The 'we need something better' moment was triggered when we were trying to roll out custom alerts with Splunk Enterprise Security; it was atrocious to do that. You would have to clone things and then reuse alerts you made. Just making new alerts, the process was not very good, and there was no versioning for all the alerts we create. So we had to trust Splunk for what they created. Rolling out new alerts was a pain since you had to load them up in a new app and things similar to that. With Anvilogic, they made it super simple. I can describe a process where they have something they refer to as the Armory. You just go to the Armory, click all the things you want. It automatically pushes it down to your Splunk Enterprise with their app loaded up on there if you modify it as needed. It tends to just work, and you can customize it easily since it tells you the Splunk language plus the normal human language. So it makes modifying it simple with rollback versioning. They have groups based on known attackers coming for you, and you can group them together that way and deploy a whole set of alerts designed just for those specific use cases of those attackers and their IOCs. Aside from the easy custom alerting with Anvilogic, the next feature I appreciate most is that they also standardized bringing in the logs. They set some macros that help standardize and make more sense than Splunk. They teach you and give you insights every morning or every week, saying, 'Hey, this is not working, so what do you want. You're getting one or two of these alerts per day. Do you want to squash them from error to warning?' They're always giving you tips on how to improve the efficiency of the system itself. Creating scenarios was amazing. In Anvilogic's case, you create scenarios based on MITRE ATT&CK framework. Every rule that fits that MITRE will get used. My usage with Anvilogic has evolved since onboarding. After about two or three years, they started offering their cloud-based SOC where instead of just using Splunk as a data set, you could run your searches against Snowflake databases, Demisto, and others including Azure log storage. Their generative AI work has been fantastic as it's very specific in what you need to do. The route they've gone with the different types of AI agents aligns exactly with what I was hoping the market would do. Seeing them do the Tier Zero for SOC-type stuff with their playbooks has been impressive. Since adopting Anvilogic, our team's quick SOC response has become essential. We have been known to respond within five to seven minutes to an attacker compromising an account.
