Goal templates — Incident Response — P3
Security · Incident Response · P3 — Mid-Level Professional
These are canon-derived frames, not advice: every line is either verbatim JobFrame canon text or a fixed template wrapping it. ⟨target⟩ / ⟨baseline⟩ / ⟨date⟩ are placeholders for the manager to fill in. Nothing here is generated by AI — rows are omitted, never invented, when the canon lacks the underlying field.
SMART goals
One row per canon core output / responsibility this level owns.
JFM responsibility (P3)
Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.
- Specific: Deliver: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
- Measurable: Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable: Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
- Relevant: Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
- Time-bound: ⟨date⟩
JFM responsibility (P3)
Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.
- Specific: Deliver: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
- Measurable: Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable: Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
- Relevant: Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
- Time-bound: ⟨date⟩
JFM responsibility (P3)
Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.
- Specific: Deliver: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
- Measurable: Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable: Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
- Relevant: Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
- Time-bound: ⟨date⟩
JFM responsibility (P3)
Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.
- Specific: Deliver: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
- Measurable: Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable: Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
- Relevant: Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
- Time-bound: ⟨date⟩
JFM responsibility (P3)
Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.
- Specific: Deliver: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
- Measurable: Move the metric this drives from ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩.
- Achievable: Scoped to this level's jfm complexity/problem-solving rubric: "Evaluates identifiable factors across diverse standard incidents; reconstructs timelines and validates facts on low-to-medium severity events with moderate independence."
- Relevant: Advances the Security · Incident Response mandate for a P3 — Mid-Level Professional.
- Time-bound: ⟨date⟩
OKRs
Objectives from this level's core outputs; key results only where a real dimension or capability backs them.
JFM responsibility (P3)
Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals."
- Evidence at this level's scope bar: "Features or a sub-system end-to-end" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P3)
Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps."
- Evidence at this level's autonomy bar: "Works independently on standard work; reviewed on the non-standard" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P3)
Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure."
- Evidence at this level's complexity bar: "Diverse problems; adapts existing approaches" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P3)
Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions."
- Evidence at this level's impact bar: "Project / team outcomes" — ⟨target⟩ by ⟨date⟩
JFM responsibility (P3)
Contributes improvements to detection content and response playbooks, and informally mentors junior analysts.
- From ⟨baseline⟩ to ⟨target⟩ by ⟨date⟩ — tied to: "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts."
- Evidence at this level's decision rights bar: "Owns implementation decisions for own scope" — ⟨target⟩ by ⟨date⟩
MBO areas
Key result areas from this level's responsibilities, each with a standard grounded in the canon leveling rubric where one exists.
| Area | Standard | Target | Due |
|---|---|---|---|
| Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
| Contributes improvements to detection content and response playbooks, and informally mentors junior analysts. | Consistent with this level's jfm knowledge-application rubric: "Independently applies investigation, containment, eradication, and recovery techniques across endpoint, identity, cloud, network, and application signals using SIEM and EDR tooling." | ⟨target⟩ | ⟨date⟩ |
Scorecard
Only perspectives with real canon backing are shown — no Financial or Customer perspective, since nothing in the canon grounds business-financial or customer measures for a role alone.
Internal process
- "Works independently on standard incidents and collaborates on complex events, detecting and investigating across endpoint, identity, cloud, network, and application signals." → ⟨target⟩ by ⟨date⟩
- "Executes containment, eradication, and recovery actions, partnering with Engineering/IT owners to safely implement response steps." → ⟨target⟩ by ⟨date⟩
- "Acts as incident coordinator for low-to-medium severity events, planning response activities and tracking actions to closure." → ⟨target⟩ by ⟨date⟩
- "Contributes to post-incident reviews by compiling facts, validating timelines, and tracking corrective actions." → ⟨target⟩ by ⟨date⟩
- "Contributes improvements to detection content and response playbooks, and informally mentors junior analysts." → ⟨target⟩ by ⟨date⟩
Role calibration
- Meets the scope bar: "Features or a sub-system end-to-end" → ⟨target⟩ by ⟨date⟩
- Meets the autonomy bar: "Works independently on standard work; reviewed on the non-standard" → ⟨target⟩ by ⟨date⟩
- Meets the complexity bar: "Diverse problems; adapts existing approaches" → ⟨target⟩ by ⟨date⟩
- Meets the impact bar: "Project / team outcomes" → ⟨target⟩ by ⟨date⟩
- Meets the decision rights bar: "Owns implementation decisions for own scope" → ⟨target⟩ by ⟨date⟩
- Meets the leadership bar: "Mentors juniors informally" → ⟨target⟩ by ⟨date⟩