Splunk AI makes deception cheaper, so defenders must scale verification with truth
Detection still matters, but the real bottleneck is evidence: data access, context, governance, and explainable action at machine speed.

Splunk, through Splunk AI and the Cisco Data Fabric powered by the Splunk Platform, argues that cyber deception is scaling with AI faster than defenders can verify. For decision-makers, the consequence is clear: security strategy must shift from “find threats” to “trust evidence and actions” across fragmented tools.
Attackers can now scale deception with AI by generating thousands of convincing phishing lures, fake identities, and tailored pretexts before a defender finishes a single change-control cycle. In other words, the resources attackers used to need (time, budget, iteration) are being automated away, and the defender's advantage of thoroughness is being outpaced.
The core problem is not that defenders lack detection models. The source is blunt: “The defender’s advantage is truth,” meaning defenders must quickly know what happened, where, when, which identity was involved, which assets were affected, and what business process may be at risk. That truth has to be documented, governed, auditable, and defensible. Without that, even strong detection becomes a game of uncertainty, and uncertainty is where response breaks.
This is why the conversation about AI in security is starting to shift. For years, many organizations treated detection as the primary story: build better models, reduce false positives, catch more attacks. But the more urgent constraint is evidence: where data lives, whether it is available when needed, how quickly it can be correlated, how long it is retained, and whether analysts or agents can trust what they retrieve. In plain English, defenses stall when they cannot prove what they think is happening, or cannot connect it to business context fast enough to take action.
The source frames the attacker economics and the defender economics as mismatched. Attackers can afford to lie at enterprise scale because AI lets them test endless combinations of messages, identities, domains, and attack paths, and most attempts can fail at low cost. Defenders do not get the same freedom. Their advantage is truth, and that means they must make it operational: not just “we saw something,” but “we can show the chain of evidence that supports an action.” In the agentic era, that requirement intensifies. AI assistants and agents can only reason over what they can retrieve in time to matter; if the data is partial, stale, fragmented, unavailable, or stripped of context, AI does not produce truth. It accelerates uncertainty.
A useful way the source illustrates this is with a suspicious contractor login. On its own, it is just another authentication anomaly. To know whether it matters, a security team may need identity history, endpoint activity, cloud access logs, ticketing records, asset ownership, configuration changes, network telemetry, and business context. If those records sit in different tools, expire at different times, or require multiple teams to retrieve, the team is not “investigating” the incident so much as negotiating with its own data estate. That is a structural latency problem. When signals can be reached in place and correlated quickly, the question changes from “does this login look unusual?” to “does the enterprise have enough evidence, in enough context, to take action it can defend?”
So the proposal is architectural: move from a passive system of record to what the source calls a defensive control plane. The old model answered one question: “What is the official record?” The defensive control plane answers the questions that matter operationally: What happened? What does it mean? What evidence supports that conclusion? And what action can we trust? Importantly, the source argues this does not remove the need for authoritative records. It raises the standard for what those records must do: preserve evidence, reach data wherever it lives, add business context, and govern action.
In practice, the source lays out four operational requirements. First, preserve evidence: logs, metrics, traces, events, identity records, configuration changes, tickets, and asset state help establish what happened, and their value often becomes clear only after an incident begins. Second, make data accessible wherever it lives: security-relevant data is already spread across object stores, cloud platforms, operational tools, and business systems, and moving everything into one place can be too slow, too expensive, and too difficult to govern. The alternative is bringing analytics to the data. Third, add business context so correlations translate into priorities, not just alerts. Fourth, govern action so that in the agentic era systems that enrich alerts, open cases, trigger workflows, isolate assets, update policies, and escalate decisions do so with traceable evidence, policy constraints, scope boundaries, and reviewable decisions afterward.
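To make the contractor-login scenario and the fourth requirement (govern action) concrete, here is an added example, written for this summary rather than taken from Splunk or Cisco: a small evidence-grounded action gate. Every record keeps its source and timestamp, and an agent's proposed "isolate host" action is allowed only when fresh evidence from each required category exists and the target is inside the agent's scope, producing a decision that cites the exact records it relied on. The source names, policy, hosts, and records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Evidence:
    source: str         # system the record was reached in (hypothetical: idp, edr, cmdb)
    kind: str           # evidence category a policy can require
    subject: str        # identity or asset the record is about
    observed: datetime  # when the underlying event happened
    detail: str

@dataclass
class Decision:
    # Reviewable outcome: what was decided, why, and which evidence it cites.
    action: str
    target: str
    allowed: bool
    reasons: list = field(default_factory=list)
    cited: list = field(default_factory=list)

# Hypothetical policy: isolating a host requires fresh evidence from three
# categories and a target inside the agent's scope boundary. Deny is the default.
POLICY = {"isolate_host": {
    "required_kinds": {"auth_anomaly", "endpoint_activity", "asset_owner"},
    "max_age": timedelta(hours=24),
    "scope": {"contractor-laptops"},
}}

def govern_action(action, target, target_group, evidence, now):
    """Gate an agent's proposed action on evidence, freshness and scope."""
    rule = POLICY[action]
    d = Decision(action, target, allowed=False)
    fresh = [e for e in evidence if e.subject == target and now - e.observed <= rule["max_age"]]
    missing = rule["required_kinds"] - {e.kind for e in fresh}
    if target_group not in rule["scope"]:
        d.reasons.append(f"{target} ({target_group}) is outside scope {sorted(rule['scope'])}")
    if missing:
        d.reasons.append(f"missing or stale evidence: {sorted(missing)}")
    if not d.reasons:  # every check passed: allow, and record the chain of evidence
        d.allowed = True
        d.cited = [f"{e.source}:{e.kind}@{e.observed.isoformat()}" for e in fresh]
    return d

# Constructed sample records for the suspicious contractor login (not real telemetry).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Evidence("idp", "auth_anomaly", "LT-0421", NOW - timedelta(minutes=20), "contractor login from new location"),
    Evidence("edr", "endpoint_activity", "LT-0421", NOW - timedelta(minutes=15), "new scheduled task created"),
    Evidence("cmdb", "asset_owner", "LT-0421", NOW - timedelta(hours=2), "owner: vendor X, last reconciled"),
    Evidence("idp", "auth_anomaly", "LT-0999", NOW - timedelta(minutes=10), "contractor login from new location"),
]
```

Calling `govern_action("isolate_host", "LT-0421", "contractor-laptops", SAMPLE, NOW)` allows the action and cites three records, while the same request for `LT-0999` in `finance-servers` is denied for both an out-of-scope target and missing endpoint and ownership evidence.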
The source also grounds the “usable context” problem in specific SOC pain: according to the Splunk State of Security 2025 report, SOC analysts continue to struggle with too many alerts (59%), too many false positives (55%), and alerts that lack context (46%). The implication is not simply “more data.” The issue is difficulty turning fragmented signals into trusted decisions, with analysts often stitching context manually across disconnected tools and making high-stakes calls without the full picture in time. Even as AI improves, outcomes still depend on whether humans can approve changes across fragmented environments, producing a daily crisis of context: latency, inconsistency, missed opportunities, and unnecessary risk.
That is why the source ties everything together with a data fabric approach. It describes a unified, intelligent layer across data sources spanning SecOps, ITOps, and NetOps, aiming to break down silos and deliver context-rich insight at the speed AI-driven operations require. The architectural shift is presented as the foundation behind Cisco Data Fabric powered by the Splunk Platform, which brings together machine data, federation, business context, governance, and provenance to help teams move from signal to trusted action. The closing argument is straightforward: attackers will keep making deception cheaper, faster, and more personalized. Defenders do not win by generating more noise. They win by making truth faster and grounding every action in evidence people and machines can trust.
For leaders who oversee security budgets, SOC operations, or platform roadmaps, the stakes are immediate. If your environment cannot preserve evidence, reach it quickly, contextualize it with business meaning, and govern what agents do with it, then AI may increase speed but also increase the risk of acting on incomplete or unverifiable information. The strategic question becomes less “Can we detect?” and more “Can we verify and defend the action we took?”