JULIO MARTINEZ

Principal Engineer | Cybersecurity Architect
15+ Years Cybersecurity Expertise | DoD / Federal / Enterprise / Health / Finance
25+ Years IT Systems
TS/SCI – (DoD)
SIEM | Analytics | Observability | Telemetry | Automation SME
📍 Tampa, FL ✉️ Julio@exzlium.com 🔗 linkedin.com/in/xbitium

Executive Summary

Principal Cybersecurity Engineer and architect with 15+ years securing large-scale enterprise and government environments and deep hands-on expertise across SIEM, UEBA, XDR, and SOAR automation. Designs and operationalizes end-to-end security solutions that measurably reduce attack surface and elevate detection maturity—from strategic gap analysis and roadmap definition through deployment, optimization, and executive reporting.

Leads complex SIEM and cyber tools migrations, builds resilient telemetry platforms, and delivers high-fidelity detections and automations for SOC operations. Strong expertise with Palo Alto Networks XSIAM and XSOAR, including advanced SOAR playbook engineering, Python-based automation, and integrated runbooks across SIEM, SOAR, EDR/XDR, and other security tools to standardize incident handling and reduce MTTR. Experienced in building custom security solutions, APIs, webhooks, and dashboards using Python, Flask, Node.js, JavaScript, React, Grafana, Kibana, and Power BI with cloud-native integrations.

10+ Years SIEM / UEBA Focus
12TB/day Enterprise SIEM Scale
40% MTTR Reduction Delivered
50% False Positive Reduction
150k+ EPS at Peak Ingest
50+ Analysts & Engineers Led
Python Automation, APIs & Tooling

Core Qualifications & Key Capabilities

Enterprise Telemetry Integration
Onboard identity, VPN, firewall, IDS/IPS, EDR/XDR, DLP, proxy, CASB, SaaS, and cloud telemetry into SIEM/XSIAM platforms. Integrate SailPoint IGA, CyberArk/Delinea PAM, Okta/Entra ID SSO, HR systems, and asset inventories into normalized security data models.
Security Analytics, SIEM & UEBA Engineering
Architect and tune SIEM deployments (XSIAM, Splunk, QRadar, ArcSight, Elastic, Datadog, Graylog, Exabeam) with enriched data models, risk scoring, behavioral analytics, and MITRE ATT&CK-aligned detections, UEBA, and automated triage/playbook execution for SOC teams.
SOAR, XSOAR & Automation Engineering
Design and implement automation using Cortex XSOAR and SIEM-native SOAR modules, translating SOC runbooks into codified playbooks that orchestrate enrichment, triage, containment, notifications, and ticketing. Use Python and APIs to integrate tools and continuously tune for reduced MTTR and higher fidelity.
Dashboards, Portals & Web Apps
Develop operational dashboards and portals using Flask, Node.js, JavaScript, and React; integrate SIEM and XDR data into Grafana, Kibana, and Power BI to provide SOC, IR, and executive stakeholders with real-time, drill-down visibility across cloud and on-prem.
Zero Trust, Cloud & Network Security
Deliver Zero Trust network security including NAC, micro-segmentation, NDR, VPN/SD-WAN, secure web gateways, and cloud firewalls; implement CASB controls and cloud posture management; lead IL5 ATO packages and integrate DNS security and cloud gateway policies for DoD SRG compliance.
Identity, Endpoint & Data Protection
Implement SSO/MFA and delegated auth with Azure AD and Ping; deliver SailPoint IGA, CyberArk and Delinea PAM; operationalize Cortex XDR, Carbon Black, Trellix, and Tychon; deploy Trellix DLP and Varonis to secure sensitive data and prevent exfiltration across email, web, and collaboration platforms.
Infrastructure-as-Code & Ansible Automation
Use Ansible playbooks and roles to standardize Linux hardening, SIEM/SOAR node builds, content deployment, and configuration drift control across lab and enterprise environments.
Platform Reliability & Operations
Maintain highly available SIEM, XDR, and SOAR platforms through automated patching, upgrade runbooks, health monitoring, and rollback strategies that minimize downtime and protect mission-critical logging pipelines.
Detection Engineering & Content Lifecycle
Implement detection-as-code workflows with GitHub, CI/CD, and IaC-style patterns to manage rule versions, testing, promotion, rollback, and quality gates for correlation, UEBA, and SOAR playbooks.

