Enterprise · Security · Leadership · Strategy · Craft

Splunk — Security Content Platform

Unifying detection content discovery, adoption, and automation for enterprise security teams

12%: Increase in security content adoption
70%: Faster onboarding (10 weeks → 3)
ES 8.0: Shipped automated version tracking at scale
Deliverables: Centralized Discovery Platform, Automated Version Tracking, Onboarding Redesign, ES 8.0 Features

The Challenge

Security teams depended on up-to-date detection content to protect their environments, but finding and adopting that content was unreasonably hard. Updates lived across three disconnected systems, versioning was inconsistent, and onboarding a new customer took upward of ten weeks. The friction wasn’t just operational — it eroded trust. Customers questioned whether they were running the latest protections, and internal teams spent cycles fielding the same support questions over and over.

Key Decisions

Simplify the topology first — Before adding features, I needed to reduce the surface area. Three content sources meant three mental models for customers and three integration points for engineering. I aligned stakeholders around collapsing these into a single centralized discovery platform, which meant hard conversations about deprecating existing workflows that teams had grown attached to.

Instrument adoption, not just delivery — Shipping content is not the same as customers actually using it. I introduced adoption success metrics and content health tracking so we could see, for the first time, the gap between what we published and what customers activated. This reframed internal conversations from “we shipped it” to “they adopted it.”

Prioritize automation on the roadmap — Manual version tracking was the bottleneck nobody wanted to own. I drove automated version control into the ES 8.0 roadmap, making the case that without it, every other improvement would be undermined by the same consistency problems customers had been reporting for years.

Redesign onboarding as a product surface — Onboarding had been treated as a services problem. I re-engineered the workflows as a first-class product experience, compressing ramp-up by eliminating redundant steps and surfacing the right content at the right moment in the customer journey.

What I Delivered

Centralized discovery platform — A single interface where security teams could find, evaluate, and activate detection content with clear versioning and health indicators. This replaced the fragmented experience that had been a top source of customer frustration.

Automated version tracking at scale — Built into Enterprise Security 8.0, this removed the manual overhead that had slowed content updates and introduced inconsistencies across deployments. Engineering could now ship content with confidence that customers would receive the correct version automatically.

Onboarding redesign — A streamlined workflow that cut ramp-up from ten weeks to three by removing unnecessary gates, front-loading critical configuration steps, and giving new customers immediate visibility into their content coverage.

Adoption and health metrics — A measurement framework that gave both product and customer success teams a shared view of content activation rates, enabling targeted outreach and faster identification of adoption blockers.

Outcomes

The centralized platform drove a 12% increase in security content adoption within six months — meaningful movement in an enterprise environment where behavior change is slow. Onboarding time dropped by 70%, freeing customer success capacity and improving time-to-value. The adoption metrics I introduced became a standing artifact in quarterly business reviews, shifting the organization’s definition of success from content shipped to content activated. Automated version tracking, delivered as part of ES 8.0, eliminated an entire class of support escalations related to version mismatches.
