Incident Response — P2

Goal templates — Incident Response — P2

Security · Incident Response · P2 — Developing Professional

These are canon-derived frames, not advice: every line is either verbatim JobFrame canon text or a fixed template wrapping it. ⟨target⟩ / ⟨baseline⟩ / ⟨date⟩ are placeholders for the manager to fill in. Nothing here is generated by AI — rows are omitted, never invented, when the canon lacks the underlying field.

SMART goals

One row per canon core output / responsibility this level owns.

JFM responsibility (P2)

Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.

Specific
Deliver: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
Relevant
Advances the Security · Incident Response mandate for a P2 — Developing Professional.
Time-bound
⟨date⟩

JFM responsibility (P2)

Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).

Specific
Deliver: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
Relevant
Advances the Security · Incident Response mandate for a P2 — Developing Professional.
Time-bound
⟨date⟩

JFM responsibility (P2)

Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.

Specific
Deliver: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
Relevant
Advances the Security · Incident Response mandate for a P2 — Developing Professional.
Time-bound
⟨date⟩

JFM responsibility (P2)

Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.

Specific
Deliver: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
Relevant
Advances the Security · Incident Response mandate for a P2 — Developing Professional.
Time-bound
⟨date⟩

JFM responsibility (P2)

Produces triage notes and investigation summaries to support escalations to senior responders.

Specific
Deliver: "Produces triage notes and investigation summaries to support escalations to senior responders."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
Relevant
Advances the Security · Incident Response mandate for a P2 — Developing Professional.
Time-bound
⟨date⟩

Copy / print as text

1. Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.  [source: JFM responsibility (P2)]
   Specific:    Deliver: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
   Relevant:    Advances the Security · Incident Response mandate for a P2 — Developing Professional.
   Time-bound:  ⟨date⟩

2. Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).  [source: JFM responsibility (P2)]
   Specific:    Deliver: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
   Relevant:    Advances the Security · Incident Response mandate for a P2 — Developing Professional.
   Time-bound:  ⟨date⟩

3. Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.  [source: JFM responsibility (P2)]
   Specific:    Deliver: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
   Relevant:    Advances the Security · Incident Response mandate for a P2 — Developing Professional.
   Time-bound:  ⟨date⟩

4. Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.  [source: JFM responsibility (P2)]
   Specific:    Deliver: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
   Relevant:    Advances the Security · Incident Response mandate for a P2 — Developing Professional.
   Time-bound:  ⟨date⟩

5. Produces triage notes and investigation summaries to support escalations to senior responders.  [source: JFM responsibility (P2)]
   Specific:    Deliver: "Produces triage notes and investigation summaries to support escalations to senior responders."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Handles moderate-scope, conventional incidents where defined procedures exist; exercises judgment in familiar triage and evidence-handling contexts."
   Relevant:    Advances the Security · Incident Response mandate for a P2 — Developing Professional.
   Time-bound:  ⟨date⟩

OKRs

Objectives from this level's core outputs; key results only where a real dimension or capability backs them.

JFM responsibility (P2)

Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
  • Evidence at this level's scope bar: "Defined deliverables / small features" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P2)

Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
  • Evidence at this level's autonomy bar: "General supervision; reviewed at milestones" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P2)

Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
  • Evidence at this level's complexity bar: "Some non-routine problems; applies established patterns" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P2)

Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
  • Evidence at this level's impact bar: "Own and immediate-team deliverables" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P2)

Produces triage notes and investigation summaries to support escalations to senior responders.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Produces triage notes and investigation summaries to support escalations to senior responders."
  • Evidence at this level's decision rights bar: "Routine technical choices within guidance" — ⟨target⟩ by ⟨date⟩

Copy / print as text

Objective 1: Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.  [source: JFM responsibility (P2)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."
  KR2. Evidence at this level's scope bar: "Defined deliverables / small features" — ⟨target⟩ by ⟨date⟩

Objective 2: Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).  [source: JFM responsibility (P2)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."
  KR2. Evidence at this level's autonomy bar: "General supervision; reviewed at milestones" — ⟨target⟩ by ⟨date⟩

Objective 3: Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.  [source: JFM responsibility (P2)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."
  KR2. Evidence at this level's complexity bar: "Some non-routine problems; applies established patterns" — ⟨target⟩ by ⟨date⟩

