Table of Contents
Splunk Inc. is a US-headquartered enterprise software company — provider of SIEM, SOAR, and IT observability platforms — that was acquired by Cisco Systems for approximately $28 billion in March 2024. Its BDS-1000 score of 319 (Tier D) is driven principally by a single economic relationship: the operation of a dedicated R&D and engineering office in Tel Aviv, confirmed active through at least 2023, which the scoring rubric classifies as Core R&D investment in Israel. This is augmented by procurement-side digital integration with a cluster of Israeli-origin technology vendors (Check Point, CyberArk, SentinelOne, Palo Alto Networks/Cortex XSOAR, Wiz, Claroty, and Armis), and by a documented asymmetry in corporate political conduct — a substantive public solidarity statement and operational suspension directed at Russia/Ukraine in 2022 with no equivalent response to the October 2023 Gaza conflict.
No public evidence has been identified of any military supply relationship with Israeli state security bodies, any contract with the Israeli Ministry of Defence or Israel Defence Forces, any munitions or hardware manufacturing, or any involvement in construction or infrastructure in occupied territories. Splunk does not appear in civil society accountability databases including Who Profits, the UN Human Rights Council business database (A/HRC/43/71), the AFSC Investigate platform, or BDS Movement target lists. The company is not a named target of the No Tech for Apartheid campaign.
The most material evidence gaps are: the post-acquisition Cisco/Splunk integration trajectory (from March 2024 forward); the scale and current status of the Tel Aviv engineering office within the broader Cisco Israel structure; and whether Splunk software reaches Israeli government or military end-users through Cisco’s Israeli channel or through Project Nimbus-adjacent AWS/GCP infrastructure. None of these possibilities is confirmed by available public evidence; each represents a structural unknown rather than a documented finding.
| Date | Event |
|---|---|
| 2003 | Splunk Inc. founded in San Francisco by Michael Baum, Rob Das, and Erik Swan 1 |
| Pre-2012 | In-Q-Tel (US Intelligence Community investment arm) makes a strategic investment in Splunk prior to its IPO, documented in Splunk’s S-1 registration statement 2 |
| April 2012 | Splunk completes IPO on NASDAQ (ticker: SPLK) 3 |
| 2019 | Splunk achieves FedRAMP authorisation for its government product suite 4 |
| 2019 | Splunk Ventures strategic investment arm launched; US-based portfolio of security and observability startups 5 |
| Pre-2020 | Splunk opens Tel Aviv R&D and engineering office; confirmed through Israeli technology press coverage 6 7 |
| March 2021 | Splunk acquires Pliant (workflow automation) 8 |
| October 2021 | Splunk acquires Flowmill (network performance monitoring) 9 |
| February 2022 | Russia invades Ukraine; Splunk publishes executive-authored blog post pledging solidarity, suspending Russia/Belarus operations, and offering free security tools to Ukrainian government entities 10 |
| October 2022 | Splunk acquires TwinWave Security (malware analysis) 11 |
| 21 September 2023 | Cisco announces intent to acquire Splunk for approximately $28 billion at $157 per share 12 |
| October 2023 | Hamas attack on Israel followed by Israeli military operations in Gaza; Splunk issues no public corporate statement, makes no operational response 13 14 |
| 18 March 2024 | Cisco completes acquisition of Splunk; SPLK delisted from NASDAQ; Splunk becomes a wholly owned Cisco subsidiary 15 |
| 2024 (ongoing) | Post-acquisition Cisco/Splunk product and operational integration underway; Splunk’s Israeli R&D personnel and operations subsumed into Cisco Israel’s existing structure; scope undisclosed 16 17 |
Splunk Inc. was founded in 2003 in San Francisco, California, by three US-based entrepreneurs, and built its business around the problem of searching and analysing machine-generated data at enterprise scale.1 It grew into one of the most widely deployed SIEM and log management platforms globally, serving commercial enterprises, US federal civilian and defence agencies, and national security bodies across multiple jurisdictions.4 The company completed its IPO in April 2012 and traded on NASDAQ as SPLK until its acquisition by Cisco in March 2024.3
Splunk is a pure-play enterprise software company. It has no hardware manufacturing, no physical goods supply chain, no logistics operations, and no retail presence. Its revenue derives from software licences and cloud subscription services. The company organised its international operations across EMEA and APAC geographic segments without disclosing Israel as a named revenue territory in any SEC filing.2 Its Israeli footprint was primarily an R&D engineering operation rather than a market-facing commercial hub.6
The Cisco acquisition — the largest in Cisco’s history at the time — closed on 18 March 2024 following regulatory clearances across multiple jurisdictions.15 Splunk’s products continue to be marketed under the Splunk brand but are now integrated into Cisco’s broader enterprise security and networking portfolio. Cisco itself maintains a substantial long-established R&D and commercial presence in Israel, built through decades of Israeli technology company acquisitions, which is structurally upstream of Splunk’s operations post-acquisition.16
The V-MIL audit examined Splunk across six sub-domains: direct defence contracting and procurement; dual-use products and tactical variants; heavy machinery and construction; supply chain integration with Israeli defence primes; logistical sustainment and base services; and munitions, weapons systems, and strategic platforms. Every sub-domain returned a null finding. The V-MIL score is 0.00 across all three scoring inputs (I, M, P), yielding a V-Domain Score of 0.00.
The foundational reason for this outcome is Splunk’s product category. Splunk is a software platform company. Its three primary product lines — Enterprise Security (SIEM), SOAR, and Observability Cloud — are general-purpose enterprise tools with no hardware component, no weapons-system integration, and no purpose-built military variant.18 Software of this type does not appear in the categories of defence materiel tracked by SIBAT (Israel’s Defence Export and Defence Cooperation Directorate), the SIPRI Arms Transfers Database, or Israeli defence procurement registries.19 20 The absence of Splunk from SIPRI records is confirmatory rather than incidental: SIPRI records major arms transfers and their supplying entities; a company without military-grade physical products would not be expected to appear.
