Job Description
Job Description :
Preferred Qualifications :
- Splunk Certified Architect (SCA) or Splunk Enterprise Security Certified Admin.
- AWS Security Specialty certification or equivalent demonstrated AWS security expertise.
- One or more of : GCIA, GCIH, GCFA, GREM, GCFE, or OSCP.
- Experience with Kubernetes-native logging architectures: Splunk Connect for Kubernetes (SCK), Fluentd, or Fluent Bit in production container environments.
- Familiarity with OCSF (Open Cybersecurity Schema Framework) and cross-platform security data normalization.
- Knowledge of OT/ICS security monitoring and log collection within NIST CSF 2.0-governed environments.
- Prior experience in PCI DSS-regulated environments (payment card), DoD/CMMC-regulated environments, or other critical infrastructure sectors.
- Experience with threat intelligence platforms (e.g., MISP, ThreatConnect, Recorded Future) and integrating TI feeds into SIEM detection pipelines.
- Contributions to the security community (conference presentations, open-source tooling, published research).
Core Competencies :
- Security telemetry architecture & platform engineering Incident response and digital forensics (DFIR)
- Splunk design, deployment, and at-scale operations Cloud security operations (AWS and Azure)
- AWS Security Lake integration & OCSF normalization Cross-functional communication and stakeholder management
- Detection engineering and SIEM content lifecycle Technical mentorship and SOC capability development
- Threat hunting and adversary tradecraft Analytical thinking and structured problem-solving under pressure
Work Conditions :
This position may require on-call availability and participation in a 24/7 rotating escalation schedule during high-severity incidents. Some travel may be required for on-site incident response engagements or architecture workshops. Security clearance eligibility may be required depending on project requirements.
While serving as the senior escalation tier for complex and high-severity security incidents, the primary focus of this role is architectural: defining standards, governing data pipelines, leading detection engineering, and integrating telemetry across a hybrid AWS/Azure environment. The Architect works closely with the SOC, Threat Intelligence, Cloud Engineering, and Incident Response teams, and produces work products for both technical engineers and executive audiences.
Key Responsibilities :
Telemetry Platform Architecture :
- Design and own the Splunk architecture : distributed/clustered indexer and search head topology, SmartStore data tiering, forwarder management, and capacity planning for CTS-scale ingest.
- Define and govern log source onboarding standards, parsing/transforms, and Common Information Model (CIM) compliance across all data inputs.
- Architect and implement integration with Amazon Security Lake (AWS Security Lake): Open Cybersecurity Schema Framework (OCSF) normalization, AWS Lake Formation permissions, and Athena/Glue query connectivity to Splunk.
- Evaluate and maintain knowledge of complementary telemetry platforms including Microsoft Sentinel, CrowdStrike Falcon LogScale, Google Chronicle/SecOps, and IBM QRadar; provide platform comparison analysis and integration recommendations as the security stack evolves.
- Lead Kubernetes-native log collection design using Splunk Connect for Kubernetes (SCK), Fluentd, or Fluent Bit for CTS container environments.
- Produce architecture decision records (ADRs), telemetry platform roadmaps, and capacity/licensing forecast models.
Detection Engineering :
- Lead the full detection engineering lifecycle: content strategy, SIEM rule development and tuning, correlation logic, and content retirement within Splunk ES.
- Develop advanced SPL queries, dashboards, reports, and alerts supporting real-time threat monitoring and threat hunting.
- Build and tune Splunk ES notable event logic and risk-based alerting (RBA) to reduce false positives and improve detection fidelity.
- Analyze threat intelligence feeds and translate IOCs and MITRE ATT&CK-mapped TTPs into actionable detection content.
- Collaborate with Tier 1 and Tier 2 analysts to develop investigation playbooks and automated response workflows integrated with Splunk SOAR.
Incident Response & SOC Escalation :
- Serve as the senior technical escalation point for high-severity and complex security incidents escalated from Tier 1 and Tier 2 SOC analysts.
- Conduct proactive threat hunting across endpoints, networks, and cloud environments using hypothesis-driven methodologies.
- Perform digital forensics and memory analysis on compromised systems to determine scope, root cause, and attacker TTPs.
- Participate in red/purple team exercises to validate detection and response effectiveness; drive continuous improvement through post-incident reviews.
- Produce incident briefings and post-incident reports for technical and executive audiences.
Collaboration & Mentorship :
- Mentor Tier 1 and Tier 2 SOC analysts on advanced Splunk usage, detection engineering techniques, and threat hunting methodologies.
- Partner with CTS Cloud Engineering, DevSecOps, and Infrastructure teams to integrate security telemetry into CI/CD pipelines and cloud-native architectures.
- Brief senior leadership and the CISO on telemetry platform health, detection coverage gaps, and strategic roadmap decisions.
No Referrers Available
There are currently no referrers available for this job. You can still apply, will let you know once there is any referrer available.
