The Agentic SOC: How Splunk Security Transforms Enterprises in the Age of AI with John Morgan
Fresh out of the studio with John Morgan, Senior Vice President and General Manager of Splunk Security at Cisco. The conversation unpacks the AI inflection point reshaping security operations — from the explosion of machine data (set to more than double in three years) to the rise of the agentic SOC, where AI agents handle detection, investigation, and response while humans focus on high-stakes decisions. John breaks down why attackers armed with AI now exploit zero-days in hours instead of weeks, why security must start with observability (including the challenge of "shadow AI"), and how CISOs are evolving from technical gatekeepers into board-level business enablers. His parting message: the entire world is learning AI together — get to it with his perspective on what great looks like for Splunk Security moving forward.
"The volume is increasing quite a bit. We expect in the next three years it's gonna double. Attackers do not have a governance of regulatory and compliance restrictions on them. They just go at it and see what works. And so the volume, sophistication, speed of attacks—the only way to defend against it is to automate your responses to it. One thing that folks outside of the industry don't maybe get is just how large the attack surface is. And how hard it is to stop—attackers need to just find one way in, and you're trying to defend all ways in." - John Morgan
Profile: John Morgan, General Manager and Senior Vice President, Splunk Security - Cisco (LinkedIn, Cisco)
Here is the edited transcript of our conversation:
Bernard Leong: Welcome to Analyse Podcast, the premier podcast dedicated to dissecting the pulse of business, technology, and media globally. I'm Bernard Leong, and if there is one function inside the enterprise that AI is about to fundamentally change, it is security operations. The volume, velocity, and complexity of threats have long outpaced what human analysts can handle. Over the last two decades, as AI moved from assistance to autonomous agent, security operations itself is going to be reimagined. So with me today is John Morgan, Senior Vice President and General Manager at Splunk Security, to discuss the inflection AI is creating for CISOs and security teams across the world, and what the agentic SOC of the future is going to look like. John, welcome to the show.
John Morgan: Thank you so much. Pleasure to be here.
Bernard Leong: I'm going to start off with your personal story. How did you come into the world of cybersecurity? What kept you here?
John Morgan: Great question. Definitely early on I was a technologist. I love technology and I wanted to learn more. So I got into computer science, engineering, electrical, a number of things — I love how systems work. That's how I got involved early on. What's kept me here is that it gives me a strong sense of purpose. I love the feeling I get when I know that I'm doing something good for the world. Helping companies endure with business continuity is a clear sense of purpose for me.
Bernard Leong: So now you lead Splunk Security as the Senior Vice President and General Manager. What brought you into the role, and what does the mandate look like from where you're sitting?
John Morgan: Let me hit those in reverse order. The mandate is really to help our customers with resilience and ensure that cyber attacks are not disrupting their business. I would say above that, it's not even really about cyber — it's about enabling them to do what they want to do digitally. The thing that actually got me here is AI in general. I feel that Cisco and Splunk have a disproportionate advantage when it comes to providing trust, network capacity, and access to data that's required in this era. That got me here, and that's part of the mandate as well.
Bernard Leong: Looking across your career, what is the one counterintuitive lesson about security leadership that people outside the field might find surprising?
John Morgan: Let me define leadership as providing market-leading solutions. I would say one thing that folks outside of the industry don't maybe get is just how large the attack surface is, and how hard it is to stop. Attackers need to find just one way in, and you're trying to defend all ways in. Part of that attack surface is the people themselves — phishing attacks and social engineering — as well as vulnerabilities. Some people may actually believe that not updating their systems keeps them safer, which is obviously not the case. You need to update. But I'd say the attack surface and how large it is — that's something folks just don't understand.

Bernard Leong: It's not the technology, it's always the human beings. That comes to the main subject of data, the AI inflection point, machine data, and the new digital landscape. Splunk was built on the thesis that machine data holds the answers — log events, metrics, and traces. How has the explosion of AI-generated activity changed the nature and volume of that data?
