SECURI.SECURITY5AA4.P2
Security Engineering — P2
Security

P2 — Developing Professional · high (0.90) · approved · global · v1

Level
P2 — Developing Professional · 1–3 yrs
Function · Focus
Security · Security Engineering
Market pay (median)
$67k (range $53k–$86k)

Focus — Security Engineering

Security Engineering focuses on the hands-on design, implementation, and operation of technical security controls — SIEM-based threat detection, incident response, vulnerability assessment, penetration testing, cloud and network security architecture (IAM, ZTNA, segmentation, encryption), EDR operation, and detection-as-code automation. Distinct from governance/compliance focuses (which own policy, audit, and standards programs) and from security analyst/SOC roles (alert triage only), this focus owns the engineering of detection logic, security architectures, and forensic investigation across infrastructure and cloud.

This focus carries a material pay and skill differential relative to the Security function baseline.

Responsibilities by level

What this person actually does at each level on the professional track: escalating scope, not one generic blob. The level this profile describes is marked below.

P1
  • Monitors security systems and triages alerts from SIEM platforms (Splunk, QRadar, Elastic Security) under close supervision, escalating confirmed threats
  • Assists senior engineers in implementing basic security controls such as firewall rules (Palo Alto, Fortinet), antivirus deployment, and IDS/IPS configurations
  • Participates in scheduled vulnerability scans and security audits using vulnerability scanning tools, documenting identified weaknesses
  • Performs first-line response to security alerts following defined runbooks and SOC procedures, using EDR consoles (CrowdStrike, SentinelOne) to review endpoint detections
  • Builds foundational skills in threat detection, incident response workflows, and core tooling (Linux, basic SQL queries against log data) under detailed instruction
P2 (this profile)
  • Independently manages defined security protocols and analyzes risks within familiar systems, implementing security measures per established procedures
  • Writes and maintains basic detection logic and automation scripts in Python or Bash to reduce repetitive triage and monitoring tasks, querying log data with SQL
  • Conducts vulnerability assessments and contributes findings to remediation plans, partnering with system owners
  • Participates in incident response and recovery efforts, owning containment steps for assigned incidents and using Wireshark to inspect suspicious network traffic
  • Contributes to drafting and updating security policies and supports delivery of security awareness training programs
P3
  • Independently owns defined areas of the security program — detection coverage, vulnerability management, or a network/cloud domain — planning day-to-day work with milestone review
  • Designs and maintains version-controlled detection-as-code, evaluating identifiable factors to tune rules and reduce false positives in the SIEM
  • Leads investigations for moderate-severity incidents, performing forensic analysis of logs, endpoints, and packet captures (Wireshark) to determine root cause
  • Conducts penetration tests and purple-team exercises to identify exploitable weaknesses, then drives remediation with engineering teams
  • Configures network security controls — firewalls, VPNs, ZTNA, segmentation, and encryption — and integrates security best practices into deployment pipelines with cross-functional teams
P4
  • Designs security architectures and controls for complex infrastructure and cloud environments (AWS Security Hub, Microsoft Sentinel, Google Security Command Center), selecting methods and tooling with functional impact
  • Leads incident investigations end-to-end, performing in-depth forensic analysis across complex variables and directing containment and recovery
  • Performs deep cloud security architecture work — IAM at scale, cloud-native detection, and Terraform / Open Policy Agent guardrails — and may lead project teams
  • Shifts the team from reactive monitoring toward proactive threat hunting, building reusable detection content and hunt methodologies
  • Mentors junior and mid-level engineers, acting as technical decision-maker with tooling autonomy and a defined on-call profile
P5
  • Sets strategic direction for the organization's security posture, addressing strategic and ambiguous issues that contribute to company security objectives
  • Assesses emerging threats and technologies and architects advanced solutions across cloud, network, and detection domains
  • Acts independently on broad security assignments, ensuring technical controls satisfy regulatory and framework requirements (NIST, ISO 27001, CIS Critical Security Controls)
  • Serves as trusted advisor to team leadership, shaping team direction and building influential cross-functional security networks
  • Leads complex security initiatives spanning multiple systems and teams, mentoring senior engineers on architecture and threat response
P6
  • Creates scope where none existed — defines new cross-team technical initiatives and detection/architecture programs that did not previously exist, categorically beyond owning a defined area
  • Drives cross-team technical decisions on platform-wide security architecture (cloud-native detection, ZTNA rollout, detection-as-code platform), resolving conflicting requirements across engineering groups
  • Designs the technical security architecture and standards that other engineers build against, establishing reusable patterns for IAM, segmentation, and detection coverage
  • Analyzes trends in the threat environment and translates them into engineering roadmaps and organizational risk reduction across multiple teams
  • Mentors senior and staff-level engineers and acts as the technical authority resolving the hardest architecture and incident escalations
P7
  • Sets direction for the security engineering function across the organization, anticipating emerging threats and defining multi-year technical roadmaps with organizational and external scope
  • Solves precedent-free, ambiguous security problems with broad business consequences, developing new detection models, cloud-native defense approaches, or architectural frameworks
  • Significantly influences company security strategy as a trusted advisor to department leadership, driving complex initiatives across departments with multiple cross-org dependencies
  • Serves as an ambassador for security inside and outside the organization, advancing detection-as-code and threat-hunting practice through external technical visibility
  • Provides high-level mentorship to principal and senior engineers, shaping organizational security capability and influencing peer professionals without requiring direct reports

Level guidelines

The universal leveling rubric applied to this function — how scope, complexity, collaboration, and experience step up across levels.

P1
  • Knowledge & Application: Applies foundational knowledge of security tools, SIEM monitoring, and incident response basics to routine, well-defined tasks under detailed instruction.
  • Complexity & Problem Solving: Handles routine security problems with standard, documented answers; escalates anything outside defined runbooks.
  • Collaboration & Interaction: Works within stable internal relationships on the SOC/security team; communicates findings to immediate supervisors.
  • Typical Degree & Years: 0–1 years; new graduate, intern, or entry-level SOC Analyst / Security Administrator.
P2
  • Knowledge & Application: Applies working knowledge of detection logic, scripting, and vulnerability assessment to conventional tasks, exercising judgment in familiar contexts.
  • Complexity & Problem Solving: Solves moderately complex security problems by applying defined procedures and some routine independent analysis.
  • Collaboration & Interaction: Builds productive project relationships with system owners and senior engineers; may mentor entry-level staff.
  • Typical Degree & Years: 2+ years with a BA, or MS/PhD with no prior experience; 2–5 years typical.
P3
  • Knowledge & Application: Applies broad security engineering knowledge across detection-as-code, pen testing, network security, and forensics to diverse problems with moderate independence.
  • Complexity & Problem Solving: Evaluates identifiable factors to investigate incidents, tune detections, and drive remediation; plans own work to milestones.
  • Collaboration & Interaction: Networks with senior professionals across engineering; coordinates project activities and integrates security into cross-functional work.
  • Typical Degree & Years: 5+ years (BA), 3 years (MA), or PhD without experience; 3–9 years in security.
P4
  • Knowledge & Application: Applies in-depth expertise in security architecture, cloud security, and forensic investigation to complex issues with functional impact.
  • Complexity & Problem Solving: Performs in-depth analysis of complex variables to design architectures, lead investigations, and select methods and tooling.
  • Collaboration & Interaction: Coordinates across engineering groups; may lead project teams and influence tooling and architecture decisions.
  • Typical Degree & Years: 8+ years, often with graduate education; senior security engineer.
P5
  • Knowledge & Application: Applies expert security knowledge and intangibles to strategic, often unique problems that contribute to company security objectives.
  • Complexity & Problem Solving: Solves strategic and ambiguous security problems with high independence, assessing emerging threats and architecting advanced solutions.
  • Collaboration & Interaction: Builds influential cross-functional networks; acts as trusted advisor and external spokesperson on security topics.
  • Typical Degree & Years: 12+ years; extensive security expertise across multiple domains.
P6
  • Knowledge & Application: Applies principal-level engineering expertise to create scope and define cross-team technical security programs with organizational reach.
  • Complexity & Problem Solving: Drives cross-team technical decisions and resolves precedent-setting architecture problems; categorically broader scope than senior, creating initiatives rather than owning defined areas.
  • Collaboration & Interaction: Influences engineering leadership and peer professionals across the organization; recognized internal technical authority on security.
  • Typical Degree & Years: 15+ years; staff/principal-level security engineer who drives cross-team scope creation.
P7
  • Knowledge & Application: Applies field-shaping expertise to set technical direction for the security engineering function and develop novel detection and defense approaches.
  • Complexity & Problem Solving: Solves ambiguous, precedent-free security problems with broad business consequences; defines multi-year technical roadmaps.
  • Collaboration & Interaction: Influences company-wide strategy and external technical community; mentors principal engineers and educates senior stakeholders.
  • Typical Degree & Years: 20+ years or equivalent recognition; principal security engineer with organizational and external technical influence.

Skills

Focus-specific skills the role applies — the relevance layer beyond the occupational base.

SIEM operation
Hands-on use of Security Information and Event Management platforms such as Splunk, IBM QRadar, or Elastic Security to aggregate and analyze security events.
Threat detection and incident response
Monitoring, identifying, investigating, and responding to security breaches, intrusions, and incidents.
Vulnerability assessment
Identifying weaknesses and potential risks in systems through scanning and security audits.
Penetration testing / ethical hacking
Simulating attacks via red teaming, purple teaming, or pen tests to find exploitable weaknesses.
Scripting and automation
Using languages like Python, Perl, or Bash to automate security tasks and write detection logic.
Detection-as-code
Writing version-controlled detection logic as code (reviewed, tested, and deployed through a pipeline like any other software) rather than as configuration held inside a SIEM's proprietary interface.
Cloud security architecture
Designing IAM at scale, cloud-native detection, and guardrails in AWS, Azure, or GCP.
Network security
Configuring firewalls, VPNs, ZTNA, network segmentation, and encryption technologies.
Security frameworks and compliance
Applying standards such as NIST, ISO 27001, and CIS Critical Security Controls.
Security architecture design
Designing appropriate security controls and architectures to protect infrastructure and data.
Forensic investigation
Performing forensic analysis following computer security breaches, viruses, and intrusions.
Mentorship and technical leadership
Guiding junior engineers and driving cross-team technical decisions.
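The P2 responsibility of writing detection logic and automation in Python, and the Detection-as-code skill above, describe the same artifact: a rule that lives in a repository with its metadata, its logic, and its own test data, so a pull request can be reviewed and a CI job can prove the rule still fires. The following is an added example of that shape, not code from the profile or from any SIEM vendor. The JSON-lines auth log format, the field names (`ts`, `event`, `src_ip`, `user`, `outcome`), the rule ID `AUTH-001`, and the threshold and window values are all assumptions made for illustration; the log lines are constructed, not real telemetry.

```python
"""Detection-as-code: a rule kept as Python in git, with its own test data.

Added example, not the page's own code. The JSON-lines auth log format,
field names and tuning values below are assumptions made for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    """Rule metadata lives next to the logic so reviewers see both in one diff."""
    rule_id: str
    title: str
    severity: str
    technique: str  # ATT&CK technique ID the rule maps to


@dataclass(frozen=True)
class Alert:
    rule_id: str
    entity: str
    reason: str
    first_seen: datetime
    last_seen: datetime


BRUTE_FORCE = Detection("AUTH-001", "Repeated auth failures followed by success",
                        "high", "T1110")  # T1110 = Brute Force
FAIL_THRESHOLD = 3             # assumed tuning value
WINDOW = timedelta(minutes=5)  # assumed tuning value


def parse_events(lines):
    """Parse JSON-lines auth events, dropping malformed lines instead of aborting the job."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError):
            continue  # a malformed line is a data-quality bug to track, not a detection
    return sorted(events, key=lambda e: e["ts"])


def brute_force_rule(events):
    """Fire when >= FAIL_THRESHOLD failures from one src_ip inside WINDOW precede a success."""
    alerts = []
    recent_failures = defaultdict(list)  # src_ip -> timestamps of failures still in window
    for ev in events:
        if ev.get("event") != "auth":
            continue
        src = ev["src_ip"]
        # Sliding window: forget failures older than WINDOW relative to this event.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= WINDOW]
        if ev["outcome"] == "failure":
            recent_failures[src].append(ev["ts"])
        elif ev["outcome"] == "success" and len(recent_failures[src]) >= FAIL_THRESHOLD:
            alerts.append(Alert(BRUTE_FORCE.rule_id, src,
                                f"{len(recent_failures[src])} failures then success as {ev['user']}",
                                recent_failures[src][0], ev["ts"]))
            recent_failures[src].clear()  # one alert per burst, not one per later success
    return alerts


# Constructed sample log (not real telemetry): one true positive, one benign typo,
# one burst whose success lands outside the window, and one malformed line.
SAMPLE_LOG = """
{"ts": "2024-03-01T10:00:00", "event": "auth", "src_ip": "203.0.113.7", "user": "root", "outcome": "failure"}
{"ts": "2024-03-01T10:00:10", "event": "auth", "src_ip": "203.0.113.7", "user": "admin", "outcome": "failure"}
{"ts": "2024-03-01T10:00:20", "event": "auth", "src_ip": "203.0.113.7", "user": "jdoe", "outcome": "failure"}
{"ts": "2024-03-01T10:01:00", "event": "auth", "src_ip": "203.0.113.7", "user": "jdoe", "outcome": "success"}
{"ts": "2024-03-01T10:02:00", "event": "auth", "src_ip": "198.51.100.4", "user": "jdoe", "outcome": "failure"}
{"ts": "2024-03-01T10:02:05", "event": "auth", "src_ip": "198.51.100.4", "user": "jdoe", "outcome": "success"}
{"ts": "2024-03-01T11:30:00", "event": "auth", "src_ip": "192.0.2.9", "user": "ops", "outcome": "failure"}
{"ts": "2024-03-01T11:30:01", "event": "auth", "src_ip": "192.0.2.9", "user": "ops", "outcome": "failure"}
{"ts": "2024-03-01T11:30:02", "event": "auth", "src_ip": "192.0.2.9", "user": "ops", "outcome": "failure"}
{"ts": "2024-03-01T11:40:00", "event": "auth", "src_ip": "192.0.2.9", "user": "ops", "outcome": "success"}
this line is not JSON and must not crash the run
"""


def run_detection(raw_log=SAMPLE_LOG):
    """Entry point a CI job would call; returns alerts so tests can assert on them."""
    return brute_force_rule(parse_events(raw_log.splitlines()))


if __name__ == "__main__":
    for a in run_detection():
        print(a.rule_id, a.entity, a.reason, a.first_seen, a.last_seen)
```

Run stand-alone it reports one alert for 203.0.113.7; the single typo from 198.51.100.4 and the 192.0.2.9 burst whose success arrives ten minutes later both stay quiet, and the malformed line is skipped rather than taking the job down. Those three negative cases are the point of keeping the sample log in the repository: a tuning change to the threshold or window has to keep them green, which is the false-positive control that a rule edited inside a SIEM console never gets.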

Provenance

The evidence base behind this profile — every layer is sourced; quality is scored by an adversarial review panel (1–5; passes at ≥4 on the minimum dimension).

  • Level differentiation: 4.5
  • Focus specificity: 5.0
  • Concreteness: 5.0
  • Factual accuracy: 4.5
  • Real-world coverage: 4.5
9 sources

Level — P2 — Developing Professional

Early-career professional; developing skills, handles routine tasks with some independence

Scope
Defined deliverables / small features
Autonomy
General supervision; reviewed at milestones
Complexity
Some non-routine problems; applies established patterns
Impact
Own and immediate-team deliverables
Decision rights
Routine technical choices within guidance
Leadership
May guide interns
Typical experience
1–3 yrs

Adjacent roles

Nearest roles by structural coordinates (level + taxonomy); distance ranges from 0 to 1, and each match carries a three-state match band.

Title aliases

No title aliases recorded for this profile yet.

Classification mappings

O*NET / SOC

  • code: 15-1212 (source: jfm-factory.resolve)