Professional Experience

Principal Cybersecurity Engineer / Co-Founder
Xbitium Technologies
Feb 2025 – Present | Tampa, FL
  • Architect and deploy Cortex XSIAM and XDR platforms end-to-end — onboarding telemetry sources, building XQL detections, configuring BIOC rules, and operationalizing threat intel for enterprise and DoD clients.
  • Engineer advanced Cortex XSOAR playbooks in Python — automating alert triage, enrichment, containment, ticketing, and cross-tool orchestration across XDR, SIEM, identity, and ticketing systems.
  • Develop Python microservices and REST APIs (FastAPI/Flask) for telemetry ingestion pipelines, real-time KPI dashboards, webhook integrations, and automated reporting workflows.
  • Build Python-based XSOAR automation scripts, custom integrations, and API connectors bridging XSIAM, XDR, and third-party security tools with zero manual handoff.
  • Implement Detection-as-Code using GitHub Actions — automated testing, versioning, promotion, and rollback of XQL/XSIAM correlation rules and XSOAR playbooks across environments.
  • Design and operationalize XSOAR incident lifecycle workflows — from ingestion and deduplication through escalation, remediation, and post-incident reporting with full audit trail.
  • Deliver Splunk ES integration touchpoints where needed — feeding normalized XDR and XSIAM telemetry into Splunk for cross-platform correlation and executive dashboards.
  • Build Flask/JavaScript operational portals and Grafana dashboards surfacing live XSIAM, XDR, and automation metrics for SOC and leadership stakeholders.
Sr. Cybersecurity Consultant & Solutions Architect
Palo Alto Networks | RedMatter Solutions
Oct 2023 – Feb 2025 | Tampa, FL / Arlington, VA (Remote)
  • Architected and deployed Splunk Enterprise Security (ES) for FHFA — building data models, correlation searches, adaptive response actions, and risk-based alerting (RBA) aligned to MITRE ATT&CK.
  • Engineered Splunk ES notable event workflows end-to-end: use case authoring, triage automation, analyst queue management, and executive-ready reporting via custom dashboards.
  • Built and tuned Cortex XSOAR playbooks (Python) to automate Splunk ES notable event response — enrichment via threat intel, VirusTotal, and identity APIs, with auto-ticketing and containment actions.
  • Optimized Splunk ES performance at scale — SPL refactoring, summary index strategies, search head clustering tuning, and data model acceleration to reduce search runtime and licensing pressure.
  • Delivered SPL authoring training and runbook documentation enabling SOC analysts to independently build searches, dashboards, and investigation workflows in Splunk ES.
  • Designed XSOAR incident types, layouts, and playbook trees mapping existing SOC runbooks into fully automated Splunk ES → XSOAR response pipelines.
  • Integrated STIX/TAXII/MISP threat intel feeds into Splunk ES and XSOAR for automated IoC enrichment, threat scoring, and hunting across ingested telemetry.
  • Provided Tier 3 Splunk engineering support — parser/TA development, CIM normalization, ingestion pipeline hardening, and coordinated global content release windows.
Lead Cybersecurity Engineer & Architect
GDIT / Crystal Clear Technologies – U.S. CENTCOM HQ
May 2017 – Sep 2023 | MacDill AFB, Tampa, FL
  • Architected and operated enterprise Splunk ES deployment processing 12TB/day at 150k EPS across multi-domain DoD environments — managing indexer clusters, search head clusters, and heavy forwarders.
  • Built Splunk ES correlation searches, risk-based alerting (RBA), data model accelerations, and CIM-normalized TAs for firewall, EDR, identity, NDR, and cloud telemetry sources.
  • Achieved 40% MTTR reduction and 25% false-positive drop through Splunk UEBA tuning, risk scoring models, and behavioral baseline correlation aligned to MITRE ATT&CK.
  • Engineered Splunk ingestion pipelines with Kafka, Cribl, and NiFi — DLQs, backpressure handling, replay, and schema governance ensuring zero data loss at DoD scale.
  • Developed Splunk dashboards and SOC operational portals for real-time incident visibility, executive KPI reporting, and cross-enclave threat hunting across coalition networks.
  • Implemented Zero Trust with ForeScout NAC providing 98% device visibility; integrated NAC posture data into Splunk ES for continuous compliance correlation and alerting.
  • Used Ansible to automate Splunk node builds, TA deployments, and index configuration across classified and unclassified enclaves, eliminating manual drift.
  • Led ATO processes and Forcepoint CDS deployments across 12 classified domains, aligning Splunk logging controls with DoD SRG and RMF requirements.
Lead SIEM Engineer & Architect
(HHS, Protiviti & Deloitte consulting, AT&T, DTRA, DISA)
2009 – 2017 | Multiple Locations
  • Led enterprise Splunk ES deployment for HHS CSIRC (CDC, FDA, NIH, IHS) — high-availability indexer/search head architecture with multi-source CIM-normalized telemetry and HIPAA-aligned correlation.
  • Built greenfield Splunk ES programs for Fortune 500 clients at Protiviti — data onboarding, TA development, correlation content, and SOC analyst training from zero to operational.
  • Architected and migrated DISA-Europe ArcSight SIEM to Splunk ES at Deloitte — designing theater-wide deployment spanning USCENTCOM AORs (Kuwait, Afghanistan, Iraq, Bahrain, Qatar).
  • Delivered Splunk ES advanced use cases for insider threat, privilege abuse, and lateral movement with risk-based scoring, adaptive response, and RMF-aligned audit reporting.
  • Led 24×7 NOSC/SOC operations for DTRA — managing 12 network engineers and 12 cyber analysts with Splunk as the primary detection and triage platform alongside SolarWinds and IPS tools.
Network & Systems Engineer (Early Career)
U.S. Air Force & Consulting
2002 – 2009 | Multiple Locations
  • Served in U.S. Air Force communications and network roles, supporting secure voice and data networks across multiple security domains.
  • Installed, configured, and hardened routers, switches, firewalls, and Windows/Linux servers supporting base and mission operations.
  • Implemented patching, antivirus, backup, and monitoring baselines, reducing incidents and aligning with STIG requirements.
  • Provided consulting and implementation services for businesses, designing LAN/WAN, Wi-Fi, and perimeter security and modernizing legacy infrastructure.

