P6
SECURI.CYBERSECDA70.P6
Cybersecurity / Information Security — P6
Security

P6 · P6 — Principal Professional · high · 0.90 · approved · global · v1

Defensive and detection-focused information security operations: monitoring SIEM/EDR telemetry, triaging and investigating alerts, engineering threat-led detection logic, leading incident response and threat hunting, building SOAR automation, managing vulnerabilities, and—at senior levels—shaping security architecture and governance. Distinct from offensive-only (penetration testing/red team), pure compliance/GRC audit, and physical/corporate security focuses; pen testing and AppSec appear here only as adjacent skills supporting detection and defense.

Level
P6 · P6 — Principal Professional · 12–18 yrs
Function · Focus
Security · Cybersecurity / Information Security
Market pay (median)
$175k ($138k–$223k)

Focus — Cybersecurity / Information Security

Material SKILL differential vs the function baseline.

Responsibilities by level

What this person actually does at each level on the professional track — escalating scope, not one generic blob. Your level is highlighted.

P1
  • Monitors SIEM dashboards (Splunk, Microsoft Sentinel, QRadar) for suspicious activity and works the high-volume Tier 1 alert queue under close supervision of senior analysts
  • Triages and investigates alerts, examining and correlating activity across endpoints, networks, and cloud environments to distinguish false positives from real threats
  • Escalates confirmed threats to senior analysts and documents findings in ServiceNow/Jira tickets following standard templates
  • Executes incident response playbooks under direct guidance, performing prescribed containment steps
  • Builds foundational networking and log-analysis fluency (TCP/IP, DNS, common ports, EDR telemetry) to recognize common attack vectors such as phishing, malware, and brute force
P2
  • Reviews access logs and analyzes phishing emails, conducting genuine investigation beyond initial triage on Tier 2 escalations
  • Designs and implements threat-led detection logic and rules informed by threat intelligence, then maintains and optimizes existing detection rules to reduce false positives
  • Develops analytical techniques and SPL searches/dashboards to identify incidents more efficiently across data sources
  • Audits security controls, supports vulnerability remediation, and assists with compliance checks under general instruction
  • Mentors junior Tier 1 analysts, delegates routine alert-handling, and maps observed adversary behavior to the MITRE ATT&CK framework
P3
  • Monitors and responds to incidents end-to-end with day-to-day independence, performing root-cause analysis and driving containment and remediation
  • Conducts proactive threat hunting and in-depth investigations, including initial malware analysis, across endpoint, network, and cloud telemetry
  • Builds detection and SOAR automation workflows (Cortex XSOAR, Splunk SOAR, Python/PowerShell) to improve SOC efficiency
  • Authors and tunes detection rules and incident response playbooks, optimizing data models, CIM mapping, and search performance
  • Coordinates investigation activities with peers and communicates findings and recommended actions to SOC leadership
P4
  • Leads end-to-end incident response for complex, multi-system intrusions, performing deep malware analysis and reconstructing attacker kill chains across hybrid cloud environments
  • Designs detection and threat-hunting capabilities at the function level, selecting methods and engineering data onboarding, props/transforms, and CIM-mapped data models
  • Leads vulnerability management by defining processes, metrics, and remediation SLAs across teams using Tenable/Rapid7
  • Builds and oversees SOAR automation programs, evaluating in-depth analysis of complex variables to improve mean-time-to-respond
  • Bridges technical teams and business stakeholders, communicating risks and recommendations to management and mentoring senior and junior analysts
P5
  • Acts independently on broad and strategic security assignments, owning detection-engineering and threat-hunting strategy that contributes to company-wide security objectives
  • Resolves intangible, high-ambiguity intrusions with no standard answer, directing root-cause analysis and coordinating containment across the organization
  • Improves incident response processes and SOC operating models, defining the automation and detection roadmap that other engineers build against
  • Serves as a security spokesperson and trusted advisor, communicating complex technical risk to non-technical executives and building influential cross-functional networks
  • Drives evaluation and adoption of emerging capabilities (cloud security platforms, UEBA, AI/LLM-assisted SecOps workflows) and provides expert guidance on special tasks
P6 (this profile)
  • Collaborates with department leadership as a trusted advisor and significantly influences the organization's security strategy with full independence
  • Drives complex, field-defining security initiatives across departments and leads high-impact programs spanning detection, response, architecture, and GRC
  • Analyzes and oversees development of information security governance, policies, standards, baselines, and guidelines organization-wide
  • Designs security systems, methodologies, and secure solution architectures (Secure by Design) to meet current and future industry standards
  • Oversees response to major security incidents, coordinating with third-party responders and law enforcement, and reports incidents and trends to executive management while mentoring senior engineers
P7
  • Sets long-term security direction for the company and anticipates emerging threat and technology challenges, defining multi-year roadmaps that often influence industry practices
  • Solves precedent-free, ambiguous security problems with broad business consequences, developing new detection models, methodologies, or agentic SecOps technologies
  • Operates with complete independence to shape company-wide security capability and—on the CISO track—owns end-to-end security strategy and operations and scales Security, IT, and GRC teams
  • Networks with executives, boards, regulators, and industry leaders, persuading and educating senior stakeholders on strategic security priorities
  • Provides high-level mentorship to principal and senior engineers and represents the organization as a recognized authority through patents, publications, or standards contributions

