Defending in the post-Mythos Era: What Frontier AI Changes for the Security Operations Center
Artificial Intelligence | David Dalling
Key takeaways
- AI is exposing weaknesses in traditional security operations, making fast validation, prioritization, and action more important than simply finding potential threats.
- Human expertise remains essential, with AI helping teams investigate, validate, and improve detections while people make the final decisions.
- Strong security depends on connecting data across networks, identities, clouds, and applications so teams can respond with confidence and context.
The real disruption from frontier AI is not that it will replace the SOC. It is that it will expose every weakness in how the SOC operates today. Cisco is a launch partner in Anthropic's Project Glasswing (Claude Mythos) and OpenAI’s Daybreak (GPT-5.5), putting us inside the AI labs’ own vulnerability-discovery work, which is ahead of the industry on what AI-enabled adversaries will be capable of. Since Mythos, frontier AI continues to advance, with models like Claude Fable 5 now publicly accessible. Our mission is to outpace the adversary. By using these AI capabilities to simulate real-world attacks, we’re turning offensive insights into a defensive advantage – finding and fixing vulnerabilities before they become a target.
That distinction matters. The conversation should be about our operating model for critical infrastructure. Anthropic describes Project Glasswing as an initiative to secure critical software for the AI era, and our focus is on testing and leveraging advanced AI-powered security tools for defensive purposes. However, when it comes to critical infrastructure, having AI isn’t the finish line. The real test is whether your network, identity, cloud, and SOC security can work as one system to stop AI-enabled adversaries. Can your team really operationalize the insights AI is surfacing?
SOCs are already flooded with alerts, telemetry, and competing priorities. What they struggle with is validation. What is normal in my environment? Which systems are exposed? Which identities are involved? What deserves action now? Frontier AI will not eliminate those questions. It will make them more urgent. The agentic SOC will be defined less by model capability and more by the ability to validate, prioritize, and act with confidence. As frontier AI helps adversaries move faster, SOC teams need the Splunk and Cisco ecosystem to validate, prioritize, and act on what they find.
To build that confidence, the bottleneck must move from finding to validating. If AI helps defenders surface possible weaknesses faster, the next constraint is whether the SOC can connect those findings to real assets, users, and business services. A technical finding without context is just noise. We are moving faster from “this looks important” to “this is relevant now, and here is why.” With the introduction of features like Exposure Analytics, Automated Threat Analysis and the Triage Agent (private alpha), we are providing the capabilities to automatically pull and analyze context to give the SOC the why, the what and the how.
Simultaneously, detection engineering must become more adaptive. The old rhythm of slow content updates and manual tuning is already under strain. In the next phase, as frontier AI accelerates both defensive and adversary capability, that model will age even faster. In turn, defenders will need tighter cycles for how they draft, test, refine, and operationalize detection content. This is not a case for handing control to AI. It is a case for using AI to accelerate the work while keeping human defenders firmly responsible for quality, validation, and judgment. With the Detection Studio feature, we are building toward AI-guided detection creation, with recommendation validation and testing coming soon.
Ultimately, trust must become the foundation of the SOC. The future SOC will not run on alert volume. It will run on confidence: confidence that a finding is real, that the context is complete, and that the recommendation is grounded in evidence. The goal is to use advanced AI defensively, with expert humans reviewing and acting on the critical decisions.
The SOC cannot depend on a narrow view of the environment. Security-relevant data is distributed across endpoints, identities, networks, clouds, and applications. Adversaries move across silos in minutes. Your defense has to as well. The SOC can only validate and act on what the infrastructure surfaces, which is why the SOC’s effectiveness depends on whether identity, network, and security are operating as one system, not three. The challenge is making that distributed data usable fast enough to support real decisions. Splunk Enterprise Security helps teams manage, search, and analyze data across a wide range of domains, clouds, and devices.
That is also why the Cisco and Splunk architecture matters. Cisco Data Fabric powered by the Splunk Platform is the data management, routing, storage, and search layer designed to help organizations work with machine data across distributed environments. Splunk sits above that as the security operations layer. In other words, Splunk is the AI-native security and data platform built to operationalize data accessed through Cisco Data Fabric.
Cisco Data Fabric frames the architecture around making machine data AI-ready, while Splunk Enterprise Security focuses on turning that data into threat detection, investigation, and response. This combination provides the critical foundation the modern SOC requires: seamless access to distributed data and the power to operationalize it immediately. The SOC after Mythos is not a story about AI replacing analysts. It is a story about weak operating models for critical infrastructure getting exposed. Teams that rely on fragmented context, stale asset understanding, and slow validation loops are going to feel that pressure first. Teams that can validate faster, investigate distributed data, and combine AI-generated insight with expert human judgment will be in a much stronger position.
The takeaway is simple: the SOC after Mythos will belong to the teams that can turn visibility into validation, validation into action, and action into a more defensible operating model. If you want the clearest view of what that shift means, read Shields up: Guidance for defending in the age of AI-enabled attacks. Cisco's experience with Mythos has changed how it models near-future AI-enabled attackers and how it thinks about defense. This moment matters because it changes what defenders should do next. That is the bar now. And that is where the conversation should be.
This blog post may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this blog post.
For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Cisco Investor Relations website at investor.cisco.com or the SEC's website at www.sec.gov. The forward-looking statements made in this blog post are made as of the time and date of this blog post. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law.
In addition, any information about our roadmap outlines or our general product direction is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described, in alpha or beta or in preview (used interchangeably), or to include any such feature or functionality in a future release.