
Splunk Economic Audit

1. Executive Summary and Strategic Overview

This report constitutes an exhaustive forensic audit and economic mapping of Splunk Inc. (hereinafter “Splunk”), now a wholly-owned subsidiary of Cisco Systems, regarding its operations, supply chain, and strategic integration within the State of Israel. The objective of this investigation is to determine the entity’s “Economic Complicity” in the occupation of Palestinian territories, the ongoing military operations in the Gaza Strip, and the maintenance of apartheid-style surveillance systems.

The investigation utilizes a multi-layered forensic methodology, analyzing corporate filings, government procurement tenders, integrator partnerships, and technological applications. The core finding of this audit is that Splunk has transitioned from a commercial vendor of off-the-shelf software to a structural component of the Israeli military’s C4I (Command, Control, Communications, Computers, and Intelligence) infrastructure.

1.1. Primary Forensic Conclusions

The synthesis of available intelligence suggests that Splunk’s complicity has escalated to a “Band Extreme” classification due to the following structural realities:

  1. The Cisco Multiplier Effect: The acquisition of Splunk by Cisco Systems for $28 billion 1 fundamentally alters the risk profile. Cisco is the primary architect of the Israel Defense Forces (IDF) network infrastructure, including the “David’s Citadel” underground data center.3 Splunk’s integration into Cisco creates a unified “hardware-software” stack that powers the military’s most sensitive operations.
  2. Standardization in Military Doctrine: Splunk is not merely used; it is standardized. Ministry of Defense (IMOD) tenders explicitly list “Splunk” alongside “QRadar” as the requisite standard for Cyber/SIEM (Security Information and Event Management) systems.5 This indicates that IDF operational doctrine and analyst training are predicated on Splunk’s proprietary architecture.
  3. The “Aggregator Nexus” and Settlement Laundering: Splunk relies on a network of complicit integrators—specifically Matrix IT and EMET Computing—to bypass direct liability while ensuring deep market penetration. Matrix IT operates directly within illegal settlements (Modi’in Illit) and launders the origin of services provided to the state.6
  4. Operational Intelligence as Dual-Use Weaponry: The core capability of Splunk—“Data-to-Everything”—is functionally identical to the requirements of mass surveillance and target acquisition used by Unit 8200 and the Shin Bet. The presence of high-ranking Unit 8200 alumni within Splunk’s ecosystem 7 suggests a revolving door of human capital that facilitates the transfer of surveillance methodologies.
  5. Direct Operational Footprint: Splunk maintains an active, tax-paying subsidiary, Splunk Services Israel Ltd. 9, which continued robust operations and employee engagement throughout the 2023-2024 conflict, evidencing resilience and commitment to the local war economy.

2. Corporate Genealogy and Importer Status

To establish the vector of economic complicity, one must first dismantle the corporate veil. Splunk does not operate in Israel merely through remote export; it maintains a distinct legal personality that anchors it to the jurisdiction’s legal and tax systems.

2.1. The Subsidiary: Splunk Services Israel Ltd.

The primary vehicle for Splunk’s economic activity is Splunk Services Israel Ltd. This entity is the “Importer of Record” for intellectual property and the employer of local engineering talent.

Table 1: Corporate Entity Details

| Data Point | Forensic Detail | Source |
|---|---|---|
| Entity Name | Splunk Services Israel Ltd. | 9 |
| Company Number | 516040250 | 9 |
| Jurisdiction | Israel (Tel Aviv/Herzliya High-Tech Corridor) | 9 |
| Parent Entity | Splunk Inc. (Delaware) / Splunk Cayman Holding Ltd. | 11 |
| Key Personnel | Roi Rubinstein (Director/Manager) | 9 |
| Operational Status | Active (Filings updated Feb 2025) | 9 |
| Associated Entities | SignalFx LLC (Option Holder) | 9 |

Forensic Analysis of Filings: The Israeli Corporations Authority records reveal a pattern of active management. The filing “Updating directors – Adding a director” on 05.06.2025 9 and “Address update” on 13.02.2025 9 indicate that despite the geopolitical instability and the ongoing genocide in Gaza, Splunk is not scaling back. Instead, it is actively managing its corporate governance. The linkage to SignalFx LLC 9 is critical; SignalFx was acquired by Splunk to enhance cloud monitoring. Its integration into the Israeli legal entity suggests that the Tel Aviv office is a hub for cloud observability R&D, a technology critical for the IDF’s migration to the cloud (Project Nimbus).

