SPLK-5003 Exam Format | SPLK-5003 Course Contents | SPLK-5003 Course Outline | SPLK-5003 Exam Syllabus | SPLK-5003 Exam Objectives

Splunk Certified Cybersecurity Defense Architect (SPLK-5003)

Advanced Threat Intelligence and Analysis

- Develop and implement customized threat intelligence strategies, including both open source and commercial intelligence providers.
- Integrate threat intelligence, including all aspects of the lifecycle (evaluation, curation, maintenance, sources, confidence scoring, etc.), into broader security operations.
- Integrate intelligence-informed advanced adversary emulation and threat modeling.

Security Data Management

- Explain how to develop and implement integration strategies for data-driven security operations.
- Identify data sources critical to cybersecurity operations, such as event sources, identity directories, asset management systems, and vulnerability assessments. This can include non-security data sources, eg. observability tools.
- Identify high value / high signal / high noise data sources (e.g. Windows process vs EDR process flow, or network/VPC flow vs packet capture) and how they support security operations use cases.
- Identify strategies to monitor an environment that requires nonstandard or out-of-band instrumentation and sensors, e.g. legacy data sources, OT/IC infrastructure environments.
- Develop a data lifecycle management strategy, including retention, storage tiering, summarization, data residency, and access control.
- Describe the value of data normalization in order to support integration into cybersecurity defense programs, such as security monitoring and threat hunting, e.g. with CIM, CEF.
- Implement security analytics strategies beyond traditional SIEM such as advanced techniques like data science, machine learning, behavioral analysis, and AI.
- Explain how cybersecurity defense data architectures scale using technologies and capabilities such as data mesh, data lakes, message bus, message routing, and federated search.

Advanced Incident Response and Management

- Align cybersecurity incident response with an organization’s incident management, change management, and other ITSM/ITIL processes.
- Develop a process to manage, coordinate, and communicate responses to large-scale security incidents.
- Ensure appropriate technologies and processes are in place to support various forensics investigations.

Advanced Automation and Orchestration

- Understand how an organization’s technical architectures, e.g. network design, enable or constrain security orchestration.
- Develop complex/cross platform automation to orchestrate workflows for cybersecurity operations such as investigation, detection, and incident response.
- Describe the benefits of an autonomous SOC, and strategies, processes, and technologies to develop one.
- Leverage AI/ML for automated threat detection and response.

Scaling Cybersecurity Defenses and DevSecOps

- Develop scalable strategies for agile and DevOps-driven cybersecurity defenses, such as detection as code.
- Describe how to integrate security sensors and controls into DevOps workflows.
- Describe how to create and leverage a SBOM (Software Bill of Materials) in cybersecurity defenses.
- Describe continuous integration & deployment strategies for security data management and engineering solutions.
- Describe how to develop and implement patterns, architecture blueprints, and “paved roads” to enable cybersecurity defenses to scale.
- Understand how application and infrastructure architectures support cybersecurity defenses.

Governance, Risk, and Compliance

- Explain how governmental directives and regulations guidance publications like NIST CSF help influence the design of defense capabilities.
- Explain how regulations like GDPR affect cyber defense architecture in relation to data privacy impact on logging, data sovereignty, and data residency.
- Explain how industry standard security frameworks (PCI, HIPAA, OT/IC, others) affect cyber defense architecture.
- Define how security controls contribute to business operating cost and offsetting risk.
- Explain how security technologies and controls fit into the organization’s Governance, Risk, and Compliance program and overall risk management.

Measuring and Improving Security Program Effectiveness

- Explain how to define, measure, and report on metrics to assess and monitor a security program’s effectiveness.
- Explain how a business’s risk tolerance informs a security program’s metrics.
- Explain how Continuous Process Improvement can enrich and expand a metrics driven security program’s efficacy.
- Explain how security controls are continually tested and gaps are remediated.

Security Capability Selection, Placement, Configuration

- Identify organizational coverage for prevention, detection, response and recovery capabilities.
- Determine how coverage gaps can be mitigated by architecture changes, config changes, or process changes.
- Affect organizational and company priorities and budgets based on key capabilities required for security that are aligned to security and business goals.
- Explain methodologies used to select security technologies aligned to business need, organizational technology landscape, and security controls.
- Define technology implementation strategies to provide desired capabilities.
- Ensure that resilient solutions aligned to the business and operational requirements are selected and deployed.