Session-memory control plane for Splunk SOCs that lets AI responders take identity actions with replayable provenance and kill-switches.

1. Cisco integrating WideField into Splunk to normalize identity, session, and activity telemetry shows session context has become a core building block for agentic SOC products rather than an optional add-on.
2. Buyers now face a new class of security failure where valid agents can take unsafe actions at machine speed, creating urgency for pre-execution guardrails and replayable action records.
3. Correlating endpoint, identity, network, and cloud telemetry in a format optimized for AI means the market is shifting from dashboard-centric observability to machine-consumable control data.
4. Cisco's third cybersecurity deal of 2026 and its broader trust-layer narrative suggest incumbents are consolidating quickly, which opens room for a focused startup to own the independent control plane before suites fully absorb the workflow.

Catalyst. Cisco's decision to pull WideField into Splunk around identity and session telemetry shows that agentic SOC buyers now urgently need a control layer for safe machine-speed actions, not just better alert correlation.

The product sits between the customer's SIEM, SOAR, identity provider, EDR, and ticketing systems and creates a canonical session object every time a human analyst, scripted playbook, or AI responder touches a sensitive workflow. Before a response action executes, it simulates the identity scope, target assets, likely blast radius, and required approvals, then blocks or routes actions that fall outside policy. After execution, it stores a replayable provenance bundle with the triggering evidence, tool calls, delegated credentials, downstream changes, and rollback steps so analysts can audit or unwind the action in minutes. The first release focuses on identity disable, token revocation, session termination, and endpoint isolation flows where the cost of an unsafe but authorized action is immediate and measurable.

What's different. Existing SIEM and SOAR vendors can log actions or require approvals, but they do not create a portable session-memory object that links delegated identity, evidence, action intent, downstream changes, and rollback state in one AI-readable record. Identity vendors see who had access, while session recorders show what happened in a single system; this company wins by turning cross-tool response actions into structured provenance that both machines and humans can reason about. That data asset compounds into better action-risk models, cleaner post-incident reviews, and a trust ledger that can sit across mixed security stacks rather than inside one incumbent suite.

Jobs to be done

flowchart LR
  Buyer[Security Automation Leader] --> Pain[Unsafe machine-speed response actions]
  Pain --> Product[Session-memory control plane]
  Product --> Outcome[Governed AI remediation with replayable rollback]

Executive takeaways

• Cisco's WideField move validates session-level identity telemetry as strategic SOC infrastructure, but the startup still has to land as a narrow safety layer rather than a new SIEM.
• The urgent use case is human-governed automation of a few risky actions—account disable, token revoke, session kill, and device isolate—not blanket autonomous response.
• Competition is intense across suites and AI SOC startups; differentiation rests on cross-tool provenance, blast-radius simulation, and reliable rollback.
• Budget is real if the product can replace manual approvals and postmortem reconstruction that consume analyst time and increase outage risk.

Market definition

Vendor-neutral session-memory and rollback control plane for high-risk SOC response actions, positioned between SIEM/SOAR and identity/EDR.

Customer and buyer

Primary user is the security-automation or SOC-platform lead inside a Splunk-centered enterprise; the economic buyer is the Head of Security Operations or CISO who must approve autonomous containment.

Buying triggers

• A Splunk or SOAR team is moving from AI-assisted triage to write-path automation and needs approval, blast-radius, and rollback controls. [1][3][4][5][14]
• A near-miss or outage from a valid playbook exposes that current logs cannot reconstruct who or what acted under which authority. [1][2][15][16][19]
• Boards, insurers, or regulated business lines demand auditable response records before expanding machine-speed containment. [22][25][26][27][29][36]

Willingness to pay

Willingness to pay is credible because teams already spend on SIEM/SOAR and still carry analyst labor and breach costs; a platform priced near one analyst FTE or less can rationally win budget if it safely automates a handful of scary workflows. [28][30][31][35][36]

