The same incident, again
Teams re-investigate near-identical incidents from scratch every time. The fix from last quarter lives in someone's memory, not in the platform.
Engram is an agentic security-operations platform built on Splunk. Four AI agents forecast breaches before they trip, investigate with hard evidence, remember what they learn, and ship backtested detections back into Splunk — closing the loop a SOC normally never closes.
The problem
Teams re-investigate near-identical incidents from scratch every time. The fix from last quarter lives in someone's memory, not in the platform.
When an analyst leaves, their hard-won investigation playbooks and tribal context leave with them. Institutional memory resets.
A flood of low-context alerts buries the signal. Detections are static, noisy, and rarely improved after the incident that should have taught them.
What Engram is
Each agent owns one stage of the loop. Together they turn every incident into durable, reusable defense — Predict → Investigate → Remember → Harden.
Forecasts service & security metrics toward their SLOs and opens a pre-incident before the breach lands — buying lead time instead of reacting after the page.
Runs grounded searches through the Splunk MCP Server, gathers real evidence, and reasons to a root cause — producing an auditable CaseFile, not a guess.
Distills each resolved case into a fingerprint with embeddings in Splunk's KV Store, so the next look-alike incident is recognized instantly instead of re-solved.
Drafts a detection from the case, backtests it for a report-card grade, and — after human approval — deploys it live as a Splunk saved search.
Architecture
Telemetry flows into Splunk; a LangGraph orchestrator drives the agents against Splunk only through the MCP Server; approved detections are written back into Splunk. Every agent action is itself audited as Splunk events.
Engram is architected for Splunk's hosted AI models — the Foundation-sec security model and the Cisco Deep Time Series forecasting model — behind a pluggable model interface. For this hackathon we ran on OpenAI and a statistical forecaster because access to Splunk's hosted models was still pending. The interface swaps to the hosted models with no code changes — the abstraction was the point, not a workaround.
Capabilities
Agents pull real evidence through the MCP Server and reason to root cause — no canned runbook, no human kicking off every query.
Findings and generated detections are tagged to ATT&CK techniques, so coverage is legible to anyone who speaks the framework.
Every candidate detection is backtested against history for a report card — hits caught, false-positive rate, lead time — before it ever fires.
Nothing deploys itself. An analyst approves or rejects each detection; Engram proposes, a human disposes.
Every agent decision and action is written back as audited Splunk events — full, replayable provenance for what the AI did and why.
Resolved incidents become fingerprints with embeddings. Recognition replaces re-investigation; the platform compounds what the team learns.
Tech stack
Validation
We didn't just demo happy paths. We fired a real, unscripted intrusion at the running stack and watched the whole loop execute end-to-end.
What's next
Move the model layer onto Foundation-sec and the Cisco Deep Time Series forecaster — no code changes, just configuration.
Correlate identity, network, endpoint and application signals into a single, prioritized picture of unfolding risk.
Extend the loop past detection into proposing and validating remediations at the source of the incident.
We're pursuing client acquisition and design partners after the hackathon to harden Engram against real production SOC workloads.