Detection & UEBA Use Cases

Privileged Account & Admin Misuse
Detect after-hours admin activity, high-volume command execution, privilege escalation, and access to sensitive systems outside normal behavior profiles.
Authentication & MFA Anomalies
Identify unusual login patterns including first-time access to sensitive apps, risky geolocations, impossible travel, and MFA fatigue/push bombing behavior.
Data Exfiltration & Insider Threat
Monitor abnormal download volumes, unusual file/database access, DLP violations, and pre-termination mass access patterns to surface potential insider risk and exfiltration.
SSH & Remote Access Security
Correlate SSH failed logins, repeated failures (brute force), and successful logins by account, source IP, and time-of-day to flag suspicious or high-risk remote access.
sudo & Privilege Escalation Monitoring
Track sudo command execution, sessions without a real TTY, and repeated sudo use patterns as indicators of privilege escalation, misuse, or hands-on-keyboard activity.
Account & Group Management Changes
Alert on local user and group creation or modification events and correlate with asset sensitivity, time-of-day, and associated admin accounts to detect risky changes.
Critical File Integrity Monitoring
Monitor modifications to /etc/passwd, /etc/shadow, /etc/sudoers and other critical system files, treating changes as high/critical risk for identity and privilege integrity.
Service, Kernel & Hardware Health
Detect repeated systemd unit failures, unexpected restarts of security services and agents, disk I/O and filesystem errors, out-of-memory events, and interface resets as early indicators of availability or attack impact.
IDS & YARA-Based Threat Detection
Design and tune IDS signatures and YARA rules for malware, tooling, and TTP-specific patterns, enabling custom alerting and higher-fidelity detections across Suricata/Snort and endpoint telemetry.