John Morgan: First, the volume is increasing quite a bit. We expect in the next three years it's going to more than double. We've seen that even at a large percentage of our customers. I'm in Singapore right now, obviously with you. We just had our Singapore Splunk Go event, and we have tremendous customers here in APAC in general — like LG Electronics, for example, who started off just managing the telemetry from a few million smart televisions, and now that's hundreds of millions of devices, plus their manufacturing processes and others. So the data volume is increasing. AI is creating a situation where it's actually producing data, and customers are gathering more data than they ever thought, just in hopes that it's going to be useful for certain things. The nature of change is that now with more data, you've got to curate it — give it context, put it in the right schema and form factor. You need to do more work to find and correlate incidents across that large amount of data. That's where a lot of the AI can help.
Bernard Leong: So what you're alluding to is that AI is now both generating more signal and creating new attack surfaces. Specifically, if we look at enterprises in the Asia-Pacific — financial services in Singapore or Hong Kong, infrastructure across governments — how are the security challenges different from what you see in the U.S. and Europe? Are they similar?
John Morgan: I would say they're similar themes, but they differ in what's driving those themes. We're seeing a lot of compliance — there are different levels of compliance in this region. We're also seeing different needs for sovereignty because there are geopolitical influences happening across the world. It's not just here — every region has these geopolitical drivers saying: How do I keep my data safe? How do I ensure that I only have access to it, that I'm in complete control, and that there are no unauthorized ways anyone can get access to my systems, governmental or otherwise. Those are some key things happening in this region and others across the world.
Bernard Leong: When you think about the machine data that goes in, it's pretty abundant, but it's also very difficult to act on quickly. From your perspective, where does the bottleneck sit? Is it in the ingestion, the analysis, or the response?
John Morgan: There are bottlenecks across all three, but one of the most predominant has been on the investigation side — the analysis side — because it's required a lot of humans to do it. They've missed some of that analysis — they don't actually see the detections or the correlations that would be needed. The investigation side is traditionally where humans have taken more time, and where AI can help quite a bit across the entire spectrum: ingestion, correlation, investigation. The response side has been pretty slow. Depending on the response, some humans are going to want to look at the criticality before they let it be completely autonomous. But there are a number of responses that can happen autonomously, and AI can help do that a lot faster.
Bernard Leong: As a former CIO myself, I know Splunk sits at the intersection of observability and security. How does that dual capability give organizations a different point of view on their risk posture compared to other point security solutions?
John Morgan: That's a great question. Security starts with observability. It's hard to secure what you can't see or you don't know about. When we look at what's happening today — agents and AI are coming into the organization, whether they're sanctioned or not. We might call that shadow AI. The level of observability you need now, given things are new — AI agents are new, vector databases, MCP servers, all the infrastructure. AI is even creating new types of data.
Bernard Leong: Synthetic data.
John Morgan: Yes — and prompts and system context, and synthetic data to train them. All of these things require observability to ensure they're working together. To your question, it's required for security. Being able to observe and apply the right level of security is actually paramount to the efficacy of security itself.
Bernard Leong: I was recently at a conference giving a talk to CISOs on agentic AI and governance. The CISO role has been evolving from technical gatekeeper to board-level risk officer. How has the arrival of generative AI, and now agentic AI systems, changed what a CISO should be thinking about in 2025 and 2026?
John Morgan: A couple of things. I talk to a lot of CISOs and I value those discussions and their inputs — I learn from them just as much as they learn from us. Security has always been about business enablement — it's not about security. But right now there's a high sense of urgency to get AI into an organization to really increase productivity, and not only increase the productivity of things they know, but to actually do things they don't know. There's such a high urgency that one of the CISO's paramount instructions today is how to enable AI in the workforce. We call that enabling trusted AI or the agentic workforce. They now have a high amount of pressure to enable that — board-level, the board on down — and of course how to secure it and provide the trust around it. There's a lot that means for their role, but I'd say they are going to be big heroes because we're going to help them provide the trust and the capacity and the things they need. Hopefully they'll be seen as business heroes at that point. That's our goal.
