
Splunk unifies the SOC experience with AI agents as all-rounders


At .conf25, Splunk is presenting a series of additions to its own range. Its owner Cisco is integrating its products into that range, while AI agents and automation are meant to make the security workflow smoother.

Splunk Enterprise Security (ES) already existed, but it is getting a significant upgrade. Two packaging options launch today: Splunk Enterprise Security Essentials and Splunk Enterprise Security Premier. The former is the more compact package and serves as a stepping stone to the comprehensive Premier edition, so we discuss them in that order.

Splunk Enterprise Security Essentials: old becomes new

Splunk Enterprise Security 8.2, the latest release, is the first piece of the Essentials puzzle. The familiar Splunk AI Assistant in Security is part of the package, and Detection Studio completes it. That feature covers every phase of a detection's lifecycle, from testing through continuous monitoring. In short, Essentials bundles several things that would otherwise be separate options. The integration is also meant to serve as a platform for agents: AI agents “orchestrate and automate complex workflows” within ES, including agents for triage, malware reversal, and creating SOAR playbooks.

Agents must also adhere to a SOC's best practices and SOPs (standard operating procedures). Multimodal AI models help load these SOPs into ES, where they become the agents' working knowledge. Within the Essentials package, Splunk ES also lets teams extend detection libraries and tailor detections in SPL (Search Processing Language). As a Cisco hook, there is even an agentic option that automatically opens a “war room” in Webex when a specific incident fires.
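As an added illustration of what tailoring a library detection in SPL looks like in practice (this is our example, not Splunk's own content and not part of the announcement), the correlation search below counts authentication failures per source and user in 10-minute buckets, suppresses sources listed in an allowlist lookup, and then attaches the risk fields that ES uses for risk-based alerting. It assumes an accelerated CIM Authentication data model and a hypothetical lookup file named auth_allowlist.csv with columns src and reason; the failure threshold and risk score are arbitrary tuning values.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m Authentication.src Authentication.user
| rename Authentication.src AS src, Authentication.user AS user
| where failures >= 20
| lookup auth_allowlist.csv src OUTPUT reason AS allowlist_reason
| where isnull(allowlist_reason)
| eval risk_object=user, risk_object_type="user", risk_score=40,
       risk_message="Authentication failure burst: ".failures." failures from ".src." against ".user
| table _time, src, user, failures, risk_object, risk_object_type, risk_score, risk_message
```

The search window itself comes from the correlation search schedule, so no earliest/latest is hard-coded here. The allowlist step is the "personalization" part: the stock detection logic stays intact, while known scanners or service accounts are filtered out by editing the lookup rather than the search, which keeps the detection easy to update when the library version changes. summariesonly=true restricts the search to accelerated data, so sources not yet covered by the data model acceleration will be missed; drop it when validating coverage.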

Those who opt for the larger Splunk Enterprise Security Premier get Splunk SOAR and UEBA (User and Entity Behavior Analytics) on top of the Essentials components. Here too, Splunk aims to offer a unified user experience.

Cisco’s SOC ideas

Now that Splunk is part of Cisco, it makes sense that this year's .conf25 announcements herald deep integration between the two. Yesterday we discussed the Platform announcements, where the low-hanging fruit had already been picked and the focus now shifts to more meaningful alignment between Cisco and Splunk products. The new capabilities are framed by Cisco's ideas about the SOC of the future: in an “agentic SOC”, security analysts spend their time on strategic choices while AI handles the routine daily tasks. Splunk's security announcements are meant to advance that philosophy.

Isovalent Runtime Security (Cisco's eBPF-based workload security line), for example, provides “immediate, granular visibility across all your workloads,” flagging leaks and irregularities as they happen. In addition, Cisco Security Analytics and Logging (SAL) ties into Splunk Cloud's Federated Search for Amazon S3: firewall logs collected by SAL stay in S3 and can be searched in place from the Splunk Cloud Platform instead of being ingested and indexed there.

Conclusion: the data-driven SOC

The sum of the security offerings from Splunk on the one hand and Cisco on the other is enormous, so it will take time before the two are truly one, if that is even the intention. For now, the integration is about promoting the same values, with minimal friction as the main goal. That is why things like Cisco's firewall must feel like native components within Splunk, and shipping data back and forth between the platforms must be avoided. Agents are the jack-of-all-trades that simplify the user experience and ultimately make the SOC of the future well informed but free of routine drudgery.