In the very recent past (Cisco Live Americas and RSAC Conference) we ran our 'SOC in a Box' on 10-year-old hardware. As we tried to keep up with new demands, we started having issues with scaling and resources being available to us. Because of these issues, we refreshed the entire box, thanks to the support of Michelle Hermosillo, Senior Director of Operations for Threat Detection and Response, who has been a long-time champion of the SOC.
We went from using a single 4100 Firewall to dual 3130s, so the firewall is no longer a single point of failure for us. We had two UCS M5s and, while we kept those, we added a single M8 with Nvidia GPUs for AI workloads. We replaced the single Catalyst 3850 switch with a Catalyst 9500X and a Meraki MS125. We added two Meraki APs for local access to the SOC infrastructure and for our analysts to have internet access.
Additionally, our partner Endace donated some hardware to provide full packet capture capabilities to the SOC.
In this image you can see how we diagrammed it out and what we actually ended up with:
Because we did a "rip & replace", everything in this box had to be configured from scratch, with about a week to do it from the install time to the time the box needed to be shipped out. First, I went onsite, removed all the gear, installed the new gear, and got the Firewall running; then I had to get the UCSs running so we could run more services.
Once those two were done, I installed the Secure Access Resource Connector and Secure Access Umbrella DNS virtual appliances. This enabled us to get remote access to the firewall, switch, Endace probes, and the UCSs running ESXi. Since I needed to leave after about 36 hours of being there to get it all running, the rest needed to be done remotely.
That's why I did it in the order below:
- Remove old gear
- Rack new gear
- Firewall setup (self-managed)
- UCS setup
- Cable management
- ESXi install
- Secure Access Umbrella virtual appliance
- Secure Access Resource Connector
Following these steps, the box is reachable remotely, and the remaining services can be installed and configured from anywhere.
Once I was back home, I had a week to get as much set up as possible before the gear needed to be shipped to the GovWare event. I was able to get the Firewall Management Center, Cisco Telemetry Broker, Secure Network Analytics, additional DNS servers, a DHCP server, and a few other services set up. The Splunk team was able to set up a Heavy Forwarder for us as well, and that played a pivotal role in our success onsite.
Here, you can see most of the services that were set up beforehand, with a few more being added once we got there:
The SOC in a Box then flew from Singapore to Melbourne for Cisco Live APJ. From there, it will go to Cisco Live Amsterdam 2026 and RSAC 2026 Conference, before Cisco Live Americas 2026. It is a well-traveled Box, with state-of-the-art hardware to support the Cisco Events SOC team.
Check out the other blogs by my colleagues in the GovWare SOC.
About GovWare
GovWare Conference and Exhibition is the region's premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.
A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.
Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.