Cisco and Splunk merger/acquisition rumors are at least 1 year old. Lots of Splunk employees speculated that it would be announced at the last Splunk conf (2022). Either way I vote for this being blatant insider trading.
I was working for a startup that was acquired by Splunk in 2018. At the next Cisco Live that was all the talk/rumor: Cisco acquiring Splunk. At one point it sounded like Cisco attempted a somewhat hostile takeover of Splunk. My sources and I rehashed this last week and the initial bid for Splunk was $23B sometime between 2018-2020. At the current price it's hard to tell if the current offer is higher, or actually lower, given inflation and market movement/sentiment.
Either way, it's a bad deal for both Splunk employees and their customers. SIEM is a space that is hard to be a leader in when you're not vendor-agnostic. This is basically what XDR has become: vendors who have EDR/NDR/whatever are claiming to have some unique (it's not) data lake that can ingest any source, when in reality all of these solutions suck at everything outside of their own product set. I've worked with countless clients over the last year who, as an example, made the mistake of thinking Microsoft Sentinel was a cost-effective tool, only to realize that once you're outside of the Microsoft ecosystem analytics/detections quality becomes very close to zero in terms of quality and the price is not cost-effective. But SIEM has always had a flair of vendor lock-in to it anyway. It's a hard platform to move from once time has been invested in wrangling all the data sources for ingest, transforming them to some bespoke schema and then all of the detection engineering on top of that. It's almost as bad as large-scale firewall migrations.
What a lot of folks don't know is that when Splunk decided to move to a Cloud/SaaS model they literally just lifted and shifted the unoptimized bits of on-prem Splunk to a managed VPC under the direction of then-CTO Tim Tully. Splunk was losing money on every deal due to the infra outcosting the insanely high quotes Splunk was churning out. This is a great case study on the Innovator's Dilemma, as Splunk dragged their feet for years internally saying that cloud would never impact them. And then they realized they were far behind the 8-ball and decided to hemorrhage cash so as to not churn customers. They eventually optimized it, but the underpinnings still aren't what a fresh take on the bits would have looked like had Splunk done the "right" thing.
Cisco will continue to play ELA games with customers just like VMware. For those who don't know, both companies like to get customers into ELAs. Why? Because those contracts basically state that said customer will buy X number of new products annually or risk losing some, or all, of their currently negotiated discount. For smaller orgs this works less well, but you'd be amazed at how those smaller orgs are easily manipulated by snake oil sales folks. For large orgs this puts them in a bind. I've even seen shady contracts written (from Splunk) that had language wherein if the customer does not renegotiate or cancel a, let's say, 3-year contract in writing 90 days before it's going to expire, the contract will auto-renew at a ridiculous percentage increase in cost.
Move away from these enterprise product sets where and when you can. These companies are focused on the bottom line - and that is profit, not the customer. The industry has it all backwards, and it's working for them... Still.