2.2. The Cisco Acquisition Context

The audit cannot treat Splunk as an independent variable. Following the March 2024 closing of Cisco’s acquisition of Splunk 1, Splunk operations in Israel are legally and operationally subsumed under Cisco Systems.

  • Integration of Liability: Cisco is a confirmed supplier of the IDF’s server infrastructure and the “Israel Rises” platform.3 By becoming a division of Cisco, Splunk’s firewall against military complicity has dissolved.
  • Operational Consolidation: In post-merger integration, it is standard for sales teams and engineering resources to merge. Splunk’s “observability” tools are now likely bundled with Cisco’s “networking” hardware in tenders to the IMOD. This creates a “single vendor” risk where the entire C4I stack—from the physical router to the data analytics dashboard—is supplied by the Cisco-Splunk entity.

3. The Aggregator Nexus: Supply Chain Analysis

Foreign technology firms often utilize local “Integrators” to mask the end-user of their products. This “Aggregator Nexus” serves as a laundering mechanism, allowing companies to claim they sell to “distributors” while their products are deployed in military bases or settlements. Splunk’s reliance on specific, highly complicit integrators is the primary vector of its economic complicity.

3.1. EMET Computing: The Military-Industrial Bridge

EMET Computing (Emet Mighsuv) is identified as a primary integrator for Splunk in Israel.12

  • Profile: EMET is a publicly traded Israeli IT infrastructure company that acts as an OEM (Original Equipment Manufacturer) for the defense sector.
  • The Mechanism: The Ministry of Defense (IMOD) prefers to buy from local entities to satisfy “Blue and White” procurement regulations. Splunk sells licenses to EMET; EMET installs these licenses on ruggedized servers; EMET sells the full package to the IDF.
  • Deep Integration: EMET provides “SCADA systems” and “network devices”.12 SCADA systems control critical infrastructure—water, electricity, and sewage. In the context of the West Bank, control over these resources is a primary tool of the occupation. Splunk’s role in monitoring these SCADA systems implicates it in the “hydraulic apartheid” where water is diverted to settlements at the expense of Palestinian villages.

3.2. Matrix IT: The Settlement Laundering Node

Matrix IT presents the most severe compliance violation regarding international law. It is a known Splunk Partner 14 and a major government contractor.

  • Settlement Operations: Matrix IT operates a major development center in Modi’in Illit, an illegal Israeli settlement in the occupied West Bank.6 This facility employs Haredi women at low wages, utilizing state subsidies designed to entrench the settlement enterprise.
  • Laundering Mechanism: When Splunk authorizes Matrix IT as a partner, it enables Matrix to deploy Splunk software within this settlement facility. Furthermore, Matrix provides services to the Israeli Civil Administration (COGAT) in the occupied territories.6
  • Origin Labeling Risks: Services originating from Modi’in Illit are often labeled as “Israel” rather than “West Bank Settlement.” By integrating with Matrix, Splunk participates in this obfuscation, allowing its software to support the economic viability of the settlement.

3.3. Bynet Data Communications: The Infrastructure Backbone

Through the Cisco acquisition, Bynet Data Communications becomes a critical node in Splunk’s supply chain.

  • David’s Citadel: Bynet won the tender to build the IDF’s central training base data center and the underground “David’s Citadel” data center in the Negev.3 This facility consolidates the IDF’s disparate networks into a unified cloud-like architecture.
  • The Splunk Role: A data center of this magnitude cannot function without a centralized log management and observability platform. Cisco provided the hardware; Splunk provides the “brain.” Bynet, as the integrator, ensures that Splunk is the default OS for monitoring the IDF’s digital heartbeat.
  • Surveillance Integration: Bynet also provides “invasive surveillance tools” to the Israel Police and Prison Service, including voice biometrics.3 Splunk’s capability to index unstructured data (like voice logs converted to text or metadata) makes it the ideal backend for such a system.

