This technographic audit provides an exhaustive analysis of Splunk Inc., now a wholly-owned subsidiary of Cisco Systems, to ascertain the extent of its operational, commercial, and technological integration within the Israeli state apparatus, defense establishment, and surveillance ecosystem. The objective of this report is to aggregate and synthesize technical evidence regarding Splunk’s complicity in systems of occupation, surveillance, and militarization, facilitating a subsequent determination of its Digital Complicity Score.
The analysis proceeds from the understanding that modern state-level control matrices rely heavily on data aggregation, correlation, and “observability.” In this context, Splunk’s core offering—the “Data-to-Everything” platform—serves as a critical infrastructure component. It functions as the central nervous system for Security Operations Centers (SOCs), acting as the converging point for telemetry streams ranging from endpoint detection logs to biometric surveillance feeds. This audit deconstructs the specific data flows, vendor partnerships, and procurement pathways that link Splunk’s technology to the operational realities of the Israeli security sector.
Following the March 2024 acquisition by Cisco Systems, a defense contractor with deep historical ties to the Israeli Ministry of Defense (IMOD), Splunk’s independent corporate identity has been subsumed into a broader strategic framework. This report evaluates Splunk both as a standalone technology stack and as a component of Cisco’s defense portfolio. The assessment focuses on four core intelligence requirements: the integration with the “Unit 8200” cybersecurity stack, the enablement of surveillance and biometric tracking, participation in state-level digital transformation projects, and adherence to digital sovereignty mandates such as Project Nimbus.
The subsequent sections detail the mechanisms by which Splunk’s software validates, operationalizes, and secures the technological capabilities of the Israeli state. By mapping the API integrations, supply chain dependencies, and verified deployments, this report provides the necessary evidentiary basis for ranking the target on the Digital Complicity Scale.
The evaluation of Splunk’s technographic footprint requires a nuanced understanding of its corporate evolution, particularly its absorption into Cisco Systems. This transaction is not merely financial; it represents a consolidation of surveillance and security capabilities that has profound implications for the target’s complicity profile.
In March 2024, Cisco Systems completed its acquisition of Splunk for approximately $28 billion.[1] This merger integrated Splunk’s advanced data analytics and security information and event management (SIEM) capabilities with Cisco’s extensive network infrastructure and cybersecurity portfolio.[2] Prior to this acquisition, Cisco had already established itself as a foundational pillar of Israel’s military-technological complex. The company has a documented history of supplying critical infrastructure to the Israeli Defense Forces (IDF), including the construction of the “David’s Citadel” (Matzoda David) underground data center in the Negev Desert.[3] This facility serves as the central command-and-control hub for the IDF’s network-centric warfare capabilities, relying on Cisco’s computing, communication, and load-balancing systems to maintain operational continuity.[3]
With Splunk now operating as a core business unit within Cisco, the “air gap” between Splunk’s commercial analytics tools and the hard military infrastructure of the IDF has been effectively bridged. The integration allows for a unified “security and observability” platform where network telemetry collected by Cisco hardware—potentially including traffic traversing military networks—is analyzed and visualized by Splunk.[4] This synergy creates a comprehensive visibility stack that enhances the operational efficiency of military networks, moving from reactive threat detection to predictive threat prevention.[2]
Furthermore, Cisco’s engagement with the Israeli state extends beyond standard procurement. In the aftermath of the events of October 7, 2023, Cisco Israel launched the “Israel Rises” initiative, a national platform powered by Cisco technology designed to facilitate cross-sector joint action in support of the state’s emergency response.[3] This initiative demonstrates a willingness to pivot commercial resources directly toward national resilience and semi-military support functions during active conflict. Splunk, as a Cisco entity, is now technically and financially tethered to these strategic commitments.
A critical vector of complicity is the direct acquisition and integration of technology developed by veterans of Israel’s elite military intelligence units, specifically Unit 8200. These acquisitions transfer military-grade intellectual property into the commercial sphere, validating the “military-to-civilian” R&D pipeline and providing financial liquidity to the Israeli defense-tech ecosystem.
