At RSA Conference 2025, Cisco unveiled agentic AI capabilities in Cisco XDR, the latest version of Splunk SOAR, and an open-source AI security management model.

Cisco today announced a range of AI-driven security enhancements, including improved threat detection and response capabilities in Cisco XDR and Splunk Security, new AI agents, and integration between Cisco's AI Defense platform and ServiceNow SecOps. In addition, Cisco launched a new group called Foundation AI to focus on advancing AI and security technologies within the company and across the industry. The group's first act is the launch of an open-source AI reasoning model built to enhance security applications. Cisco announced its news at RSA Conference 2025, which is going on this week in San Francisco.

Cisco XDR is a cloud-native security package designed to unify and streamline enterprise threat detection, investigation, and response across the IT environment, according to Cisco. The service integrates more than 80 Cisco and third-party security tools, letting organizations customize security coverage to their specific needs, Cisco stated.

With this release of XDR, Cisco is moving from manual security investigations to automated AI decision-making, in which signals are not just detected but also investigated and understood with supporting evidence, according to AJ Shipley, vice president of product management at Cisco. "The idea is to set a new standard for security operations, letting security teams make decisive actions quickly," Shipley stated.

The first example of this is a new XDR feature called Instant Attack Verification, which combines data from the Splunk platform, endpoints, networks, threat intelligence, behaviors and context, and then uses agentic AI to determine whether a particular activity poses a real threat.
"The result is automated detection and response for the most common attacks," Shipley wrote in a blog post about the new XDR capabilities. "Machine learning, machine reasoning, and LLMs combine to trigger multiple AI agents acting on different parts of the investigation lifecycle. Each investigation has a clear verdict. This is then used to trigger pre-built playbooks in Cisco XDR or Splunk SOAR to respond instantly with or without human intervention depending on each organization's processes."

Splunk SOAR, which stands for Security Orchestration, Automation, and Response, is a security operations platform that automates and manages cyber threat responses. Cisco also noted that new releases of SOAR (available now) and Splunk Enterprise Security 8.1 (slated for June) will bolster security operations through greater visibility and integrated workflows, as well as improve detection and automated response actions directly within the enterprise security interface, according to Shipley.

XDR also now includes a new automated forensics capability that offers deeper visibility into endpoint activity, increasing the accuracy of investigations. "The new XDR Forensics capability changes the game for SecOps by triggering digital forensics to collect over 350 artifacts on endpoints, including compromised or partially encrypted ones," Shipley wrote. "This evidence, including registry files, memory dumps, activity logs, and hundreds of other pieces of information, is mandatory for forensic investigations. This forensic evidence gathering can be triggered based on risk scoring, behavioral analytics, and other signals, or simply through a single click on the incident page."

Additionally, a new XDR Attack Storyboard uses AI-driven investigations to visualize complex attacks and help security teams understand threats in seconds and respond faster, Shipley stated.
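The verdict-to-playbook flow Shipley describes, running "with or without human intervention depending on each organization's processes", is the central design question in any SOAR deployment: which response actions may execute unattended, and on what evidence? The sketch below is an added illustration of that gating pattern, not Cisco XDR or Splunk SOAR code. The playbook names, the "blast radius" labels, the confidence thresholds, the evidence rule and the sample investigation are all assumptions constructed for the example.

```python
"""Verdict-gated playbook dispatch (illustrative, not vendor code).

An investigation produces a verdict with supporting evidence; an
organisation-specific policy decides whether each playbook runs
automatically, waits for analyst approval, or does not run at all.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    BENIGN = "benign"


class Mode(Enum):
    AUTO = "auto"            # playbook runs with no human in the loop
    APPROVAL = "approval"    # queued for an analyst to approve
    NONE = "none"            # nothing to run


@dataclass
class Investigation:
    incident_id: str
    verdict: Verdict
    confidence: float                  # 0.0 - 1.0, produced by the investigation
    evidence: list[str]                # supporting observations / artifacts
    tactics: list[str] = field(default_factory=list)   # ATT&CK tactic names


# Hypothetical playbook catalogue. "blast_radius" is an assumed attribute:
# actions that can disrupt business (isolating a host) are "high".
PLAYBOOKS = {
    "block_ioc_at_firewall": {"blast_radius": "low"},
    "isolate_endpoint": {"blast_radius": "high"},
    "collect_forensics": {"blast_radius": "low"},
}

# Hypothetical per-organisation policy: minimum confidence at which a
# playbook of a given blast radius may run unattended.
ORG_POLICY = {"low": 0.80, "high": 0.95}


def choose_mode(inv: Investigation, playbook: str, policy=ORG_POLICY) -> Mode:
    """Decide whether a playbook runs automatically, needs approval, or not at all."""
    if inv.verdict is Verdict.BENIGN:
        return Mode.NONE
    if not inv.evidence:
        # A verdict that cites no evidence is never acted on automatically,
        # however confident the model claims to be.
        return Mode.APPROVAL
    radius = PLAYBOOKS[playbook]["blast_radius"]
    if inv.verdict is Verdict.MALICIOUS and inv.confidence >= policy[radius]:
        return Mode.AUTO
    return Mode.APPROVAL


def dispatch(inv: Investigation, playbooks: list[str], policy=ORG_POLICY) -> list[dict]:
    """Return one audit record per playbook: what was decided and on what basis."""
    records = []
    for pb in playbooks:
        mode = choose_mode(inv, pb, policy)
        records.append({
            "incident": inv.incident_id,
            "playbook": pb,
            "mode": mode.value,
            "verdict": inv.verdict.value,
            "confidence": inv.confidence,
            "evidence_count": len(inv.evidence),
            "tactics": list(inv.tactics),
        })
    return records


# Constructed sample investigation; not real telemetry.
SAMPLE = Investigation(
    incident_id="INC-0001",
    verdict=Verdict.MALICIOUS,
    confidence=0.91,
    evidence=[
        "endpoint: powershell.exe spawned by winword.exe",
        "network: outbound connection to a newly registered domain",
        "threat intel: domain tagged as C2 infrastructure",
    ],
    tactics=["Initial Access", "Execution", "Command and Control"],
)

if __name__ == "__main__":
    for rec in dispatch(SAMPLE, list(PLAYBOOKS)):
        print(rec)
```

With the sample verdict at 0.91 confidence, the low-blast-radius playbooks (firewall block, forensics collection) run unattended, while host isolation is held for approval because it sits below the 0.95 bar for high-impact actions. The point a practitioner should carry over to a real SOAR: the threshold belongs to the organisation's process, not the model, and an audit record of why each action ran (or did not) is as important as the action itself.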
"Cisco's AI constructs a dynamic Attack Graph, mapping events to MITRE ATT&CK tactics along an unfolding attack timeline and summarizing each step so anyone, from SOC analysts to non-security IT professionals, can instantly grasp what happened, what it means, and what to do next," Shipley wrote. "AI plans and guides the investigation, highlights root causes, and surfaces recommended containment and remediation steps, so decisions are made faster, with more confidence. For auditors and executives, the storyboard delivers audit-ready narratives in plain language, turning technical complexity into understandable, actionable insight. Delivering a confidence-inspiring, clear verdict with decisive action."

Foundation AI group

With the introduction of Foundation AI, Cisco is delivering a team of top AI and security experts along with the release of an open-weight reasoning model built specifically for security, stated Jeetu Patel, executive vice president and chief product officer for Cisco.

"The Foundation AI Security model is an 8-billion parameter, open weight LLM that's designed from the ground up for cybersecurity. The model was pre-trained on carefully curated data sets that capture the language, logic, and real-world knowledge and workflows that security professionals work with every day," Patel wrote in a blog post.

Customers can use the model as their own AI security base or integrate it with their own closed-source model, depending on their needs, Patel said. "And that reasoning framework basically enables you to take any base model, then make that into an AI reasoning model." "This is the first time this has been done in the industry, and we think that that is a huge advantage for the cyber security community," Patel said.

Cisco described its Foundation AI team as a specialized research and development group focused on advancing AI and security technologies within the company.
The group grew out of the AI and security technology and expertise Cisco gained when it acquired Robust Intelligence in 2024, Patel said.

ServiceNow integration

On the AI ecosystem front, Cisco has developed deeper integration with ServiceNow to bring its SecOps details into Cisco's AI Defense package. AI Defense is aimed at protecting enterprise customers that are developing AI applications across models and cloud services. Announced earlier this year, AI Defense is made up of four components: AI Access, AI Cloud Visibility, AI Model & Application Validation, and AI Runtime Protection. AI Access offers visibility into and control over who is using AI applications. AI Cloud Visibility uncovers AI assets across a distributed environment, including unsanctioned AI workloads.

"Customers rely on ServiceNow to streamline IT service management and enhance operational workflows through automation and integrated solutions to control risk and governance," Cisco stated. "Now with AI Defense, teams will be able to leverage these same capabilities to build programs around AI assets to ensure governance and reduce risk."

Initial field trials are beginning soon, and mutual Cisco and ServiceNow customers can expect to be able to take advantage of this integration in the second half of 2025. Additional integrations of Cisco and ServiceNow capabilities are planned for later in 2025, the companies stated.