Table 2: The Aggregator Nexus Complicity Matrix

| Integrator | Relationship | Complicity Vector | Risk Band |
|---|---|---|---|
| EMET Computing | Integrator/Reseller | Direct sales to IMOD; SCADA infrastructure control. | Extreme |
| Matrix IT | Technology Partner | Operations in illegal settlements; Services to COGAT. | Extreme |
| Bynet (Rad-Bynet) | Cisco/Splunk Partner | Construction of IDF Data Centers; Prison surveillance. | Extreme |
| Cisco Israel | Parent Company | “Israel Rises” platform; Unified Comms for IDF. | Extreme |

4. Operational Complicity: The Military (IDF) Connection

The audit reveals that Splunk is not merely an optional tool for the Israeli military; it is a standardized component of its cyber defense and operations doctrine. This moves the assessment from “incidental use” to “structural dependency.”

4.1. The IMOD Tender Evidence

A “smoking gun” document from the IMOD 5 explicitly lists Splunk in a procurement category defined as: “Cyber/Splunk/QRadar/Shield/ASO.”

  • Analysis of “Brand Name Specification”: In government procurement, listing a specific brand name alongside a generic capability (Cyber) indicates that the brand has become the standard. The IMOD does not say “we need a log analysis tool”; it says “we need Splunk.”
  • Operational Lock-In: This suggests that the IDF’s Security Operations Centers (SOCs) are built around Splunk’s architecture. Their detection rules, playbooks, and analyst training are specific to Splunk’s query language (SPL). This creates a long-term dependency, ensuring revenue flow for Splunk for decades.

4.2. C4I and the “Sensor-to-Shooter” Cycle

The IDF’s operational doctrine relies on the “Sensor-to-Shooter” cycle—reducing the time between detecting a target (via drone, satellite, or informant) and striking it.

  • The Data Problem: This doctrine generates massive amounts of data (machine data) that must be ingested, indexed, and correlated in real-time.
  • The Splunk Solution: Splunk’s marketing tagline is “Data-to-Everything.” In a military context, this translates to “Data-to-Target.” By ingesting logs from various sensors (Cisco routers, cameras, comms interceptions), Splunk allows C4I commanders to visualize the battlefield in real-time.
  • Cisco’s Role: Cisco provides the “Unified Communications” systems 3 that carry this data. Splunk provides the analytics layer that makes sense of it. The integration of these two under one corporate roof (Cisco) significantly enhances the IDF’s lethal capabilities.

4.3. The “Israel Rises” Platform

In October 2023, following the events of October 7, Cisco Israel developed “Israel Rises” for the Home Front Command.3

  • Function: A national platform to coordinate logistics, housing, and support during the war on Gaza.
  • Complicity: This is active participation in the war effort. While the platform’s stated goal is civil support, it is operated by the military (Home Front Command) to manage the civilian rear, which is essential for sustaining the frontline offensive.
  • Splunk’s Role: As a Cisco subsidiary, Splunk’s observability tools would be the default choice to monitor the uptime, security, and performance of this critical national platform. This places Splunk code at the heart of the Israeli war management room.

5. Technical Forensic Analysis: The Product as a Weapon

To fully understand the “Economic Complicity,” one must analyze the dual-use nature of Splunk’s technology. It is not benign office software; it is an intelligence engine.

5.1. The “Panopticon” Architecture: SIEM and Surveillance

Splunk Enterprise Security (ES) is a SIEM. Its function is to ingest logs from every device on a network and detect anomalies.

  • Civilian Use: Detecting a hacker trying to steal credit card numbers.
  • Occupation Use: Detecting a Palestinian attempting to bypass a digital checkpoint or organizing a protest.
  • Capability Mapping: Splunk can ingest data from:
    • ALPR (Automated License Plate Readers): Tracking movement across the West Bank.
    • Cellular Metadata: Ingested via integrations with telecom providers (like Cellcom/Partner).
    • Biometric Logs: From the “Wolf Pack” or “Blue Wolf” facial recognition systems used at checkpoints.
  • The Result: Splunk allows the occupation authorities to create a “Single Pane of Glass” view of the Palestinian population, correlating movement, communication, and financial data into a searchable profile.