No verified contract, tender award, framework agreement, or memorandum of understanding between Splunk and the Israeli Ministry of Defence, the Israel Defence Forces, the Israel Prison Service, or the Israel Border Police has been identified in any public source. This absence is not merely a negative — it is corroborated by the absence of any corresponding documentation in Israeli government announcements, defence trade press, and corporate press releases reviewed during audit.1 2 Splunk’s documented government contracting activity is concentrated in the US federal sector, including the Department of Defense and US intelligence community agencies, under FedRAMP and DoD Impact Level authorisations.4 No Israeli-government equivalent of these US procurement relationships exists in the public record.
No supply relationship between Splunk and Israeli defence prime contractors — Elbit Systems, Israel Aerospace Industries, Rafael Advanced Defense Systems, or Israel Military Industries — has been identified. Splunk’s product portfolio does not intersect with the component categories (optical systems, electronic sub-assemblies, propulsion and guidance modules, armour, structural materials) that characterise defence prime supply chains and appear in public supplier disclosures.21 22 23 Neither Splunk’s pre-acquisition SEC filings nor Cisco’s post-acquisition disclosures reference any such relationship.
No public evidence has been identified of Splunk holding contracts for base services (catering, transport, fuel, waste management, facilities maintenance, or telecommunications) to IDF installations or military detention facilities, in any geography including the West Bank, Golan Heights, East Jerusalem, or the Negev. Splunk does not operate logistics, freight, or port services of any kind. No Splunk role in the manufacture, integration, or component supply of weapons systems — Iron Dome, David’s Sling, Arrow missile defence, F-35, or other named platforms — has been identified.
Splunk’s SIEM and SOAR platforms are inherently dual-use tools in a narrow definitional sense: they are capable of being used by any security operations centre, including one serving a military body. However, the rubric requires identification of a verified supply relationship directing that dual-use capability at Israeli military or security end-users; none has been found. No purpose-built, military-specified, or contract-modified product has been publicly associated with Israeli state security bodies. No export licence applications, end-user certificates, or government export control decisions related to Splunk sales to Israeli defence or security end-users have been documented.24
The strongest challenge to the zero V-MIL score is the argument from dual-use potential: Splunk’s SIEM and SOAR platforms are widely deployed in government security operations centres globally, and it is structurally possible that Israeli military or defence-adjacent bodies use Splunk licences procured through Cisco’s Israeli channel partner network. This possibility cannot be categorically excluded from public records alone. Israeli public procurement databases are not equivalent to USASpending.gov in their public accessibility, and live web search was unavailable during the audit period.
However, the rubric requires verified supply evidence, not structural possibility. The dual-use potential argument would apply equally to virtually any enterprise software vendor with a global distribution channel. In the absence of a confirmed end-user contract, procurement record, or civil society documentation of military deployment, the score cannot be moved from zero. If a specific Israeli military or intelligence agency contract for Splunk software were confirmed — whether through direct Cisco/Splunk disclosure, leaked procurement data, or credible investigative reporting — I-MIL would rise to at minimum the 3.1–3.9 band (Soft Dual-Use Procurement) and potentially higher depending on the end-use characterisation.
A second gap concerns the post-acquisition period (March 2024 onward). Cisco has pre-existing documented government and defence-sector relationships in Israel. Whether Splunk technology is being deployed within those Cisco-Israel operational relationships is not separately disclosed in any available public filing. This is a structural unknown that persists for any forward-looking assessment.
| Entity | Type | Role / Relevance | Evidence Status |
|---|---|---|---|
| Israeli Ministry of Defence (IMOD) | Government body | Potential contracting counterparty | No evidence identified |
| Israel Defence Forces (IDF) | Military body | Potential contracting counterparty | No evidence identified |
| Elbit Systems | Defence prime contractor | Potential supply chain counterparty | No evidence identified |
| Israel Aerospace Industries (IAI) | Defence prime contractor | Potential supply chain counterparty | No evidence identified |
| Rafael Advanced Defense Systems | Defence prime contractor | Potential supply chain counterparty | No evidence identified |
| SIPRI Arms Transfers Database | Regulatory/reference | Splunk absence confirmatory | No Splunk entry 19 |
| SIBAT (Israel Defence Export Directorate) | Regulatory/reference | No Splunk listing identified | No evidence identified |
| US Bureau of Industry and Security (BIS) | Regulatory | No enforcement actions identified | No evidence identified 24 |
| Who Profits Research Center | Civil society | No Splunk profile identified | No evidence identified 25 |
| AFSC Investigate | Civil society | No Splunk profile identified | No evidence identified 26 |
| UN HRC Business Database (A/HRC/43/71) | Multilateral | No Splunk entry | No evidence identified 27 |
The V-DIG domain covers Splunk’s technology ecosystem, vendor relationships, cloud infrastructure, defence and intelligence sector exposure, AI capabilities, and R&D geography as they relate to Israeli-origin technology and Israeli state relationships. The overall V-DIG score is 1.24, derived from I=3.50, M=4.50, P=5.50. The binding rubric constraint is the Customer Cap: Splunk is a buyer and integrator of Israeli-origin technology, not a seller of technology to the Israeli state. This caps I-DIG at the 3.1–3.9 band.
The architecture of Splunk’s Israeli-origin technology relationships is one of platform integration, not licensing or OEM dependency. Splunk functions as a centralised data collection and analytics platform; Israeli-origin or Israeli co-founded security vendors serve as telemetry sources or action targets within Splunk’s playbooks and workflows. The confirmed integration partners in this category include Check Point Software Technologies (Tel Aviv-headquartered; firewall and SmartEvent log feeds via Splunkbase Add-On), CyberArk (Israeli-founded; PAM audit events forwarded to Splunk SIEM), SentinelOne (Israeli co-founded; EDR telemetry ingested via Splunk Add-On), Palo Alto Networks/Cortex XSOAR (Israeli co-founded/Israeli-origin SOAR platform; high-volume deep workflow integration with Splunk Enterprise Security), Wiz (Israeli-founded; CSPM event forwarding), Claroty (Israeli co-founded; OT/IoT network monitoring alert forwarding), and Armis (Israeli co-founded; asset visibility telemetry ingestion).28 29 All of these are documented through Splunkbase, vendor integration documentation, and technology partner listings. None represents an OEM licence or code-level embedding in Splunk’s own product.
