe Entry, additionally out there within the Safe Entry DNS Protection answer, with safety utilized on the DNS stage. The DNS queries of the related units have been forwarded to the Safe Entry public resolvers the place we block threats earlier than a connection is established. All the safety occasion logs have been pushed on to XDR, whereas Splunk ES was pulling all of the anonymised logs, and AI Protection was gathering App Discovery logs for Generative AI functions to present extra insights of the AI fashions used on the community of the occasion.
Splunk Platform
Within the picture above, you may see a customized dashboard we created on Splunk ES consuming all of the logs it was receiving from the Firepower Menace Protection 6160 firewall, and the DNS requests despatched to the Safe Entry public resolvers. On this particular screenshot, we’re displaying the info for the final seven days from the afternoon of the final day of the occasion, the 5th of March (as an alternative of the final 24 hours showing on the titles of the graphs, which was what we have been usually observing).
Please be aware that the community of the venue stays protected on the DNS stage by Cisco Safe Entry outdoors the occasion. Consequently, there are DNS logs outdoors the dates of the MWC, because the community was actively used in the course of the setup.
XDR
Within the customised XDR dashboard under, you may see some high-level info extracted from the DNS visitors of the community. This contains the overall variety of DNS requests for the final 30 days, and the blocks for Malware, Command and Management, and Phishing for a similar interval.
There are once more occasions outdoors the dates of the MWC. It’s value noting {that a} phishing marketing campaign seems to have taken place on the venue throughout a earlier occasion in mid-February.
On the right-hand aspect, you may see incidents that have been robotically created on XDR after correlating the DNS logs from Safe Entry and the firewall logs from the FTD 6160, and MITRE ATT&CK Incidents.
AI Protection
Whereas Generative AI is a strong instrument, it imposes vital dangers that organisations want to pay attention to and handle accordingly. In the picture under, you may see an App Discovery report from AI Protection displaying the AI functions found on the community of the venue. The Composite Threat Rating happens by combining Enterprise Threat, Utilization Threat, and Vendor Compliance to calculate a standardised measure of the chance they could suggest.
Entry to those AI fashions may be managed with Safe Entry to safe AI aside from simply leveraging AI for safety. In a non-anonymised surroundings the place the visitors is routed by means of the Safety Service Edge (SSE)’s cloud-hosted Safe Internet Gateway, the functions may be scanned to implement AI guardrails by means of the Safe Entry DLP (information loss prevention) coverage and management what information is shipped to the AI functions, whereas tenant controls may also be utilized.
When the guard is down
Whereas attendees have been busy planning their sightseeing outdoors the occasion, attackers have been busy crafting traps. We noticed a surge in subtle phishing campaigns focusing on the very individuals attending the convention. Fraudsters stood up convincing, pretend web sites completely mimicking official ticket portals for the town’s prime sights, designed to reap bank card particulars and drain accounts earlier than the victims even reached the entrance doorways of the breath-taking Basílica de la Sagrada Família on this instance.
It was a stark reminder: even essentially the most seasoned tech consultants who spend their careers constructing defenses and searching threats might go away a digital door unlatched once they step away from work. The identical AI-powered vigilance we apply to world enterprise networks is simply as vital in our private digital lives. At MWC 2026, we weren’t simply monitoring the community; we have been witnessing a masterclass in how rapidly a second of leisure can flip into fraud.
Throughout the occasion, Safe Entry blocked entry to a kind of phishing domains.
Whereas Safe Entry was implementing solely on the area stage, with XDR Examine we might correlate logs from each Safe Entry and the FTD 6160 firewall to offer additional info, like the precise URLs customers tried to entry, showing as Attributes on the right-hand backside of the picture above.
Safe Entry Examine, as showing above, gives real-time actionable risk intelligence by analysing world information from the Safe Entry community utilizing AI to detect, rating, and predict rising threats. It permits safety groups to proactively uncover malicious infrastructure (domains, IPs, ASNs) and speed up incident investigation by means of API-driven, high-context information enrichment.
XDR can then correlate occasions additional to present extra Incidents which aren’t as apparent because the above phishing occasion. Its AI-powered incident evaluation (showing above) gives AI-generated Classification, Affect, and a Abstract together with the Reasoning, Proof and Detections for each incident. The extra AI-generated Evaluation and Suggestions are invaluable for the integrations with Safe Entry and Splunk ES to automate responses for each incident, whereas they facilitate escalations to senior safety analysts when additional handbook motion is required. On this particular case, XDR categorised this incident as a possible false optimistic with medium confidence. Based mostly on that, the SOC crew can prioritise different incidents of upper precedence.
Concluding
The AI-powered Safety and Community Operations Middle (S/NOC) at Cellular World Congress 2026 demonstrated Cisco’s dedication to leveraging cutting-edge applied sciences to safe and optimise large-scale, high-profile occasions. By integrating superior options such because the AI-ready Safe Firewall 6160, Cisco Safe Entry, Cisco AI Protection, Splunk Enterprise Safety, and Cisco XDR working all collectively as a single platform, the S/NOC offered complete, multi-layered safety that proactively blocked threats, together with phishing campaigns, and delivered actionable insights by means of AI-driven analytics and correlation.
This deployment highlighted the ability of mixing AI, automation, and unified safety telemetry to boost risk detection, investigation, and response in actual time, whereas additionally enabling granular management over AI software utilization. The occasion underscored the significance of a holistic, AI-enabled safety structure that not solely protects vital infrastructure but additionally educates and innovates to remain forward of evolving threats in advanced environments with various person populations.
Take a look at the classes discovered from the Occasion SOCs we deploy all over the world, with the white paper and newest blogs.
We’d love to listen to what you assume! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
