Where CISOs need to see Splunk go next

This month Splunk brought its annual customer conference, .Conf, to Boston, with parent company Cisco along for the ride. As usual, .Conf was a festive event, featuring blue team competitions, fez-wearing Splunk enthusiasts, ponies named Buttercup, and a performance by the band Weezer. But in between the fun, numerous themes and announcements rolled out aimed at filling in Splunk deficiencies, leveraging synergies between Cisco and Splunk, responding to user requirements, and addressing market dynamics.

Here is a look at the main takeaways from .Conf and an analysis of where Splunk should direct its attentions in the months and years ahead.

Machine data can supercharge AI incident response

Naturally, machine data was a primary theme of the event. Traces, events, telemetry, logs, and on and on — Cisco and Splunk speakers claimed that machine data alone represents 55% of worldwide data growth. And while LLMs have become pervasive, they are trained on human-generated data, leaving machine data out in the cold.

Cisco and Splunk believe that LLMs trained on machine data would be much better at recognizing patterns, prioritizing the right remediation steps, and predicting future trends. From a cybersecurity perspective, this could result in better time-series analysis of events across a kill chain, for example. Imagine triggering immediate incident response actions across the network — patching systems, segmenting a network, adding a firewall or detection rule, etc. — purely driven by a small software download on a single endpoint. That’s the vision, and the tandem made several announcements in support of machine data, including the Cisco data fabric and data lake — all built on top of a Splunk foundation.

Resilience resides at the confluence of security and observability

There was also a clear message around resilience — the ability to maintain availability and recover quickly from any IT or security event.

From a Cisco/Splunk perspective, this means a more tightly coupled relationship between security and observability.

I’m reminded of a chat I had with the chief risk officer of a large US bank several years ago. Paraphrasing his statement on resilience: “If the IT systems are down, I don’t care if it’s due to a natural disaster, a misconfigured router, or a security breach. My job is to identify and mitigate risk so none of these things are likely to disrupt the business.”

In today’s enterprise, barriers to observability/security consolidation are artificial — things like budgets, organizational structures, and staff goals and compensation. But aggregating observability and security would significantly improve IT resilience and sure would make sense to my CRO friend.

Splunk makes additional efforts to play well with others

While vendors own the spotlight at their customer events, .Conf offered a refreshing sub-theme: As a combined entity, Cisco and Splunk, despite their resources and worldwide customer base, can’t do it all.

This sub-theme rang out from a variety of announcements and initiatives.

For example, in the old days Splunk would advise that all log data should be centralized (within Splunk, of course). But this strategy has led to high storage costs, performance issues, and the need to constantly engineer and tune Splunk infrastructure. As a result, some customers have moved on to seek greener pastures.

Over the past few years, however, Splunk has adopted a federated model, in which security teams can store their data on alternative repositories with the ability to perform federated searches. I might move NetFlow data, pure compliance data, or DHCP logs to an S3 bucket — cheaper storage but still available for investigations or audits. Splunk just extended this model with support for Snowflake.

Aside from this and other partnerships, Splunk is also pursuing a more standards-based approach than many of its competitors — something that should have been highlighted in keynote presentations. On the observability side, Splunk has long supported the OpenTelemetry (OTel) standard of APIs, SDKs, etc. For cybersecurity, Splunk helped create the Open Cybersecurity Schema Framework (OCSF), an open-source, vendor-agnostic standard that provides a common language for cybersecurity data, allowing different security tools to share, manage, and analyze security events more effectively.

Beyond Splunk, adoption of these standards could improve cybersecurity data integration, processing, and analysis for everyone.
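As an added illustration of what a common schema buys a SOC (this is example code, not code from the article, Splunk, or the OCSF project), the following Python maps two constructed log sources into a subset of the OCSF Authentication class and then runs a single detection over both. The schema version string, the syslog year, and the sample log lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inputs (not from the article): two vendor formats that
# both describe logon attempts, most of them from the same source address.
SSHD_LINES = [
    "Jan 12 10:01:02 bastion sshd[4121]: Failed password for alice from 203.0.113.7 port 5022 ssh2",
    "Jan 12 10:01:05 bastion sshd[4121]: Failed password for alice from 203.0.113.7 port 5023 ssh2",
    "Jan 12 10:01:09 bastion sshd[4121]: Accepted password for alice from 203.0.113.7 port 5024 ssh2",
]
WIN_EVENTS = [  # shape loosely modelled on Windows Security logon events (constructed)
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7", "TimeCreated": 1736676066},
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "198.51.100.9", "TimeCreated": 1736676080},
]
OCSF_VERSION = "1.1.0"  # assumed schema version recorded in metadata
SSHD_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")

def ocsf_auth_event(user, src_ip, success, time_ms, product):
    """Build an OCSF Authentication event: category IAM (3), class_uid 3002, activity Logon (1)."""
    activity_id = 1
    return {
        "category_uid": 3, "class_uid": 3002, "type_uid": 3002 * 100 + activity_id,
        "activity_id": activity_id,
        "status_id": 1 if success else 2,    # 1 = Success, 2 = Failure
        "severity_id": 1 if success else 3,  # 1 = Informational, 3 = Medium
        "time": time_ms,                     # epoch milliseconds
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": OCSF_VERSION, "product": {"name": product}},
    }

def from_sshd(line, year=2025):
    """Normalize one sshd syslog line; syslog carries no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ocsf_auth_event(m.group(3), m.group(4), m.group(2) == "Accepted", int(ts.timestamp() * 1000), "sshd")

def from_windows(ev):
    """Normalize one Windows-style logon record (4624 = success, 4625 = failure)."""
    return ocsf_auth_event(ev["TargetUserName"], ev["IpAddress"], ev["EventID"] == 4624, ev["TimeCreated"] * 1000, "Windows Security")

def normalize_all():
    events = [e for e in (from_sshd(l) for l in SSHD_LINES) if e]
    return events + [from_windows(e) for e in WIN_EVENTS]

def failed_logons_by_ip(events, threshold=3):
    """One detection written once against the schema: source IPs with >= threshold failed logons."""
    counts = Counter(e["src_endpoint"]["ip"] for e in events if e["class_uid"] == 3002 and e["status_id"] == 2)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Because both sources land in the same fields, the failed-logon rule counts the sshd and Windows failures from 203.0.113.7 together without any per-vendor logic.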

Zeroing in on security operations

Splunk also articulated a focus on easing the burden around security operations. It announced a premier version of Splunk Enterprise Security, an integrated platform that includes SIEM, SOAR, UEBA, threat intelligence management, an AI assistant, and an analyst workbench. Splunk also announced Detection Studio to help with detection engineering management — detections as code, rule creation, change management, workflows, etc. Finally, Splunk described agentic AI features and initiatives around threat detection, workflow automation, and incident response that are available today or coming soon.

Challenges and the road ahead

The whole purpose of a user conference is to make customers feel good about their relationship with a vendor. Although .Conf 2025 accomplished that goal, Splunk still faces challenges ahead.

Some Splunk customers remain jaded by high costs, aggressive sales tactics, and lukewarm customer support over the past few years. These may be fringe accounts, but many are being wooed by CrowdStrike, Google, Microsoft, and Palo Alto Networks. Splunk needs to double down on customer communications, relationship management, and technical support as soon as possible.

Splunk also suffers from a “legacy vendor” image as its success was built in the on-prem rather than the cloud era. To counter this narrative, Splunk should aggressively articulate a vision of where security operations is going over the next five years. There were high-level hints of this at .Conf, including the above themes around resilience, federation, and open standards. Now Splunk needs to evangelize a detailed vision to the broad market — not just a captive and supportive audience.

Beyond AI messaging and technical implementation, Splunk must lead with solid use cases and supporting metrics on where AI provides the biggest bangs for the buck for security operations. To be clear, not just where it accelerates processes or enhances human efficiency, but where organizations can achieve measurable improvements in security efficacy and risk mitigation. The more detail and guidance, the better.

Given its large global customer base, I also believe Splunk needs to become a leader in collective defense. In this model, an observation — e.g., a specific type of exposed asset, industry-centric threats, an effective runbook, a red teaming exercise, etc. — at one customer may be helpful for all customers. Splunk could act as an AI-driven ISAC and security operations sherpa for all its customers.

Finally, Splunk has done some work integrating risk, vulnerability, and exposure management into its security offering. Rather than build a separate risk operations center as other vendors are suggesting, Splunk should fully integrate vulnerability and exposure management into the SOC. This would solidify Splunk’s position by providing the whole security enchilada: prevention, detection, and response.

I’ve worked with enough Splunk customers to see that with the right commitment and resources, Splunk provides a strong and robust foundation for security operations. It’s up to Splunk (and Cisco) to convince the market at large that this is true today and will remain so in the future.