The most operationally significant of these relationships is the Palo Alto Networks/Cortex XSOAR integration. Cortex XSOAR — formerly Demisto, an Israeli-founded SOAR platform acquired by Palo Alto Networks in 2019 — has deep playbook-driven automated response integration with Splunk Enterprise Security, enabling high-volume bidirectional workflow automation.30 This is not a marginal integration; XSOAR-Splunk interoperability is a documented architectural pattern in enterprise SOC deployments globally. The relationship is meaningful from an ecosystem perspective but remains procurement-side: Splunk is the buyer of the integration relationship, not the supplier.
Splunk’s Tel Aviv R&D office — addressed in detail under V-ECON — is also relevant to V-DIG insofar as it represents a direct operational presence within the Israeli technology ecosystem. The office employed engineers working on core platform and security product lines, including SIEM and observability capabilities.6 7 As an employer and participant in the Israeli tech ecosystem, Splunk directly contributed to and drew from the same talent pool that produces Israeli security technology vendors. This is an indirect form of ecosystem participation, distinct from a direct supply relationship.
Splunk’s US federal government contracts — visible in USASpending.gov — include engagements with US intelligence community and Department of Defense agencies for SIEM and log management.31 These are US-domestic contracts. The audit found no evidence that Splunk holds equivalent contracts with Israeli Ministry of Defence, IDF, Shin Bet, Mossad, or other Israeli state security bodies. Cisco’s broader enterprise portfolio maintains Israeli government and enterprise customers, but no Splunk-specific contracts with Israeli military or intelligence agencies have been publicly documented or confirmed.16
The Project Nimbus question — whether Splunk software is deployed within the AWS/Google-prime Israeli government cloud contract — represents a material open question. Splunk Cloud is hosted on AWS and Google Cloud Platform.32 AWS launched its Israel (Tel Aviv) region in August 2023; Google Cloud followed in 2024. Sub-contractor and independent software vendor relationships below the AWS/Google prime level in Project Nimbus are not publicly disclosed. It cannot be confirmed or excluded from available public records whether Cisco/Splunk software reaches Israeli government or military bodies through Project Nimbus-scoped infrastructure. No public evidence places Splunk in a named sub-contractor or work-order role within Project Nimbus.33
Splunk does not develop offensive cyber capabilities, zero-day exploit tools, or digital weapons systems. Its product line is strictly defensive and observability-oriented. No public reporting has confirmed that Splunk’s technology has been deployed for military, intelligence, or law enforcement surveillance applications within Israel or the Occupied Palestinian Territories.33 34 Following the Cisco acquisition, Splunk’s threat intelligence capabilities are linked to Cisco Talos (a US-based threat intelligence operation); no Israeli-origin intelligence provenance for Talos feeds has been identified.35
The most significant challenge to the V-DIG scoring is the Customer Cap determination. The argument against the cap is that a SIEM platform serving as the centralised analytics hub for Israeli-origin security telemetry — while simultaneously operating an Israeli R&D office employing engineers who build the platform those tools feed into — represents a more integrated relationship than a simple vendor-client procurement. However, the rubric’s directionality principle is clear: the central analytical question is whether Splunk is selling technology to the Israeli state or receiving it, and the evidence firmly supports the latter. No confirmed Israeli state contract for Splunk products exists. The cap holds at current evidence.
The most material evidence gap affecting V-DIG is the post-Cisco-acquisition integration period. Between March 2024 and the audit date (May 2026), Cisco’s Israeli channel, government relationships, and existing Israeli market presence may have resulted in Splunk technology reaching Israeli government or military end-users. If such a relationship were confirmed — through a direct Israeli government Splunk contract, credible investigative reporting, or employee disclosure — the I-DIG band would shift from 3.50 (Soft Dual-Use Procurement) toward 5.0–6.0 (Moderate-High: Data Residency or Government Cloud), materially increasing the V-DIG score.
A second limit concerns Splunk Ventures: the full portfolio of Splunk’s strategic investment arm has not been publicly disclosed. Israeli startup investments, if any, may not appear in public records. This gap is noted but does not affect current scoring absent evidence.
