

Protecting Cisco's front lines with AI-powered Email Threat Defense and Splunk

Aug, 26, 2025 Hi-network.com

In today's dynamic threat landscape, securing the digital front lines is paramount. At Cisco, with more than 326 million emails incoming each quarter, we faced the same challenge many organizations do: how to defend against sophisticated email threats while maintaining user productivity. Our answer was a bold, layered security approach, powered by AI-driven solutions like Email Threat Defense and the advanced analytics of Splunk. Here's how we did it, and what we learned.

The growing threat landscape

Email: It's the single leading attack vector for security breaches for businesses across the globe. In 2023, the FBI reported $2.9 billion of business losses attributed to email cyberattacks in the US, an alarming increase of over 805% since 2016. Since 2022, email ransomware incidents are up 18%. These looming threats grow every day and underscore the critical need for a robust, multi-layered email security strategy.

While native email filters provide a baseline level of protection, they are insufficient in today's complex threat environment. In Cisco IT, we recognized this gap and began building a plan to enhance our defenses. 

However, as we were crafting a plan, a new problem rose in priority. Our executives were frustrated with inboxes full of spam, marketing, and clutter. A quick consultation with Cisco Talos confirmed our plan, and we set out to enhance our front-line email defenses, and quickly.

Putting our plan into action

We leverage many solutions across Cisco's security portfolio to keep us digitally resilient. But we knew that bringing the pieces together with the AI-driven capabilities of Cisco Email Threat Defense and Splunk would give us an unparalleled advantage: deeply integrated, layered defenses that reduce gaps, increase protection of users and devices, and secure access to applications. Over the past decade, we have implemented a layered approach to protect our users on any device, anywhere they connect, leveraging:

  • Cisco XDR, which acts as a bridge between our security applications. It unifies our security insights and correlates data across multiple domains.
  • Cisco Secure Malware Analytics, which determines if incoming files contain malware by isolating and opening them on a virtual machine, then analyzing system impacts. This powers more informed threat detection.
  • Cisco Secure Endpoint, which protects our endpoints by identifying and blocking files containing malware, including information about who may have opened and/or shared these files.
  • Cisco Secure Endpoint Analytics, which provides endpoint device visibility, finding endpoint threats before they're a problem, including zero-day malware, dangerous user behavior, data exfiltration, etc. It sees what applications or Software as a Service (SaaS) are in use, uses forensics for incident response, and gains visibility into device types and operating systems on the network.
  • Cisco Umbrella, which provides data and insights about specific domains, enabling us to block those with poor reputations.
  • Cisco Endpoint Security Analytics Built on Splunk (CESA) with Cisco AnyConnect Network Visibility Module (NVM), which feeds us rich user behavior data for email threat investigations. The NVM is the only technology for mobile devices that creates IPFIX (IP Flow Information Export) data. It plugs into CESA, which delivers all of the Splunk analytics software necessary to analyze NVM telemetry.

And in May 2024, facing increasingly complex threats, we deployed Cisco Secure Email Threat Defense to mitigate threats in real time. This platform enlists 90+ AI large language model (LLM) detectors to automatically detect email threats, then proactively takes the necessary next steps to protect the enterprise. This innovation saves us thousands of hours of manually sorting, reading, and gauging the intent of emails, work that left lots of room for human error. As bad actors increasingly utilize AI, Email Threat Defense levels the playing field for us.

The Email Threat Defense impact report offers full visibility into AI-tracked threats, showing trends over time as well as further insights and analytics.

For Cisco IT, integrating Email Threat Defense was seamless, taking only a matter of days. In fact, since deployment day, we've received zero complaints from the business and zero negative impact on our employees' experience. With Email Threat Defense on top of our existing layers of email security, employee mailboxes no longer must contend with business email compromise (BEC), where bad actors impersonate trusted sources to steal money from businesses, phishing, or other threats. From malware to marketing spam, we can quickly identify and remediate all kinds of unwanted mail, and do with it as we see fit organizationally, whether it's moving it to the junk folder or blocking it altogether.