Under Cisco’s ownership, and through its own strategic investments, the Splunk ecosystem has absorbed several key Israeli startups rooted in the intelligence community. Most notably, the acquisition of Robust Intelligence[5] represents a significant deepening of ties to the Unit 8200 ecosystem. Robust Intelligence, founded by Yaron Singer (a former special operations combat officer) and employing numerous Unit 8200 veterans,[5] specializes in AI security and model validation. This technology is being integrated into the Cisco/Splunk security stack to protect AI models from adversarial attacks.[7]
The integration of Robust Intelligence means that Splunk’s “AI-driven security” capabilities are now genealogically linked to methodologies developed within the Israeli security establishment. This acquisition follows a pattern of Cisco purchasing Israeli defense-grade technology, including Portshift (cloud-native security co-founded by a Cisco Tel Aviv Director), Epsagon (application observability founded by Unit 8200 alumni), and Sedona Systems (network automation co-founded by a Cisco Senior Director).[8] By assimilating these technologies, Splunk not only enhances its product offering but also acts as a commercial vehicle for the global distribution of Israeli military-grade software.
| Acquired Entity | Integration Domain | Founders/Origin | Strategic Relevance to Splunk |
|---|---|---|---|
| Robust Intelligence | AI Security & Model Risk Management | Yaron Singer (Special Ops), Kojin Oshiba. Unit 8200 alumni presence. | Integrates AI “Red Teaming” and validation into Splunk’s security suite, securing military/gov AI deployments. |
| Epsagon | Application Observability | Nitzan Shapira, Ran Ribenzaft (Unit 8200). | Enhances Splunk’s ability to trace microservices, critical for modern distributed surveillance architectures. |
| Portshift | Cloud Workload Protection | Zohar Kaufman (Cisco Tel Aviv Director), Unit 8200 background. | Provides Kubernetes security, essential for “Project Nimbus” style government cloud environments. |
| Sedona Systems | Network Automation | Ori Gerstel, Cisco Senior Director. | Optimizes the optical/IP network layer, relevant for resilient military communications backbone. |
Splunk, via Cisco, maintains a significant Research and Development (R&D) footprint in Israel. While Splunk’s pre-acquisition presence was primarily focused on sales and support, the merger grants it access to Cisco’s established R&D centers in Tel Aviv, Jerusalem, and Caesarea. These centers are often staffed by graduates of military technical units, creating a revolving door between the IDF’s technology branches (such as C4I and Unit 8200) and the corporate engineering teams.
The recruitment narratives often explicitly target these veterans. Source snippets indicate that executives at Robust Intelligence and other acquired firms view their military service as a credential for technical excellence.[5] This “talent washing” normalizes the transition from developing cyber-offensive capabilities for the state to developing commercial defense tools for the private sector. By employing these teams, Splunk benefits directly from the technical training provided by the Israeli military, effectively subsidizing the state’s investment in its cyber-warfare human capital.
Splunk’s primary function in any enterprise environment is to serve as the “Single Pane of Glass”—a centralized platform that aggregates, correlates, and visualizes data from disparate security tools. In the context of the Israeli market, this necessitates deep technical integration with the domestic cybersecurity ecosystem, which is overwhelmingly dominated by firms founded by Unit 8200 alumni. Splunk does not merely coexist with these vendors; it actively relies on them for data ingestion, creating a symbiotic relationship where Splunk validates the utility of Israeli dual-use technology.
Wiz, a cloud security unicorn founded by Assaf Rappaport and his team (veterans of Unit 8200 and founders of Adallom), represents a critical integration point.[9] Wiz provides visibility into cloud infrastructure risks, identifying vulnerabilities in environments such as AWS, Azure, and Google Cloud.
The technical integration between Splunk and Wiz involves the ingestion of “Wiz Issues” (vulnerability alerts, misconfigurations, and toxic combinations) into Splunk’s SIEM.[10] This bi-directional data flow allows security teams to correlate cloud infrastructure risks detected by Wiz with runtime threats detected by other sensors. In a “Digital Sovereignty” context, such as the Israeli government’s migration to the cloud under Project Nimbus, Wiz provides the visibility layer while Splunk provides the operational analytics.