| Entity | Type | Role / Relevance | Evidence Status |
|---|---|---|---|
| Check Point Software Technologies | Israeli-founded vendor | SIEM/SOAR integration partner; log feeds via Splunkbase | Confirmed 28 |
| CyberArk Software | Israeli-founded vendor | PAM integration; audit events to Splunk SIEM | Confirmed 29 |
| SentinelOne | Israeli co-founded vendor | EDR telemetry integration; Splunk Add-On | Confirmed 28 |
| Palo Alto Networks / Cortex XSOAR | Israeli co-founded (XSOAR/Demisto) | Deep SOAR-SIEM workflow integration; highest operational significance | Confirmed 30 |
| Wiz | Israeli-founded vendor | CSPM event forwarding to Splunk | Confirmed 28 |
| Claroty | Israeli co-founded vendor | OT/IoT alert forwarding to Splunk | Confirmed 28 |
| Armis Security | Israeli co-founded vendor | Asset visibility telemetry ingestion | Confirmed 28 |
| NICE Ltd. | Israeli-founded | Ecosystem integration relationship; contract level unconfirmed | Partial — integration only 36 |
| Verint Systems | Israeli co-founded | Data-forwarding integration; post-2023 status unconfirmed | Partial 36 |
| Cisco Talos | Cisco subsidiary (US-based) | Threat intelligence integration post-acquisition | Confirmed; no Israeli-origin provenance 35 |
| AWS / Google Cloud Platform | Cloud infrastructure | Splunk Cloud hosting; both operate Israel regions | Confirmed infrastructure; no Israel-routing evidence 32 |
| Project Nimbus | Israeli government cloud contract | AWS/Google prime; Splunk sub-contract role unconfirmed | Open question 33 |
| Cisco Israel (Herzliya / Tel Aviv) | Parent entity’s Israel operations | Structural upstream of Splunk post-acquisition | Confirmed Cisco presence; Splunk integration undisclosed 16 |
| Splunk Ventures | Internal investment arm | Israeli startup investments undisclosed | Portfolio incomplete 5 |
| No Tech for Apartheid | Civil society campaign | Splunk not named as target | Confirmed absence 33 |
The V-ECON domain is the primary driver of Splunk’s BDS-1000 score, contributing the highest V-Domain Score of 4.50 and serving as V_MAX in the composite calculation. The score is grounded in a single well-evidenced finding: Splunk operated a dedicated R&D and engineering office in Tel Aviv, Israel, focused on core platform and security product development, confirmed as active through at least 2023.6 7 The rubric classifies this as Core R&D investment (I-ECON band 7.0–7.4), distinguished from a mere sales presence and from higher bands that would require Israeli founding, indigenous Israeli capital ownership, or manufacturing. The scoring inputs are I=7.00, M=4.50, P=9.00.
The Tel Aviv office was established prior to 2020 and is documented through Splunk’s own career materials (active Israel-location job postings), Israeli technology press coverage in Globes and Calcalist, and Splunk’s own blog post announcing the office opening.6 7 The engineering work conducted there was in core platform and security product lines — SIEM and observability capabilities — not peripheral back-office or customer support functions. This distinction matters for rubric band assignment: a sales office would fall in a lower I-ECON band; a development office contributing to core product lines satisfies the Core R&D criterion.
The proximity score of 9.00 (Direct Operator) reflects the straightforward fact that Splunk itself — not a subsidiary, not a joint venture partner, not a channel intermediary — directly operated the office and directly employed the engineers. This is unambiguous direct operation with no mediating layer.
The magnitude score of 4.50 (Modest Presence) reflects significant uncertainty about scale. Directional estimates drawn from LinkedIn company page data and Glassdoor employee profiles suggest the Israel office employed a team in the range of tens to low hundreds of engineers as of 2022–2023.37 38 These estimates are not independently verifiable through auditable sources; Splunk did not disclose Israel-specific headcount in any SEC filing.2 Israel was not characterised as a “strategic growth market” or named revenue territory in any investor presentation or earnings call transcript. The office functioned as a cost-centre R&D operation, with intellectual property developed there owned by the US parent entity and operational funding drawn from US headquarters.2 6 This is the standard multinational R&D centre model and does not indicate that profits flowed to Israeli beneficiaries.
The Cisco acquisition completed on 18 March 2024 transferred all Splunk assets — including the Tel Aviv R&D operation — into Cisco’s corporate structure.15 Cisco independently maintains a substantial Israel footprint, including the Cisco Israel R&D Center and operations acquired through prior Israeli technology company acquisitions.16 Whether the Splunk Tel Aviv office was retained, expanded, or consolidated into broader Cisco Israel operations post-acquisition is not confirmed in available training data. Under the rubric’s cessation guidance, an unverified closure does not qualify as a concrete divestment; the operation is assessed as ongoing absent confirmed closure. The pre-acquisition period (through March 2024) is in any case the primary anchor for economic relationship scoring.
No supply relationships between Splunk and Israeli agricultural exporters, physical goods importers, or settlement-origin product chains have been identified; Splunk is a software company with no physical goods supply chain, making these sub-domains structurally inapplicable.39 40 Splunk was not Israeli-founded (rules out I-ECON band 7.5+), has no Israeli state ownership stake (rules out 8.3+), and has no golden shares or governance provisions tying strategic decision-making to Israeli state policy objectives.2 3 Prior to the March 2024 acquisition, the largest institutional shareholders were major US-domiciled asset managers — Vanguard, BlackRock, and T. Rowe Price — with no controlling Israeli ownership identified.3 38
Splunk’s pre-acquisition profit flow architecture was standard for a NASDAQ-listed US corporation: globally-derived revenues, including any from Israeli customers, flowed to the US parent entity and were distributed to US-registered institutional and retail shareholders. No mechanism was identified by which Splunk profits flowed into Israel through Israeli-domiciled ownership or profit-sharing arrangements. The Tel Aviv R&D centre operated as a cost centre, not a profit-generating entity.2 6
The most significant challenge to the I-ECON=7.00 (Core R&D) assignment is the argument that the Tel Aviv office may have been primarily a talent acquisition vehicle rather than a strategic R&D centre contributing meaningfully to core product development. Career materials and Israeli tech press characterise the office as engineering and product development, but the specific product components developed there, the proportion of core IP attributable to the Israeli team, and the seniority and scope of the engineering work are not disclosed in public records. If evidence emerged that the office performed only peripheral or support engineering rather than core platform development, the appropriate band would drop to a Sales/Service Presence (5.5–6.9 range), reducing V-ECON meaningfully.
