Incident Response — P6
Security

SECURI.INCIDENT4B3D.P6

P6 — Principal Professional · high (0.80) · approved · global · v1

Detects, triages, investigates, contains, and recovers from cybersecurity incidents across endpoint, identity, cloud, network, and application signals, owning the live incident lifecycle from first-pass triage through forensics, eradication, post-incident review, and incident command. Distinct from threat-intelligence (adversary tracking and IOC enrichment), detection-engineering (builds and tunes detection content), and security-operations administration (manages tooling uptime and platform configuration): this focus owns the response itself. As responders mature they author runbooks and provide technical input to the monitoring platform's evolution from the responder's perspective, but they do not own detection-content development or platform administration.

Level
P6 — Principal Professional · 12–18 yrs
Function · Focus
Security · Incident Response
Market pay (median)
$175k ($138k–$223k)

Focus — Incident Response

Material PAY and SKILL differential vs the function baseline.

Responsibilities by level

What this person actually does at each level on the professional track — escalating scope, not one generic blob. The level this profile describes is marked.

P2
  • Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.
  • Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).
  • Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.
  • Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.
  • Produces triage notes and investigation summaries to support escalations to senior responders.
P3
  • Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.
  • Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.
  • Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.
  • Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.
  • Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.
P4
  • Leads technical incident investigations on complex events — directing triage, forensics, containment, and eradication across affected systems.
  • Writes technical investigation reports covering attack path, affected assets, persistence mechanisms, and data-exposure assessment.
  • Provides incident command support and cross-team coordination, directing multiple internal and external subject matter experts during active response.
  • Leads post-incident reviews with root-cause analysis and prioritized corrective action items, and authors new runbooks for repeat incident patterns.
  • Drives measurable improvements to detection and response, and produces executive summaries for leadership consumption.
P5
  • Acts as Incident Commander during high-severity or novel incidents, setting priorities and making final response decisions without doing hands-on troubleshooting.
  • Manages active engagements end-to-end, coordinating with clients, leadership, and legal counsel through forensic and IR investigations where no defined procedure exists.
  • Resolves incidents under ambiguity by assessing intangibles and selecting response strategy on broad and special assignments with high independence.
  • Provides technical leadership on the responder-facing evolution of the security monitoring platform, defining how response telemetry, forensic tooling, and runbooks must improve.
  • Builds influential networks across the security industry, serving as external spokesperson and authoring the organization's reference response approaches for recurring high-severity patterns.
P6 (this profile)
  • Advances incident-response practice across the industry, contributing reference methodologies, conference and community thought-leadership, and field-shaping approaches to forensics and incident command that influence peer professionals beyond the organization.
  • Sets the multi-year strategic direction for the organization's DFIR capability, defining how detection-and-response posture, forensic tooling, and command doctrine must evolve under full independent latitude.
  • Acts as Incident Commander on the most critical, organization-defining incidents, providing authoritative recovery direction and final-decision authority where outcomes carry enterprise and regulatory consequence.
  • Establishes the operating procedures, best practices, and quality standards that govern the entire incident-response function and serve as the benchmark for the discipline.
  • Provides high-level technical mentorship to senior and principal responders and shapes the judgment of the broader responder community as a recognized authority in the field.

Level guidelines

The universal leveling rubric applied to this function — how scope, complexity, collaboration, and experience step up across levels.