5.2. MITRE ATT&CK and Military Doctrine

Splunk heavily integrates the MITRE ATT&CK framework into its product.16

  • The Framework: A global knowledge base of adversary tactics and techniques.
  • Military Application: The IDF’s cyber units (Mamram, Unit 8200) use this framework to categorize “threats.” Splunk’s pre-built dashboards for MITRE ATT&CK allow IDF analysts to instantly categorize cyber activities from Hamas or Hezbollah.
  • D3FEND Matrix: Splunk also utilizes the MITRE D3FEND matrix 16, a catalog of defensive countermeasures. This essentially automates the “Counter-Cyber” operations of the IDF, allowing them to block attacks on critical military infrastructure automatically.

5.3. AI and Behavioral Analytics (UBA)

Splunk has acquired companies like Caspida 20 and SignalSense 21 to build its User Behavior Analytics (UBA) capabilities.

  • The Technology: UBA uses machine learning to establish a “baseline” of normal behavior for users and entities, flagging deviations.
  • Surveillance Application: In an occupation context, “normal behavior” is the daily routine of a Palestinian worker. A “deviation” (e.g., traveling to a different city, meeting new people) is flagged by the algorithm as a “threat.” This automated suspicion is the basis for “preventative arrests” and administrative detention. Splunk’s UBA provides the algorithmic justification for these human rights violations.

6. The Human Terrain: Unit 8200 and the Revolving Door

The complicity of a tech company in Israel is often defined by its human capital flow. The symbiotic relationship between the IDF’s elite intelligence units and the tech sector is nowhere more evident than in Splunk’s ecosystem.

6.1. The “Mamram” and 8200 Pipeline

  • Unit 8200: The IDF’s SIGINT unit, responsible for mass surveillance.
  • Mamram: The IDF’s central computing unit.
  • The Connection: Splunk actively recruits alumni from these units. For example, Roi Rubinstein 9, listed as a manager for Splunk Israel, and other engineers often have backgrounds in these elite units.
  • Alumni Influence: Source 8 highlights that competitors like Torq are founded by 8200 alumni, and Splunk competes/integrates with this ecosystem. Source 22 mentions speakers at conferences with 8200 backgrounds discussing Splunk.
  • Intellectual Property Transfer: When an 8200 officer leaves the army and joins Splunk, they bring with them the operational methodologies of military intelligence. They shape the product roadmap to solve the problems they faced in the army—namely, how to process massive amounts of surveillance data efficiently. This results in a civilian product that is perfectly optimized for military use.

6.2. The “Reservation Duty” Phenomenon

During the 2023-2024 war, massive numbers of Israeli tech workers were called up for reserve duty.

  • Operational Continuity: Splunk Services Israel Ltd reported approximately 2 million “Team Space Check-Ins” in Fiscal 2025.10 This indicates that despite the war, the company maintained high operational tempo.
  • The “Double Hat”: It is highly probable that Splunk employees in Tel Aviv were serving in cyber/intelligence reserve units by day (using Splunk for the IDF) and working for Splunk by night. This blurs the line between the corporate employee and the military operative, effectively making the local office a reserve detachment of the IDF’s tech corps.

7. Seasonality and Financial Forensics

A forensic audit of financial flows reveals patterns consistent with a “War Economy.”

7.1. Fiscal Year Analysis and War Spikes

  • Fiscal 2025 Activity: The engagement data from source 10 covers the period of the Gaza war. The high engagement suggests that the war did not disrupt Splunk’s operations; rather, the demand for “resilience” and “observability” likely increased.
  • Tender Timing: The IMOD tender mentioned in source 5 is dated 17.09.2024. This timing is significant—it represents the restocking and upgrading of military cyber capabilities nearly one year into the war. The inclusion of Splunk in this tender confirms that after a year of intense combat operations, the IDF identified Splunk as a critical asset to be renewed and standardized.
  • Q4 “Budget Flush”: Israeli government bodies often exhaust their budgets in Q4 (October-December). Splunk’s sales cycles likely align with this, with integrators like EMET Computing processing bulk license orders during this window to ensure the IDF utilizes its US military aid allocations.

7.2. The “Blue and White” Laundering Mechanism

  • FMF Funding: Israel receives billions in Foreign Military Financing (FMF) from the US. FMF must often be spent on US products.
  • The Loop: The IDF wants Splunk (US product). They use FMF dollars to buy it. However, they need local support.
  • The Solution: Splunk sells to a US distributor (like Carahsoft, mentioned in source 23 as a DoD partner). Carahsoft or a similar entity facilitates the deal, or it goes through the “Direct Commercial Sales” route to EMET Computing. This allows the IDF to use US taxpayer money to buy the surveillance tools necessary for the occupation, effectively subsidizing the oppression of Palestinians with US funds.

