Splunk Architect Lead
Job in
Portland, Multnomah County, Oregon, 97232, USA
Listed on 2026-06-02
Listing for: ECS
Per diem position
Job specializations:
- IT/Tech: Cybersecurity, Systems Engineer, Security Manager, Data Security
Job Description & How to Apply Below
This position is contingent upon contract award.
The Splunk Architect and Lead is responsible for defining, guiding, and overseeing the architecture, implementation, optimization, and governance of Splunk capabilities that support cybersecurity monitoring, threat detection, incident response, reporting, and enterprise security operations. This role provides technical leadership for Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, and related integrations across complex operational environments.
The ideal candidate combines deep Splunk architecture expertise, hands-on engineering experience, security operations knowledge, and leadership ability to guide engineers, analysts, stakeholders, and vendors. This role establishes scalable designs, enforces technical standards, ensures platform reliability, and translates mission and SOC requirements into secure, maintainable, and operationally effective Splunk solutions.
Key Responsibilities
Splunk Architecture & Strategy
- Define and maintain the target Splunk architecture, including indexer clusters, search head clusters, deployment servers, heavy forwarders, universal forwarders, apps, add-ons, integrations, storage, and high-availability components.
- Develop technical roadmaps, architecture recommendations, implementation plans, and modernization strategies for Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, or hybrid Splunk environments.
- Ensure Splunk architecture supports SOC operations, security monitoring, incident response, compliance reporting, data retention, scalability, resilience, and performance requirements.
- Assess current-state capabilities, identify architectural gaps, and recommend improvements aligned to program priorities, operational needs, and cybersecurity best practices.
- Serve as the technical lead for Splunk engineering activities, providing direction, review, and mentorship to Splunk engineers, security engineers, analysts, and other technical contributors.
- Establish and enforce Splunk standards for index naming, source types, field extractions, Common Information Model alignment, knowledge objects, access controls, app deployment, configuration management, and change control.
- Review major design decisions, configuration changes, content deployments, and integration approaches for technical soundness, maintainability, security, and operational impact.
- Coordinate Splunk engineering priorities, assign technical work as needed, and ensure deliverables are completed accurately, consistently, and on schedule.
- Lead design efforts for platform performance, capacity, storage, retention, data lifecycle management, search concurrency, licensing, disaster recovery, backup, and high availability.
- Oversee platform health monitoring, performance tuning, system optimization, upgrade planning, patching strategies, and long-term maintenance planning.
- Guide troubleshooting of complex issues involving ingestion delays, parsing problems, skipped or dropped data, search performance, data model acceleration, app conflicts, and infrastructure dependencies.
- Partner with infrastructure, cloud, network, identity, endpoint, and system administration teams to ensure Splunk architecture integrates securely and reliably with the broader environment.
- Define data onboarding architecture and integration patterns for security, infrastructure, cloud, endpoint, network, identity, application, vulnerability, and operational data sources.
- Oversee normalization, parsing, field extraction, data routing, index design, retention settings, source coverage, and Splunk Common Information Model implementation.
- Prioritize data source onboarding based on mission value, SOC use cases, detection requirements, compliance needs, and platform capacity constraints.
- Ensure integrations with EDR, NDR, firewalls, IDS/IPS, proxy, DNS, cloud platforms, identity providers, ticketing systems, SOAR platforms, and case management tools are secure, reliable, and supportable.
- Translate SOC, threat hunting, threat intelligence, incident response, and leadership requirements into Splunk architecture, data, dashboard, reporting, and detection engineering capabilities.
- Provide technical guidance for correlation searches, notable event rules, dashboards, reports, risk-based alerting, data models, content packs, and security monitoring use cases.
- Support detection tuning, alert fidelity improvement, false-positive reduction, source coverage analysis, and monitoring gap remediation in coordination with SOC leadership and analysts.
- Ensure Splunk content and data capabilities support timely triage, investigation, evidence retrieval, event reconstruction, and operational reporting.
- Lead or oversee implementation activities for…
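As an added example (not code from the posting, from ECS, or from Splunk), the following Python script sketches what the normalization and risk-based-alerting bullets above mean in practice: raw events from two constructed source types are mapped onto Splunk CIM Authentication fields (action, user, src, dest, app), then two toy correlation rules emit risk events that are aggregated into a notable only when an object's total risk crosses a threshold, the pattern Enterprise Security risk-based alerting uses. The log lines, rule names, scores and thresholds are invented for the illustration; the field names are CIM's. In a real deployment the normalization lives in props.conf/transforms.conf and the rules in SPL, but the logic is the same.

```python
"""Toy illustration (not Splunk, ECS or posting code) of two tasks the posting names:
normalising raw events into Splunk CIM Authentication fields, then running a
risk-based-alerting style aggregation over them, as an ES correlation search
would in SPL. Field names follow the CIM Authentication data model; the risk
rules, scores and thresholds are invented for the example."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real logs), tagged with their source type.
SAMPLE_EVENTS = [
    ("linux_secure", "Jun  2 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2"),
    ("linux_secure", "Jun  2 10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51830 ssh2"),
    ("linux_secure", "Jun  2 10:00:05 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 51840 ssh2"),
    ("linux_secure", "Jun  2 10:00:09 web01 sshd[2213]: Accepted password for root from 203.0.113.5 port 51850 ssh2"),
    ("WinEventLog:Security", "EventCode=4625 Account_Name=jsmith Source_Network_Address=198.51.100.7 Workstation_Name=DC01"),
    ("WinEventLog:Security", "EventCode=4624 Account_Name=jsmith Source_Network_Address=198.51.100.7 Workstation_Name=DC01"),
]

SSH_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<dest>\S+)\s+sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
# Windows logon event codes mapped onto the CIM 'action' values.
WIN_ACTIONS = {"4624": "success", "4625": "failure"}


def normalize(sourcetype: str, raw: str) -> dict | None:
    """Return CIM Authentication fields (action, user, src, dest, app), or None if the event does not parse."""
    if sourcetype == "linux_secure":
        m = SSH_RE.search(raw)
        if not m:
            return None
        return {"action": "success" if m["outcome"] == "Accepted" else "failure",
                "user": m["user"], "src": m["src"], "dest": m["dest"], "app": "sshd"}
    if sourcetype == "WinEventLog:Security":
        kv = dict(KV_RE.findall(raw))
        action = WIN_ACTIONS.get(kv.get("EventCode", ""))
        if action is None:
            return None  # not a logon event we model
        return {"action": action, "user": kv.get("Account_Name", "unknown"),
                "src": kv.get("Source_Network_Address", "unknown"),
                "dest": kv.get("Workstation_Name", "unknown"), "app": "win:security"}
    return None  # unknown source type: leave unparsed rather than guessing fields


@dataclass
class RiskEvent:
    risk_object: str
    risk_object_type: str  # "system" or "user", as in the ES risk index
    risk_score: int
    risk_message: str


def risk_rules(events, fail_threshold: int = 3) -> list[RiskEvent]:
    """Two toy correlation rules that emit risk events instead of alerting directly."""
    failures: dict[str, int] = defaultdict(int)  # src -> failures seen since the last success
    risk: list[RiskEvent] = []
    for ev in events:
        if ev is None:
            continue
        src, user = ev["src"], ev["user"]
        if ev["action"] == "failure":
            failures[src] += 1
            if failures[src] == fail_threshold:  # fire once per burst, not on every later failure
                risk.append(RiskEvent(src, "system", 40, f"{fail_threshold} failed logins from {src}"))
        elif ev["action"] == "success":
            if failures[src] >= 2:  # success after repeated failures is the interesting case
                msg = f"successful login for {user} from {src} after {failures[src]} failures"
                risk.append(RiskEvent(src, "system", 60, msg))
                risk.append(RiskEvent(user, "user", 60, msg))
            failures[src] = 0  # a success closes the burst either way
    return risk


def notables(risk: list[RiskEvent], threshold: int = 80) -> dict[tuple[str, str], int]:
    """Aggregate risk per object; only objects at or above the threshold become notable events."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for r in risk:
        totals[(r.risk_object_type, r.risk_object)] += r.risk_score
    return {obj: score for obj, score in totals.items() if score >= threshold}


def run_pipeline(sample=SAMPLE_EVENTS) -> dict[tuple[str, str], int]:
    """Normalize, score and aggregate; returns the notable objects with their risk totals."""
    events = [normalize(st, raw) for st, raw in sample]
    return notables(risk_rules(events))


if __name__ == "__main__":
    for (obj_type, obj), score in run_pipeline().items():
        print(f"NOTABLE {obj_type}={obj} risk_score={score}")
```

With the constructed sample, the three SSH failures add 40 risk to the source host and the subsequent root login adds 60 to both the host and the user, so only the host crosses the 80-point threshold; the single Windows failure followed by success contributes nothing. That is the point of the risk-based pattern the posting refers to: low-fidelity signals accumulate on an object instead of each firing its own alert.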