Splunk Inc. recently held its annual .conf24 user conference in Las Vegas, where celebration of the close of its sale to Cisco Systems Inc. was the theme for one of the few targets ever to score more than $1 billion in cybersecurity revenue. However, Splunk admittedly faces several rivals of equal or greater size that aren't limited to its primary security and observability markets. They include the largest tech players more broadly, while a host of innovators and disruptors challenge it at the other end of the spectrum. To succeed in such a daunting environment, the combined Cisco-Splunk must assure customers that they can continue to rely on a company that has achieved a significant presence in security, observability — and well beyond.

The good news for Cisco-Splunk is that .conf24 comes at a moment of competitive opportunity. On Cisco's most recent quarterly earnings call, CEO Chuck Robbins called out 5,000 Cisco customers positioned to become Splunk clients as well. That's in the ballpark of the number of International Business Machines Corp. customers now facing choices in the wake of Big Blue's sunsetting of QRadar, once a significant Splunk competitor in the security information and event management (SIEM) space — and it's a target now of a much larger Cisco sales force.

Of course, other rivals also see the opportunity presented by the sudden removal of one of the largest obstacles to displacement in that market — but security isn't Splunk's only strong suit. Observability further expands its runway given the boom in datacenter buildouts precipitated by AI, where Cisco's networking is present. Splunk also counts among its partners the likes of Amazon.com Inc.'s Amazon Web Services Inc., which also recently held its own security-focused conference, re:Inforce.

During his keynote, Robbins frankly (and humorously) acknowledged what Cisco's number one job will be with Splunk: not to "screw it up." Conference announcements reflected that intent, focusing largely on continuity and fulfillment of current commitments — but they were also somewhat vague about directions beyond 2024, raising questions about where the combined Cisco-Splunk will place its bets going forward.

Security announcements

At .conf24 in Las Vegas, Splunk introduced the latest release of Splunk Enterprise Security, its widely adopted platform for security operations (SecOps). With general availability planned for September, Splunk Enterprise Security 8.0 natively integrates the previously introduced Mission Control interface that brings together multiple functionalities for SIEM, security analytics, threat detection and incident response into a unified experience for security professionals. The Mission Control analyst experience can launch Splunk SOAR playbooks for security automation and orchestration to orchestrate analyst workflows, automate tasks, implement consistent terminology, speed effective response, and enhance efficiencies for the security operations center.

Splunk also introduced its Federated Analytics feature, available in private preview on Splunk Cloud Platform and cloud deployments of Splunk Enterprise Security beginning in July. The feature enables analysis of data regardless of where it might reside, with initial implementation offered for Amazon Security Lake. Federated Analytics was also announced the same week at AWS' security-focused re:Inforce conference in Philadelphia. The intent is to serve organizations by integrating with data sources best fit for purpose, from near-real-time event detection through longer-term storage for use cases such as threat hunting, forensic analysis and compliance.

Not surprisingly given its sale to Cisco, Splunk is also in the process of integrating the former's Talos Threat Intelligence across Enterprise Security, Splunk SOAR and Attack Analyzer (automated malware and phishing attack analysis that became part of the Splunk portfolio following the acquisition of TwinWave in 2022). Cisco Talos will be free to Splunk customers.

AI enhancements

Of course, the pervasive impact of generative AI throughout technology made itself felt at .conf24, given Splunk's role in gathering and analyzing operational and security data and making it actionable. At .conf23, the vendor showcased functionality that transforms natural language prompts into the Splunk Processing Language, accelerating the discovery of useful insight in Splunk data. Formally introduced at .conf24 as Splunk AI Assistant for SPL, the company extended its initiatives by introducing AI Assistants for Observability Cloud as well as for Security.

Additionally, it unveiled a Configuration Assistant and updates for KPI drift detection and entity-level adaptive thresholds for Advanced AI for IT Service Intelligence. These complement further enhancements announced at .conf24, including new data management functionality such as data pipeline builders and ingest processors to transform data and help convert log information into metrics, directing data to Splunk Observability Cloud, Splunk Platform or Amazon S3, with other data lakes coming soon.

Looking ahead

The overall takeaway from .conf24 is that, in the three months since the close of their pairing, Cisco-Splunk has largely been focused on integration and assuring customers that Splunk will continue as they have known it. Announcements reflect that the remainder of this year will be focused on consolidating initiatives announced in 2023 as well as at .conf24.

Going forward, however, the vendor will have to adapt to a changing technology landscape that has led to disruption in Splunk's markets. Cisco has, for example, so far been light on making high-profile commitments to the leaders in generative AI that are driving much of new product evolution among other major technology players (but that's not always a negative, given how much "AI washing" is often overplayed).

Meanwhile, Splunk's edge initiatives seem like an ideal venue for integrating the often smaller and more focused models that other major players are bringing to devices and edge use cases. Disruptors in categories such as SIEM emphasize more direct integration with telemetry via API, lightweight deployment models such as serverless architectures, and greater choice in data management and storage that Splunk has finally acknowledged more openly with its federation initiative.

Regardless, Cisco-Splunk has no shortage of opportunities, such as the 5,000 (and likely more) Splunk prospects that Robbins highlighted at the event — but the company is hardly alone in seeing that. Palo Alto Networks Inc. paid $500 million to transition IBM's QRadar SaaS customers to its XSIAM offering in a deal that also includes incentive for Big Blue to transition its much larger on-premises customer base to Palo Alto. Just recently, Palo Alto was joined on the S&P 500 index by CrowdStrike Holdings Inc., which often is in place alongside Splunk in many organizations.

New entrants in various aspects of the SecOps space also challenge the company in innovation. Competition for attention and wallet share further factored into .conf week. More locally (just across the street in Las Vegas), Cribl held its own event, while Zscaler Inc. was also in town.

But there could be additional factors that will provide further openings for Splunk. Microsoft Corp., for example, is one of Cisco-Splunk's largest rivals in the SIEM sector and has its extended detection and response capabilities — and as .conf concluded, that company's Brad Smith appeared before the US House Homeland Security Committee to discuss Microsoft's own security issues over the past several months.

Whatever strategic directions the combined Cisco-Splunk takes from here, it need to convince Cisco customers who weren't — or didn't want to be — Splunk clients before the deal that Splunk is a good extension of their Cisco investment. It will have an opportunity to do so — if it is true to Robbins' pledge to keep Splunk as valuable to new prospects as it aims to remain to its current customers, and preserve the unique culture of the company and its loyal practitioner base that has made it so attractive for so long.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.

451 Research is a technology research group within S&P Global Market Intelligence. For more about the group, please refer to the 451 Research overview and contact page.