
Presented by Splunk
AI has changed the economics of cyber fraud.
An attacker can now generate thousands of convincing phishing lures, fake identities, and tailored pretexts before a defender can complete a single change-control cycle. This is the new security challenge: deception became faster and cheaper, while verification did not.
Most of the discussion about AI for defense centers on detection models. Detection matters, but it is not the only obstacle. The deeper disruption is evidentiary: where the data lives, whether it is available when needed, how quickly it can be correlated, how long it is retained, and whether analysts or agents can trust what they receive.
Defense in the AI age is a data problem before it is an identity problem.
The defender’s advantage is truth
Attackers can afford to lie at enterprise scale. They can test endless combinations of messages, identities, domains, and attack paths, and most attempts can fail at almost no cost.
Defenders don’t have that luxury. Their advantage is truth: knowing instantly what happened, where, when, which identities were involved, which assets were affected, what changed, and which business processes may be at risk.
That truth must be documented, governed, accessible, and defended. Attackers are using AI for deception, impersonation, social engineering, and speed. Defenders need AI to strengthen verification.
The goal is not simply to act faster than the attacker. It is to take action that people and machines can trust.
Fragmented data breaks modern security
Consider a suspicious login from a contractor account. In itself, this is just another authentication anomaly. To know whether it matters, a security team may need identity history, endpoint activity, cloud access logs, ticketing records, asset ownership, configuration changes, network telemetry, and business context.
If those records live in different tools, expire at different times, or require multiple teams to retrieve, defenders are not investigating the incident. They are fighting their own data estate.
When signals can be delivered to the right place and correlated quickly, the question is no longer whether the login looks unusual. It becomes whether the enterprise has sufficient evidence, in sufficient context, to defend the action it takes.
This challenge becomes even more urgent with AI assistants and agents. AI can only reason over what it can reach in time. If the data is partial, outdated, fragmented, missing, or stripped of context, AI does not produce truth; it amplifies uncertainty.
The system of record should become a defensive control plane
For years, enterprises treated security platforms, SIEMs, and data lakes as passive repositories: places to store data for later search and analysis. That model is no longer sufficient.
Organizations now need a defensive control plane: a layer that connects what happened, what it means, and what the enterprise is allowed to do about it. Architecturally, it ties together raw machine data, business context, and policy. It doesn’t just store evidence; it makes evidence usable for decisions and actions that need to be explainable and credible.
In practice, this means doing four things well: preserving evidence, accessing data wherever it resides, adding business context, and governing action. More details on each below.
The old system of record answered one question: What is the official record?
A defensive control plane answers questions that are operationally important: What happened? What does it mean? What evidence supports that conclusion? And what action can be trusted?
AI does not remove the need for official records. It raises the standard of what those records must do.
A defensive control plane must do four things
- Preserve evidence. Logs, metrics, traces, events, identity records, configuration changes, tickets, and asset state all help establish what happened. Their value often becomes apparent only after an incident begins.
- Make data accessible wherever it lives. Security-relevant data is already spread across object stores, cloud platforms, operational tools, and business systems. Moving every byte to one location is often too slow, too expensive, and too hard to govern. Bringing analytics to the data is the better model.
- Add business context. Correlating machine data with business information turns “anomaly on host X” into “the system supporting payment services for top accounts is under investigation.” This is what allows organizations to prioritize correctly.
- Govern action. In the agentic age, systems will do more than summarize events. They will enrich alerts, open cases, trigger workflows, isolate assets, update policies, and drive decisions. Enterprises need to know what evidence the agent used, what policy governed the action, whether it stayed within scope, and how the decision can be reviewed later.
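The four capabilities above are easier to reason about with a concrete enrichment pipeline. The following is an added example written for this article, not Splunk or Cisco code: it takes a raw authentication anomaly, joins it with a constructed asset inventory, identity history, and change tickets (the business context), scores it, and then gates the response through a policy table while emitting an audit record that lists every piece of evidence the decision rested on. All sample data is constructed, and every field name and the policy table are assumptions for illustration.

```python
# Added example (not Splunk/Cisco code): enrich an authentication anomaly with
# business context, then govern the response and record the evidence used.
# All data below is constructed; every field name is an assumption.
from typing import Optional

# Constructed asset inventory: host -> business context (assumed schema).
ASSETS = {
    "host-42": {"owner": "payments-team", "service": "payment-api", "tier": "critical"},
    "host-77": {"owner": "marketing", "service": "newsletter-web", "tier": "low"},
}

# Constructed identity history. ISO-8601 UTC strings compare correctly as text.
IDENTITY_EVENTS = [
    {"ts": "2025-01-09T09:00:00Z", "user": "contractor-jdoe", "host": "host-77", "geo": "US"},
    {"ts": "2025-01-09T15:30:00Z", "user": "contractor-jdoe", "host": "host-77", "geo": "US"},
    {"ts": "2025-01-10T02:14:00Z", "user": "contractor-jdoe", "host": "host-42", "geo": "NL"},
]

# Constructed change tickets: an approved window that explains activity on a host.
CHANGE_TICKETS = [
    {"id": "CHG-0001", "user": "contractor-jdoe", "host": "host-42",
     "start": "2025-01-10T01:00:00Z", "end": "2025-01-10T03:00:00Z"},
]

# Assumed policy: what automation may do on its own, keyed by asset tier.
ACTION_POLICY = {"critical": "require_approval", "low": "auto_isolate", "unknown": "require_approval"}


def enrich_alert(alert: dict, assets=ASSETS, events=IDENTITY_EVENTS, tickets=CHANGE_TICKETS) -> dict:
    """Turn 'anomalous login on host X' into a context-rich, evidence-backed finding."""
    host, user, ts = alert["host"], alert["user"], alert["ts"]
    asset = assets.get(host, {"owner": "unknown", "service": "unknown", "tier": "unknown"})
    evidence = [f"asset_inventory:{host}"]

    # Prior activity for this identity, strictly before the alerting event.
    history = [e for e in events if e["user"] == user and e["ts"] < ts]
    evidence += [f"identity_event:{e['ts']}" for e in history]
    new_geo = alert["geo"] not in {e["geo"] for e in history}

    # An approved change window covering the login lowers suspicion and is itself evidence.
    ticket: Optional[dict] = next(
        (t for t in tickets
         if t["user"] == user and t["host"] == host and t["start"] <= ts <= t["end"]),
        None)
    if ticket is not None:
        evidence.append(f"change_ticket:{ticket['id']}")

    score, reasons = 0, []
    if asset["tier"] == "critical":
        score += 3
        reasons.append("critical business service")
    if new_geo:
        score += 2
        reasons.append("first login from this geography")
    if ticket is None:
        score += 2
        reasons.append("no change ticket covers the activity")
    priority = "high" if score >= 5 else "medium" if score >= 3 else "low"

    return {"alert": alert, "asset": asset, "priority": priority, "score": score,
            "reasons": reasons, "evidence": evidence}


def decide_action(finding: dict, policy=ACTION_POLICY) -> dict:
    """Gate the response through policy and record what the decision rested on."""
    rule = policy.get(finding["asset"]["tier"], "require_approval")
    if finding["priority"] == "low":
        mode = "enrich_only"            # context only; no automated response
    elif rule == "auto_isolate":
        mode = "auto"                   # policy permits autonomous isolation
    else:
        mode = "require_approval"       # a human signs off before isolation
    # The audit record carries the evidence and the governing rule, so a
    # reviewer can later check that the action stayed within scope.
    return {"host": finding["alert"]["host"],
            "action": "isolate_host" if mode != "enrich_only" else "none",
            "mode": mode, "policy_rule": rule, "priority": finding["priority"],
            "reasons": finding["reasons"], "evidence": finding["evidence"]}


if __name__ == "__main__":
    raw = {"ts": "2025-01-10T02:14:00Z", "user": "contractor-jdoe", "host": "host-42", "geo": "NL"}
    record = decide_action(enrich_alert(raw))
    print(record["priority"], record["mode"], record["evidence"])
```

The point of the example is that the output is an auditable record rather than a bare verdict: the same alert yields a high priority because the host carries a critical service, but the covering change ticket is listed as evidence and the policy for critical assets routes the isolation through human approval instead of letting the automation act alone.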
The real SOC problem is not too little data
Modern SOCs do not suffer from a lack of data. They suffer from a lack of usable context.
According to the Splunk State of Security 2025 report, SOC analysts continue to struggle with too many alerts (59%), too many false positives (55%), and alerts lacking context (46%). The issue is not data volume. It is the difficulty of converting fragmented signals into reliable decisions.
Today, analysts are left piecing together context manually, juggling disconnected tools, and making high-risk decisions without the full picture in a timely manner. Even as AI improves, outcomes still depend on whether humans are willing to approve change in a fragmented environment.
This creates a daily crisis of context. Teams are forced to make consequential decisions based on data they cannot easily see, correlate, or trust. The result is latency, inconsistency, missed opportunities, and unnecessary risk.
Credible action is the sustainable advantage
A data fabric architecture provides a way forward by creating a unified, intelligent layer across data sources spanning SecOps, ITOps, and NetOps. The goal is not centralization for its own sake. It is to break down silos and provide context-rich insight at the speed required for AI-powered operations.
It is an operating model before it is a product. AI-powered defense depends on a foundation that can preserve evidence, access data where it lives, add context, and maintain a reviewable link between data, decisions, and action. This is the architectural change behind the Cisco Data Fabric, powered by the Splunk Platform, which brings together machine data, federation, business context, governance, and provenance to help teams move from signal to trusted action.
Attackers will continue to make deception cheaper, faster, and more personalized. Defenders don’t win the race by creating more noise. They win by making truth faster and grounding every action in evidence that people and machines can trust.
Learn more about Cisco Data Fabric powered by Splunk Platform.
Seth Brickman is VP, Global Product – Splunk Platform, Cisco.
Sponsored articles are content produced by a company that is either paying for the post or that has a business relationship with VentureBeat, and they are always clearly marked. Contact for more information sales@venturebeat.com.