Elevating incident response with Splunk's advanced analytics

Even with our front lines being well-protected by our robust layered defenses, our teams needed more to stay ahead of bad actors. In April 2025, our incident response team integrated Splunk into our operations, giving us access to some of the most innovative security developments on the market.  

With Splunk Attack Analyzer, Cisco now enables automated threat analysis and digital forensics for credential phishing and malware. Its proprietary technology extracts and analyzes malicious content hidden in text, images, macro source code, website content, and more. This automation significantly improves our team's operational efficiency, saving analysts' time and enhancing the ability of our team to investigate complex phishing threats with greater speed and accuracy. 

Quantifiable impact: Achieving resilience at scale

For Cisco, our layered approach is built to frustrate the attacker, not the user. When it comes to attackers, we've had plenty. Across a typical quarter, Cisco mailboxes together receive more than 326 million inbound emails. For us, "one in a million" isn't good enough when it comes to security. Our unified portfolio stops threats in their tracks.  

Let's break down the impact of our approach over a typical quarter: 

  • 41,000,000 (12.57%) emails blocked for having poor IP reputations
  • 23,000,000 (7.05%) emails blocked for DMARC (Domain-based Message Authentication, Reporting, and Conformance) failures
  • 6,800,000 emails blocked as spam
  • 49,000 emails blocked for having poor domain reputations
  • 1,940 emails blocked for containing viruses
  • 840 emails blocked for containing malware
  • 70,000 additional emails, confirmed as threats, blocked by Email Threat Defense's LLM detectors
  • Thousands more emails blocked for various other reasons

This level of visibility, integration, and automation is unmatched in the market. When you're dealing with diverse users, workplaces, and a mix of managed and unmanaged devices, there's no alternative to a layered, comprehensive, platform-based approach. Our strategy effectively closes gaps in the attack surface to make our systems as well-defended as possible.

For IT and security teams, our journey offers critical lessons:

  • A layered defense is non-negotiable: Relying on single-point solutions is insufficient. A comprehensive, integrated portfolio is essential.
  • AI is a force multiplier: AI-driven solutions like Cisco Secure Email Threat Defense significantly enhance threat detection and reduce manual overhead, even leveling the playing field against AI-powered attacks.
  • Automation and analytics are key to efficiency: Solutions like Splunk Attack Analyzer automate critical processes, freeing up valuable security team resources and improving incident response.
  • Integration is paramount: The true power comes from seamlessly connecting security tools, ensuring data correlation and unified insights across your environment.

Looking ahead: Continuing to build a future-proofed workplace

We're not done building yet. Cisco's integration of AI, Splunk, and email security represents a paradigm shift in how organizations can approach security and workplace innovation. By combining cutting-edge technology with a unified vision for how they can work more effectively together, we're not only protecting our front lines but also setting a new standard for resilience and adaptability in the modern workplace. We're bringing technology together to achieve things that have never been possible before. 

Building on this foundation, our incident response team is in the early stages of deploying Splunk Enterprise Security as part of our evolving email security strategy. While this integration is still in progress, it reflects our ongoing commitment to strengthening detection, investigation, and response capabilities across our environment. As we continue to explore and develop practical use cases, we anticipate that Splunk Enterprise Security will become a key component in our overall approach to identifying and mitigating email-based threats - further future-proofing our security posture for what's ahead. 

As the threat landscape evolves, so does Cisco. Taking these learnings, we push forward, continuing to innovate, integrate, and strengthen our defenses to protect what matters most. 


Learn more:  

  • Cisco on Cisco - Case Study
  • Cisco on Cisco
  • Cisco Live 2025 Session - Efficacy 101: How to Detect, Protect, and Remediate against Email-based Threats
  • Federal Bureau of Investigation: 2023 Internet Crime Report 
  • How large language models enhance Cisco Secure Email Threat Defense 
  • Email Threat Defense free 30-day trial
