SecProve
ProfessionalVendor-specificSplunk· issued from US

Splunk ES Admin

Splunk Enterprise Security Certified Admin

Operates and tunes Splunk Enterprise Security — content, correlation searches, notable events, and risk-based alerting.

Official page at Splunk↔ Compare with another cert
Exam fee
$130
Ongoing
$0/yr AMF
Study time
60–120 hrs
Delivery
Online proctored
Validity
3 yrs (renewal cycle)

› Quality score

22.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
Detailed exam blueprint covering ES architecture, content management, and correlation-search tuning.
7.0/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
MCQ-only; vendor training includes labs but they aren't graded.
1.0/10
Currency & upkeep
How aggressively content is kept current with the field.
Refreshed alongside Splunk ES major releases — risk-based alerting content was added with ES 6.x.
7.0/10
Market recognition
How often this signal actually moves a hiring decision.
Common requirement on senior SOC / detection-engineer roles in Splunk-ES shops. [Holders: vendor doesn't publish]
7.0/10

› Market signals

public, citable inputs to the recognition score
Holders worldwide
8,000
as of 2024-12 · source

Estimate based on community signals; Splunk does not publish per-credential counts.

› Built for these roles

Senior SOC AnalystDetection Engineer (Splunk-track)SIEM Engineer

› Exam format

60 multiple-choice questions, 75 minutes, English. Online proctored via Pearson VUE. Covers ES installation, data models, correlation-search authoring, asset/identity frameworks, and risk-based alerting.

› Recertification

Recertification by passing the current version of the exam every 3 years.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-005PD-WRL-008
Recognition
GlobalUSEUUK
Exam languages
en

› Core domains covered

The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A10Security Operations

SOC operations, SIEM tuning, SOAR playbooks, alert triage, log analysis, runbook development.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

A8Threat Intelligence

CTI lifecycle, MITRE ATT&CK, IOCs/TTPs, threat modeling (STRIDE, PASTA), STIX/TAXII.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A7Incident Response & Forensics

IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.

B1AI-Powered Threat Detection

ML-based anomaly detection, UEBA, network traffic analysis, deep learning for malware.

› Prerequisites

Experience

Hands-on experience administering a Splunk environment plus exposure to Splunk ES.

Knowledge assumed
  • Splunk admin (indexes, props, transforms)
  • ES data models and CIM
  • Correlation searches and notable events

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)
Splunk Core UserSplunk
Splunk ES Admin
Splunk
Required by (0)

No certs require this one.

Recommended next (0)

No follow-on certs reference this one yet.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications