Splunk.conf: Cisco and Splunk expand agentic SOC vision

At Splunk’s annual .Conf event, the Cisco-backed observability and data security specialist made its first run at the agentic artificial intelligence (AI) enhanced security operations centre (SOC), unveiling two agent-powered security operations (SecOps) tools for users to explore.

In a Tuesday keynote address, Splunk security senior vice president and general manager Mike Horn said that SecOps must evolve, and that the need to simplify workflows, accelerate and enhance SOC operations, and expand detection capabilities and threat visibility was clear.

Splunk Enterprise Security Essentials Edition and Splunk Enterprise Security Premier Edition – delivered within version 8.2 of the firm’s Enterprise Security (SEC) security information and event management (SIEM) solution – unify a number of security workflows in the threat detection, investigation and response (TDIR) sphere.

Essentials Edition unifies SEC 8.2 with Splunk AI Assistant in Security and is available today, while Premier goes a step further adding Splunk SOAR and Splunk UEBA, and enters controlled availability later in September.

Splunk and Cisco – which have made significant and speedy progress on technical integration since coming together in 2024 – claim that the new features will place agentic AI at the heart of the SOC in order to extend security intelligence across the network.

“Our security offerings unify detection, investigation, and response into a single, intuitive workspace, eliminating tool fragmentation and significantly boosting efficiency,” said Horn.

“Built-in AI can help cut alert noise and reduce investigation time from hours to minutes. Now every SOC is better positioned to stay ahead of advanced threats and empower analysts at every level.”

“With today’s increasingly sophisticated threats and sprawling attack surfaces, security teams can’t afford to waste time switching between fragmented tools and operating with siloed visibility,” added Michelle Abraham, research director for security and trust at IDC.

“By integrating multiple security capabilities into a single, cohesive environment, security platforms empower organisations to move from reactive to proactive security, streamlining workflows, improving detection and response, and ultimately reducing risk.”

In addition to this, parent Cisco plans to release a number of additional AI features to power the agentic SOC, with the intent of enabling cyber pros to keep focus on more strategic aspects of their roles while agent bots sift the raw security data and perform proactive, autonomous SecOps.

Some of the agentic capabilities in development include: triaging, to evaluate, prioritise and explain security alerts; malware reversal, to explain malicious scripts; playbook authoring, to translate natural-language intent into functional SOAR playbooks; a response importer, using multi-modal large language models (LLMs) to import standard operating procedures into security response plans; a detection library, to help turn detections from hypotheses into production; and a personalised detection SPL generator, to tailor detections within the library to the customer’s own SOC environment.

Additionally, Splunk expanded the integration of Cisco Isovalent Runtime Security (eBPF) into Splunk, enhancing workload visibility and making it easier to pinpoint issues, and announced that Splunk Cloud Platform’s Federated Search for Amazon S3 and Security Analytics and Logging (SAL) will allow cyber pros to run security analytics directly on Cisco firewall logs stored in SAL, without needing to ingest them into Splunk first.

These features and capabilities will come on-stream within the next 12 months.

Era of simplification

Speaking to Computer Weekly at .Conf, James Hodge, Splunk GVP and chief strategy advisor for EMEA, said that the advent of the agentic SOC heralded an era of simplification for cyber security professionals, describing the underlying technology as “phenomenally complicated” in many ways.

“I was really encouraged, and really excited this week, because from a user perspective we’re simplifying all of that. We’re abstracting that complexity, and just surfacing what you need,” said Hodge.

“For anyone that works with it, the word I’d use is liberating, because you’re no longer battling with tools or techniques, you’re able to go and get that question answered so you can go and progress,” he added. “For people, it means they can get on with doing what they’re paid to do.”