Technical Expertise

SIEM Platforms (Splunk, QRadar, ArcSight, Elastic, Datadog, Graylog, Exabeam, XSIAM) UEBA Platforms (Exabeam, Securonix) Palo Alto XSIAM / Cortex XDR Cortex XSOAR & SOAR Playbooks Kafka / Pulsar Cribl / Apache NiFi Python (Automation & APIs) Ansible / Infrastructure-as-Code PowerShell / Bash / Linux Hardening Custom Security Tooling Node.js / JavaScript / React Flask / REST APIs / Webhooks Grafana / Kibana / Power BI GitHub / CI/CD (GitHub Actions) EDR / XDR (Cortex, Carbon Black, Trellix) SailPoint IGA CyberArk / Delinea PAM Okta / Azure AD ForeScout NAC Cisco Stealthwatch NDR NetFlow & Flow Sensors Network Security Monitoring (NSM) Web Application Firewall (WAF) CASB & SASE Architectures Trellix DLP Varonis DSP AWS / Azure Cloud Integrations MITRE ATT&CK NIST CSF / RMF Zero Trust (ZTNA)

Certifications

✓ EC-Council Certified Ethical Hacker (CEH)
✓ GIAC Certified Incident Handler (GCIH)
✓ CompTIA Security+
✓ CompTIA Network+
✓ CompTIA A+
✓ Red Hat Certified System Administrator (RHCSA)
✓ ArcSight Certified Administrator (ACIA)
✓ ArcSight Certified Security Analyst (ACSA)
✓ Cribl Certified User
✓ Cribl Certified Services Consultant
✓ Forcepoint Certified HS Guard Admin
✓ Forescout Certified Associate (FSCA)

Education & Additional Information

Education
CCAF – Data/Voice Network Systems (Top Honors) | Electronics & Communications (Honors)
Clearance
U.S. Top Secret/SCI (DoD) – Active 23 years
Languages
Bilingual English / Spanish
Work Mode
Remote / Hybrid / On-site | Open to relocation

Professional Timeline

Feb 2025 – Present Present
Principal Cybersecurity Engineer / Co-Founder Xbitium Technologies Tampa, FL
Oct 2023 – Feb 2025 1.4 yrs
Sr. Cybersecurity Consultant & Solutions Architect Palo Alto Networks | RedMatter Solutions Tampa, FL / Arlington, VA (Remote)
May 2017 – Sep 2023 6.3 yrs
Lead Cybersecurity Engineer & Architect GDIT / Crystal Clear Technologies – U.S. CENTCOM HQ MacDill AFB, Tampa, FL
Nov 2015 – Apr 2017 1.5 yrs
Lead Cybersecurity Engineer Merlin International (HHS CSIRC) Atlanta, GA (Hybrid)
Aug 2014 – Nov 2015 1.3 yrs
Sr. Manager / SIEM SME Protiviti Inc. (Fortune 500 Clients) Atlanta, GA (100% Travel)
Apr 2012 – Aug 2014 2.3 yrs
Sr. Manager / SIEM SME Deloitte & Touche LLP (DISA Europe) Stuttgart, Germany (On-site)
Feb 2011 – Apr 2012 1.2 yrs
Sr. Information Assurance Engineer AT&T GSI (USCENTCOM) Arifjan, Kuwait (On-site)
Jan 2009 – Feb 2011 2 yrs
NOSC Manager / Network Engineer Defense Engineering Inc. (DTRA) Arlington, VA (On-site)
Aug 2006 – Jan 2009 2.5 yrs
Network Engineer Mutual Telecom Services Multiple Locations
Aug 2002 – Aug 2006 4 yrs
Network Specialist U.S. Air Force (Active Duty) Ramstein, Germany
Oct 2001 – Aug 2002 <1 yr
Network Administrator WinVista Corporation Fort Lauderdale, FL
Aug 1998 – Oct 2001 3.2 yrs
IT Support Specialist Miami-Dade County Miami, FL