Accelerating Security Operations with Splunk and Foundation AI’s First Open-Source Security Model

Cisco Foundation AI’s Foundation-sec-8b model brings a new wave of innovations and efficiency to security operations. As a purpose-built, open-weight Large Language Model (LLM) designed specifically for cybersecurity, Foundation-sec-8b enables security teams to act faster, reduce fatigue, and scale operations without compromising accuracy. Its domain-specific training on real-world security data - such as vulnerability databases, MITRE ATT&CK frameworks, and threat intelligence reports - ensures unparalleled relevance and effectiveness for security workflows.

Value for Security Operations

Splunk enables a robust data collection and advanced analytics across all security relevant data. Now with Foundation AI’s model, literally any part of this data collection can be combined and enriched with AI. Security teams can elevate their ability to detect, analyze, and respond to threats, delivering better outcomes across the entire security lifecycle. Regardless if you work with core Splunk Enterprise or Splunk Enterprise Security, your most valuable security data can be enhanced with AI analytics at machine speed. This can include detection engineering, investigation workflows or accelerated threat hunting with LLM models - just to name a few examples.

Ease of Integration

A key differentiator of the Splunk platform is how quick and easy any advanced AI models can be integrated. The Splunk App for Data Science and Deep Learning (DSDL) allows seamless integration of Foundation-sec-8b, available via Hugging Face. This means security teams can quickly embed the model into their existing workflows and more importantly with their own specific security data to tackle their security challenges with the help of AI.

There are different ways to serve the model. On the basic level you can simply load the model with the transformers python library and run it for fast inference on a GPU. In a similar way you can use tools like vLLM or ollama to load the model and serve it. However not every model might be readily available in every tool, so you would need to check what’s available in your environment.

Using the latest features of DSDL 5.2 that enable highly customizable LLM and RAG based AI operations, we were able to easily get a few quantized versions of the model loaded over ollama by using the UI of DSDL as shown in the following image:

Being an open-weight model, Foundation-sec-8b offers deployment flexibility - whether on-premises, air-gapped, or in secure cloud environments - while maintaining full control over data privacy and compliance. Security teams gain access to cutting-edge AI without sacrificing security or operational control. However, please also take into consideration to robustly secure and monitor your systems as AI security is an additional topic to keep in mind for mission critical applications. Splunk’s observability and security solutions can be greatly helpful alongside Cisco’s AI Defense to protect and secure your AI applications.

A Note about Quantization

Quantization is the process of reducing the precision of a machine learning model's weights and activations—typically from 32-bit floating point to lower-bit representations such as 8-bit or even 4-bit integers. This technique significantly reduces the model's memory footprint and computational requirements, allowing it to run more efficiently on a wider range of hardware, including edge devices and constrained cloud environments. For large language models like Foundation-sec-8b, quantization is a critical step in making the model more accessible and practical to deploy at scale, especially when real-time responsiveness or limited GPU availability is a concern.

For SOC analysts and Splunk customers, quantization of the Foundation-sec-8b model is particularly impactful. Many security teams operate under strict performance, budget, and compliance constraints, where deploying full-precision models may not be feasible. A quantized version of foundation-sec-8b makes it possible to integrate AI-driven insights directly into security workflows—such as alert triage, detection engineering, and threat investigation—without needing expensive GPU infrastructure or sacrificing response times. This aligns perfectly with the operational demands of modern SOCs, enabling teams to harness advanced AI capabilities in environments that prioritize speed, cost-efficiency, and reliability.

The AI for security community has already produced several quantized checkpoints of Foundation-sec-8b and published them on Hugging Face, allowing teams to experiment right away. The Foundation AI team will also release an officially supported, high-quality quantized build in the coming days, giving SOC teams a ready-to-deploy option that balances accuracy and efficiency while preserving the open-weight flexibility that security operations demand.

Use Cases and Future Applications

The combined capabilities of Splunk AI and Cisco’s Foundation-sec-8b unlock multiple use cases, including:

• Adding Context: Merge and fuse security data with the right context insights quickly to accelerate your security investigations
• Automating Alert Triage: Summarize incidents and prioritize alerts with AI-driven insights.
• Proactive Threat Defense: Simulate attacks, identify vulnerabilities, and model threats tailored to organizational infrastructure.
• Streamlining Investigations: Extract critical information from unstructured logs, threat intelligence and incident reports.

In this blog, we delve into how the Foundation-sec-8b model integrates with Splunk DSDL to enhance security operations through two practical examples.

Example 1: Analyze security events in Splunk Enterprise Security

Splunk Enterprise Security (ES) is a powerful tool that generates security events by processing log data and applying detection rules. For security analysts, understanding these events in depth is essential for effective investigation and triaging. However, the process of translating raw event data into actionable insights can be time-consuming and complex. This is where the Foundation-sec-8b model steps in, offering significant value by accelerating security operations.

