Incident Response — P3

Goal templates — Incident Response — P3

Security · Incident Response · P3 — Mid-Level Professional

These are canon-derived frames, not advice: every line is either verbatim JobFrame canon text or a fixed template wrapping it. ⟨target⟩ / ⟨baseline⟩ / ⟨date⟩ are placeholders for the manager to fill in. Nothing here is generated by AI — rows are omitted, never invented, when the canon lacks the underlying field.

SMART goals

One row per canon core output / responsibility this level owns.

JFM responsibility (P3)

Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.

Specific
Deliver: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
Relevant
Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
Time-bound
⟨date⟩

JFM responsibility (P3)

Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.

Specific
Deliver: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
Relevant
Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
Time-bound
⟨date⟩

JFM responsibility (P3)

Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.

Specific
Deliver: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
Relevant
Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
Time-bound
⟨date⟩

JFM responsibility (P3)

Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.

Specific
Deliver: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
Relevant
Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
Time-bound
⟨date⟩

JFM responsibility (P3)

Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.

Specific
Deliver: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
Measurable
Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
Achievable
Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
Relevant
Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
Time-bound
⟨date⟩

Copy / print as text

1. Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.  [source: JFM responsibility (P3)]
   Specific:    Deliver: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
   Relevant:    Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
   Time-bound:  ⟨date⟩

2. Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.  [source: JFM responsibility (P3)]
   Specific:    Deliver: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
   Relevant:    Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
   Time-bound:  ⟨date⟩

3. Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.  [source: JFM responsibility (P3)]
   Specific:    Deliver: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
   Relevant:    Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
   Time-bound:  ⟨date⟩

4. Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.  [source: JFM responsibility (P3)]
   Specific:    Deliver: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
   Relevant:    Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
   Time-bound:  ⟨date⟩

5. Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.  [source: JFM responsibility (P3)]
   Specific:    Deliver: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
   Measurable:  Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
   Achievable:  Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
   Relevant:    Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
   Time-bound:  ⟨date⟩

OKRs

Objectives from this level's core outputs; key results only where a real dimension or capability backs them.

JFM responsibility (P3)

Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
  • Evidence at this level's scope bar: "Features or a sub-system end-to-end" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P3)

Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
  • Evidence at this level's autonomy bar: "Works independently on standard work; reviewed on the non-standard" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P3)

Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
  • Evidence at this level's complexity bar: "Diverse problems; adapts existing approaches" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P3)

Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
  • Evidence at this level's impact bar: "Project / team outcomes" — ⟨target⟩ by ⟨date⟩

JFM responsibility (P3)

Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.

  • From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
  • Evidence at this level's decision rights bar: "Owns implementation decisions for own scope" — ⟨target⟩ by ⟨date⟩

Copy / print as text

Objective 1: Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.  [source: JFM responsibility (P3)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
  KR2. Evidence at this level's scope bar: "Features or a sub-system end-to-end" — ⟨target⟩ by ⟨date⟩

Objective 2: Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.  [source: JFM responsibility (P3)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
  KR2. Evidence at this level's autonomy bar: "Works independently on standard work; reviewed on the non-standard" — ⟨target⟩ by ⟨date⟩

Objective 3: Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.  [source: JFM responsibility (P3)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
  KR2. Evidence at this level's complexity bar: "Diverse problems; adapts existing approaches" — ⟨target⟩ by ⟨date⟩

Objective 4: Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.  [source: JFM responsibility (P3)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
  KR2. Evidence at this level's impact bar: "Project / team outcomes" — ⟨target⟩ by ⟨date⟩

Objective 5: Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.  [source: JFM responsibility (P3)]
  KR1. From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
  KR2. Evidence at this level's decision rights bar: "Owns implementation decisions for own scope" — ⟨target⟩ by ⟨date⟩

MBO areas

Key result areas from this level's responsibilities, each with a standard grounded in the canon leveling rubric where one exists.

| Area | Standard | Target | Due |
| --- | --- | --- | --- |
| Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Contributes improvements to detection content and response playbooks, and informally mentors junior analysts. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |

Copy / print as text

1. Area: Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.  [source: JFM responsibility (P3) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling."
   Target:   ⟨target⟩   Due: ⟨date⟩

2. Area: Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.  [source: JFM responsibility (P3) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling."
   Target:   ⟨target⟩   Due: ⟨date⟩

3. Area: Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.  [source: JFM responsibility (P3) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling."
   Target:   ⟨target⟩   Due: ⟨date⟩

4. Area: Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.  [source: JFM responsibility (P3) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling."
   Target:   ⟨target⟩   Due: ⟨date⟩

5. Area: Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.  [source: JFM responsibility (P3) — reused, no distinct responsibility content]
   Standard: Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling."
   Target:   ⟨target⟩   Due: ⟨date⟩

Scorecard

Only perspectives with real canon backing are shown — no Financial or Customer perspective, since nothing in the canon grounds business-financial or customer measures for a role alone.

Internal process

  • "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."  →  ⟨target⟩ by ⟨date⟩
  • "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."  →  ⟨target⟩ by ⟨date⟩
  • "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."  →  ⟨target⟩ by ⟨date⟩
  • "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."  →  ⟨target⟩ by ⟨date⟩
  • "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."  →  ⟨target⟩ by ⟨date⟩

Role calibration

  • Meets the scope bar: "Features or a sub-system end-to-end"  →  ⟨target⟩ by ⟨date⟩
  • Meets the autonomy bar: "Works independently on standard work; reviewed on the non-standard"  →  ⟨target⟩ by ⟨date⟩
  • Meets the complexity bar: "Diverse problems; adapts existing approaches"  →  ⟨target⟩ by ⟨date⟩
  • Meets the impact bar: "Project / team outcomes"  →  ⟨target⟩ by ⟨date⟩
  • Meets the decision rights bar: "Owns implementation decisions for own scope"  →  ⟨target⟩ by ⟨date⟩
  • Meets the leadership bar: "Mentors juniors informally"  →  ⟨target⟩ by ⟨date⟩

Copy / print as text

Internal process
  - "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P3)]
  - "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P3)]
  - "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P3)]
  - "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P3)]
  - "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."  →  ⟨target⟩ by ⟨date⟩   [source: JFM responsibility (P3)]

Role calibration
  - Meets the scope bar: "Features or a sub-system end-to-end"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Scope)]
  - Meets the autonomy bar: "Works independently on standard work; reviewed on the non-standard"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Autonomy)]
  - Meets the complexity bar: "Diverse problems; adapts existing approaches"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Complexity)]
  - Meets the impact bar: "Project / team outcomes"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Impact)]
  - Meets the decision rights bar: "Owns implementation decisions for own scope"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Decision rights)]
  - Meets the leadership bar: "Mentors juniors informally"  →  ⟨target⟩ by ⟨date⟩   [source: level dimension (Leadership)]