Executive Summary
Principal Cybersecurity Engineer and architect with 15+ years securing large-scale enterprise and government environments and deep hands-on expertise across SIEM, UEBA, XDR, and SOAR automation. Designs and operationalizes end-to-end security solutions that measurably reduce attack surface and elevate detection maturity—from strategic gap analysis and roadmap definition through deployment, optimization, and executive reporting.
Leads complex SIEM and cyber tools migrations, builds resilient telemetry platforms, and delivers high-fidelity detections and automations for SOC operations. Strong expertise with Palo Alto Networks XSIAM and XSOAR, including advanced SOAR playbook engineering, Python-based automation, and integrated runbooks across SIEM, SOAR, EDR/XDR, and other security tools to standardize incident handling and reduce MTTR. Experienced in building custom security solutions, APIs, webhooks, and dashboards using Python, Flask, Node.js, JavaScript, React, Grafana, Kibana, and Power BI with cloud-native integrations.
Core Qualifications & Key Capabilities
Professional Experience
- Architect and deploy Cortex XSIAM and XDR platforms end-to-end — onboarding telemetry sources, building XQL detections, configuring BIOC rules, and operationalizing threat intel for enterprise and DoD clients.
- Engineer advanced Cortex XSOAR playbooks in Python — automating alert triage, enrichment, containment, ticketing, and cross-tool orchestration across XDR, SIEM, identity, and ticketing systems.
- Develop Python microservices and REST APIs (FastAPI/Flask) for telemetry ingestion pipelines, real-time KPI dashboards, webhook integrations, and automated reporting workflows.
- Build Python-based XSOAR automation scripts, custom integrations, and API connectors bridging XSIAM, XDR, and third-party security tools with zero manual handoff.
- Implement Detection-as-Code using GitHub Actions — automated testing, versioning, promotion, and rollback of XQL/XSIAM correlation rules and XSOAR playbooks across environments.
- Design and operationalize XSOAR incident lifecycle workflows — from ingestion and deduplication through escalation, remediation, and post-incident reporting with full audit trail.
- Deliver Splunk ES integration touchpoints where needed — feeding normalized XDR and XSIAM telemetry into Splunk for cross-platform correlation and executive dashboards.
- Build Flask/JavaScript operational portals and Grafana dashboards surfacing live XSIAM, XDR, and automation metrics for SOC and leadership stakeholders.
- Architected and deployed Splunk Enterprise Security (ES) for FHFA — building data models, correlation searches, adaptive response actions, and risk-based alerting (RBA) aligned to MITRE ATT&CK.
- Engineered Splunk ES notable event workflows end-to-end: use case authoring, triage automation, analyst queue management, and executive-ready reporting via custom dashboards.
- Built and tuned Cortex XSOAR playbooks (Python) to automate Splunk ES notable event response — enrichment via threat intel, VirusTotal, and identity APIs, with auto-ticketing and containment actions.
- Optimized Splunk ES performance at scale — SPL refactoring, summary index strategies, search head clustering tuning, and data model acceleration to reduce search runtime and licensing pressure.
- Delivered SPL authoring training and runbook documentation enabling SOC analysts to independently build searches, dashboards, and investigation workflows in Splunk ES.
- Designed XSOAR incident types, layouts, and playbook trees mapping existing SOC runbooks into fully automated Splunk ES → XSOAR response pipelines.
- Integrated STIX/TAXII/MISP threat intel feeds into Splunk ES and XSOAR for automated IoC enrichment, threat scoring, and hunting across ingested telemetry.
- Provided Tier 3 Splunk engineering support — parser/TA development, CIM normalization, ingestion pipeline hardening, and coordinated global content release windows.
- Architected and operated enterprise Splunk ES deployment processing 12TB/day at 150k EPS across multi-domain DoD environments — managing indexer clusters, search head clusters, and heavy forwarders.
- Built Splunk ES correlation searches, risk-based alerting (RBA), data model accelerations, and CIM-normalized TAs for firewall, EDR, identity, NDR, and cloud telemetry sources.
- Achieved 40% MTTR reduction and 25% false-positive drop through Splunk UEBA tuning, risk scoring models, and behavioral baseline correlation aligned to MITRE ATT&CK.
- Engineered Splunk ingestion pipelines with Kafka, Cribl, and NiFi — DLQs, backpressure handling, replay, and schema governance ensuring zero data loss at DoD scale.
- Developed Splunk dashboards and SOC operational portals for real-time incident visibility, executive KPI reporting, and cross-enclave threat hunting across coalition networks.
- Implemented Zero Trust with ForeScout NAC providing 98% device visibility; integrated NAC posture data into Splunk ES for continuous compliance correlation and alerting.
- Used Ansible to automate Splunk node builds, TA deployments, and index configuration across classified and unclassified enclaves, eliminating manual drift.
- Led ATO processes and Forcepoint CDS deployments across 12 classified domains, aligning Splunk logging controls with DoD SRG and RMF requirements.
- Led enterprise Splunk ES deployment for HHS CSIRC (CDC, FDA, NIH, IHS) — high-availability indexer/search head architecture with multi-source CIM-normalized telemetry and HIPAA-aligned correlation.
- Built greenfield Splunk ES programs for Fortune 500 clients at Protiviti — data onboarding, TA development, correlation content, and SOC analyst training from zero to operational.
- Architected and migrated DISA-Europe ArcSight SIEM to Splunk ES at Deloitte — designing theater-wide deployment spanning USCENTCOM AORs (Kuwait, Afghanistan, Iraq, Bahrain, Qatar).
- Delivered Splunk ES advanced use cases for insider threat, privilege abuse, and lateral movement with risk-based scoring, adaptive response, and RMF-aligned audit reporting.
- Led 24×7 NOSC/SOC operations for DTRA — managing 12 network engineers and 12 cyber analysts with Splunk as the primary detection and triage platform alongside SolarWinds and IPS tools.
- Served in U.S. Air Force communications and network roles, supporting secure voice and data networks across multiple security domains.
- Installed, configured, and hardened routers, switches, firewalls, and Windows/Linux servers supporting base and mission operations.
- Implemented patching, antivirus, backup, and monitoring baselines, reducing incidents and aligning with STIG requirements.
- Provided consulting and implementation services for businesses, designing LAN/WAN, Wi-Fi, and perimeter security and modernizing legacy infrastructure.
Detection & UEBA Use Cases
sudo command execution, sessions without a real TTY, and repeated
sudo use patterns as indicators of privilege escalation, misuse, or hands-on-keyboard activity.
/etc/passwd, /etc/shadow,
/etc/sudoers and other critical system files, treating changes as high/critical
risk for identity and privilege integrity.