By leveraging the model, analysts can transform raw event data into natural language summaries and gain recommendations for investigation steps. To utilize the Foundation-sec-8b model for security event analysis, Splunk users can execute the simple SPL query below. This query searches the security event index and sends the raw event data to the Foundation-sec-8b model using the Fit command from Splunk DSDL. Along with the event data, a prompt is provided to guide the model: "Analyze the provided security event and summarize it".

|`es_notable_events`
| eval text=_raw
| eval Query="Analyze the provided security event and summarize it."
| fit MLTKContainer algo=llm_rag_ollama_text_processing model_name="hf.co/roadus/Foundation-Sec-8B-Q4_K_M-GGUF:Q4_K_M" 
prompt="Analyze the provided security event and tell me what is going on." 
text into app:llm_rag_ollama_text_processing as LLM 
| table text Query LLM_Result

The outcome of the SPL query is displayed in the image below, where two key fields are highlighted. The "text" field contains the raw security event data retrieved from Splunk, while the "LLM_Result" field showcases the output generated by the Foundation-sec-8b model.

The Foundation-sec-8b model, as a domain-specific large language model (LLM), follows a structured reasoning process to analyze security events. It begins by providing a concise summary of the event, offering a high-level understanding of the incident. Next, it extracts key details from the event fields, ensuring analysts can quickly access the most relevant information without having to sift through raw data manually. Following this, the model performs an incident analysis to evaluate the urgency of the event and identify critical focus areas for investigation, helping analysts prioritize their efforts. Finally, the model delivers actionable investigation steps tailored to the specific event, complete with detailed guidance related to the security incident.

By reviewing the analysis provided in the "LLM_Result" field, security analysts can easily understand the context and significance of the event, recognize its urgency and focus areas, and follow clear steps to investigate and address the incident. This streamlined approach significantly enhances the efficiency of security operations, reducing the time and effort required for manual investigation while equipping analysts with actionable insights.

Example 2: Detection content suggestion from Splunk Security Content

In security operations, configuring the correct detection rules is crucial to effectively identify and respond to threats. Splunk offers over 1,800 detection rules through the Splunk ES Content Update (ESCU) app, covering a wide range of threats and attack techniques. While this extensive library is invaluable, selecting the most relevant detections for your specific use case can often be a daunting and time-intensive task. This is where the Foundation-sec-8b model steps in again to simplify and accelerate the selection process.

In this example, the model assists in identifying the appropriate detection rules for a specific detection requirement. First, we retrieved the detection contents from the Splunk Security Content page. Following the instructions outlined in the DSDL documentation, we stored the detection rules in a vector database to facilitate efficient querying.

With the detection content prepared, we executed an SPL query to prompt the Foundation-sec-8b model with the following question: "Identify the detection rules to be used to detect malware with Cisco Firewall and the data source needed".The Fit command in the SPL query triggers a Retrieval-Augmented Generation (RAG) process through DSDL, leveraging the Foundation-sec-8b model and the vector collection named "escu_detections" containing knowledge on the detection contents.

| makeresults 
| eval query = "Identify the detection rules to be used to detect malware with Cisco Firewall and the data source needed" 
| fit MLTKContainer algo=llm_rag_script model_name="hf.co/roadus/Foundation-Sec-8B-Q4_K_M-GGUF:Q4_K_M" collection_name="escu_detections" top_k=2 query into app:llm_rag_script as RAG
| table query RAG_Response

The output of the SPL query is displayed in the image below. Based on the knowledge retrieved from the vector database, the Foundation-sec-8b model recommended two specific detection rules: "Cisco Secure Firewall - Malware File Downloaded" and "Cisco Secure Firewall - File Download Over Uncommon Port". For each rule, the model also outlined the relevant data sources and detection logic, ensuring a comprehensive understanding of how these rules function.

In addition to identifying the suitable detection rules, the model provided implementation requirements for both, offering guidance on how to configure and deploy these rules effectively. It not only simplifies the detection rule selection process but also ensures that security teams have the necessary information to integrate these rules seamlessly into their monitoring systems.

What’s Next?

Looking ahead, this integration example underpins the possibilities of Splunk and Cisco better together and paves the way for more innovations in security analytics and automation. As Cisco continues to develop its Foundation AI ecosystem, we can anticipate more advanced models, enhanced explainability for complex workflows, and new capabilities to operationalize AI for specific organizational needs. We are looking forward to seeing more innovations with those powerful models and tools combined.

Start innovating today with Splunk AI and Foundation AI’s open-weight model!

Huaibo Zhao and Philipp Drieger

Many thanks to the team at Foundation AI (Robust Intelligence) for the great collaboration and insights.