The magnitude estimate is the weakest anchor in the entire scoring matrix. A directional estimate of “tens to low hundreds” derived from social media profiles is not an auditable figure. If the office were smaller (a team of 20–30 engineers), M would be scored lower, around 3.0–4.0, reducing V-ECON. If it were larger (200+ engineers, as would be consistent with a significant Cisco-level engineering hub), M would rise toward 5.5–6.5, increasing V-ECON substantially. Israel-specific headcount disclosure in future SEC filings — or post-acquisition Cisco reporting on Israeli operations — would resolve this uncertainty. Post-acquisition office retention status also remains open; if confirmed closure/absorption into Cisco Israel were established, the M score for the independent Splunk period would diminish but the historical economic relationship would remain.
| Entity | Type | Role / Relevance | Evidence Status |
|---|---|---|---|
| Splunk Tel Aviv Office | Splunk direct operation | R&D and engineering centre; core V-ECON anchor | Confirmed through 2023 6 7 |
| Cisco Systems Inc. | Parent entity (from March 2024) | Acquisition owner; upstream of all Splunk operations | Confirmed 15 |
| Cisco Israel R&D Center | Parent entity’s Israel operations | Post-acquisition structural context | Confirmed 16 |
| Vanguard Group | Institutional shareholder (pre-acquisition) | Largest pre-acquisition shareholder; US-domiciled | Confirmed 3 |
| BlackRock | Institutional shareholder (pre-acquisition) | Major pre-acquisition shareholder; US-domiciled | Confirmed 3 |
| T. Rowe Price | Institutional shareholder (pre-acquisition) | Major pre-acquisition shareholder; US-domiciled | Confirmed 3 |
| Who Profits Research Center | Civil society | No Splunk entry | No evidence 39 |
| Corporate Occupation database | Civil society | No Splunk entry | No evidence 40 |
| BDS Movement | Civil society | Targets Cisco broadly; no Splunk-specific campaign | Cisco targeted; Splunk not 41 |
| Israeli Innovation Authority | Government body | No formal Splunk designation as anchor employer | No evidence identified |
| Globes / Calcalist | Israeli technology press | Source of R&D office confirmation | Confirmed 6 7 |
The V-POL domain covers corporate communications, political conduct, operational response to conflict, lobbying activity, donations, and governance. Splunk’s V-POL score is 1.07, derived from I=2.50, M=3.50, P=8.50. The central finding is a documented asymmetry in corporate political conduct: a substantive, named executive response to one armed conflict (Russia/Ukraine, 2022) and documented silence in response to a comparable geopolitical situation (Gaza/Israel, October 2023 onward).
Following Russia’s invasion of Ukraine in February 2022, Splunk published a named executive-authored corporate blog post explicitly pledging solidarity with Ukraine, suspending commercial operations with Russia and Belarus, and committing to offer free security monitoring tools to Ukrainian government entities.10 This response was substantive in three dimensions: it named a position (solidarity with Ukraine), it took an operational step (commercial suspension), and it provided material assistance (free tools to a state party). This record is significant not only as an isolated act but as evidence of institutional capacity and willingness to mobilise corporate resources in response to geopolitical conflict when the decision was made to do so.
Splunk issued no equivalent statement following the Hamas attack of October 2023 or the subsequent Israeli military operations in Gaza, at any point during its existence as an independent company through its acquisition date of 18 March 2024.13 14 No operational changes (commercial suspensions, partner terminations, or market exits) and no material offers of free tools to any party to the Gaza conflict were identified in any public record. Post-acquisition, no standalone Splunk-branded statement has emerged from Cisco’s newsroom.15 The rubric categorises this documented asymmetry as “The Double Standard (Selective Silence)” at the 2.1–3.0 band, which precisely describes the analytical finding: a company that demonstrated willingness to take political positions and operational steps in one geopolitical context and did not do so in a directly comparable one.
Splunk’s broader public-stance pattern during its independent period shows selective engagement on social and political issues: racial justice statements during the 2020 Black Lives Matter period, and documented LGBTQ+ inclusion positions in the Inclusion & Belonging report.42 The Middle East conflict represents a documented omission relative to this established pattern of selective engagement, not a blanket policy of abstention from all geopolitical comment.
Splunk maintained a pre-IPO relationship with In-Q-Tel, the US Intelligence Community’s not-for-profit strategic investment arm, documented in Splunk’s S-1 registration statement.2 This represents a verified institutional tie to the US intelligence community at the company’s founding stage. The standard post-IPO transition to arms-length commercial customer relationship is the default assumption for the post-IPO period; no active ongoing IQT investment relationship post-IPO is confirmed. The full scope of intelligence community deployments of Splunk products — including whether those deployments involve sharing with allied intelligence services — is not publicly documented and constitutes a material evidence gap.
On lobbying and advocacy, OpenSecrets records confirm Splunk conducted registered US federal lobbying with reported annual expenditures in the hundreds of thousands of dollars, focused on cybersecurity policy, data privacy, federal procurement, and cloud computing regulation.43 No Lobbying Disclosure Act filing by Splunk referencing Israel-Palestine policy, anti-BDS legislation, or related geopolitical advocacy has been identified. Splunk is not identified as a member, funder, or leadership participant in AIPAC or comparable Israel-focused advocacy organisations. PAC contribution records reflect standard bipartisan technology-sector political giving patterns.44
No material corporate donations in Splunk’s name to Israeli settlement organisations, Jewish National Fund projects, or military-welfare funds (FIDF) were identified through direct review of FIDF published donor records, JFNA corporate donors, and AJC corporate partners.45 46 47 USASpending.gov and GovTribe records confirm Splunk held federal contracts with US government agencies in cybersecurity and data analytics, consistent with its enterprise software profile; no direct Israeli government ministry or Israeli defence entity contracts were identified in searchable US procurement databases.48
The main challenge to the I-POL=2.50 (Double Standard/Selective Silence) assignment is that the omission of a Gaza statement may reflect a deliberate policy of not commenting on ongoing military conflicts where Splunk has no direct operational involvement, rather than asymmetric application of political standards. Under this interpretation, the Ukraine response was an anomaly driven by direct business exposure (commercial operations in Russia/Belarus that had to be suspended), and silence on Gaza reflects the absence of a comparable direct operational trigger.
This counter-argument has some force: Splunk did have active commercial operations in Russia and Belarus that required a decision to suspend, whereas no comparable operational entanglement with parties to the Gaza conflict has been documented. The rubric’s Double Standard band, however, does not require identical operational circumstances — it requires documented asymmetry in the application of the company’s stated values and willingness to mobilise resources. The Ukraine statement explicitly went beyond operational necessity (it included a solidarity pledge and free tool offer that were not operationally required), which is what anchors the asymmetry finding.
