AGENTIC SOC · LEARNING LOOP ONLINE

Splunk that learns from every incident.

Engram is an agentic security-operations platform built on Splunk. Four AI agents forecast breaches before they trip, investigate with hard evidence, remember what they learn, and ship backtested detections back into Splunk — closing the loop a SOC normally never closes.

PredictInvestigateRememberHarden

The problem

The SOC forgets faster than it learns.

🔁

The same incident, again

Teams re-investigate near-identical incidents from scratch every time. The fix from last quarter lives in someone's memory, not in the platform.

🚪

Knowledge walks out the door

When an analyst leaves, their hard-won investigation playbooks and tribal context leave with them. Institutional memory resets.

🔔

Alert fatigue

A flood of low-context alerts buries the signal. Detections are static, noisy, and rarely improved after the incident that should have taught them.

What Engram is

A four-agent learning loop on top of Splunk.

Each agent owns one stage of the loop. Together they turn every incident into durable, reusable defense — Predict → Investigate → Remember → Harden.

Sentinel

Predict

Forecasts service & security metrics toward their SLOs and opens a pre-incident before the breach lands — buying lead time instead of reacting after the page.

Investigator

Investigate

Runs grounded searches through the Splunk MCP Server, gathers real evidence, and reasons to a root cause — producing an auditable CaseFile, not a guess.

Librarian

Remember

Distills each resolved case into a fingerprint with embeddings in Splunk's KV Store, so the next look-alike incident is recognized instantly instead of re-solved.

Hardener

Harden

Drafts a detection from the case, backtests it for a report-card grade, and — after human approval — deploys it live as a Splunk saved search.

Architecture

Splunk stays the system of record. Engram closes the loop.

Telemetry flows into Splunk; a LangGraph orchestrator drives the agents against Splunk only through the MCP Server; approved detections are written back into Splunk. Every agent action is itself audited as Splunk events.

Monitored systems apps · auth · payments · infra
Splunk Enterprise indexes · metrics · KV Store · HEC
Splunk MCP Server tool-gated search & actions
Engram · LangGraph orchestrator
SentinelInvestigatorLibrarianHardener
Honest engineering note · model layer

Engram is architected for Splunk's hosted AI models — the Foundation-sec security model and the Cisco Deep Time Series forecasting model — behind a pluggable model interface. For this hackathon we ran on OpenAI and a statistical forecaster because access to Splunk's hosted models was still pending. The interface swaps to the hosted models with no code changes — the abstraction was the point, not a workaround.

Capabilities

Built for the way a SOC actually works.

Autonomous threat investigation

Agents pull real evidence through the MCP Server and reason to root cause — no canned runbook, no human kicking off every query.

MITRE ATT&CK mapping

Findings and generated detections are tagged to ATT&CK techniques, so coverage is legible to anyone who speaks the framework.

Evidence-based detection engineering

Every candidate detection is backtested against history for a report card — hits caught, false-positive rate, lead time — before it ever fires.

Human-in-the-loop approval gate

Nothing deploys itself. An analyst approves or rejects each detection; Engram proposes, a human disposes.

Agent observability

Every agent decision and action is written back as audited Splunk events — full, replayable provenance for what the AI did and why.

Institutional memory

Resolved incidents become fingerprints with embeddings. Recognition replaces re-investigation; the platform compounds what the team learns.

Tech stack

What it's made of.

Python FastAPI LangGraph Splunk MCP Server Splunk Enterprise KV Store memory HEC ingest Holt forecasting OpenAI (pluggable) React Vite TypeScript Tailwind CSS

Validation

Proven on a live, unscripted attack.

We didn't just demo happy paths. We fired a real, unscripted intrusion at the running stack and watched the whole loop execute end-to-end.

  1. 01
    Detected. A brute-force → lateral-movement attack landed in Splunk; the Investigator picked it up from live telemetry.
  2. 02
    Isolated. Evidence was grounded strictly to the attacker's activity — clean scoping, no bleed from unrelated data.
  3. 03
    Reasoned to root cause. The agent assembled an evidence-backed CaseFile with a timeline and hypothesis — not a guess.
  4. 04
    Hardened. Engram auto-generated a Grade A backtested detection, ready for one-click, human-approved deployment back into Splunk.

What's next

Roadmap.

Swap to Splunk's hosted models

Move the model layer onto Foundation-sec and the Cisco Deep Time Series forecaster — no code changes, just configuration.

Cross-domain signal fusion

Correlate identity, network, endpoint and application signals into a single, prioritized picture of unfolding risk.

Autonomous code-patching

Extend the loop past detection into proposing and validating remediations at the source of the incident.

Design partners

We're pursuing client acquisition and design partners after the hackathon to harden Engram against real production SOC workloads.