Level guidelines

The universal leveling rubric applied to this function — how scope, complexity, collaboration, and experience step up across levels.

P1
  • Knowledge & Application: Applies foundational networking, log analysis, and attack-vector knowledge to routine alert triage using standard playbooks and SIEM/EDR dashboards.
  • Complexity & Problem Solving: Handles routine problems with standard answers; distinguishes false positives from real threats within defined criteria and escalates anything ambiguous.
  • Collaboration & Interaction: Works within the SOC team under close supervision, maintaining stable internal relationships and escalating to senior analysts.
  • Typical Degree & Years: 0–1 years; new graduate, intern, or entry-level SOC Tier 1 analyst, often with foundational security certifications.
P2
  • Knowledge & Application: Applies threat-intelligence-informed detection knowledge and SPL/dashboard skills to investigate escalations and improve detection logic in familiar contexts.
  • Complexity & Problem Solving: Exercises moderate judgment to investigate beyond triage, tune detection rules, and map behavior to MITRE ATT&CK following defined procedures.
  • Collaboration & Interaction: Builds productive project relationships across SOC tiers; mentors junior analysts and delegates routine work under general instruction.
  • Typical Degree & Years: 2+ years with a BA, or MS/PhD with no experience; Tier 2 analyst or junior security engineer.
P3
  • Knowledge & Application: Applies diverse incident response, threat hunting, and SOAR automation expertise across endpoint, network, and cloud with day-to-day independence.
  • Complexity & Problem Solving: Evaluates identifiable factors to drive end-to-end response, root-cause analysis, and detection-engineering decisions with milestone review.
  • Collaboration & Interaction: Networks with senior professionals, coordinates investigation activities, and communicates findings to SOC leadership.
  • Typical Degree & Years: 5+ years (BA), 3 years (MA), or PhD without experience; senior analyst or senior security engineer.
P4
  • Knowledge & Application: Applies in-depth detection-engineering, malware-analysis, and vulnerability-management expertise to complex, function-impacting issues, selecting methods independently.
  • Complexity & Problem Solving: Performs in-depth analysis of complex variables across hybrid environments, reconstructing kill chains and engineering data pipelines and SOAR workflows.
  • Collaboration & Interaction: Coordinates across groups, may lead incident-response teams, influences decisions, and bridges technical teams with management.
  • Typical Degree & Years: 8+ years, often with graduate education; advanced/lead security engineer or analyst.
P5
  • Knowledge & Application: Applies expert, hard-to-replicate mastery of detection strategy, response, and emerging SecOps technologies to strategic, company-level objectives.
  • Complexity & Problem Solving: Resolves intangible, high-ambiguity problems with high independence, defining automation and detection roadmaps and operating models.
  • Collaboration & Interaction: Builds influential internal and external networks, acts as a security spokesperson, and advises executives on complex risk.
  • Typical Degree & Years: 12+ years of extensive cybersecurity expertise; expert/staff security engineer.
P6
  • Knowledge & Application: Applies visionary, field-shaping expertise across detection, response, architecture, and governance to organization-wide security strategy.
  • Complexity & Problem Solving: Solves critical, broad-design problems with wide latitude, defining systems, methodologies, and secure architectures for current and future standards.
  • Collaboration & Interaction: Influences industry and company as a recognized thought leader, advises department leadership, and mentors senior engineers.
  • Typical Degree & Years: 15+ years as a principal expert; often PhD plus industry leadership; principal security engineer/architect or security leader.
P7
  • Knowledge & Application: Applies field-advancing authority to develop new security theories, models, and technologies that shape company strategy and industry practice.
  • Complexity & Problem Solving: Solves precedent-free, ambiguous problems with broad business and industry consequences; anticipates emerging challenges and defines long-term roadmaps.
  • Collaboration & Interaction: Networks with executives, boards, regulators, and industry leaders; persuades and educates senior stakeholders and mentors principal engineers.
  • Typical Degree & Years: 20+ years or equivalent recognition; often PhD with patents, publications, or significant industry contributions; distinguished engineer or CISO-track leader.