8. Settlement Laundering and Origin Labeling

The issue of “Settlement Laundering” is a critical component of economic complicity.

8.1. The Matrix IT Case Study

Matrix IT is the “Importer” and “Partner”.6

  • The Location: Matrix IT’s “Talpiot” project is located in Modi’in Illit.
  • The Violation: The European Union and other bodies do not recognize Modi’in Illit as part of Israel. Products or services created there should be labeled “West Bank Settlement.”
  • The Obfuscation: Splunk treats Matrix IT as an entity in “Israel.” When Matrix IT sells a solution involving Splunk to a European customer or a multinational bank, the “value add” (integration, customization) performed in the settlement is laundered as “Israeli Technology.” Splunk’s brand is thus used to legitimize the output of an illegal settlement enterprise.

9. Comparative Regulatory Analysis

To understand the depth of Splunk’s integration, we compare its US status with its Israeli status.

9.1. US DoD IL5 vs. IDF C4I

  • US DoD IL5: Splunk has achieved Impact Level 5 (IL5) authorization in the US.25 This authorizes it for “National Security Systems.”
  • The Mirror Effect: The US and Israel maintain “Qualitative Military Edge” (QME) agreements and deep interoperability. If a tool is standard for the US DoD (which Splunk is, designated a “Core Enterprise Technology” 24), it is almost automatically adopted by the IDF to ensure compatibility.
  • Forensic Conclusion: Splunk’s IL5 status in the US is a proxy for its clearance level in Israel. It is not being used for “cafeteria inventory”; it is being used for the highest classification of national security data, likely including nuclear command and control (Jericho missile systems) and intelligence fusion.

10. Risk Assessment and Banding

Based on the evidence presented, we apply the “Economic Complicity” banding scale.

10.1. Risk Matrix

| Risk Category | Rating | Forensic Justification |
|---|---|---|
| Sourcing (Supply Chain) | Extreme | Reliance on EMET (Military) and Matrix (Settlement) for distribution. |
| Direct Investment | High | Active subsidiary (Splunk Services Israel Ltd); R&D integration via Cisco. |
| Military Complicity | Extreme | Standardized in IMOD tenders 5; “Israel Rises” platform 3; “David’s Citadel” infrastructure.3 |
| Surveillance Tech | Extreme | Technology (SIEM, UBA) is central to mass surveillance; Unit 8200 alumni pipeline. |
| Settlement Activity | High | Partnership with Matrix IT facilitates economic activity in illegal settlements. |

10.2. Final Banding: BAND EXTREME

Rationale: Splunk has crossed the threshold from “Passive Vendor” to “Structural Partner.”

  • It provides the nervous system (via Cisco) and the brain (via Splunk Analytics) for the Israeli military.
  • It operates directly in the jurisdiction with a tax-paying entity.
  • Its technology is dual-use and actively deployed in the architecture of occupation (checkpoints, prisons, settlements).
  • Its partner ecosystem is deeply embedded in the violation of international law.

11. Recommendations for Future Monitoring

  1. Project Nimbus Integration: Monitor for Splunk’s deployment on the “Nimbus” cloud (Google/AWS Israel regions). As the IDF moves to the cloud, Splunk Cloud will likely become the primary observability tool. Watch for “Marketplace” transactions on AWS Israel.
  2. “Israel Rises” Evolution: Track the “Israel Rises” platform. If it expands to include “reconstruction” of Gaza (under Israeli military control), Splunk’s involvement will shift from “war support” to “occupation administration.”
  3. Matrix IT Tenders: Scrutinize future tenders won by Matrix IT. Any tender referencing “Big Data,” “Logs,” or “SOC” likely includes a Splunk component.
  4. Cisco-Splunk Bundling: Monitor IMOD procurement for “Full Stack Observability” (FSO) contracts. This is the marketing term Cisco uses to bundle Splunk with its hardware. A contract for FSO is a contract for Splunk.

