Defending at Machine Speed: Splunk Advances the Agentic SOC
Security | Patriz Regalado

Key takeaways
- Splunk is launching purpose-built AI agents across the SOC to help analysts build detections, triage alerts, analyze malware, and automate response faster than ever before.
- New capabilities like Automated Threat Analysis and Entity Analytics give security teams deeper visibility into threats and assets, reducing manual work and speeding up investigations.
- Deeper AWS integration brings cloud security findings into a unified Splunk workflow, helping teams connect scattered signals and move from alert to action with less noise and fewer tools.
AI has changed the economics of cyber defense. The same capabilities helping enterprises innovate faster are also giving attackers new speed, scale, and precision. Adversaries can craft more convincing phishing campaigns, iterate faster on exploit paths, probe identities continuously, and move with automation that does not wait for human working hours.
The traditional SOC was not built for this pace. Analysts are still asked to absorb alerts, pivot between tools, enrich investigations manually, and escalate what matters, even as data volumes rise and attack surfaces expand. AI-armed attackers are compressing the time defenders have to detect, investigate, and respond.
At Cisco Live this week, Splunk is advancing the Agentic SOC.
The Agentic SOC is not about replacing analysts. It is about amplifying human expertise with purpose-built AI, deep security context, and automation embedded directly into SOC workflows. The goal is a shift from human-driven and AI-assisted to agentic-led and human-governed, so teams can act with greater speed, consistency, and confidence.
That is the heart of the Splunk Security announcements at Cisco Live: agentic SOC capabilities across threat detection, investigation, and response (TDIR), Automated Threat Analysis in Splunk Enterprise Security (ES) Premier, new Entity Insights and Entity Analytics in Exposure Analytics, and Splunk Enterprise Security for AWS Security Hub Extended.
Purpose-Built Agents for the SOC
To defend against machine-speed threats, security teams need AI that does more than summarize. They need role-specific capabilities that remove bottlenecks across the work analysts, detection engineers, and automation engineers do every day.
Splunk is extending agentic security capabilities across the SOC to help teams build detections, codify procedures, prioritize alerts, analyze threats, and scale response:
- The Detection Builder Agent helps detection engineers move from hypothesis to production faster with support for creation, testing, tuning, and tagging.
- The SOP Agent turns standard operating procedures into response plans.
- The Triage Agent helps evaluate and explain findings, so analysts can focus on what matters.
- The Malware Threat Reversing Agent gives analysts rapid insight into malicious scripts by explaining behavior, extracting indicators, and surfacing evasion techniques in seconds instead of hours.
- The Guided Response Agent and Automation Builder Agent help convert approved procedures into scalable response actions.
Together, these capabilities reduce repetitive work and investigation friction, giving analysts more room to focus on judgment, strategy, and high-impact response.
Automated Threat Analysis in ES Premier
Modern attacks rarely unfold as single-step events. Phishing payloads, malicious links, scripts, redirects, downloaded files, and command-and-control behaviors can span a chain of activity that takes time to reconstruct manually.
Automated Threat Analysis in Splunk Enterprise Security Premier (GA today) helps execute and analyze that chain inside the ES experience. It shows what happened, which indicators matter, and what actions can reduce risk. For analysts, that means fewer pivots, less manual sandboxing, more complete threat understanding, and faster decisions. For SOC leaders, it means more consistent investigations inside the platform their teams already use.
Entity Insights and Entity Analytics in Exposure Analytics
You cannot protect what you cannot see, and you cannot prioritize what you do not understand.
Exposure Analytics helps security teams continuously discover assets and users from the data already flowing into Splunk. At Cisco Live this week, Splunk is highlighting new value in Exposure Analytics for Enterprise Security Essentials with Entity Insights and Entity Analytics (GA coming).
These capabilities give teams stronger visibility across discovered asset and user entities, helping expose risk before it escalates. When attackers move faster, defenders need to know whether an alert touches a sensitive identity, a newly discovered asset, a risky entity, or a behavior pattern that deserves attention. Entity Insights and Entity Analytics help teams move from isolated alerts to entity-aware investigations, making prioritization faster and more defensible.
Splunk Enterprise Security for AWS Security Hub Extended
Security teams do not need more places to check. They need their most important signals normalized, correlated, and ready for action.
Splunk Enterprise Security for AWS Security Hub Extended deepens our work with AWS to streamline cloud security operations and accelerate response. As a founding partner for the Security Hub Extended initiative, Splunk helps bring AWS findings into Enterprise Security as high-fidelity, normalized findings that can be correlated with on-premises, hybrid, and multicloud data.
Cloud findings rarely tell the whole story on their own. A suspicious IAM event, GuardDuty finding, network connection, or workload behavior becomes more useful when it is connected to identity context, asset context, threat intelligence, historical activity, detections, and response workflows. With Splunk Enterprise Security for AWS Security Hub Extended, teams can reduce manual parsing and alert noise while moving faster from signal to decision.
Defining the Agentic Future of the SOC
Splunk is helping customers move toward a different model: one where analysts are empowered by agentic capabilities, investigations are grounded in entity context, threat analysis is automated inside ES, and AWS security findings become part of a unified workflow.
That is the promise of the Agentic SOC: not AI theater or autonomy for its own sake, but a practical, human-governed operating model for defending at machine speed. At Cisco Live, Splunk is showing that we are not just participating in the agentic future of the SOC. We are helping define it.