P2
  • Knowledge & Application: Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals.
  • Complexity & Problem Solving: Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts.
  • Collaboration & Interaction: Builds productive working relationships within the response team; escalates with clear triage notes and investigation summaries to senior analysts.
  • Typical Degree & Years: 2+ years with a BA/BS, or MS/PhD with no prior experience; foundational SOC or analyst exposure.
P3
  • Knowledge & Application: Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling.
  • Complexity & Problem Solving: Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence.
  • Collaboration & Interaction: Networks with senior responders and partners with Engineering/IT owners to implement response actions; coordinates activities as incident lead on lower-severity events.
  • Typical Degree & Years: 5+ years with a BA/BS, 3 years with an MA/MS, or a PhD; demonstrated independent incident handling.
P4
  • Knowledge & Application: Applies in-depth forensics, malware analysis, and EDR telemetry expertise to complex, multi-signal investigations; selects investigation methods and forensic approaches.
  • Complexity & Problem Solving: Performs in-depth analysis of complex variables — reconstructing attack paths, persistence, and data exposure across affected assets where outcomes are uncertain.
  • Collaboration & Interaction: Coordinates across groups and directs internal and external SMEs during active response; influences decisions and communicates findings to leadership via executive summaries.
  • Typical Degree & Years: 8+ years, often with graduate education; recognized technical lead on incident investigations.
P5
  • Knowledge & Application: Brings extensive expertise across IR methodologies, forensics, malware analysis, and the responder-facing evolution of monitoring and forensic tooling; applies decision-making under ambiguity where no procedures exist.
  • Complexity & Problem Solving: Addresses strategic and novel incidents with high independence on broad and special assignments, assessing intangibles to set response strategy and direct command without hands-on troubleshooting.
  • Collaboration & Interaction: Builds influential networks internally and externally and acts as external spokesperson; coordinates with clients, leadership, and legal counsel on active engagements and authors reference response approaches.
  • Typical Degree & Years: 12+ years with extensive DFIR and incident command expertise.
P6 (this profile)
  • Knowledge & Application: Recognized principal authority whose reference methodologies, forensic techniques, and command doctrine advance incident-response practice across the industry, not solely within the organization.
  • Complexity & Problem Solving: Provides visionary, field-shaping problem-solving on the most critical organization-defining incidents and on multi-year capability strategy under full independent latitude.
  • Collaboration & Interaction: Influences peer professionals and the broader responder community through thought-leadership and external contribution; provides high-level mentorship and authoritative incident command on the most critical events.
  • Typical Degree & Years: 15+ years as a principal DFIR expert; often PhD plus demonstrated industry leadership and external recognition.

Skills

Focus-specific skills the role applies — the relevance layer beyond the occupational base.

Incident response and handling methodologies
Knowledge of structured methods for detecting, triaging, containing, eradicating, recovering from, and learning from security incidents.
Network security architecture
Understanding of topology, protocols, defense-in-depth, the OSI model, and TCP/IP.
Operating system breadth
Familiarity with Windows, Linux, and macOS, including their unique vulnerabilities and security features.
Cloud security
Grasp of cloud platforms (AWS, Azure, Google Cloud), their architecture and security features, and how cloud service models can limit incident response.
System and OS hardening
Knowledge of system administration, network, and operating-system hardening techniques.
Endpoint telemetry analysis
Deep understanding of EDR tools and endpoint telemetry to identify and respond to sophisticated threats.
Malware analysis
Analyzing malicious code, including reversing compiled code, to understand threats.
Digital forensics
Network storage forensics, file-system analysis, file carving, and evidence collection for complex breaches and APTs.
Log analysis
Investigating logs and security signals to detect and reconstruct incidents.
Scripting and automation
Using scripting languages to automate repetitive tasks and improve efficiency, especially during large-scale breaches.
Playbook and runbook authoring
Writing new and updated response procedures for repeat incident patterns.
Stakeholder communication
Producing executive summaries and clear recovery direction for leadership and clients.
Incident command
Setting priorities, making final decisions, and coordinating overall response without doing hands-on troubleshooting.
Decision-making under ambiguity
Quickly assessing situations and taking action when defined procedures do not exist.
Tools and technologies
Used effectively during the delivery of day-to-day tasks:
  • Nagios
  • Wireshark
  • Palo Alto Networks Next-Generation Security Platform
  • Trend Micro TippingPoint
  • Splunk
  • ServiceNow
  • Google Chronicle
  • Google SecOps
  • IDA Pro
  • OllyDbg
  • WinDbg
  • SIEM tools
  • Intrusion detection/prevention systems
  • Data-loss-prevention tools
  • EDR tools

Provenance

The evidence base behind this profile — every layer is sourced; quality is scored by an adversarial review panel (1–5; passes at ≥4 on the minimum dimension).

  • Level differentiation: 4.5
  • Focus specificity: 5.0
  • Concreteness: 4.5
  • Factual accuracy: 4.0
  • Real-world coverage: 4.5
4 sources

Level — P6 — Principal Professional

Top individual contributor; recognized authority with strategic impact, equivalent to a low executive level

Scope
Organization-wide architecture and the hardest problems
Autonomy
Defines direction; minimal oversight
Complexity
Strategic, open-ended problems shaping the technical future
Impact
Organization-wide
Decision rights
Sets technical strategy for a major area
Leadership
Recognized authority; multiplies many teams
Typical experience
12–18 yrs

Adjacent roles

Nearest roles by structural coordinates (level + taxonomy). Distance ranges from 0 to 1; each role carries its 3-state match band.

Title aliases

No title aliases recorded for this profile yet.

Classification mappings

O*NET / SOC

  • code: 15-1212 (source: jfm-factory.resolve)