
Powered by Splunk
Artificial intelligence has changed the economics of cyber deception.
An attacker can now create thousands of convincing phishing lures, fake identities, and tailored pretexts before a defender can complete a single change-control cycle. This is the new security problem: deception has become faster and cheaper, but verification has not.
Much of the discussion around AI for defense centers on detection models. Detection is important, but it is not the only bottleneck. A deeper limitation is evidence: where the data lives, whether it’s accessible when needed, how quickly it can be linked, how long it’s stored, and whether analysts or agents can trust what they’re getting.
In the age of artificial intelligence, defense is an information problem before a detection problem.
The defender's advantage is the truth
Attackers can lie on an enterprise scale. They can try endless combinations of messages, identities, domains, and attack paths, and most can fail at almost no cost.
Defenders don’t have that luxury. Their advantage is truth: quickly knowing what happened, where, when, who was involved, what assets were affected, what changed, and what business process might be at risk.
This truth must be documented, governed, verifiable and defensible. Attackers use artificial intelligence for deception, impersonation, social engineering, and scaling their speed. Defenders need AI to scale verification.
The goal is not just to move faster than the attacker. It is to take actions that people and machines can trust.
Fragmented data undermines modern defenses
Consider a suspicious login from a contractor account. On its own, it is just another authentication anomaly. To know whether it matters, the security team may need identity history, endpoint activity, cloud access logs, ticket history, asset ownership, configuration changes, network telemetry, and business context.
If those logs sit in different tools, expire at different times, or require several teams to retrieve, defenders are not investigating the incident. They are negotiating with their own data.
When signals arrive in one place and correlate quickly, the problem is no longer just whether the login looks unusual. It becomes whether the organization has enough evidence, in enough context, to take defensible action.
This problem becomes more pressing with AI assistants and agents. AI can only reason about what it can retrieve in time. If the data is partial, stale, fragmented, unavailable, or missing context, AI does not create truth. It accelerates uncertainty.
The system of record must become a defensive control plane
For years, enterprises treated security platforms, SIEMs, and data lakes as passive repositories: places to store data for later retrieval and analysis. This model is no longer sufficient.
What organizations need now is a defensive control plane: a layer that connects what’s happening, what it means, and what the enterprise is allowed to do about it. Architecturally, it combines raw machine data, business context, and policy. It doesn’t just store evidence. It makes evidence useful for decisions and actions that can be explained and trusted.
In practice, this means doing four things well: preserving evidence, accessing data wherever it lives, adding business context, and managing actions. More on each below.
The old system of record answered one question: what is the official record?
A defensive control plane answers operationally important questions: What happened? What does it mean? What evidence supports that conclusion? And what action can we trust?
AI does not reduce the need for authoritative records. It raises the standards of what records should do.
A defensive control plane must do four things
- Protect the evidence. Logs, metrics, traces, events, authentication logs, configuration changes, tickets, and asset status all help establish what is going on. Their value is often only apparent after an incident has begun.
- Make data accessible wherever it lives. Security-relevant information is already spread across object stores, cloud platforms, operational tools, and business systems. Moving every byte to one place is often too slow, too expensive, and too hard to manage. A better model is to bring analytics to the data.
- Add business context. Correlating machine data with business data turns "anomaly on host X" into "the system supporting payment services for the top billing customers is under investigation." This lets organizations prioritize properly.
- Govern action. In the agentic era, systems will do more than summarize events. They will enrich alerts, open cases, trigger workflows, isolate assets, update policies and enhance decisions. Businesses need to know what evidence the agent used, what policy governs the action, whether it is in scope, and how the decision can be reviewed later.
The real SOC problem is not too little data
Modern SOCs do not suffer from a lack of information. They suffer from a lack of usable context.
According to the Splunk State of Security 2025 report, SOC analysts continue to struggle with too many alerts (59%), too many false positives (55%), and alerts without context (46%). The issue is not the volume of information. It is a challenge to transform fragmented signals into reliable decisions.
Today, analysts manually piece together context, bounce between disconnected tools, and make high-risk decisions without seeing the full picture in time. While AI is improving, outcomes still depend on whether people are willing to approve actions in fragmented environments.
This creates a daily crisis of context. Teams are forced to make consistent decisions based on data they cannot easily see, correlate or trust. The result is delay, inconsistency, missed opportunities and unnecessary risk.
Trusted action is a sustainable advantage
Data fabric architecture offers a way forward by creating a single, intelligent layer across data sources spanning SecOps, ITOps, and NetOps. The goal is not centralization for its own sake. It is about breaking down silos and delivering context-rich insights at the speed that AI-driven operations demand.
It is an operating model before it is a product. AI-based defense depends on a foundation that can preserve evidence, access data where it lives, add context, and maintain reviewable links between data, decision and action. This is the architectural change behind the Cisco Data Fabric, powered by the Splunk Platform, which brings together machine data, federation, business context, governance, and provenance to help teams move from signal to trusted action.
Attackers will continue to make deception cheaper, faster, and more personalized. Defenders don't win that race by making more noise. They win by uncovering the truth faster and by basing every action on evidence that people and machines can trust.
Seth Brickman is Vice President of Global Product – Splunk Platform, Cisco.
Sponsored articles are content produced by a company that paid for the post or has a business relationship with VentureBeat and is always clearly marked. Contact for more information sales@venturebeat.com.