During Cisco Live EMEA we noticed a variety of AI tools being used across the network. Let’s take a closer look at which tools were seen in the network traffic.
An incident involving the malicious domain 'clawbot.ai', which resembled legitimate AI tools, prompted an investigation into AI tool usage across the Cisco Live EMEA network. The primary goal was to understand the popularity and trends of various AI platforms by analyzing network traffic, specifically focusing on DNS data.
The first method utilized Cisco Secure Access DNS telemetry ingested into Splunk, specifically querying events categorized under 'Generative AI'. This analysis revealed that generative AI-related DNS queries constituted less than 5% of total DNS requests during the five-day conference. ChatGPT, Claude, and Cursor were identified as the most popular AI tools based on the volume of DNS events.
The second, more refined approach involved creating a curated Splunk lookup table containing domains of common AI tools like ChatGPT, Claude, Copilot, and Gemini. By mapping DNS queries against this table, the analysis precisely quantified usage by platform. ChatGPT emerged as the most dominant platform with over 11,000 unique client systems, significantly surpassing Anthropic's Claude and Microsoft Copilot, highlighting a diversified yet OpenAI-led AI ecosystem.
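The lookup-table mapping described above, as an added example that is not the Splunk search or lookup used in the original analysis; it goes slightly further than counting by also listing the queried names the table did not match. The domain table, client addresses and DNS queries are constructed assumptions.

```python
from collections import defaultdict

# Constructed lookup table (assumption, not the article's): domain -> platform.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "anthropic.com": "Claude",
    "copilot.microsoft.com": "Copilot",
    "gemini.google.com": "Gemini",
}

# Constructed DNS events: (client address, queried name).
SAMPLE_EVENTS = [
    ("10.0.0.11", "chatgpt.com."),
    ("10.0.0.11", "api.openai.com"),
    ("10.0.0.12", "ChatGPT.com"),
    ("10.0.0.12", "claude.ai"),
    ("10.0.0.13", "api.anthropic.com"),
    ("10.0.0.14", "copilot.microsoft.com"),
    ("10.0.0.15", "clawbot.ai"),
    ("10.0.0.16", "chatgpt.com.login.example"),
    ("10.0.0.16", "notclaude.ai"),
]

def platform_for(qname):
    """Return the platform whose domain equals qname or is a parent of it."""
    labels = qname.rstrip(".").lower().split(".")
    # Try the full name, then shorter suffixes, on label boundaries only,
    # so "notclaude.ai" and "chatgpt.com.login.example" do not match.
    for i in range(len(labels) - 1):
        platform = AI_DOMAINS.get(".".join(labels[i:]))
        if platform:
            return platform
    return None

def summarize(events):
    """Count unique clients per platform; collect names the table missed."""
    clients = defaultdict(set)
    unmatched = set()
    for client, qname in events:
        platform = platform_for(qname)
        if platform:
            clients[platform].add(client)
        else:
            unmatched.add(qname.rstrip(".").lower())
    counts = {p: len(c) for p, c in clients.items()}
    return counts, sorted(unmatched)
```

Calling `summarize(SAMPLE_EVENTS)` returns the per-platform unique-client counts and the unmatched names, which is where a lookalike such as 'clawbot.ai' would surface for review.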
The research confirmed that generative AI tools are no longer experimental but are widely adopted and actively used in real-world enterprise environments, with ChatGPT being the clear leader. These findings underscore the critical need for security teams to maintain comprehensive visibility into AI tool access, ensure users interact only with legitimate services, and remain vigilant against malicious domains masquerading as trusted AI platforms to mitigate evolving cyber risks. Future projects include running AI models on-premises.