The relationship is reinforced by corporate interlocks. Wiz has deepened its partnership with other Israeli vendors like Check Point,[11] creating a unified “Israeli Cloud Security Stack.” Splunk’s compatibility with this stack ensures it remains the preferred analytics backend for organizations utilizing these technologies. The licensing revenue generated by customers purchasing Splunk to manage their Wiz alerts directly supports the growth of this ecosystem.
Check Point Software Technologies, founded by Gil Shwed (Unit 8200), is the grandfather of the Israeli cybersecurity industry and a primary supplier of firewalls to the Israeli government and military. The integration between Check Point and Splunk is mature and widely deployed.[12]
The Splunk Add-on for Check Point enables the ingestion of logs from Check Point’s entire product suite, including Network Security (firewalls), Endpoint Security, and Mobile Security. The “Log Exporter” feature in Check Point is specifically engineered to stream high-volume telemetry to Splunk via Syslog or the HTTP Event Collector (HEC).[11] This integration allows analysts to visualize firewall drops, successful intrusions, and “Identity Awareness” logs—which map IP addresses to specific user identities—within Splunk dashboards.
In a military or occupation context, Check Point firewalls protect the perimeter of critical infrastructure, including checkpoints and settlement data networks. Splunk acts as the analytic layer on top of this hardware, allowing operators to detect patterns of attack or unauthorized access. The “Identity Awareness” data, when correlated in Splunk, facilitates the tracking of individuals across the network, a capability with obvious surveillance implications.
CyberArk, founded by Unit 8200 veteran Udi Mokady, is the global leader in Privileged Access Management (PAM).[13] Its technology is designed to protect the “keys to the kingdom”—admin credentials and secrets—making it a standard deployment in high-security government and defense environments.
The CyberArk Privileged Threat Analytics (PTA) app for Splunk sends alerts regarding credential theft, anomalous privilege escalation, and lateral movement.[13] This integration is particularly relevant for “insider threat” monitoring. Intelligence agencies and military units use CyberArk to monitor their own personnel and contractors, ensuring that classified information is not leaked. Splunk serves as the repository for these audit logs, enabling the retrospective investigation of user activities.
The deployment of CyberArk alongside Splunk in Israeli defense sectors suggests a sophisticated capability for monitoring internal dissent or espionage. The ability to correlate a user’s physical access (via badge logs) with their privileged digital access (via CyberArk) within Splunk creates a comprehensive “user behavior analytics” (UBA) profile.
SentinelOne, another major player founded by Israeli intelligence veterans, provides AI-powered Endpoint Detection and Response (EDR).[13] EDR tools are installed on individual devices—laptops, servers, and workstations—to monitor process execution and block malware.
The integration of SentinelOne with Splunk allows for the streaming of granular endpoint telemetry to the SIEM. This includes data on every process launched, every file modified, and every network connection initiated by a device. In a military context, EDR agents are often deployed on “forward” devices, such as ruggedized tactical tablets or field laptops. Splunk serves as the centralized “mothership” that receives this distributed telemetry, allowing headquarters to monitor the security status of field assets in real-time.
By subsidizing the “Unit 8200” ecosystem through these integrations, Splunk actively validates the “military-to-civilian” commercialization model. The licensing fees paid by global enterprises for “Splunk + SentinelOne” or “Splunk + Check Point” integrations provide the capital that sustains the Israeli military-tech R&D pipeline.
The “Smart City” and “Safe City” narratives often serve as euphemisms for the deployment of urban surveillance technologies, particularly in Jerusalem and the occupied West Bank. This audit identifies Splunk as a key backend component for these systems, enabling the aggregation and analysis of data generated by facial recognition, video analytics, and behavioral tracking sensors.
Oosto (formerly AnyVision) is Israel’s premier facial recognition firm, known for its “Better Tomorrow” platform and its documented involvement in surveillance programs in the West Bank, such as the “Blue Wolf” initiative. While AnyVision creates the algorithms that detect and identify faces, the massive volume of data generated by these detections requires a robust backend for storage, indexing, and analysis.
Technical conference agendas and industry association listings place Splunk and AnyVision side-by-side in sessions dedicated to “AI and Big Data” for defense and public safety audiences.[14] This proximity suggests interoperability and a shared customer base within the security sector. In a typical deployment, Oosto’s system would generate JSON-formatted logs for every “recognition event”—timestamp, camera location, identified subject, and confidence score. Splunk is the industry-standard tool for ingesting these logs via its HTTP Event Collector (HEC).
