Introducing Splunk Agent Launchpad: Turn Operational Signals Into Agent-Powered Action
Artificial Intelligence Sancha NorrisKey takeaways
- Splunk Agent Launchpad lets security and IT teams build and run AI agents inside Splunk with a no code experience and existing user permissions.
- Agents launch directly from Splunk alerts and searches, using existing data and context to help investigate issues faster.
- Admins control approved tools and access, while teams can review every agent's actions and evidence before deciding what to do next.
By now, you’ve heard about agentic AI—how it can automate and take action on your behalf and somehow make your work life easier by troubleshooting and investigating your alerts faster. But how will that happen? Splunk released its MCP server about a year ago, and this allowed you to build an agent, connecting your corporate LLMs and tools to query the Splunk Platform. The agent is built outside of the Splunk Platform and initiates the interaction. A specialist like a data scientist and/or engineer from your company will need to build the agentic system—the model, harness, tools connection, etc. to build the agent.
Today, we are announcing the general availability of Splunk Agent Launchpad, a no-code way of building agents within your Splunk environment with your RBAC. These custom agents that you build can be triggered by searches and alerts, and arrive with context for the agent to reason with and take action. No data scientist or AI specialist is required. If you are the IT, Security, Network domain SME, and you know the workflow and what knowledgebases you need, you can build an agent to make your job easier..
Agent Launchpad is a part of the Cisco Data Fabric powered by the Splunk Platform to activate and accelerate agentic operations.
Splunk already tells you when something happens. An alert fires. A scheduled search flags an anomaly. A detection surfaces suspicious activity. The problem is what comes next. Investigating that signal usually means pivoting across tickets, chat, runbooks, knowledge bases, cloud consoles, identity systems, and threat intelligence tools. Every pivot costs time, and the work depends on whoever happens to know where to look. Automation ideas that would fix it get stuck behind an engineering backlog.
That gap between signal and action is where investigations stall.
Splunk Agent Launchpad closes it. As a component of the Splunk AI Toolkit, Agent Launchpad lets security, IT, engineering, and network teams build AI agents, launch them from the Splunk workflows where signals first appear, and review exactly what each agent did. No coding required.
Start from the signal, not a blank prompt
Most agent tools start with an empty box and ask you to describe what you want. Agent Launchpad starts with the operational signal you already trust. Agents can be triggered from alerts, searches, scheduled searches, search commands, detections, and investigations. The moment Splunk identifies something worth looking at, the right agent can pick it up with the context already attached.
That context is the difference. Every run is grounded in Splunk data: SPL results, logs, metrics, detections, anomalies, and investigation history. Agents reason over the operational reality your teams work in, not a generic description of it. You spend less time assembling context and more time acting on it.
No coding skills required
The people who best understand what should be automated are the analysts, operators, and engineers doing the work. They are rarely the people who can write the integration code to automate it. Agent Launchpad removes that dependency.
Analysts and operators create agents through a point-and-click experience. No custom models. No scripting. No waiting on someone else's sprint. An analyst who runs phishing triage every day can build an agent that runs it for them, using the same logic they already apply. The expertise that lives in your team's runbooks and heads becomes a repeatable agent instead of tribal knowledge.
Governed by admins, by design
Ease of use for practitioners cannot come at the cost of control. Agent Launchpad keeps the two roles separate and explicit.
Splunk admins configure the approved MCP tools, external connections, and knowledge sources that agents are allowed to use. Practitioners build and launch agents inside those boundaries. They never handle credentials or stand up their own integrations, and access follows existing Splunk roles and permissions. Run history supports filtering, RBAC, and audit over time, so platform teams can see what has been running across the environment.
Practitioners get a simple building experience. Platform teams keep governance where it belongs.
Review every run before you act
Trust in an agent comes from being able to see what it did. Every completed run in Agent Launchpad carries a full record: run history, the tools it called, an evidence trace, any errors, its response, and follow-up questions scoped to that run.
Agents do not act on your behalf in the dark and ask you to agree later. You inspect the evidence, then decide the next step. That review model is what makes the automation safe to adopt inside a SOC or an operations center, where a wrong action carries real consequences.
What teams are building
Agent Launchpad has been in alpha with customers since January 2026. Real use cases have surfaced across teams:
- Phishing triage with enrichment and recommended next steps
- Alert triage and investigation
- Cross-stack investigation across multiple Splunk environments
- Infrastructure health checks and operational handoffs
- Ticketing, notification, and runbook-assisted workflows
Agents can also chain. In one pattern, a first agent identifies and collects risk events and extracts the relevant risk IDs. A second agent receives that output through an SPL query, analyzes the events, generates a summary, scores the risk, and decides whether to open a ticket. The data stays inside Splunk between the agents, so a multi-step workflow never leaves the platform.
One alpha customer, a SOC analyst at a major internet service provider, described building a custom phishing triage agent:
The agent handles the repetitive investigative work. The analyst makes the call.
Why Splunk Agent Launchpad
Plenty of platforms let you create agents. The harder problem is activating the right agent at the right time with the right context. Agent Launchpad does that from inside the workflows where your teams already detect, investigate, troubleshoot, and respond. The signal, the analytics, the operational context, and the governance are already in Splunk. Agent Launchpad brings the agents to that context instead of pulling your teams into a separate AI surface disconnected from where the work happens.
Availability
Splunk Agent Launchpad is available on the Splunk Cloud Platform as a component of the Splunk AI Toolkit starting July 15, 2026.
Learn more here: Agent Launchpad. Join our webinar on August 6th to learn more and see a demo.
Related Articles

Splunk and Zscaler Utilize Data and Zero Trust to Eradicate Threats

Boss of the SOC (BOTS) Investigation Workshop for Splunk