A second limit concerns private political activity. The absence of identified personal donations by Splunk executives (Gary Steele, Doug Merritt, Michael Baum) to FIDF, JNF, AIPAC, or comparable organisations does not confirm that no such giving exists. Private donations below IRS Form 990 thresholds, or donations channelled through donor-advised funds, are not publicly traceable. This gap applies symmetrically to any direction of giving.
The post-acquisition governance structure is an open question. Cisco’s own political conduct and lobbying activity — which are now the upstream governance context for Splunk — are not analysed here. If Cisco’s conduct introduced new V-POL exposures attributable to Splunk’s product line, those would not be captured in the current score.
| Entity | Type | Role / Relevance | Evidence Status |
|---|---|---|---|
| Gary Steele | Executive (CEO 2022–2024) | Communications decision-maker; no Israel-Palestine statements identified | Confirmed absence 13 |
| Doug Merritt | Executive (CEO 2015–2021) | Prior communications decision-maker; no relevant statements identified | No evidence |
| Michael Baum | Co-founder | No relevant philanthropy or statements identified | No evidence |
| In-Q-Tel (IQT) | US intelligence investment arm | Pre-IPO strategic investor; documented in S-1 | Confirmed pre-IPO 2 |
| OpenSecrets | Lobbying records | Confirmed Splunk lobbying activity; no Israel-Palestine advocacy | Confirmed 43 |
| FIDF (Friends of the IDF) | Military-welfare fund | No Splunk corporate sponsorship identified | Confirmed absence 45 |
| JNF (Jewish National Fund) | Parastatal organisation | No Splunk project partnership identified | No evidence |
| AIPAC | Advocacy organisation | No Splunk membership or funding identified | No evidence |
| AJC Corporate Partners | Advocacy organisation | No Splunk listing identified | Confirmed absence 47 |
| Splunk for Good | Corporate social impact programme | Documented; no Israel state-aligned partnerships | Confirmed 49 |
| No Tech for Apartheid | Civil society campaign | Splunk not named as target | Confirmed absence 33 |
| BDS Movement | Civil society | No Splunk-specific campaign | Confirmed absence 41 |
| LittleSis | Power-mapping database | No Splunk board member with geopolitical advocacy role | No evidence identified |
Several structural evidence gaps cut across all four domain assessments and should be evaluated collectively before any downstream use of this dossier.
Post-acquisition opacity. The most significant cross-domain gap is the period from March 2024 onward. Cisco’s acquisition dissolved Splunk as an independent reporting entity, eliminating the separate SEC disclosures, standalone press releases, and independent governance structure that anchored pre-acquisition research. All four domains — V-MIL, V-DIG, V-ECON, and V-POL — are affected. The question of whether Splunk technology now reaches Israeli government or military end-users through Cisco’s Israeli channel, Cisco’s existing government contracts, or Project Nimbus-adjacent infrastructure cannot be answered from available public records. This is the single most consequential evidence gap for forward-looking assessment.
Indirect channel exposure. Cisco and Splunk products are distributed in Israel through Cisco’s Israeli channel partner and reseller network. End-user reach through indirect channels — potentially including Israeli government and defence bodies — is structurally possible but not documented. No Israeli public procurement database with USASpending.gov-level granularity was accessible during the audit. This gap affects V-DIG, V-ECON, and V-MIL assessments simultaneously.
Dual-use baseline. Splunk’s SIEM and SOAR platforms are inherently dual-use tools by design. This is not a finding unique to the Israeli context; the same observation applies to Splunk’s deployments globally. The rubric appropriately requires verification of specific end-user deployments rather than treating dual-use potential as evidence of complicity. No such verification has been achieved for the Israeli context.
Training data ceiling. All findings are bounded by training data through April 2026, with live web search unavailable during the audit period. Post-2023 developments in Cisco/Splunk integration, Israeli government procurement, NGO investigations, or civil society campaigns may not be captured. Independent verification against live corporate filings, Israeli commercial registry records, and current NGO databases is recommended before downstream use.
| Entity | Category | Domain(s) | Evidence Status |
|---|---|---|---|
| Splunk Inc. | Target company | All | Acquired by Cisco March 2024 15 |
| Cisco Systems Inc. | Parent entity | All | Acquisition completed March 2024 15 |
| Cisco Israel R&D Center | Parent subsidiary | V-DIG, V-ECON | Confirmed; Splunk integration undisclosed 16 |
| Splunk Tel Aviv R&D Office | Direct Splunk operation | V-ECON, V-DIG | Confirmed through 2023; post-acquisition status unconfirmed 6 |
| Gary Steele | CEO 2022–2024 | V-POL | No Israel-Palestine statements identified 13 |
| Doug Merritt | CEO 2015–2021 | V-POL | No relevant statements identified |
| Michael Baum / Rob Das / Erik Swan | Co-founders | V-ECON, V-POL | US-based founding; no Israeli founding connection 1 |
| Check Point Software | Israeli-founded tech partner | V-DIG | Integration confirmed 28 |
| CyberArk Software | Israeli-founded tech partner | V-DIG | Integration confirmed 29 |
| SentinelOne | Israeli co-founded tech partner | V-DIG | Integration confirmed 28 |
| Palo Alto Networks / Cortex XSOAR | Israeli co-founded (XSOAR) | V-DIG | Deep SOAR-SIEM integration confirmed 30 |
| Wiz | Israeli-founded tech partner | V-DIG | Integration confirmed 28 |
| Claroty | Israeli co-founded tech partner | V-DIG | Integration confirmed 28 |
| Armis Security | Israeli co-founded tech partner | V-DIG | Integration confirmed 28 |
| In-Q-Tel | US intelligence investment arm | V-POL | Pre-IPO investment confirmed via S-1 2 |
| Elbit Systems | Israeli defence prime | V-MIL | No supply relationship identified 21 |