Bernard Leong: Before we go deeper, because you are the expert in security, can you help define what we now call the agentic SOC? Where is the direction that security operations are heading?
John Morgan: This is a great question. There are a couple of forces driving agentic SOCs. An agentic SOC is effectively using AI and agents within a security operations center to automate. Security operations centers have been automating for many years. However, there's an imperative now to automate even faster and more. One reason is not only to save costs and be more efficient — it's because attackers are armed with AI now. We've seen that on average, it used to take 23 or 24 days to go from a zero-day or vulnerability disclosure to actually seeing exploits in the wild. Now it takes hours. They're finding more vulnerabilities with AI. Attackers do not have governance or regulatory and compliance restrictions on them. They just go at it and see what works. The volume, sophistication, and speed of attacks — the only way to defend against it is to automate your responses. An agentic SOC is AI agents doing everything in the workflow: creating detections, detection execution, investigation, response, reporting, and then giving humans the right amount of control in that process. It's here today. We already see the pace and rate of attacks increasing, and it's going to get worse. That's what the agentic SOC is designed to do for our customers.
Bernard Leong: One of the concerns from CISOs is alert fatigue — there are a lot of signals. How does an agentic approach change that dynamic? What would good human-agent collaboration look like inside a SOC?
John Morgan: Alert fatigue has been a problem for many years, and it's getting exacerbated because attackers are armed with AI. It's going to continue to get worse. AI and the agentic SOC can help quite a bit there because you can auto-triage, auto-investigate, lower your false positives, decide where risk actually is — before a human even knows there's an incident. Literally the recommended set of actions, or the actions themselves, could have already been taken by AI. That's very important. To your point about where the right collaboration happens: AI and automation will be used wherever there's repetitive, time-consuming correlation across high volumes of data. The human interaction is going to be where there's high-risk, high-stakes decisions that need to be made. Put the proper guardrails on AI so that you can determine when a human should get involved. We call that human in the loop or human above the loop, depending on how autonomous you want to go. Humans have the ability to decide when they want to step in.
Bernard Leong: I want to get into the future of intelligence in cybersecurity. There's a lot of "AI-powered security" everywhere. From your perspective, what separates genuine capability from marketing noise?
John Morgan: I could answer this a couple of different ways. I could start talking about the tech and what it means to truly be AI-native, but I'm going to take a different approach. How you tell is on business outcomes. If you look at one of our key customers — Singapore Airlines, here in the region — they've had dramatic results when it comes to reducing the amount of issues they see or faults they actually need to address. The answer is in customer outcomes. If you see less noise, if humans for every hundred alerts that used to take many hours now take minutes, if the amount of coverage you're getting improves, if false positives are reduced — look at it in outcomes. If you're getting lower cost, higher efficacy, and fewer attacks, then you've got the results you want. Otherwise, it's just technology.
Bernard Leong: When threat actors are using AI to craft convincing phishing mechanisms, accelerate vulnerability discovery, and automate attacks at scale — how is this arms race going to play out? Who has the structural advantage?
John Morgan: I wish I had a better answer here. Attackers don't have regulatory and compliance bodies overseeing them. They use the technology, and their test beds are customers themselves until they get it right. They can keep trying again. There's another factor: an attacker only needs to find one way in, and you've got to stop all of them, with a large attack surface. So there's a structural advantage, unfortunately, for attackers. That's why the approach — the positive side for customers — is yes, use preventative measures. Get your security controls out there. Make sure you're patching, updating, and you've got access controls in place. But always assume there's a zero-day out there and have a resilience platform like Splunk where you can detect the attack before it becomes a real compromise and stop it. That's the resilience approach on top of all the preventative and proactive work you need to do.
Bernard Leong: Splunk has been investing in AI-driven threat intelligence and automated investigation. What does a mature AI-native security platform look like, and how far are we from that being the norm in the enterprise?