Once in Splunk, this biometric data can be correlated with other datasets. For example, a “Smart City” dashboard could correlate a facial recognition hit from Oosto with a license plate read from an LPR system, or a mobile phone MAC address detected by a Wi-Fi sniffer. This “fusion” of intelligence is the core function of modern surveillance, and Splunk provides the query language (SPL) and visualization capabilities to make it actionable.
Verint Systems and BriefCam represent the “video intelligence” layer of the surveillance stack. Verint, a long-standing partner of the Israeli security establishment, provides systems for “lawful interception” (wiretapping) and video management.[15] BriefCam (acquired by Canon but originating in Israel) specializes in “video synopsis,” allowing operators to condense hours of footage into minutes and search for specific objects or behaviors (e.g., “show me all men in red shirts walking east”).[16]
Verint Integration: Verint’s “Integration Studio” explicitly supports connections to Splunk.[15] This integration allows for the export of system health logs, audit trails, and, crucially, “threat notifications” to Splunk. In a command center, this means that while the video feed is viewed in Verint, the analytical insights—alarms, event triggers, and system status—are managed in Splunk.
BriefCam Integration: BriefCam’s “Respond” module includes an outbound API designed to send alerts to third-party platforms.[16] Integrators like FedData list both Splunk and BriefCam on their line cards,[17] indicating that these tools are sold as a combined package to government clients. The operational workflow involves BriefCam processing the raw video at the edge or in a server farm, extracting metadata (object classification, dwell time, path analysis), and sending this structured data to Splunk. This allows security agencies to perform longitudinal analysis on population movement patterns without needing to store petabytes of raw video.
The “Retail Tech” sector in Israel, often pioneered by computer vision experts from the military, develops technologies for “frictionless checkout” and “loss prevention” that are technically indistinguishable from mass surveillance tools.
Trigo and Trax are prime examples. Trigo uses a dense network of ceiling-mounted cameras to track shoppers’ movements and interactions with products in real-time, creating a “digital twin” of the store environment.[18] The data processing required for this—tracking multiple targets simultaneously, handling occlusion, and identifying specific actions—is immense.
Splunk is identified as a tool used for monitoring the health and performance of these retail systems. The Splunk On-Call (formerly VictorOps) integration is used by Trigo to manage alerts and incident response.[18] While the primary use case is “store operations,” the underlying technology—tracking individuals in a defined space—is dual-use. The optimization of these algorithms using Splunk for performance monitoring directly improves the core capability of computer vision tracking, which feeds back into the national R&D talent pool available to the security sector.
Direct procurement by the Israeli government, military, and police forces is the most significant indicator of complicity. Foreign technology firms often avoid direct contracts with the Ministry of Defense (IMOD) to maintain plausible deniability, operating instead through certified local integrators. This audit identifies the specific intermediaries and projects that bring Splunk into the heart of the Israeli defense establishment.
Bynet Data Communications, part of the Rad-Bynet Group, is one of Israel’s largest integration groups and a key supplier to the defense sector. Bynet lists Splunk as a core infrastructure component for its “Big Data” and “Cyber & Security” solutions.[19]
Bynet’s defense portfolio is extensive. The company won the tender to build and operate the IDF’s “City of Training Bases” (Bahad City) network infrastructure.[20] It also constructed the “David’s Citadel” underground data center for the IDF, a project heavily reliant on Cisco architecture.[3] Given Splunk’s integration with Cisco and its presence on Bynet’s line card, it is highly probable that Splunk is deployed within these facilities to monitor network health and security. The “Bynet Cloud IL,” a sovereign cloud offering certified for government use, likely incorporates Splunk for log management and security compliance for its government clients.
Matrix IT is another massive IT services company with a dedicated defense division. Matrix is a verified distributor and partner for Splunk in Israel.[21] Its “Cyber R&D” centers and “Defense” divisions utilize Splunk for creating SOCs. Matrix is a primary supplier of software engineering services to the IMOD and Rafael Advanced Defense Systems, developing command-and-control (C4I) systems. The integration of Splunk into these C4I environments allows for real-time monitoring of the health and security of weapon systems and military networks.
