Cherokee Federal

Building. Solving. Serving.

Senior Splunk Engineer

Full Time · Remote · Team size 5,001-10,000 · Since 1969

Location

United States

Posted

2 days ago

Salary

$150K - $165K / year

Bachelor Degree · 7 yrs exp · English · AWS · Cloud · EC2 · Python · ServiceNow · Splunk

Job Description

  • Design, deploy, and maintain Splunk Enterprise, indexers, search heads (including SHC), cluster master/CM, deployment server/Deployer, forwarders, and KV stores across on-prem and AWS.
  • Engineer scalable data onboarding pipelines, parsing, and indexing with props/transforms, HEC, UF/HF, and S3/SQS/SNS-based ingestion.
  • Enforce RBAC, data retention, index strategy, knowledge object governance, and change control aligned to federal compliance.
  • Optimize search performance, data model accelerations, KV store usage, and ES notable event throughput and latency.
  • Develop and tune ES correlation searches, risk-based alerting (RBA), and adaptive response actions mapped to MITRE ATT&CK.
  • Build dashboards, investigations, and notable event workflows that reduce false positives and drive analyst efficiency.
  • Maintain CIM-compliant data models; lead normalization and data quality initiatives across cloud, endpoint, identity, and network sources.
  • Measure and report detection and response efficacy (MTTR, precision/recall, RBA risk scores, SLA adherence).
  • Engineer Splunk SOAR (Phantom) playbooks and apps with secure, scalable configurations to triage, enrich, and contain threats.
  • Integrate ES notables with automated triage and ServiceNow IR for incident creation, enrichment, SLA tracking, approvals, and evidence attachments.
  • Build AWS-focused detection and response: GuardDuty, CloudTrail, Security Hub, VPC Flow Logs, IAM, EC2, S3; implement safe actions (e.g., EC2 isolation, S3 access updates, EBS snapshots, IAM key rotation/MFA enforcement, Security Hub updates) with human-in-the-loop approvals and rollback.
  • Integrate EDR and identity platforms for host containment, IOC blocking, and remote response via APIs.
  • Lead Splunk deployments in AWS including scalability, multi-account/multi-region ingestion, and cross-account automation via Boto3 and native services.
  • Standardize reusable Python modules, SDK usage, and CI/CD practices for app/deployment packaging and version control.
  • Map controls to FISMA/NIST RMF, FedRAMP, and CMMC; maintain audit-ready evidence through logging, approval trails, and configuration baselines.
  • Drive POA&M updates, control validations, and continuous monitoring dashboards.
  • Champion secrets management, least privilege, and safe-response guardrails in all platform and automation changes.
  • Translate SOC/IR runbooks (phishing, malware, IAM abuse, EC2 compromise) into reliable detections and automations.
  • Mentor junior engineers and analysts on SPL, ES content development, CIM, and SOAR playbooks.
  • Partner with stakeholders to prioritize use cases and deliver quantifiable outcomes.

Job Requirements

  • 7+ years in security engineering, SOC/IR, or platform engineering, including 4+ years designing and operating Splunk Enterprise and Splunk ES in production.
  • 3+ years hands-on with Splunk SOAR (Phantom) and automation of ES notables and ServiceNow IR workflows.
  • Strong AWS experience: GuardDuty, CloudTrail, Security Hub, IAM, EC2, S3, VPC Flow Logs; cross-account and multi-region preferred.
  • Proven ServiceNow Incident Response integration experience.
  • Proficiency in SPL, Python, AWS Boto3, Splunk/Phantom SDKs, REST APIs, and Git-based version control.
  • Deep knowledge of CIM, data model accelerations, index/retention strategy, and search performance tuning.
  • Strong grasp of MITRE ATT&CK, CVE/CVSS, CISA KEV, and risk-based detection and automation.
  • Experience aligning operations with FISMA/NIST RMF, FedRAMP, and CMMC; evidence generation and audit support.
  • Preferred: Splunk certifications (Core Certified Power User/Admin/Architect, ES Admin), AWS certifications, Security+, CySA+, CISSP, GCDA/GCSA.
  • Preferred: Experience with Splunk SHC, DS/Deployer, KVstore management, ES content management at scale, AWS Organizations, and ServiceNow IR customization/change management integrations.
  • Must pass pre-employment qualifications of Cherokee Federal.

Benefits

  • Medical
  • Dental
  • Vision
  • 401K
  • Other possible benefits. Benefits may change with or without notice.