John Morgan: The technology we're providing is going to make that a reality. For some of our customers, it's already a reality. But when you say "a norm in the enterprise" — meaning deployed widely — I think it's going to happen pretty quickly because if you look at some of the announcements that have been made and the way attackers are creating a high sense of urgency in our customer situations, they're going to want to deploy these widely, fairly fast. It's going to look like automated investigation and response flows where humans decide how much they want to get involved and where high-stakes critical decisions are needed. I would position this in outcomes: Are you having less noise? Are you closing off more of your alerts? Are you stopping breaches before they occur? What percentage reduction of attacks do you see? That's how I would measure it, and that's what success looks like.
Bernard Leong: Detection has been rules-based and signature-driven. How are machine learning and large language models changing the detection logic itself in security?
John Morgan: Security has always been a defense-in-depth strategy. These things will always be a phase-one filter when it comes to signatures. However, the difference is: one, AI can create better signatures for you and still deploy those. Two, AI can be used itself to scan mass volumes of data that's been curated. We made some announcements around Cisco Data Fabric and others — that's all designed to bring context to your data so that AI and agents can scan it, correlate, and find issues and detections. That proverbial needle in the haystack. We will continue to utilize signatures for first-pass filters, but it's going to get much better with AI doing the correlation across your data.
Bernard Leong: Since you're here meeting different CISOs, what would be your advice to them when it comes to thinking about security at scale?
John Morgan: I think it comes down to how to trust and observe the AI infrastructure that you're enabling the business with. We talked about observability already. Your first step is to make sure you're observing all of the new technologies — the MCP agents, what's happening at the network and the endpoint. You have to have the right security controls out there to get that observability, feed it into a resilience platform like Splunk, and ensure you have the proper controls around your investigation and response. My ultimate advice would be: automate as much as possible with an agentic SOC, and then ensure you're getting the right outcomes.
Bernard Leong: What is the one question you wish more CISOs would ask you about the future of AI in security?
John Morgan: I'd say maybe two questions. One — I want them to ask me more to speak with them and learn from them as well. But beyond that, if I'm a CISO, I'd ask: "John, how can I actually procure my data and get better use and investigation out of it?" Because that's the platform and foundation for an agentic SOC to actually work. How do I meet my data where it's at? If they ask me about that, I would love to have that discussion.
Bernard Leong: Looking ahead the next five years, what does great look like for Splunk Security, and what does the enterprise security landscape look like around it?
John Morgan: We better move faster than five years because this space is moving faster than that — every week we see changes. But it's a great question. In the future, success for us is our customers being successful. That's the ultimate measure. They're stopping attacks. They're able to move their business forward. They're deploying an agentic workforce in their organization. As long as our customers are doing that, that's what success is for us. I want to get there well before five years.
Bernard Leong: Well done. Looking forward to that — and meaningful controls for human beings as well.
John Morgan: Yes, that's correct. Thank you so much.
Bernard Leong: John, many thanks for coming on the show. In closing, I always have two quick questions. First, any recommendations which have inspired you recently?
John Morgan: I'm inspired by both fear and optimism. I think right now we're in an age where a healthy motivation by fear is good when it comes to AI — make sure you're relevant yourself. The optimism is, I truly believe that AI is going to help us move forward as a race. I'm very optimistic about it. The one piece of advice I would give folks: as humans, sometimes we feel a little overwhelmed learning new things. But the entire world is learning right now about AI. So if there's anyone out there who feels it might be a little too sophisticated — get to it. Get learning. The entire world is learning with you. Utilize those learnings to improve your own lives or just understand what's happening in the world.
Bernard Leong: How can my audience find you and learn more about what Splunk Security is doing?
John Morgan: You can find me at Cisco and Splunk, and on LinkedIn. That's probably the best way if they want to reach out directly to me.
Bernard Leong: Many thanks, John, for coming on the show. Of course, we [Analyse Podcast] can be found everywhere. Thank you so much for coming on.
John Morgan: All right. Thank you.
Podcast Information: Bernard Leong (@bernardleong, LinkedIn) hosts and produces the show. Proper credits for the intro and end music: "Energetic Sports Drive" and the episode is mixed & edited in both video and audio format by G. Thomas Craig (@gthomascraig, LinkedIn). Here are the links to watch or listen to our podcast.