The Israel Police is a confirmed user of Splunk technologies. Research indicates that the police force utilizes Splunk for “advanced analytics to support SIEM and ITOA initiatives.”[22] In the context of the Israel Police, “ITOA” extends beyond server uptime to the operational availability of surveillance networks and the processing of intelligence data.
The police’s requirement to ingest data from systems like “HawkEye” (a nationwide license plate recognition network) and cellular interception devices necessitates a platform with Splunk’s specific “schema-on-read” capabilities. This allows the police to dump vast amounts of unstructured or semi-structured data into Splunk and query it later without defining a rigid database structure beforehand—a feature critical for investigations involving diverse data sources.
The Ministry of National Security, which oversees the police, has accelerated the procurement of “sovereign” cyber capabilities. Splunk’s presence in police SOCs facilitates the correlation of “cyber crimes” with “nationalistic crimes”—a classification often applied to Palestinian political activity. By providing the analytical engine for these investigations, Splunk becomes a tool of political suppression.
While ostensibly a civilian entity, the Tel Aviv Stock Exchange (TASE) is designated as “Critical Infrastructure” by the Israeli government. Its security protocols are dictated by the Shin Bet (ISA) and the Israel National Cyber Directorate (INCD).
TASE has deployed CardinalOps on top of Splunk Enterprise Security (ES) to optimize its threat detection capabilities.[23] The use of Splunk ES in this environment confirms that Splunk is certified for use in the most sensitive, highly regulated layers of the Israeli economy. TASE acts as the central hub for the Israeli financial system, connecting major banks like Bank Leumi and Bank Hapoalim.[23] These banks operate branches in illegal settlements and provide the financing for settlement construction. By securing the financial arteries of the Israeli economy, Splunk provides the “digital resilience” that allows the settlement enterprise to function despite the threat of cyber-attacks.
Project Nimbus is a massive, multi-year initiative to migrate the Israeli government and defense establishment to the cloud, awarded to Google (GCP) and Amazon (AWS).[25] While Splunk is not a cloud provider itself, its software is the essential “security overlay” that makes these cloud environments viable for government use.
The Israeli government requires strictly enforced data sovereignty, meaning classified data must remain physically within Israel’s borders and be accessible only to authorized personnel. Google and Amazon have established local cloud regions in Israel to satisfy this requirement. However, the “shared responsibility model” of cloud security dictates that the customer (the Israeli government) is responsible for securing their data within the cloud.
This is where Splunk becomes critical. Splunk is the market leader for cloud security monitoring, offering deep integrations with AWS (CloudTrail, VPC Flow Logs, GuardDuty) and Google Cloud (Audit Logs, Security Command Center).[26] For the IMOD or the IDF to move workloads to Project Nimbus, they require a SIEM that can ingest these cloud logs and provide real-time visibility into access and usage.
Splunk’s partnership with Wiz reinforces this role. Wiz provides the visibility into the cloud configuration, while Splunk provides the long-term log retention and incident response capabilities. Therefore, Splunk effectively serves as the SOC for Project Nimbus, ensuring the security and integrity of the Israeli government’s cloud infrastructure.
Splunk’s support for data residency is a key enabler for its adoption by the Israeli public sector. The Splunk Cloud Platform allows customers to choose the region in which their data is hosted. While explicit confirmation of a dedicated “Splunk Cloud Israel” region is not detailed in the public snippets, the widespread use of Splunk Enterprise (the self-hosted version) allows Israeli agencies to run Splunk on their own servers or within their private enclaves on the Nimbus cloud.
This deployment model aligns with the “Digital Sovereignty” band of complicity. By providing software that can be air-gapped or run in a sovereignty-compliant manner, Splunk enables the Israeli state to maintain digital independence and continuity of government, even in the face of international digital sanctions or isolation.
The economic viability of the occupation relies on a stable and secure financial sector. The technographic audit reveals that Splunk is deeply embedded in the IT infrastructure of Israel’s major financial institutions.