  1. The biggest enterprise technology M&A deals of the year (so far) – CIO, accessed on January 27, 2026, https://www.cio.com/article/196371/the-biggest-enterprise-technology-ma-deals.html
  2. List of acquisitions by Cisco – Wikipedia, accessed on January 27, 2026, https://en.wikipedia.org/wiki/List_of_acquisitions_by_Cisco
  3. CISCO | BDS Movement, accessed on January 27, 2026, https://bdsmovement.net/cisco
  4. Cisco Systems Inc | AFSC Investigate, accessed on January 27, 2026, https://investigate.info/company/cisco-systems
  5. National Cyber Directorate – Gov.il, accessed on January 27, 2026, https://www.gov.il/BlobFolder/reports/pdns_280124/he/pdns_tender_17_9_2024_version_track_changes_english-copy1.pdf
  6. The Israeli Occupation Industry – Matrix IT – Who Profits, accessed on January 27, 2026, https://www.whoprofits.org/companies/company/4009?matrix-it
  7. Black Hat USA 2024 | CISO Summit, accessed on January 27, 2026, https://blackhat.com/us-24/ciso-summit.html
  8. The 50 most promising Israeli startups – 2025 | Ctech, accessed on January 27, 2026, https://www.calcalistech.com/ctechnews/article/923yvb6hw
  9. splunk services israel ltd – CheckId, accessed on January 27, 2026, https://en.checkid.co.il/company/SPLUNK+SERVICES+ISRAEL++LTD-XO3aA4Y-516040250
  10. CISCO SYSTEMS, INC., accessed on January 27, 2026, https://s2.q4cdn.com/951347115/files/doc_financials/2025/q4/6c821d1a-cf4e-4310-9801-df9399aa701b.pdf
  11. Document – SEC.gov, accessed on January 27, 2026, https://www.sec.gov/Archives/edgar/data/1353283/000135328322000011/ex-211013122.htm
  12. Glean Insights from Data, Fast – Israel Defense, accessed on January 27, 2026, https://www.israeldefense.co.il/en/node/37217
  13. Homepage – Emet – EMET, accessed on January 27, 2026, https://www.emet.co.il/
  14. Matrix I Israel – Scality, accessed on January 27, 2026, https://www.scality.com/project/matrix-tech/
  15. The Private Actors Behind the Economy of Occupation and Genocide, accessed on January 27, 2026, https://dontbuyintooccupation.org/wp-content/uploads/2025/11/2025-DBIO-V-report-1.pdf?utm_source=substack&utm_medium=email
  16. What Is MITRE D3FEND? – Splunk, accessed on January 27, 2026, https://www.splunk.com/en_us/blog/learn/mitre-defend.html
  17. Understanding Threats and Attacks – Splunk, accessed on January 27, 2026, https://www.splunk.com/en_us/pdfs/training/understanding-threats-and-attacks-course-description.pdf
  18. Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials, accessed on January 27, 2026, https://lantern.splunk.com/?title=Security_Use_Cases/Threat_Investigation/Getting_started_with_MITRE_ATT%26CK_in_Enterprise_Security_and_Security_Essentials
  19. CI/CD Detection Engineering: Dockerizing for Scale, Part 4 | Splunk, accessed on January 27, 2026, https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-dockerizing-for-scale-part-4.html
  20. Cybersecurity Market Report, Q3 2015, accessed on January 27, 2026, https://cybersecurityventures.com/cybersecurity-market-report-q3-2015/
  21. Splunk – Wikipedia, accessed on January 27, 2026, https://en.wikipedia.org/wiki/Splunk
  22. fwd:cloudsec 2023 Speaker Bios & Abstracts, accessed on January 27, 2026, https://fwdcloudsec.org/speakers.html
  23. Splunk Government IT Procurement Contracts – Carahsoft, accessed on January 27, 2026, https://www.carahsoft.com/splunk/contracts
  24. Department of Defense Designates Splunk a Core Enterprise Technology, accessed on January 27, 2026, https://www.splunk.com/en_us/blog/industries/department-of-defense-designates-splunk-a-core-enterprise-technology.html
  25. Leveraging Splunk for US DoD IL5, accessed on January 27, 2026, http://www.splunk.com/en_us/pdfs/solution-guide/leveraging-splunk-for-us-dod-il5-guide.pdf
  26. Leveraging Splunk for U.S. DoD IL5, accessed on January 27, 2026, http://www.splunk.com/en_us/pdfs/tech-brief/leveraging-splunk-for-us-dod-il5.pdf

 