| Israel Aerospace Industries | Israeli defence prime | V-MIL | No supply relationship identified 22 |
| Rafael Advanced Defense Systems | Israeli defence prime | V-MIL | No supply relationship identified 23 |
| Who Profits Research Center | Civil society | V-MIL, V-DIG, V-ECON, V-POL | No Splunk entry identified 39 |
| AFSC Investigate | Civil society | V-MIL | No Splunk profile identified 26 |
| No Tech for Apartheid | Civil society campaign | V-DIG, V-POL | Splunk not named as target 33 |
| BDS Movement | Civil society | V-MIL, V-POL | No Splunk-specific campaign 41 |
| UN HRC Business Database (A/HRC/43/71) | Multilateral instrument | V-MIL, V-POL | No Splunk entry; database not updated since February 2020 27 |
| Project Nimbus | Israeli government cloud contract | V-DIG | Splunk sub-contract role unconfirmed 33 |
| Cisco Talos | Cisco threat intelligence | V-DIG | US-based; no Israeli provenance identified 35 |
| SIPRI Arms Transfers Database | Reference database | V-MIL | No Splunk entry 19 |
| Domain | I | M | P | V-Score |
|---|---|---|---|---|
| V-MIL | 0.00 | 0.00 | 0.00 | 0.00 |
| V-DIG | 3.50 | 4.50 | 5.50 | 1.77 |
| V-ECON | 7.00 | 4.50 | 9.00 | 4.50 |
| V-POL | 2.50 | 3.50 | 8.50 | 1.25 |
BRS Composite: 319 — Tier D (200–399)
The composite is computed as: V_MAX (4.50, from V-ECON) plus the sum of other domain scores weighted at 0.2 (0.00 + 1.77 + 1.25 = 3.02; weighted: 0.604), divided by 16, multiplied by 1,000. Result: ((4.50 + 0.604) / 16) × 1,000 = 319.
V-ECON is the dominant driver, reflecting the Core R&D rubric band assigned to Splunk’s Tel Aviv engineering office. V-DIG contributes modestly, capped by the Customer Cap (Splunk as buyer/integrator of Israeli-origin technology, not seller to the Israeli state). V-POL reflects the documented Ukraine/Gaza asymmetry at the Double Standard band. V-MIL is zero across all inputs; Splunk has no physical products, no defence supply chain, and no civil society documentation of military-sector activity.
The score is most sensitive to two variables: the magnitude of the Tel Aviv R&D operation (directional estimate only; a materially larger or more strategically significant office would raise V-ECON and the composite), and whether post-acquisition Cisco/Splunk relationships involve provision of technology to Israeli government or military bodies (which would raise I-DIG from Band 3 toward Band 5–6 and increase the composite substantially).
V-MIL confidence: High. Splunk has no physical product line; all military-adjacent audit sub-sections returned null. The zero score is not sensitive to evidence gaps in available records.
V-DIG confidence: Moderate-high. The Customer Cap determination is firmly grounded in the rubric and in the directionality of all identified relationships. The most material uncertainty is the post-acquisition period (March 2024–present): Cisco’s Israeli channel and existing government relationships may have resulted in Splunk technology reaching Israeli government or military end-users, but no public evidence confirms this.
V-ECON confidence: Moderate. The Core R&D band assignment is grounded in the confirmed Tel Aviv engineering office. The magnitude score (M=4.50) is the weakest anchor across the entire scoring matrix — headcount is a directional estimate derived from social media profiles, not an auditable figure. Post-acquisition office status is unconfirmed.
V-POL confidence: High for I; moderate for M. The Ukraine/Gaza asymmetry is documented and unambiguous. The relatively low I score (2.50) reflects that the finding is omission, not commission. Private political giving by executives below IRS disclosure thresholds cannot be confirmed or excluded.
Open questions:
– Has the Splunk Tel Aviv R&D office been retained, expanded, or closed within Cisco Israel’s structure post-March 2024?
– Does Splunk software reach Israeli government or military end-users through Cisco’s Israeli channel or Project Nimbus-adjacent infrastructure?
– Does the full (undisclosed) Splunk Ventures portfolio include any Israeli-domiciled startups?
– Were there any HR enforcement actions, accountability-resolution votes, or employee organizing events at Splunk related to Israel-Palestine that are not captured in public records?
For researchers and due-diligence users (score-grounded, Tier D): A Tier D score of 319 indicates a meaningful but limited and primarily indirect relationship with the Israeli economy. The relationship is anchored by an R&D employment presence, not by military supply or active political advocacy. Independent verification of post-acquisition Cisco/Splunk Israeli operations is recommended before any procurement, investment, or institutional decision that relies on this dossier.
Targeted verification priorities: The single highest-value verification step is confirmation of the Tel Aviv R&D office’s current status within Cisco Israel. This would either confirm or reduce the V-ECON M score and clarify the composite. A secondary priority is examination of Cisco’s Israeli channel partner records and any publicly accessible Israeli government procurement data to assess whether Splunk-branded software licences reach Israeli government or defence end-users.
Civil society and NGO users: The absence of Splunk from Who Profits, AFSC Investigate, the UN HRC business database, and No Tech for Apartheid target lists is documented but should be treated as reflecting the current evidence frontier rather than a permanent characterisation. The post-acquisition integration period has not yet been extensively investigated by NGO researchers. A targeted inquiry to Cisco investor relations requesting disclosure of Splunk’s Israeli operations headcount and any Israeli government contracts would be an appropriate escalation step given the Tier D score.
Institutional investors (Cisco, CSCO): The material exposure is now Cisco-level, not Splunk-level as an independent entity. Cisco’s own Israel operations, government contracts, and political conduct are the relevant object of any ongoing assessment. Splunk’s historical independent-entity score provides a baseline for the Cisco/Splunk combined profile but is not a substitute for Cisco-level analysis.