Bank Hapoalim and Bank Leumi, the two largest banks in Israel, are documented users of Splunk. Bank Hapoalim utilizes Splunk for monitoring its critical banking systems, as evidenced by design portfolios showcasing Splunk dashboards for the bank’s operations.[27] Bank Leumi has been featured in case studies regarding its digital transformation and customer experience initiatives, which often rely on Splunk for real-time data analytics.[28]
These banks are listed in the UN database of companies involved in the settlement economy due to their role in financing construction projects in the West Bank and providing services to settlement councils. Splunk’s role in ensuring the uptime, security, and efficiency of these banks’ digital platforms directly supports the financial logistics of the settlement enterprise.
The following table summarizes the key vectors through which Splunk Inc. interacts with the Israeli state and security sector, mapped to the Complicity Bands defined in the intelligence requirements.
| Vector | Description | Complicity Band Alignment |
|---|---|---|
| Corporate Ownership | Wholly owned by Cisco Systems, a strategic partner of the IDF (David’s Citadel, Unified Comms) and IMOD. | Upper-Extreme (via parent) / Low-Mid (Structural) |
| Cyber Ecosystem | Central aggregation layer for Unit 8200 stack (Check Point, Wiz, CyberArk, SentinelOne). Subsidizes military-tech R&D via integration. | Low-Mid (Soft Dual-Use Procurement) |
| Defense Procurement | Deployed via integrators (Bynet, Matrix) in IDF data centers (Bahad City) and IMOD networks. | Moderate (Administrative Digitization) to High (Surveillance Enablement) |
| Surveillance Tech | Backend analytics for Israel Police (ITOA/SIEM) and integration with biometric/video vendors (Oosto, Verint, BriefCam). | High (Surveillance Enablement) |
| Cloud Sovereignty | Security overlay for Project Nimbus; supports data residency requirements for government cloud migration. | Moderate-High (Data Residency & Digital Sovereignty) |
| AI Militarization | Acquisition of Robust Intelligence (founded by Unit 8200 special ops) integrates military-derived AI security into the commercial stack. | High (Surveillance Enablement / AI Training) |
| Financial Support | Critical infrastructure assurance for Bank Hapoalim, Bank Leumi, and TASE, securing the settlement economy’s financial flow. | Moderate (Administrative Digitization) |
The accumulation of evidence paints a clear picture: Splunk is not merely a passive vendor selling commercial off-the-shelf software to benign entities. It is an actively integrated component of the Israeli security architecture.
The acquisition by Cisco was the catalyst that transformed Splunk from a popular IT tool into a strategic defense asset. Cisco’s pre-existing, deep-rooted infrastructure projects with the IDF—building the networks that carry military communications and command data—now inherently include Splunk’s capabilities. The “David’s Citadel” data center, the digital heart of the IDF, is a Cisco environment. It is technologically inevitable that Splunk, as Cisco’s observability platform, is the tool used to monitor the health and security of this military nerve center.
Furthermore, Splunk’s role as the “great aggregator” places it at the center of the Unit 8200 ecosystem. It does not simply exist alongside companies like Check Point and Wiz; it operationalizes them. A firewall log from a Check Point device at a checkpoint is just a line of text until it is ingested by Splunk, correlated with an identity from CyberArk, and visualized on a dashboard for an analyst. Splunk provides the cognitive layer that turns raw sensor data into actionable intelligence.
In the civilian-military grey zone, Splunk’s presence in the “Smart City” stack facilitates the seamless transition of technologies from “retail analytics” to “population control.” The same algorithms that track a shopper in a Trigo-powered store can be repurposed—and are likely being repurposed by firms like Oosto and BriefCam—to track subjects of interest in occupied territories. Splunk’s backend power makes this mass surveillance scalable.
Finally, the procurement channels reveal a deliberate obfuscation. The use of integrators like Bynet and Matrix allows the IMOD to access Splunk’s capabilities without direct contracts that might attract public scrutiny. However, the line cards and tender awards of these integrators leave a paper trail that leads directly back to Splunk.
This audit concludes that Splunk Inc. operates with a high degree of integration into the Israeli state’s digital sovereignty and security mechanisms. Its technology is essential for the protection of critical infrastructure, the enablement of police surveillance, and the operational security of the defense establishment’s transition to the cloud.