Objective 4: Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.  [source: JFM responsibility (P2)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."
  KR2. Evidence at this level's impact bar: "Own and immediate-team deliverables" — ⟨target⟩ by ⟨date⟩

Objective 5: Produces triage notes and investigation summaries to support escalations to senior responders.  [source: JFM responsibility (P2)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Produces triage notes and investigation summaries to support escalations to senior responders."
  KR2. Evidence at this level's decision rights bar: "Routine technical choices within guidance" — ⟨target⟩ by ⟨date⟩

MBO areas

Key result areas from this level's responsibilities, each with a standard grounded in the canon leveling rubric where one exists.

Area | Standard | Target | Due
Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩
Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events). | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩
Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩
Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩
Produces triage notes and investigation summaries to support escalations to senior responders. | Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals." | ⟨target⟩ | ⟨date⟩

Copy / print as text

1. Area: Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types.  [source: JFM responsibility (P2) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals."
   Target:   ⟨target⟩   Due: ⟨date⟩

2. Area: Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events).  [source: JFM responsibility (P2) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals."
   Target:   ⟨target⟩   Due: ⟨date⟩

3. Area: Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes.  [source: JFM responsibility (P2) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals."
   Target:   ⟨target⟩   Due: ⟨date⟩

4. Area: Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context.  [source: JFM responsibility (P2) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals."
   Target:   ⟨target⟩   Due: ⟨date⟩

5. Area: Produces triage notes and investigation summaries to support escalations to senior responders.  [source: JFM responsibility (P2) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Applies incident response handling methodologies and basic log/endpoint telemetry analysis to familiar incident types using established playbooks; developing breadth across Windows, Linux, macOS, and cloud audit signals."
   Target:   ⟨target⟩   Due: ⟨date⟩

Scorecard

Only perspectives with real canon backing are shown — no Financial or Customer perspective, since nothing in the canon grounds business-financial or customer measures for a role alone.

Internal process

  • "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."  →  ⟨target⟩ by ⟨date⟩
  • "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."  →  ⟨target⟩ by ⟨date⟩
  • "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."  →  ⟨target⟩ by ⟨date⟩
  • "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."  →  ⟨target⟩ by ⟨date⟩
  • "Produces triage notes and investigation summaries to support escalations to senior responders."  →  ⟨target⟩ by ⟨date⟩

Role calibration

  • Meets the scope bar: "Defined deliverables / small features"  →  ⟨target⟩ by ⟨date⟩
  • Meets the autonomy bar: "General supervision; reviewed at milestones"  →  ⟨target⟩ by ⟨date⟩
  • Meets the complexity bar: "Some non-routine problems; applies established patterns"  →  ⟨target⟩ by ⟨date⟩
  • Meets the impact bar: "Own and immediate-team deliverables"  →  ⟨target⟩ by ⟨date⟩
  • Meets the decision rights bar: "Routine technical choices within guidance"  →  ⟨target⟩ by ⟨date⟩
  • Meets the leadership bar: "May guide interns"  →  ⟨target⟩ by ⟨date⟩

Copy / print as text

Internal process
  - "Detects, triages, contains, and documents cybersecurity incidents under supervision, executing established response playbooks for standard event types."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P2)]
  - "Performs first-pass investigation and evidence handling, organizing and time-bounding evidence packages (log exports, EDR snapshots, cloud audit events)."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P2)]
  - "Creates incident tickets with complete documentation covering scope, severity, evidence links, actions taken, and outcomes."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P2)]
  - "Builds incident timelines, performs phishing analysis, and compiles indicator (IOC) lists with supporting context."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P2)]
  - "Produces triage notes and investigation summaries to support escalations to senior responders."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P2)]

Role calibration
  - Meets the scope bar: "Defined deliverables / small features"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Scope)]
  - Meets the autonomy bar: "General supervision; reviewed at milestones"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Autonomy)]
  - Meets the complexity bar: "Some non-routine problems; applies established patterns"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Complexity)]
  - Meets the impact bar: "Own and immediate-team deliverables"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Impact)]
  - Meets the decision rights bar: "Routine technical choices within guidance"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Decision rights)]
  - Meets the leadership bar: "May guide interns"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Leadership)]