Skills

Focus-specific skills the role applies — the relevance layer beyond the occupational base.

Networking fundamentals
Applies understanding of TCP/IP, DNS, HTTP, the TCP handshake, and common ports (80, 443, 22, 3389) to analyze traffic and identify threats.
Log analysis
Reviews and correlates logs across endpoints, networks, and cloud to identify suspicious activity and distinguish false positives from real threats.
Attack vector knowledge
Applies understanding of common attacks such as phishing, malware, and brute force to recognize and investigate threats.
Scripting and automation
Uses Python, Bash, PowerShell, or JavaScript to automate security workflows and build SOAR integrations.
MITRE ATT&CK framework
Applies framework fluency for detection engineering, threat hunting, and mapping adversary tactics and techniques.
Detection engineering
Designs and creates detection logic and rules informed by threat intelligence rather than only consuming alerts.
Threat hunting
Proactively searches environments for threats and indicators of compromise.
Incident response
Triages, contains, remediates, and performs root-cause analysis on security incidents.
Malware analysis
Performs in-depth investigation of malicious software across environments.
Vulnerability management
Defines processes, metrics, and remediation for identifying and addressing vulnerabilities.
SPL and data engineering
Applies strong SPL skills with dashboards, data models, search optimization, data onboarding, CIM mapping, and props/transforms.
Cloud security
Secures AWS, Azure, and GCP environments and cloud security platforms.
Penetration testing
Performs offensive security testing using OWASP Top 10 knowledge and tools like Kali Linux.
Application security
Implements SAST, DAST, and IAST testing, automates security testing in CI/CD, and advises on secure coding.
AI for security
Applies familiarity with AI frameworks (MCP, ADK), LLMs, and prompt engineering for agentic SecOps workflows.
Stakeholder communication
Communicates complex technical strategies and risks to non-technical executives and stakeholders.
Security governance
Develops organizational policies, procedures, standards, baselines, and guidelines.
Security architecture
Defines security requirements and designs secure solution architectures and Secure by Design initiatives.

Provenance

The evidence base behind this profile — every layer is sourced; quality is scored by an adversarial review panel (1–5; passes at ≥4 on the minimum dimension).

  • Level differentiation: 5.0
  • Focus specificity: 5.0
  • Concreteness: 5.0
  • Factual accuracy: 5.0
  • Real-world coverage: 4.5
8 sources

Level — P6 — Principal Professional

Top individual contributor; recognized authority with strategic impact, equivalent to a low executive level

Scope
Organization-wide architecture and the hardest problems
Autonomy
Defines direction; minimal oversight
Complexity
Strategic, open-ended problems shaping the technical future
Impact
Organization-wide
Decision rights
Sets technical strategy for a major area
Leadership
Recognized authority; multiplies many teams
Typical experience
12–18 yrs

Adjacent roles

Nearest roles by structural coordinates (level + taxonomy). Distance 0 → 1; each carries its 3-state match band.

Title aliases

No title aliases recorded for this profile yet.

Classification mappings

O*NET / SOC

  • code=15-1212 · source=jfm-factory.resolve