Category dynamics

Growth signal 15.8% CAGR (SOAR proxy)

Validation signals

• Cisco is paying to bring session and identity telemetry into Splunk’s Agentic SOC, which is strong external validation for the control point itself.
• Splunk, Palo Alto, CrowdStrike, Torq, Dropzone, and Hunters are all already teaching the market to expect AI-mediated SecOps workflows.
• Analyst-burnout and manual-task surveys show a credible economic reason to automate approvals and evidence assembly, not just alert summarization.
• Government secure-adoption guidance now explicitly calls out privilege creep and obscure event records, which aligns closely with the startup thesis.

Regulatory & technical constraints

• High-impact response actions need per-request context, least privilege, and policy enforcement rather than blanket service credentials.
• The product has to normalize fragmented logs across SIEM, identity, cloud, and SOAR systems before a human can trust the provenance trail.
• Rollback coverage is constrained by which downstream systems expose deterministic APIs and enough state to unwind actions safely.
• Human approval and auditable records are still expected for sensitive automated response in most enterprise environments.

The market is crowded with suites and AI SOC startups optimizing for faster triage and autonomous response, leaving a narrower gap around cross-tool action provenance, blast-radius simulation, and one-click rollback.

Why incumbents do not win by default

• SIEM and SOAR suites. Splunk and Palo Alto can bundle triage and response, but they optimize for in-suite workflows rather than a portable provenance and rollback object across mixed stacks.
• Endpoint and identity platforms. CrowdStrike, Okta, and cloud IAM vendors own rich signals, yet they do not by default create one cross-tool record tying delegated identity, approvals, downstream changes, and reversal steps together.
• Cloud-native AI assistants. Microsoft and Google can put copilots inside security operations, but those experiences are still stack-centric and may not satisfy mixed-vendor buyers who want an independent control layer.
• AI SOC startups. Torq, Dropzone, and Hunters emphasize autonomous investigation and response; the remaining gap is action governance and replayable rollback, not more alert summarization.

Soc Session Memory Plane is a vendor-neutral control layer for Splunk-centered security teams that want to automate a few dangerous response actions without trusting a black box. The first user is the security automation lead or SOC platform manager at a U.S. fintech or B2B SaaS company with 2,000-10,000 employees, a 5-15 person automation team, and active pilots around AI-assisted or autonomous response. The immediate pain is not alert triage; it is proving what an AI responder saw, which delegated identity it used, whether the action was inside policy, and how to unwind it if the action causes damage. The initial wedge is a read-mostly session-memory and blast-radius layer for account disable, token revoke, session kill, and endpoint isolate workflows, with human approval left in place. This beachhead is narrow because it matches a live buying trigger, fits inside existing Splunk and SOAR stacks, and produces measurable proof in approval time, evidence assembly time, and rollback time. Research supports demand, adjacent budget, and a plausible $120k initial ACV band, but public evidence on real buyer conversion rates, willingness to place a startup on the write path, and cross-vendor rollback coverage is still incomplete. The company should therefore sequence from provenance capture and policy simulation into deterministic rollback only after pilots show customers will trust the system on one workflow family. The biggest disconfirming risk is that suite-native tooling becomes good enough before the startup proves that an independent cross-tool provenance object is materially better.

Problem

• Security teams can draft or trigger identity-containment actions faster than humans can review them, but they still cannot prove which evidence, delegated identity, and downstream effects produced each machine-speed action.
• SIEM, SOAR, identity, and EDR tools log fragments of the workflow, so post-incident reconstruction and rollback are slow exactly when an authorized action has already caused business damage.

Solution

• Create a canonical session-memory object for every high-risk response workflow that links evidence, delegated identity, action intent, approvals, downstream changes, and rollback steps in one AI-readable record.
• Simulate blast radius before execution, enforce policy and approval gates on the write path, and store replayable provenance bundles so responders can explain or reverse actions in minutes instead of reconstructing logs by hand.

Why we win

• The product lands on the few workflows buyers are afraid to automate, which is easier to fund than a broader new SIEM, copilot, or identity graph pitch.
• Defensibility compounds from cross-tool provenance bundles, approval outcomes, and rollback history that mixed-stack buyers cannot get from any single incumbent suite.

Milestones

flowchart LR
  Wedge[Identity-containment wedge] --> MVP[Session-memory MVP]
  MVP --> Proof[Trust and rollback proof points]
  Proof --> Expansion[Broader SecOps control plane]

Founding team

Experiment roadmap

Risk assessment

What must be true

• Buyers confirm that identity-containment safety is urgent enough to fund before broader autonomous SOC tooling is fully mature.
• The first production deployment can go live in 6-8 weeks without unacceptable integration or security-review drag.
• Human-approved provenance bundles materially reduce approval time and post-incident reconstruction time on real workflows.
• Customers will allow the product onto the write path for at least one high-risk action family after a read-mostly pilot.
• Cross-tool neutrality and rollback depth remain materially better than suite-native alternatives in customer evaluations.

Open diligence questions

• Which exact incidents or near-misses made the buyer worry about authorized but unsafe automated actions?
• In the first budget cycle, does spend come from SecOps automation, identity security, or compliance and audit budgets?
• Which first workflow family has cleaner rollback semantics and clearer ROI in practice: identity containment or endpoint isolation?
• What must the startup prove for a CISO to let it sit on the write path rather than remain advisory only?
• How often do target accounts already get "good enough" provenance and approval controls from Splunk, Palo Alto, CrowdStrike, or Microsoft?

Model sanity

• Revenue engine. Base-case revenue is driven by growing from 4 paying logos at Y1 exit to 25 at Q4Y3, not by aggressive ARPU expansion beyond the stated $120k production ACV.
• Must go right. The model needs paid pilots to convert into annual production in about four months so blended CAC stays near $70k and the 11-FTE plan remains supportable.
• Model breaks if. If sales cycles slip to six months or Splunk-centered buyers keep the product advisory-only, cash goes negative before the next financing window.
• Next-round proof. A credible seed narrative is 10 paying logos, 6 production conversions, and one rollback-enabled workflow family by month 18 with partner-sourced pipeline evidence behind it.

Scenarios

Sensitivity

flowchart LR
  Leads --> PaidPilots
  PaidPilots --> ProductionCustomers
  ProductionCustomers --> SubscriptionRevenue
  SubscriptionRevenue --> GrossProfit
  GrossProfit --> Cash

Flags: Base case exits Y3 with only about $55K of cash, so a one-quarter conversion delay would likely force an earlier seed raise. · Revenue per end-of-year FTE reaches about $200K in Y3, which is acceptable but still at the low end of strong enterprise-SaaS efficiency. · The model assumes human-approved pilots are enough to win budget before broader write-path trust is proven. · Incumbent bundle pressure from Splunk/Cisco, Palo Alto, and CrowdStrike could compress the $120K ACV before rollback depth is differentiated.

• Suite bundling risk. Cisco, Splunk, or other large security vendors could bundle basic provenance and approval features into their own agentic SOC stacks. Mitigation: Win on cross-tool portability, deeper rollback orchestration, and independent trust evidence that mixed-stack buyers cannot get from a single suite.
• Design-partner immaturity. Many SOC teams are still early in autonomous-response adoption, which can slow initial pipeline and make ROI harder to quantify. Mitigation: Start with customers already piloting limited identity-containment automation and sell the product as the safety layer that unlocks production rollout.
• Integration and liability complexity. Touching response actions across identity, endpoint, and ticketing systems creates technical integration drag and perceived liability if rollback fails. Mitigation: Launch read-mostly with policy simulation and provenance capture first, then add narrowly scoped rollback for a few high-value actions with human approval defaults.