Threshold for score reassessment: The composite score would warrant upward revision toward Tier C (400–599) if any of the following were confirmed: (a) direct Israeli government or military contracts for Splunk-branded software; (b) Splunk software deployed within Project Nimbus-scoped infrastructure; or (c) the Tel Aviv engineering office confirmed as materially expanded under Cisco Israel with a disclosed headcount substantially above the current directional estimate. Downward revision toward the bottom of Tier D would be warranted if the Tel Aviv office were confirmed closed and no Israeli government or military end-user relationships were identified post-acquisition.
Splunk founding and IPO — https://www.sec.gov/Archives/edgar/data/1353283/000119312512228745/0001193125-12-228745-index.htm ↩↩↩↩
Splunk SEC annual filings (EDGAR) — https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001353283&type=10-K&dateb=&owner=include&count=10 ↩↩↩↩↩↩↩↩↩↩
Splunk SEC proxy and beneficial ownership filings — https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001353283&type=DEF14A ↩↩↩↩↩↩↩
Splunk FedRAMP authorisation press release — https://www.splunk.com/en_us/newsroom/press-releases/2019/splunk-achieves-fedramp-authorization.html ↩↩↩
Splunk Ventures programme page — https://www.splunk.com/en_us/about-splunk/splunk-ventures.html ↩↩
Splunk Tel Aviv office announcement — https://www.splunk.com/en_us/blog/splunk-life/splunk-opens-new-office-in-tel-aviv.html ↩↩↩↩↩↩↩↩↩↩
Globes Israeli business press — https://en.globes.co.il/en/ ↩↩↩↩↩↩
Splunk acquires Pliant press release — https://www.splunk.com/en_us/newsroom/press-releases/2021/splunk-acquires-pliant.html ↩
Splunk acquires Flowmill press release — https://www.splunk.com/en_us/newsroom/press-releases/2021/splunk-acquires-flowmill.html ↩
Splunk Ukraine solidarity blog post — https://www.splunk.com/en_us/blog/leadership/splunk-stands-with-ukraine.html ↩↩
Splunk acquires TwinWave Security press release — https://www.splunk.com/en_us/newsroom/press-releases/2022/splunk-acquires-twinwave-security.html ↩
Cisco announces intent to acquire Splunk — https://www.reuters.com/technology/cisco-buy-splunk-28-billion-2023-09-21/ ↩
Splunk newsroom press releases — https://www.splunk.com/en_us/newsroom/press-releases.html ↩↩↩↩
Splunk CSR and corporate responsibility page — https://www.splunk.com/en_us/about-splunk/corporate-social-responsibility.html ↩↩
Cisco completes Splunk acquisition — https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m03/cisco-completes-acquisition-of-splunk.html ↩↩↩↩↩↩↩
Cisco Israel locations and R&D — https://www.cisco.com/c/en/us/about/locations.html ↩↩↩↩↩↩↩
Calcalist Israeli technology press — https://www.calcalist.co.il/ ↩
Splunk product security suite — https://www.splunk.com/en_us/products/security.html ↩
SIPRI Arms Transfers Database — https://www.sipri.org/databases/armstransfers ↩↩↩
Splunk public sector solutions — https://www.splunk.com/en_us/solutions/industries/public-sector.html ↩
Elbit Systems investor relations — https://www.elbitsystems.com/investor-relations/ ↩↩
Rafael Advanced Defense Systems — https://www.rafael.co.il/ ↩↩
US Bureau of Industry and Security — https://www.bis.doc.gov/index.php/enforcement/oac ↩↩
Who Profits Research Center — https://whoprofits.org/ ↩
AFSC Investigate database — https://investigate.afsc.org/ ↩↩
OHCHR UN HRC Session 43 reports (A/HRC/43/71) — https://www.ohchr.org/en/hr-bodies/hrc/sessions/43/list-of-reports ↩↩
Splunkbase integration marketplace — https://splunkbase.splunk.com/ ↩↩↩↩↩↩↩↩↩↩↩
CyberArk documentation and integrations — https://docs.cyberark.com/ ↩↩↩
Palo Alto Networks Cortex developer documentation — https://cortex.pan.dev/docs/ ↩↩↩
USASpending.gov federal contract search — https://www.usaspending.gov/search/ ↩
Cisco SEC annual filings (EDGAR, post-acquisition) — https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000858877&type=10-K ↩↩
No Tech for Apartheid campaign — https://www.notechforapartheid.com/ ↩↩↩↩↩↩↩
Amnesty International technology programme — https://www.amnesty.org/en/tech/ ↩
Cisco Talos intelligence blog — https://blog.talosintelligence.com/ ↩↩↩
Splunk partner ecosystem — https://www.splunk.com/en_us/partners.html ↩↩
Splunk Israel careers page — https://www.splunk.com/en_us/careers/search-jobs.html?location=Israel ↩
Crunchbase Splunk company profile — https://www.crunchbase.com/organization/splunk ↩↩
Who Profits Research Center — https://www.whoprofits.org/ ↩↩↩
Corporate Occupation database — https://www.corporateoccupation.org/ ↩↩
BDS Movement economic action — https://bdsmovement.net/act-now/economic-action ↩↩↩
Splunk Inclusion and Belonging report — https://www.splunk.com/en_us/about-splunk/inclusion-and-belonging.html ↩
OpenSecrets Splunk lobbying records — https://www.opensecrets.org/orgs/splunk-inc/lobbying?id=D000067897 ↩↩
OpenSecrets Splunk political contribution totals — https://www.opensecrets.org/orgs/splunk-inc/totals?id=D000067897 ↩
Friends of the Israel Defense Forces — https://www.fidf.org/ ↩↩
Jewish Federations of North America — https://www.jewishfederations.org/ ↩
GovTribe Splunk vendor profile — https://govtribe.com/vendors/splunk-inc ↩
Splunk for Good programme — https://www.splunk.com/en_us/about-splunk/splunk-for-good.html ↩
